search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
afslog.1: Remove documentation for removed no-v4 argument.
[heimdal.git] / lib / kadm5 / password_quality.c
blobae3a6affeb739840a4277c6c631e140ab63d6d49
1 /*
2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
36
37 #ifdef HAVE_SYS_WAIT_H
38 #include <sys/wait.h>
39 #endif
40 #ifdef HAVE_DLFCN_H
41 #include <dlfcn.h>
42 #endif
43
44 static int
45 min_length_passwd_quality (krb5_context context,
46 krb5_principal principal,
47 krb5_data *pwd,
48 const char *opaque,
49 char *message,
50 size_t length)
51 {
52 uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
53 "password_quality",
54 "min_length",
55 NULL);
56
57 if (pwd->length < min_length) {
58 strlcpy(message, "Password too short", length);
59 return 1;
60 } else
61 return 0;
62 }
63
64 static const char *
65 min_length_passwd_quality_v0 (krb5_context context,
66 krb5_principal principal,
67 krb5_data *pwd)
68 {
69 static char message[1024];
70 int ret;
71
72 message[0] = '\0';
73
74 ret = min_length_passwd_quality(context, principal, pwd, NULL,
75 message, sizeof(message));
76 if (ret)
77 return message;
78 return NULL;
79 }
80
81
82 static int
83 char_class_passwd_quality (krb5_context context,
84 krb5_principal principal,
85 krb5_data *pwd,
86 const char *opaque,
87 char *message,
88 size_t length)
89 {
90 const char *classes[] = {
91 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
92 "abcdefghijklmnopqrstuvwxyz",
93 "1234567890",
94 " !\"#$%&'()*+,-./:;<=>?@\\]^_`{|}~"
95 };
96 int counter = 0, req_classes;
97 size_t i, len;
98 char *pw;
99
100 req_classes = krb5_config_get_int_default(context, NULL, 3,
101 "password_quality",
102 "min_classes",
103 NULL);
104
105 len = pwd->length + 1;
106 pw = malloc(len);
107 if (pw == NULL) {
108 strlcpy(message, "out of memory", length);
109 return 1;
110 }
111 strlcpy(pw, pwd->data, len);
112 len = strlen(pw);
113
114 for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
115 if (strcspn(pw, classes[i]) < len)
116 counter++;
117 }
118 memset(pw, 0, pwd->length + 1);
119 free(pw);
120 if (counter < req_classes) {
121 snprintf(message, length,
122 "Password doesn't meet complexity requirement.\n"
123 "Add more characters from at least %d of the\n"
124 "following classes:\n"
125 "1. English uppercase characters (A through Z)\n"
126 "2. English lowercase characters (a through z)\n"
127 "3. Base 10 digits (0 through 9)\n"
128 "4. Nonalphanumeric characters (e.g., !, $, #, %%)", req_classes);
129 return 1;
130 }
131 return 0;
132 }
133
134 static int
135 external_passwd_quality (krb5_context context,
136 krb5_principal principal,
137 krb5_data *pwd,
138 const char *opaque,
139 char *message,
140 size_t length)
141 {
142 krb5_error_code ret;
143 const char *program;
144 char *p;
145 pid_t child;
146 int status;
147 char reply[1024];
148 FILE *in = NULL, *out = NULL, *error = NULL;
149
150 if (memchr(pwd->data, '\n', pwd->length) != NULL) {
151 snprintf(message, length, "password contains newline, "
152 "not valid for external test");
153 return 1;
154 }
155
156 program = krb5_config_get_string(context, NULL,
157 "password_quality",
158 "external_program",
159 NULL);
160 if (program == NULL) {
161 snprintf(message, length, "external password quality "
162 "program not configured");
163 return 1;
164 }
165
166 ret = krb5_unparse_name(context, principal, &p);
167 if (ret) {
168 strlcpy(message, "out of memory", length);
169 return 1;
170 }
171
172 child = pipe_execv(&in, &out, &error, program, program, p, NULL);
173 if (child < 0) {
174 snprintf(message, length, "external password quality "
175 "program failed to execute for principal %s", p);
176 free(p);
177 return 1;
178 }
179
180 fprintf(in, "principal: %s\n"
181 "new-password: %.*s\n"
182 "end\n",
183 p, (int)pwd->length, (char *)pwd->data);
184
185 fclose(in);
186
187 if (fgets(reply, sizeof(reply), out) == NULL) {
188
189 if (fgets(reply, sizeof(reply), error) == NULL) {
