pam_passwdqc: new recipe

pam_passwdqc is a simple password strength checking module for
PAM-aware password changing programs, such as passwd(1).

It is capable of checking password or passphrase strength,enforcing
a policy, and offering randomly-generated passphrases,with all of
these features being optional and easily (re-)configurable.

Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>

meta-oe/recipes-support/pam-passwdqc/files/1000patch-219201.patch

@@ -0,0 +1,156 @@
+diff -urNp pam_passwdqc-1.0.5-orig/pam_passwdqc.c pam_passwdqc-1.0.5/pam_passwdqc.c
+--- pam_passwdqc-1.0.5-orig/pam_passwdqc.c	2008-02-12 15:11:13.000000000 -0500
++++ pam_passwdqc-1.0.5/pam_passwdqc.c	2009-09-28 12:10:32.171696694 -0400
+@@ -70,6 +70,8 @@ typedef struct {
+ 	passwdqc_params_t qc;
+ 	int flags;
+ 	int retry;
++	char oldpass_prompt_file[FILE_LEN+1];
++	char newpass_prompt_file[FILE_LEN+1];
+ } params_t;
+ 
+ static params_t defaults = {
+@@ -79,10 +81,13 @@ static params_t defaults = {
+ 		3,				/* passphrase_words */
+ 		4,				/* match_length */
+ 		1,				/* similar_deny */
+-		42				/* random_bits */
++		42,				/* random_bits */
++		1				/* firstupper_lastdigit_check */
+ 	},
+ 	F_ENFORCE_EVERYONE,			/* flags */
+-	3					/* retry */
++	3,					/* retry */
++	"",					/* oldpass_prompt_file */
++	""					/* newpass_prompt_file */
+ };
+ 
+ #define PROMPT_OLDPASS \
+@@ -361,6 +366,37 @@ static int parse(params_t *params, pam_h
+ 		if (!strcmp(*argv, "use_authtok")) {
+ 			params->flags |= F_USE_AUTHTOK;
+ 		} else
++		if (!strcmp(*argv, "disable_firstupper_lastdigit_check")) {
++			params->qc.firstupper_lastdigit_check = 0;
++		} else
++		if (!strncmp(*argv, "oldpass_prompt_file=", 20)) {
++			int n;
++			FILE *fp = fopen(*argv + 20, "r");
++			if (fp) {
++				n=fread(params->oldpass_prompt_file, sizeof(char), FILE_LEN, fp);
++				if (0==n || ferror(fp)!=0 ) {
++					memset(params->oldpass_prompt_file, '\0', FILE_LEN+1);
++				}
++				else {
++					feof(fp)? (params->oldpass_prompt_file[n-1]='\0'): (params->oldpass_prompt_file[n]='\0');
++				}
++				fclose(fp);
++			}
++		} else
++		if (!strncmp(*argv, "newpass_prompt_file=", 20)) {
++			int n;
++			FILE *fp = fopen(*argv + 20, "r");
++			if (fp) {
++				n=fread(params->newpass_prompt_file, sizeof(char), FILE_LEN, fp);
++				if (0==n || ferror(fp)!=0 ) {
++					memset(params->newpass_prompt_file, '\0', FILE_LEN+1);
++				}
++				else {
++                                        feof(fp)? (params->newpass_prompt_file[n-1]='\0'): (params->newpass_prompt_file[n]='\0');
++				}
++				fclose(fp);
++			}
++		} else
+ 			break;
+ 		argc--; argv++;
+ 	}
+@@ -406,7 +442,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand
+ 
+ 	if (ask_oldauthtok && !am_root(pamh)) {
+ 		status = converse(pamh, PAM_PROMPT_ECHO_OFF,
+-		    PROMPT_OLDPASS, &resp);
++		    strlen(params.oldpass_prompt_file) ? params.oldpass_prompt_file : PROMPT_OLDPASS, &resp);
+ 
+ 		if (status == PAM_SUCCESS) {
+ 			if (resp && resp->resp) {
+@@ -540,8 +576,7 @@ retry:
+ 		    MESSAGE_RANDOMFAILED : MESSAGE_MISCONFIGURED);
+ 		return PAM_AUTHTOK_ERR;
+ 	}
+-
+-	status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
++	status = converse(pamh, PAM_PROMPT_ECHO_OFF, strlen(params.newpass_prompt_file) ? params.newpass_prompt_file : PROMPT_NEWPASS1, &resp);
+ 	if (status == PAM_SUCCESS && (!resp || !resp->resp))
+ 		status = PAM_AUTHTOK_ERR;
+ 
+diff -urNp pam_passwdqc-1.0.5-orig/passwdqc_check.c pam_passwdqc-1.0.5/passwdqc_check.c
+--- pam_passwdqc-1.0.5-orig/passwdqc_check.c	2008-02-12 14:31:52.000000000 -0500
++++ pam_passwdqc-1.0.5/passwdqc_check.c	2009-09-25 22:45:16.080842425 -0400
+@@ -90,10 +90,12 @@ static int is_simple(passwdqc_params_t *
+ 
+ /* Upper case characters and digits used in common ways don't increase the
+  * strength of a password */
+-	c = (unsigned char)newpass[0];
+-	if (uppers && isascii(c) && isupper(c)) uppers--;
+-	c = (unsigned char)newpass[length - 1];
+-	if (digits && isascii(c) && isdigit(c)) digits--;
++	if (params->firstupper_lastdigit_check) {
++		c = (unsigned char)newpass[0];
++		if (uppers && isascii(c) && isupper(c)) uppers--;
++		c = (unsigned char)newpass[length - 1];
++		if (digits && isascii(c) && isdigit(c)) digits--;
++	}
+ 
+ /* Count the number of different character classes we've seen.  We assume
+  * that there are no non-ASCII characters for digits. */
+diff -urNp pam_passwdqc-1.0.5-orig/passwdqc.h pam_passwdqc-1.0.5/passwdqc.h
+--- pam_passwdqc-1.0.5-orig/passwdqc.h	2008-02-12 14:30:00.000000000 -0500
++++ pam_passwdqc-1.0.5/passwdqc.h	2009-09-25 14:08:56.214695858 -0400
+@@ -7,12 +7,15 @@
+ 
+ #include <pwd.h>
+ 
++#define FILE_LEN		4096	/* Max file len = 4096 */
++
+ typedef struct {
+ 	int min[5], max;
+ 	int passphrase_words;
+ 	int match_length;
+ 	int similar_deny;
+ 	int random_bits;
++	int firstupper_lastdigit_check;
+ } passwdqc_params_t;
+ 
+ extern char _passwdqc_wordset_4k[0x1000][6];
+diff -urNp pam_passwdqc-1.0.5-orig/README pam_passwdqc-1.0.5/README
+--- pam_passwdqc-1.0.5-orig/README	2008-02-12 14:43:33.000000000 -0500
++++ pam_passwdqc-1.0.5/README	2009-09-28 12:12:40.251016423 -0400
+@@ -41,9 +41,12 @@ words (see the "passphrase" option below
+ N3 and N4 are used for passwords consisting of characters from three
+ and four character classes, respectively.
+ 
++	disable_firstupper_lastdigit_check	[]
++
+ When calculating the number of character classes, upper-case letters
+ used as the first character and digits used as the last character of a
+-password are not counted.
++password are not counted. To disable this, you can specify 
++"disable_firstupper_lastdigit_check".
+ 
+ In addition to being sufficiently long, passwords are required to
+ contain enough different characters for the character classes and
+@@ -142,6 +145,14 @@ This disables user interaction within pa
+ the only difference between "use_first_pass" and "use_authtok" is that
+ the former is incompatible with "ask_oldauthtok".
+ 
++	oldpass_prompt_file=absolute-file-path	[]
++	newpass_prompt_file=abosulte-file-path	[]
++
++The options "oldpass_prompt_file" and "newpass_prompt_file" can be used
++to override prompts while requesting old password and new password, 
++respectively. The maximum size of the prompt files can be 4096 
++characters at present. If the file size is more than 4096 characters, the
++output will be truncated to 4096 characters.
+ -- 
+ Solar Designer <solar at openwall.com>
+ 

