make the simplistic check and the purging of special characters much

less aggressive (#1003624, #985378)
2013-09-03 08:00:17 +02:00 · 2013-09-03 08:00:17 +02:00 · d8d736852f
commit d8d736852f
parent 247f79b137
2 changed files with 101 additions and 1 deletions
--- a/cracklib-2.9.0-simplistic.patch
+++ b/cracklib-2.9.0-simplistic.patch
@ -0,0 +1,94 @@
+diff -up cracklib-2.9.0/lib/fascist.c.simplistic cracklib-2.9.0/lib/fascist.c
+--- cracklib-2.9.0/lib/fascist.c.simplistic	2013-09-03 07:45:55.369653537 +0200
+++ cracklib-2.9.0/lib/fascist.c	2013-09-03 07:48:58.686759120 +0200
+@@ -55,7 +55,6 @@ static char *r_destructors[] = {
+ 
+     "/?p@?p",                   /* purging out punctuation/symbols/junk */
+     "/?s@?s",
+-    "/?X@?X",
+ 
+     /* attempt reverse engineering of password strings */
+ 
+@@ -454,6 +453,12 @@ GTry(rawtext, password)
+ 	    continue;
+ 	}
+ 
+	if (len - strlen(mp) >= 3)
+	{
+	    /* purged too much */
+	    continue;
+	}
+
+ #ifdef DEBUG
+ 	printf("%-16s = %-16s (destruct %s)\n", mp, rawtext, r_destructors[i]);
+ #endif
+@@ -480,6 +485,12 @@ GTry(rawtext, password)
+ 	    continue;
+ 	}
+ 
+	if (len - strlen(mp) >= 3)
+	{
+	    /* purged too much */
+	    continue;
+	}
+
+ #ifdef DEBUG
+ 	printf("%-16s = %-16s (construct %s)\n", mp, password, r_constructors[i]);
+ #endif
+@@ -699,6 +710,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+     char rpassword[STRINGSIZE];
+     char area[STRINGSIZE];
+     uint32_t notfound;
+    int len;
+ 
+     notfound = PW_WORDS(pwp);
+     /* already truncated if from FascistCheck() */
+@@ -748,6 +760,7 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	return _("it is all whitespace");
+     }
+ 
+    len = strlen(password);
+     i = 0;
+     ptr = password;
+     while (ptr[0] && ptr[1])
+@@ -759,10 +772,9 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	ptr++;
+     }
+ 
+-    /*  Change by Ben Karsin from ITS at University of Hawaii at Manoa.  Static MAXSTEP 
+-        would generate many false positives for long passwords. */
+-    maxrepeat = 3+(0.09*strlen(password));
+-    if (i > maxrepeat)
+    /*  We were still generating false positives for long passwords.
+        Just count systematic double as a single character. */
+    if (len - i < MINLEN)
+     {
+ 	return _("it is too simplistic/systematic");
+     }
+@@ -795,6 +807,12 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	    continue;
+ 	}
+ 
+	if (len - strlen(a) >= 3)
+	{
+	    /* purged too much */
+	    continue;
+	}
+
+ #ifdef DEBUG
+ 	printf("%-16s (dict)\n", a);
+ #endif
+@@ -815,6 +833,13 @@ FascistLookUser(PWDICT *pwp, char *instr
+ 	{
+ 	    continue;
+ 	}
+
+	if (len - strlen(a) >= 3)
+	{
+	    /* purged too much */
+	    continue;
+	}
+
+ #ifdef DEBUG
+ 	printf("%-16s (reversed dict)\n", a);
+ #endif
--- a/cracklib.spec
+++ b/cracklib.spec
@ -5,7 +5,7 @@
 Summary: A password-checking library
 Name: cracklib
 Version: 2.9.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: System Environment/Libraries
 Source0: http://prdownloads.sourceforge.net/cracklib/cracklib-%{version}.tar.gz

@ -57,6 +57,7 @@ Patch2: cracklib-2.9.0-python-gzdicts.patch
 Patch3: cracklib-2.9.0-packlib-lookup.patch
 Patch4: cracklib-2.9.0-packlib-reentrant.patch
 Patch5: cracklib-2.9.0-packlib-gztype.patch
+Patch6: cracklib-2.9.0-simplistic.patch
 URL: http://sourceforge.net/projects/cracklib/
 License: LGPLv2+
 Buildroot: %{_tmppath}/%{name}-%{version}-root
@ -130,6 +131,7 @@ install -p -m 644 %{SOURCE3} po/zh_CN.po
 %patch3 -p1 -b .lookup
 %patch4 -p1 -b .reentrant
 %patch5 -p1 -b .gztype
+%patch6 -p1 -b .simplistic

 autoreconf -f -i
 mkdir cracklib-dicts
@ -256,6 +258,10 @@ EOF
 %{_libdir}/../lib/python*/site-packages/*.py*

 %changelog
+* Tue Sep  3 2013 Tomáš Mráz <tmraz@redhat.com> - 2.9.0-5
+- make the simplistic check and the purging of special characters much
+  less aggressive (#1003624, #985378)
+
 * Wed Aug 28 2013 Tomáš Mráz <tmraz@redhat.com> - 2.9.0-4
 - revert compression of the dictionaries as the performance penalty is too big