190 snprintf(message, length, "external password quality "
191 "program failed without error");
192
193 } else {
194 reply[strcspn(reply, "\n")] = '\0';
195 snprintf(message, length, "External password quality "
196 "program failed: %s", reply);
197 }
198
199 fclose(out);
200 fclose(error);
201 wait_for_process(child);
202 return 1;
203 }
204 reply[strcspn(reply, "\n")] = '\0';
205
206 fclose(out);
207 fclose(error);
208
209 status = wait_for_process(child);
210
211 if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) {
212 snprintf(message, length, "external program failed: %s", reply);
213 free(p);
214 return 1;
215 }
216
217 if (strcmp(reply, "APPROVED") != 0) {
218 snprintf(message, length, "%s", reply);
219 free(p);
220 return 1;
221 }
222
223 free(p);
224
225 return 0;
226 }
227
228
229 static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
230 min_length_passwd_quality_v0;
231
232 struct kadm5_pw_policy_check_func builtin_funcs[] = {
233 { "minimum-length", min_length_passwd_quality },
234 { "character-class", char_class_passwd_quality },
235 { "external-check", external_passwd_quality },
236 { NULL, NULL }
237 };
238 struct kadm5_pw_policy_verifier builtin_verifier = {
239 "builtin",
240 KADM5_PASSWD_VERSION_V1,
241 "Heimdal builtin",
242 builtin_funcs
243 };
244
245 static struct kadm5_pw_policy_verifier **verifiers;
246 static int num_verifiers;
247
248 /*
249 * setup the password quality hook
250 */
251
252 #ifndef RTLD_NOW
253 #define RTLD_NOW 0
254 #endif
255
256 void
257 kadm5_setup_passwd_quality_check(krb5_context context,
258 const char *check_library,
259 const char *check_function)
260 {
261 #ifdef HAVE_DLOPEN
262 void *handle;
263 void *sym;
264 int *version;
265 const char *tmp;
266
267 if(check_library == NULL) {
268 tmp = krb5_config_get_string(context, NULL,
269 "password_quality",
270 "check_library",
271 NULL);
272 if(tmp != NULL)
273 check_library = tmp;
274 }
275 if(check_function == NULL) {
276 tmp = krb5_config_get_string(context, NULL,
277 "password_quality",
278 "check_function",
279 NULL);
280 if(tmp != NULL)
281 check_function = tmp;
282 }
283 if(check_library != NULL && check_function == NULL)
284 check_function = "passwd_check";
285
286 if(check_library == NULL)
287 return;
288 handle = dlopen(check_library, RTLD_NOW);
289 if(handle == NULL) {
290 krb5_warnx(context, "failed to open `%s'", check_library);
291 return;
292 }
293 version = (int *) dlsym(handle, "version");
294 if(version == NULL) {
295 krb5_warnx(context,
296 "didn't find `version' symbol in `%s'", check_library);
297 dlclose(handle);
298 return;
299 }
300 if(*version != KADM5_PASSWD_VERSION_V0) {
301 krb5_warnx(context,
302 "version of loaded library is %d (expected %d)",
303 *version, KADM5_PASSWD_VERSION_V0);
304 dlclose(handle);
305 return;
306 }
307 sym = dlsym(handle, check_function);
308 if(sym == NULL) {
309 krb5_warnx(context,
310 "didn't find `%s' symbol in `%s'",
311 check_function, check_library);
312 dlclose(handle);
313 return;
314 }
315 passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
316 #endif /* HAVE_DLOPEN */
317 }
318
319 #ifdef HAVE_DLOPEN
320
321 static krb5_error_code
322 add_verifier(krb5_context context, const char *check_library)
323 {
324 struct kadm5_pw_policy_verifier *v, **tmp;
325 void *handle;
326 int i;
327
328 handle = dlopen(check_library, RTLD_NOW);
329 if(handle == NULL) {
330 krb5_warnx(context, "failed to open `%s'", check_library);
331 return ENOENT;
332 }
333 v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier");
334 if(v == NULL) {
335 krb5_warnx(context,
336 "didn't find `kadm5_password_verifier' symbol "
337 "in `%s'", check_library);
338 dlclose(handle);
339 return ENOENT;
340 }
341 if(v->version != KADM5_PASSWD_VERSION_V1) {
342 krb5_warnx(context,
343 "version of loaded library is %d (expected %d)",
344 v->version, KADM5_PASSWD_VERSION_V1);
345 dlclose(handle);
346 return EINVAL;
