2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
37 #ifdef HAVE_SYS_WAIT_H
45 min_length_passwd_quality (krb5_context context
,
46 krb5_principal principal
,
52 uint32_t min_length
= krb5_config_get_int_default(context
, NULL
, 6,
57 if (pwd
->length
< min_length
) {
58 strlcpy(message
, "Password too short", length
);
65 min_length_passwd_quality_v0 (krb5_context context
,
66 krb5_principal principal
,
69 static char message
[1024];
74 ret
= min_length_passwd_quality(context
, principal
, pwd
, NULL
,
75 message
, sizeof(message
));
83 char_class_passwd_quality (krb5_context context
,
84 krb5_principal principal
,
90 const char *classes
[] = {
91 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
92 "abcdefghijklmnopqrstuvwxyz",
94 "!@#$%^&*()/?<>,.{[]}\\|'~`\" "
96 int counter
= 0, req_classes
;
100 req_classes
= krb5_config_get_int_default(context
, NULL
, 3,
105 len
= pwd
->length
+ 1;
108 strlcpy(message
, "out of memory", length
);
111 strlcpy(pw
, pwd
->data
, len
);
114 for (i
= 0; i
< sizeof(classes
)/sizeof(classes
[0]); i
++) {
115 if (strcspn(pw
, classes
[i
]) < len
)
118 memset(pw
, 0, pwd
->length
+ 1);
120 if (counter
< req_classes
) {
121 snprintf(message
, length
,
122 "Password doesn't meet complexity requirement.\n"
123 "Add more characters from the following classes:\n"
124 "1. English uppercase characters (A through Z)\n"
125 "2. English lowercase characters (a through z)\n"
126 "3. Base 10 digits (0 through 9)\n"
127 "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
134 external_passwd_quality (krb5_context context
,
135 krb5_principal principal
,
147 FILE *in
= NULL
, *out
= NULL
, *error
= NULL
;
149 if (memchr(pwd
->data
, '\n', pwd
->length
) != NULL
) {
150 snprintf(message
, length
, "password contains newline, "
151 "not valid for external test");
155 program
= krb5_config_get_string(context
, NULL
,
159 if (program
== NULL
) {
160 snprintf(message
, length
, "external password quality "
161 "program not configured");
165 ret
= krb5_unparse_name(context
, principal
, &p
);
167 strlcpy(message
, "out of memory", length
);
171 child
= pipe_execv(&in
, &out
, &error
, program
, program
, p
, NULL
);
173 snprintf(message
, length
, "external password quality "
174 "program failed to execute for principal %s", p
);
179 fprintf(in
, "principal: %s\n"
180 "new-password: %.*s\n"
182 p
, (int)pwd
->length
, (char *)pwd
->data
);
186 if (fgets(reply
, sizeof(reply
), out
) == NULL
) {
188 if (fgets(reply
, sizeof(reply
), error
) == NULL
) {
189 snprintf(message
, length
, "external password quality "
190 "program failed without error");
193 reply
[strcspn(reply
, "\n")] = '\0';
194 snprintf(message
, length
, "External password quality "
195 "program failed: %s", reply
);
200 wait_for_process(child
);
203 reply
[strcspn(reply
, "\n")] = '\0';
208 status
= wait_for_process(child
);
210 if (SE_IS_ERROR(status
) || SE_PROCSTATUS(status
) != 0) {
211 snprintf(message
, length
, "external program failed: %s", reply
);
216 if (strcmp(reply
, "APPROVED") != 0) {
217 snprintf(message
, length
, "%s", reply
);
228 static kadm5_passwd_quality_check_func_v0 passwd_quality_check
=
229 min_length_passwd_quality_v0
;
231 struct kadm5_pw_policy_check_func builtin_funcs
[] = {
232 { "minimum-length", min_length_passwd_quality
},
233 { "character-class", char_class_passwd_quality
},
234 { "external-check", external_passwd_quality
},
237 struct kadm5_pw_policy_verifier builtin_verifier
= {
239 KADM5_PASSWD_VERSION_V1
,
244 static struct kadm5_pw_policy_verifier
**verifiers
;
245 static int num_verifiers
;
248 * setup the password quality hook
256 kadm5_setup_passwd_quality_check(krb5_context context
,
257 const char *check_library
,
258 const char *check_function
)
266 if(check_library
== NULL
) {
267 tmp
= krb5_config_get_string(context
, NULL
,
274 if(check_function
== NULL
) {
275 tmp
= krb5_config_get_string(context
, NULL
,
280 check_function
= tmp
;
282 if(check_library