meta-oe/recipes-support/pam-passwdqc/files/7000Makefile-fix-CC.patch

@@ -0,0 +1,11 @@
+--- pam_passwdqc-1.0.5/Makefile.orig	2012-10-02 20:53:55.443592886 +0900
++++ pam_passwdqc-1.0.5/Makefile	2012-10-02 20:54:19.076108001 +0900
+@@ -2,7 +2,7 @@
+ # Copyright (c) 2000-2003,2005 by Solar Designer.  See LICENSE.
+ #
+ 
+-CC = gcc
++#CC = gcc
+ LD = $(CC)
+ RM = rm -f
+ MKDIR = mkdir -p

meta-oe/recipes-support/pam-passwdqc/pam-passwdqc_1.0.5.bb

@@ -0,0 +1,34 @@
+SUMMARY = "Pluggable password quality-control module."
+DESCRIPTION = "pam_passwdqc is a simple password strength checking module for \
+PAM-aware password changing programs, such as passwd(1). In addition \
+to checking regular passwords, it offers support for passphrases and \
+can provide randomly generated passwords. All features are optional \
+and can be (re-)configured without rebuilding."
+
+HOMEPAGE = "http://www.openwall.com/passwdqc/"
+SECTION = "System Environment/Base"
+
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e284d013ef08e66d4737f446c5890550"
+
+SRC_URI = "http://www.openwall.com/pam/modules/pam_passwdqc/pam_passwdqc-1.0.5.tar.gz \
+           file://1000patch-219201.patch \
+           file://7000Makefile-fix-CC.patch \
+          "
+SRC_URI[md5sum] = "cd9c014f736158b1a60384a8e2bdc28a"
+SRC_URI[sha256sum] = "32528ddf7d8219c788b6e7702361611ff16c6340b6dc0f418ff164aadc4a4a88"
+
+
+S = "${WORKDIR}/pam_passwdqc-${PV}"
+
+DEPENDS = "libpam"
+
+EXTRA_OEMAKE = "CFLAGS="${CFLAGS} -Wall -fPIC -DHAVE_SHADOW""
+
+do_install() {
+	oe_runmake install DESTDIR=${D}
+}
+
+FILES_${PN} += "/lib/security/pam_passwdqc.so"
+FILES_${PN}-dbg += "/lib/security/.debug"
+