pwquality: fix quality_check_password return value

quality_check_password() used to return the same value 0 in two different cases: when pwq_allocate_context() failed with a ERRNO_IS_NOT_SUPPORTED() code, and when pwquality_check() rejected the password. As result, users of quality_check_password() used to report password weakness also in case when the underlying library was not available. Fix this by changing quality_check_password() to forward the ERRNO_IS_NOT_SUPPORTED() code to its callers, and change the callers to handle this case gracefully.
2025-03-09 12:58:26 +03:00 · 2023-07-05 08:00:00 +00:00 · 2023-07-05 08:00:00 +00:00 · 7fc3f9c032
commit 7fc3f9c032
parent 29dd2e253c
3 changed files with 15 additions and 8 deletions
--- a/src/cryptenroll/cryptenroll-password.c
+++ b/src/cryptenroll/cryptenroll-password.c
@ -3,6 +3,7 @@
 #include "ask-password-api.h"
 #include "cryptenroll-password.h"
 #include "env-util.h"
+#include "errno-util.h"
 #include "escape.h"
 #include "memory-util.h"
 #include "pwquality-util.h"
@ -156,8 +157,12 @@ int enroll_password(
        }

        r = quality_check_password(new_password, NULL, &error);
-        if (r < 0)
-                return log_error_errno(r, "Failed to check password for quality: %m");
+        if (r < 0) {
+                if (ERRNO_IS_NOT_SUPPORTED(r))
+                        log_warning("Password quality check is not supported, proceeding anyway.");
+                else
+                        return log_error_errno(r, "Failed to check password quality: %m");
+        }
        if (r == 0)
                log_warning("Specified password does not pass quality checks (%s), proceeding anyway.", error);

--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@ -19,6 +19,7 @@
 #include "creds-util.h"
 #include "dissect-image.h"
 #include "env-file.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
@ -790,8 +791,12 @@ static int prompt_root_password(int rfd) {
                }

                r = quality_check_password(*a, "root", &error);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to check quality of password: %m");
+                if (r < 0) {
+                        if (ERRNO_IS_NOT_SUPPORTED(r))
+                                log_warning("Password quality check is not supported, proceeding anyway.");
+                        else
+                                return log_error_errno(r, "Failed to check password quality: %m");
+                }
                if (r == 0)
                        log_warning("Password is weak, accepting anyway: %s", error);

--- a/src/shared/pwquality-util.c
+++ b/src/shared/pwquality-util.c
@ -141,11 +141,8 @@ int quality_check_password(const char *password, const char *username, char **re
        assert(password);

        r = pwq_allocate_context(&pwq);
-        if (r < 0) {
-                if (ERRNO_IS_NOT_SUPPORTED(r))
-                        return 0;
+        if (r < 0)
                return log_debug_errno(r, "Failed to allocate libpwquality context: %m");
-        }

        r = sym_pwquality_check(pwq, password, NULL, username, &auxerror);
        if (r < 0) {