2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
39 #ifdef HAVE_SYS_WAIT_H
47 min_length_passwd_quality (krb5_context context
,
48 krb5_principal principal
,
54 uint32_t min_length
= krb5_config_get_int_default(context
, NULL
, 6,
59 if (pwd
->length
< min_length
) {
60 strlcpy(message
, "Password too short", length
);
67 min_length_passwd_quality_v0 (krb5_context context
,
68 krb5_principal principal
,
71 static char message
[1024];
76 ret
= min_length_passwd_quality(context
, principal
, pwd
, NULL
,
77 message
, sizeof(message
));
85 char_class_passwd_quality (krb5_context context
,
86 krb5_principal principal
,
92 const char *classes
[] = {
93 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
94 "abcdefghijklmnopqrstuvwxyz",
96 "!@#$%^&*()/?<>,.{[]}\\|'~`\" "
98 int i
, counter
= 0, req_classes
;
102 req_classes
= krb5_config_get_int_default(context
, NULL
, 3,
107 len
= pwd
->length
+ 1;
110 strlcpy(message
, "out of memory", length
);
113 strlcpy(pw
, pwd
->data
, len
);
116 for (i
= 0; i
< sizeof(classes
)/sizeof(classes
[0]); i
++) {
117 if (strcspn(pw
, classes
[i
]) < len
)
120 memset(pw
, 0, pwd
->length
+ 1);
122 if (counter
< req_classes
) {
123 snprintf(message
, length
,
124 "Password doesn't meet complexity requirement.\n"
125 "Add more characters from the following classes:\n"
126 "1. English uppercase characters (A through Z)\n"
127 "2. English lowercase characters (a through z)\n"
128 "3. Base 10 digits (0 through 9)\n"
129 "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
136 external_passwd_quality (krb5_context context
,
137 krb5_principal principal
,
149 FILE *in
= NULL
, *out
= NULL
, *error
= NULL
;
151 if (memchr(pwd
->data
, pwd
->length
, '\n') != NULL
) {
152 snprintf(message
, length
, "password contains newline, "
153 "not valid for external test");
157 program
= krb5_config_get_string(context
, NULL
,
161 if (program
== NULL
) {
162 snprintf(message
, length
, "external password quality "
163 "program not configured");
167 ret
= krb5_unparse_name(context
, principal
, &p
);
169 strlcpy(message
, "out of memory", length
);
173 child
= pipe_execv(&in
, &out
, &error
, program
, p
, NULL
);
175 snprintf(message
, length
, "external password quality "
176 "program failed to execute for principal %s", p
);
181 fprintf(in
, "principal: %s\n"
182 "new-password: %.*s\n"
184 p
, (int)pwd
->length
, (char *)pwd
->data
);
188 if (fgets(reply
, sizeof(reply
), out
) == NULL
) {
190 if (fgets(reply
, sizeof(reply
), error
) == NULL
) {
191 snprintf(message
, length
, "external password quality "
192 "program failed without error");
195 reply
[strcspn(reply
, "\n")] = '\0';
196 snprintf(message
, length
, "External password quality "
197 "program failed: %s", reply
);
202 waitpid(child
, &status
, 0);
205 reply
[strcspn(reply
, "\n")] = '\0';
210 if (waitpid(child
, &status
, 0) < 0) {
211 snprintf(message
, length
, "external program failed: %s", reply
);
215 if (!WIFEXITED(status
) || WEXITSTATUS(status
) != 0) {
216 snprintf(message
, length
, "external program failed: %s", reply
);
221 if (strcmp(reply
, "APPROVED") != 0) {
222 snprintf(message
, length
, "%s", reply
);
233 static kadm5_passwd_quality_check_func_v0 passwd_quality_check
=
234 min_length_passwd_quality_v0
;
236 struct kadm5_pw_policy_check_func builtin_funcs
[] = {
237 { "minimum-length", min_length_passwd_quality
},
238 { "character-class", char_class_passwd_quality
},
239 { "external-check", external_passwd_quality
},
242 struct kadm5_pw_policy_verifier builtin_verifier
= {
244 KADM5_PASSWD_VERSION_V1
,
249 static struct kadm5_pw_policy_verifier
**verifiers
;
250 static int num_verifiers
;
253 * setup the password quality hook
261 kadm5_setup_passwd_quality_check(krb5_context context
,
262 const char *check_library
,
263 const char *check_function
)
271 if(check_library
== NULL
) {
272 tmp
= krb5_config_get_string(context
, NULL
,
279 if(check_function
== NULL
) {
280 tmp