347 }
348 for (i = 0; i < num_verifiers; i++) {
349 if (strcmp(v->name, verifiers[i]->name) == 0)
350 break;
351 }
352 if (i < num_verifiers) {
353 krb5_warnx(context, "password verifier library `%s' is already loaded",
354 v->name);
355 dlclose(handle);
356 return 0;
357 }
358
359 tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
360 if (tmp == NULL) {
361 krb5_warnx(context, "out of memory");
362 dlclose(handle);
363 return 0;
364 }
365 verifiers = tmp;
366 verifiers[num_verifiers] = v;
367 num_verifiers++;
368
369 return 0;
370 }
371
372 #endif
373
374 krb5_error_code
375 kadm5_add_passwd_quality_verifier(krb5_context context,
376 const char *check_library)
377 {
378 #ifdef HAVE_DLOPEN
379
380 if(check_library == NULL) {
381 krb5_error_code ret;
382 char **tmp;
383
384 tmp = krb5_config_get_strings(context, NULL,
385 "password_quality",
386 "policy_libraries",
387 NULL);
388 if(tmp == NULL || *tmp == NULL)
389 return 0;
390
391 while (*tmp) {
392 ret = add_verifier(context, *tmp);
393 if (ret)
394 return ret;
395 tmp++;
396 }
397 return 0;
398 } else {
399 return add_verifier(context, check_library);
400 }
401 #else
402 return 0;
403 #endif /* HAVE_DLOPEN */
404 }
405
406 /*
407 *
408 */
409
410 static const struct kadm5_pw_policy_check_func *
411 find_func(krb5_context context, const char *name)
412 {
413 const struct kadm5_pw_policy_check_func *f;
414 char *module = NULL;
415 const char *p, *func;
416 int i;
417
418 p = strchr(name, ':');
419 if (p) {
420 size_t len = p - name + 1;
421 func = p + 1;
422 module = malloc(len);
423 if (module == NULL)
424 return NULL;
425 strlcpy(module, name, len);
426 } else
427 func = name;
428
429 /* Find module in loaded modules first */
430 for (i = 0; i < num_verifiers; i++) {
431 if (module && strcmp(module, verifiers[i]->name) != 0)
432 continue;
433 for (f = verifiers[i]->funcs; f->name ; f++)
434 if (strcmp(func, f->name) == 0) {
435 if (module)
436 free(module);
437 return f;
438 }
439 }
440 /* Lets try try the builtin modules */
441 if (module == NULL || strcmp(module, "builtin") == 0) {
442 for (f = builtin_verifier.funcs; f->name ; f++)
443 if (strcmp(func, f->name) == 0) {
444 if (module)
445 free(module);
446 return f;
447 }
448 }
449 if (module)
450 free(module);
451 return NULL;
452 }
453
454 const char *
455 kadm5_check_password_quality (krb5_context context,
456 krb5_principal principal,
457 krb5_data *pwd_data)
458 {
459 const struct kadm5_pw_policy_check_func *proc;
460 static char error_msg[1024];
461 const char *msg;
462 char **v, **vp;
463 int ret;
464
465 /*
466 * Check if we should use the old version of policy function.
467 */
468
469 v = krb5_config_get_strings(context, NULL,
470 "password_quality",
471 "policies",
472 NULL);
473 if (v == NULL) {
474 msg = (*passwd_quality_check) (context, principal, pwd_data);
475 if (msg)
476 krb5_set_error_message(context, 0, "password policy failed: %s", msg);
477 return msg;
478 }
479
480 error_msg[0] = '\0';
481
482 msg = NULL;
483 for(vp = v; *vp; vp++) {
484 proc = find_func(context, *vp);
485 if (proc == NULL) {
486 msg = "failed to find password verifier function";
487 krb5_set_error_message(context, 0, "Failed to find password policy "
488 "function: %s", *vp);
489 break;
490 }
491 ret = (proc->func)(context, principal, pwd_data, NULL,
492 error_msg, sizeof(error_msg));
493 if (ret) {
494 krb5_set_error_message(context, 0, "Password policy "
495 "%s failed with %s",
496 proc->name, error_msg);
497 msg = error_msg;
498 break;
499 }
500 }
501 krb5_config_free_strings(v);
502
503 /* If the default quality check isn't used, lets check that the
504 * old quality function the user have set too */
505 if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
506 msg = (*passwd_quality_check) (context, principal, pwd_data);
507 if (msg)
508 krb5_set_error_message(context, 0, "(old) password policy "
509 "failed with %s", msg);
510
511 }
512 return msg;
513 }
Heimdal