Relevant BUGIDs:

Purpose of commit: new feature

Commit summary:
---------------

2008-10-10  Thorsten Kukuk  <kukuk@thkukuk.de>

        * configure.in: add modules/pam_pwhistory/Makefile.
        * doc/sag/Linux-PAM_SAG.xml: Include pam_pwhistory.xml.
        * doc/sag/pam_pwhistory.xml: New.
        * libpam/pam_static_modules.h: Add pam_pwhistory data.
        * modules/Makefile.am: Add pam_pwhistory directory.
        * modules/pam_pwhistory/Makefile.am: New.
        * modules/pam_pwhistory/README.xml: New.
        * modules/pam_pwhistory/opasswd.c: New.
        * modules/pam_pwhistory/opasswd.h: New.
        * modules/pam_pwhistory/pam_pwhistory.8.xml: New.
        * modules/pam_pwhistory/pam_pwhistory.c: New.
        * modules/pam_pwhistory/tst-pam_pwhistory: New.
        * xtests/Makefile.am: New.
        * xtests/run-xtests.sh: New.
        * xtests/tst-pam_pwhistory1.c: New.
        * xtests/tst-pam_pwhistory1.pamd: New.
        * xtests/tst-pam_pwhistory1.sh: New.
        * po/POTFILES.in: Add modules/pam_pwhistory/.
        * po/de.po: Update translations.

6 files changed, 191 insertions, 2 deletions

diff --git a/xtests/.cvsignore b/xtests/.cvsignore
index 530ce890..cc96e8c7 100644
--- a/xtests/.cvsignore
+++ b/xtests/.cvsignore
@@ -21,3 +21,4 @@ tst-pam_succeed_if1
 tst-pam_group1
 tst-pam_authfail
 tst-pam_authsucceed
+tst-pam_pwhistory1
diff --git a/xtests/Makefile.am b/xtests/Makefile.am
index 30a923aa..620c61d1 100644
--- a/xtests/Makefile.am
+++ b/xtests/Makefile.am
@@ -28,7 +28,8 @@ EXTRA_DIST = run-xtests.sh tst-pam_dispatch1.pamd tst-pam_dispatch2.pamd \
 	tst-pam_substack3.pamd tst-pam_substack3a.pamd tst-pam_substack3.sh \
 	tst-pam_substack4.pamd tst-pam_substack4a.pamd tst-pam_substack4.sh \
 	tst-pam_substack5.pamd tst-pam_substack5a.pamd tst-pam_substack5.sh \
-	tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh
+	tst-pam_assemble_line1.pamd tst-pam_assemble_line1.sh \
+	tst-pam_pwhistory1.pamd tst-pam_pwhistory1.sh
 
 XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
 	tst-pam_dispatch4 tst-pam_dispatch5 \
@@ -36,7 +37,8 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
 	tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 \
 	tst-pam_access1 tst-pam_access2 tst-pam_access3 \
 	tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
-	tst-pam_group1 tst-pam_authfail tst-pam_authsucceed
+	tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
+	tst-pam_pwhistory1
 
 NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
 	tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line1
diff --git a/xtests/run-xtests.sh b/xtests/run-xtests.sh
index 4e981858..b06685da 100755
--- a/xtests/run-xtests.sh
+++ b/xtests/run-xtests.sh
@@ -23,6 +23,8 @@ cp /etc/security/group.conf /etc/security/group.conf-pam-xtests
 install -m 644 "${SRCDIR}"/group.conf /etc/security/group.conf
 cp /etc/security/limits.conf /etc/security/limits.conf-pam-xtests
 install -m 644 "${SRCDIR}"/limits.conf /etc/security/limits.conf
+mv /etc/security/opasswd /etc/security/opasswd-pam-xtests
+
 for testname in $XTESTS ; do
 	  for cfg in "${SRCDIR}"/$testname*.pamd ; do
 	    install -m 644 $cfg /etc/pam.d/$(basename $cfg .pamd)
@@ -49,6 +51,7 @@ done
 mv /etc/security/access.conf-pam-xtests /etc/security/access.conf
 mv /etc/security/group.conf-pam-xtests /etc/security/group.conf
 mv /etc/security/limits.conf-pam-xtests /etc/security/limits.conf
+mv /etc/security/opasswd-pam-xtests /etc/security/opasswd
 if test "$failed" -ne 0; then
 	  echo "==================="
 	  echo "$failed of $all tests failed"
diff --git a/xtests/tst-pam_pwhistory1.c b/xtests/tst-pam_pwhistory1.c
new file mode 100644
index 00000000..5c3246fa
--- /dev/null
+++ b/xtests/tst-pam_pwhistory1.c
@@ -0,0 +1,169 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Check remember handling
+ * Change ten times the password
+ * Try the ten passwords again, should always be rejected
+ * Try a new password, should succeed
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <security/pam_appl.h>
+
+static int in_test;
+
+static const char *passwords[] =  {
+  "pamhistory01", "pamhistory02", "pamhistory03",
+  "pamhistory04", "pamhistory05", "pamhistory06",
+  "pamhistory07", "pamhistory08", "pamhistory09",
+  "pamhistory10",
+  "pamhistory01", "pamhistory02", "pamhistory03",
+  "pamhistory04", "pamhistory05", "pamhistory06",
+  "pamhistory07", "pamhistory08", "pamhistory09",
+  "pamhistory10",
+  "pamhistory11",
+  "pamhistory01", "pamhistory02", "pamhistory03",
+  "pamhistory04", "pamhistory05", "pamhistory06",
+  "pamhistory07", "pamhistory08", "pamhistory09",
+  "pamhistory10"};
+
+static int debug;
+
+/* A conversation function which uses an internally-stored value for
+   the responses. */
+static int
+fake_conv (int num_msg, const struct pam_message **msgm,
+	   struct pam_response **response, void *appdata_ptr UNUSED)
+{
+  struct pam_response *reply;
+  int count;
+
+  /* Sanity test. */
+  if (num_msg <= 0)
+    return PAM_CONV_ERR;
+
+  if (debug)
+    fprintf (stderr, "msg_style=%d, msg=%s\n", msgm[0]->msg_style,
+	     msgm[0]->msg);
+
+  if (msgm[0]->msg_style != 1)
+    return PAM_SUCCESS;
+
+  /* Allocate memory for the responses. */
+  reply = calloc (num_msg, sizeof (struct pam_response));
+  if (reply == NULL)
+    return PAM_CONV_ERR;
+
+  /* Each prompt elicits the same response. */
+  for (count = 0; count < num_msg; ++count)
+    {
+      reply[count].resp_retcode = 0;
+      reply[count].resp = strdup (passwords[in_test]);
+      if (debug)
+	fprintf (stderr, "send password %s\n", reply[count].resp);
+    }
+
+  /* Set the pointers in the response structure and return. */
+  *response = reply;
+  return PAM_SUCCESS;
+}
+
+static struct pam_conv conv = {
+    fake_conv,
+    NULL
+};
+
+
+int
+main(int argc, char *argv[])
+{
+  pam_handle_t *pamh=NULL;
+  const char *user="tstpampwhistory";
+  int retval;
+
+  if (argc > 1 && strcmp (argv[1], "-d") == 0)
+    debug = 1;
+
+  for (in_test = 0;
+       in_test < (int)(sizeof (passwords)/sizeof (char *)); in_test++)
+    {
+
+      retval = pam_start("tst-pam_pwhistory1", user, &conv, &pamh);
+      if (retval != PAM_SUCCESS)
+	{
+	  if (debug)
+	    fprintf (stderr, "pwhistory1-%d: pam_start returned %d\n",
+		     in_test, retval);
+	  return 1;
+	}
+
+      retval = pam_chauthtok (pamh, 0);
+      if (in_test < 10 || in_test == 20)
+	{
+	  if (retval != PAM_SUCCESS)
+	    {
+	      if (debug)
+		fprintf (stderr, "pwhistory1-%d: pam_chauthtok returned %d\n",
+			 in_test, retval);
+	      return 1;
+	    }
+	}
+      else if (in_test < 20)
+	{
+	  if (retval != PAM_MAXTRIES)
+	    {
+	      if (debug)
+		fprintf (stderr, "pwhistory1-%d: pam_chauthtok returned %d\n",
+			 in_test, retval);
+	      return 1;
+	    }
+	}
+
+      retval = pam_end (pamh,retval);
+      if (retval != PAM_SUCCESS)
+	{
+	  if (debug)
+	    fprintf (stderr, "pwhistory1: pam_end returned %d\n", retval);
+	  return 1;
+	}
+    }
+
+  return 0;
+}
diff --git a/xtests/tst-pam_pwhistory1.pamd b/xtests/tst-pam_pwhistory1.pamd
new file mode 100644
index 00000000..b03098fa
--- /dev/null
+++ b/xtests/tst-pam_pwhistory1.pamd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth     required       pam_permit.so
+account  required       pam_permit.so
+password required	pam_pwhistory.so remember=10 retry=1 debug
+password required	pam_unix.so	use_authtok md5
+session  required       pam_permit.so
+
diff --git a/xtests/tst-pam_pwhistory1.sh b/xtests/tst-pam_pwhistory1.sh
new file mode 100644
index 00000000..ddb3b8b1
--- /dev/null
+++ b/xtests/tst-pam_pwhistory1.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+/usr/sbin/useradd tstpampwhistory
+./tst-pam_pwhistory1
+RET=$?
+/usr/sbin/userdel -r tstpampwhistory 2> /dev/null
+exit $RET