= krb5_config_get_string(context
, NULL
,
285 check_function
= tmp
;
287 if(check_library
!= NULL
&& check_function
== NULL
)
288 check_function
= "passwd_check";
290 if(check_library
== NULL
)
292 handle
= dlopen(check_library
, RTLD_NOW
);
294 krb5_warnx(context
, "failed to open `%s'", check_library
);
297 version
= dlsym(handle
, "version");
298 if(version
== NULL
) {
300 "didn't find `version' symbol in `%s'", check_library
);
304 if(*version
!= KADM5_PASSWD_VERSION_V0
) {
306 "version of loaded library is %d (expected %d)",
307 *version
, KADM5_PASSWD_VERSION_V0
);
311 sym
= dlsym(handle
, check_function
);
314 "didn't find `%s' symbol in `%s'",
315 check_function
, check_library
);
319 passwd_quality_check
= (kadm5_passwd_quality_check_func_v0
) sym
;
320 #endif /* HAVE_DLOPEN */
325 static krb5_error_code
326 add_verifier(krb5_context context
, const char *check_library
)
328 struct kadm5_pw_policy_verifier
*v
, **tmp
;
332 handle
= dlopen(check_library
, RTLD_NOW
);
334 krb5_warnx(context
, "failed to open `%s'", check_library
);
337 v
= dlsym(handle
, "kadm5_password_verifier");
340 "didn't find `kadm5_password_verifier' symbol "
341 "in `%s'", check_library
);
345 if(v
->version
!= KADM5_PASSWD_VERSION_V1
) {
347 "version of loaded library is %d (expected %d)",
348 v
->version
, KADM5_PASSWD_VERSION_V1
);
352 for (i
= 0; i
< num_verifiers
; i
++) {
353 if (strcmp(v
->name
, verifiers
[i
]->name
) == 0)
356 if (i
< num_verifiers
) {
357 krb5_warnx(context
, "password verifier library `%s' is already loaded",
363 tmp
= realloc(verifiers
, (num_verifiers
+ 1) * sizeof(*verifiers
));
365 krb5_warnx(context
, "out of memory");
370 verifiers
[num_verifiers
] = v
;
379 kadm5_add_passwd_quality_verifier(krb5_context context
,
380 const char *check_library
)
384 if(check_library
== NULL
) {
388 tmp
= krb5_config_get_strings(context
, NULL
,
396 ret
= add_verifier(context
, *tmp
);
402 return add_verifier(context
, check_library
);
405 #endif /* HAVE_DLOPEN */
412 static const struct kadm5_pw_policy_check_func
*
413 find_func(krb5_context context
, const char *name
)
415 const struct kadm5_pw_policy_check_func
*f
;
417 const char *p
, *func
;
420 p
= strchr(name
, ':');
422 size_t len
= p
- name
+ 1;
424 module
= malloc(len
);
427 strlcpy(module
, name
, len
);
431 /* Find module in loaded modules first */
432 for (i
= 0; i
< num_verifiers
; i
++) {
433 if (module
&& strcmp(module
, verifiers
[i
]->name
) != 0)
435 for (f
= verifiers
[i
]->funcs
; f
->name
; f
++)
436 if (strcmp(name
, f
->name
) == 0) {
442 /* Lets try try the builtin modules */
443 if (module
== NULL
|| strcmp(module
, "builtin") == 0) {
444 for (f
= builtin_verifier
.funcs
; f
->name
; f
++)
445 if (strcmp(func
, f
->name
) == 0) {
457 kadm5_check_password_quality (krb5_context context
,
458 krb5_principal principal
,
461 const struct kadm5_pw_policy_check_func
*proc
;
462 static char error_msg
[1024];
468 * Check if we should use the old version of policy function.
471 v
= krb5_config_get_strings(context
, NULL
,
476 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
477 krb5_set_error_message(context
, 0, "password policy failed: %s", msg
);
484 for(vp
= v
; *vp
; vp
++) {
485 proc
= find_func(context
, *vp
);
487 msg
= "failed to find password verifier function";
488 krb5_set_error_message(context
, 0, "Failed to find password policy "
489 "function: %s", *vp
);
492 ret
= (proc
->func
)(context
, principal
, pwd_data
, NULL
,
493 error_msg
, sizeof(error_msg
));
495 krb5_set_error_message(context
, 0, "Password policy "
497 proc
->name
, error_msg
);
502 krb5_config_free_strings(v
);
504 /* If the default quality check isn't used, lets check that the
505 * old quality function the user have set too */
506 if (msg
== NULL
&& passwd_quality_check
!= min_length_passwd_quality_v0
) {
507 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
509 krb5_set_error_message(context
, 0, "(old) password policy "
510 "failed with %s", msg
);