!= NULL
&& check_function
== NULL
)
283 check_function
= "passwd_check";
285 if(check_library
== NULL
)
287 handle
= dlopen(check_library
, RTLD_NOW
);
289 krb5_warnx(context
, "failed to open `%s'", check_library
);
292 version
= (int *) dlsym(handle
, "version");
293 if(version
== NULL
) {
295 "didn't find `version' symbol in `%s'", check_library
);
299 if(*version
!= KADM5_PASSWD_VERSION_V0
) {
301 "version of loaded library is %d (expected %d)",
302 *version
, KADM5_PASSWD_VERSION_V0
);
306 sym
= dlsym(handle
, check_function
);
309 "didn't find `%s' symbol in `%s'",
310 check_function
, check_library
);
314 passwd_quality_check
= (kadm5_passwd_quality_check_func_v0
) sym
;
315 #endif /* HAVE_DLOPEN */
320 static krb5_error_code
321 add_verifier(krb5_context context
, const char *check_library
)
323 struct kadm5_pw_policy_verifier
*v
, **tmp
;
327 handle
= dlopen(check_library
, RTLD_NOW
);
329 krb5_warnx(context
, "failed to open `%s'", check_library
);
332 v
= (struct kadm5_pw_policy_verifier
*) dlsym(handle
, "kadm5_password_verifier");
335 "didn't find `kadm5_password_verifier' symbol "
336 "in `%s'", check_library
);
340 if(v
->version
!= KADM5_PASSWD_VERSION_V1
) {
342 "version of loaded library is %d (expected %d)",
343 v
->version
, KADM5_PASSWD_VERSION_V1
);
347 for (i
= 0; i
< num_verifiers
; i
++) {
348 if (strcmp(v
->name
, verifiers
[i
]->name
) == 0)
351 if (i
< num_verifiers
) {
352 krb5_warnx(context
, "password verifier library `%s' is already loaded",
358 tmp
= realloc(verifiers
, (num_verifiers
+ 1) * sizeof(*verifiers
));
360 krb5_warnx(context
, "out of memory");
365 verifiers
[num_verifiers
] = v
;
374 kadm5_add_passwd_quality_verifier(krb5_context context
,
375 const char *check_library
)
379 if(check_library
== NULL
) {
383 tmp
= krb5_config_get_strings(context
, NULL
,
387 if(tmp
== NULL
|| *tmp
== NULL
)
391 ret
= add_verifier(context
, *tmp
);
398 return add_verifier(context
, check_library
);
402 #endif /* HAVE_DLOPEN */
409 static const struct kadm5_pw_policy_check_func
*
410 find_func(krb5_context context
, const char *name
)
412 const struct kadm5_pw_policy_check_func
*f
;
414 const char *p
, *func
;
417 p
= strchr(name
, ':');
419 size_t len
= p
- name
+ 1;
421 module
= malloc(len
);
424 strlcpy(module
, name
, len
);
428 /* Find module in loaded modules first */
429 for (i
= 0; i
< num_verifiers
; i
++) {
430 if (module
&& strcmp(module
, verifiers
[i
]->name
) != 0)
432 for (f
= verifiers
[i
]->funcs
; f
->name
; f
++)
433 if (strcmp(func
, f
->name
) == 0) {
439 /* Lets try try the builtin modules */
440 if (module
== NULL
|| strcmp(module
, "builtin") == 0) {
441 for (f
= builtin_verifier
.funcs
; f
->name
; f
++)
442 if (strcmp(func
, f
->name
) == 0) {
454 kadm5_check_password_quality (krb5_context context
,
455 krb5_principal principal
,
458 const struct kadm5_pw_policy_check_func
*proc
;
459 static char error_msg
[1024];
465 * Check if we should use the old version of policy function.
468 v
= krb5_config_get_strings(context
, NULL
,
473 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
475 krb5_set_error_message(context
, 0, "password policy failed: %s", msg
);
482 for(vp
= v
; *vp
; vp
++) {
483 proc
= find_func(context
, *vp
);
485 msg
= "failed to find password verifier function";
486 krb5_set_error_message(context
, 0, "Failed to find password policy "
487 "function: %s", *vp
);
490 ret
= (proc
->func
)(context
, principal
, pwd_data
, NULL
,
491 error_msg
, sizeof(error_msg
));
493 krb5_set_error_message(context
, 0, "Password policy "
495 proc
->name
, error_msg
);
500 krb5_config_free_strings(v
);
502 /* If the default quality check isn't used, lets check that the
503 * old quality function the user have set too */
504 if (msg
== NULL
&& passwd_quality_check
!= min_length_passwd_quality_v0
) {
505 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
507 krb5_set_error_message(context
, 0, "(old) password policy "
508 "failed with %s", msg
);