2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
39 #ifdef HAVE_SYS_WAIT_H
47 min_length_passwd_quality (krb5_context context
,
48 krb5_principal principal
,
54 uint32_t min_length
= krb5_config_get_int_default(context
, NULL
, 6,
59 if (pwd
->length
< min_length
) {
60 strlcpy(message
, "Password too short", length
);
67 min_length_passwd_quality_v0 (krb5_context context
,
68 krb5_principal principal
,
71 static char message
[1024];
76 ret
= min_length_passwd_quality(context
, principal
, pwd
, NULL
,
77 message
, sizeof(message
));
85 char_class_passwd_quality (krb5_context context
,
86 krb5_principal principal
,
92 const char *classes
[] = {
93 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
94 "abcdefghijklmnopqrstuvwxyz",
96 "!@#$%^&*()/?<>,.{[]}\\|'~`\" "
98 int i
, counter
= 0, req_classes
;
102 req_classes
= krb5_config_get_int_default(context
, NULL
, 3,
107 len
= pwd
->length
+ 1;
110 strlcpy(message
, "out of memory", length
);
113 strlcpy(pw
, pwd
->data
, len
);
116 for (i
= 0; i
< sizeof(classes
)/sizeof(classes
[0]); i
++) {
117 if (strcspn(pw
, classes
[i
]) < len
)
120 memset(pw
, 0, pwd
->length
+ 1);
122 if (counter
< req_classes
) {
123 snprintf(message
, length
,
124 "Password doesn't meet complexity requirement.\n"
125 "Add more characters from the following classes:\n"
126 "1. English uppercase characters (A through Z)\n"
127 "2. English lowercase characters (a through z)\n"
128 "3. Base 10 digits (0 through 9)\n"
129 "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
136 external_passwd_quality (krb5_context context
,
137 krb5_principal principal
,
149 FILE *in
= NULL
, *out
= NULL
, *error
= NULL
;
151 if (memchr(pwd
->data
, pwd
->length
, '\n') != NULL
) {
152 snprintf(message
, length
, "password contains newline, "
153 "not valid for external test");
157 program
= krb5_config_get_string(context
, NULL
,
161 if (program
== NULL
) {
162 snprintf(message
, length
, "external password quality "
163 "program not configured");
167 ret
= krb5_unparse_name(context
, principal
, &p
);
169 strlcpy(message
, "out of memory", length
);
173 child
= pipe_execv(&in
, &out
, &error
, program
, program
, p
, NULL
);
175 snprintf(message
, length
, "external password quality "
176 "program failed to execute for principal %s", p
);
181 fprintf(in
, "principal: %s\n"
182 "new-password: %.*s\n"
184 p
, (int)pwd
->length
, (char *)pwd
->data
);
188 if (fgets(reply
, sizeof(reply
), out
) == NULL
) {
190 if (fgets(reply
, sizeof(reply
), error
) == NULL
) {
191 snprintf(message
, length
, "external password quality "
192 "program failed without error");
195 reply
[strcspn(reply
, "\n")] = '\0';
196 snprintf(message
, length
, "External password quality "
197 "program failed: %s", reply
);
202 wait_for_process(child
);
205 reply
[strcspn(reply
, "\n")] = '\0';
210 status
= wait_for_process(child
);
212 if (SE_IS_ERROR(status
) || SE_PROCSTATUS(status
) != 0) {
213 snprintf(message
, length
, "external program failed: %s", reply
);
218 if (strcmp(reply
, "APPROVED") != 0) {
219 snprintf(message
, length
, "%s", reply
);
230 static kadm5_passwd_quality_check_func_v0 passwd_quality_check
=
231 min_length_passwd_quality_v0
;
233 struct kadm5_pw_policy_check_func builtin_funcs
[] = {
234 { "minimum-length", min_length_passwd_quality
},
235 { "character-class", char_class_passwd_quality
},
236 { "external-check", external_passwd_quality
},
239 struct kadm5_pw_policy_verifier builtin_verifier
= {
241 KADM5_PASSWD_VERSION_V1
,
246 static struct kadm5_pw_policy_verifier
**verifiers
;
247 static int num_verifiers
;
250 * setup the password quality hook
258 kadm5_setup_passwd_quality_check(krb5_context context
,
259 const char *check_library
,
260 const char *check_function
)
268 if(check_library
== NULL
) {
269 tmp
= krb5_config_get_string(context
, NULL
,
276 if(check_function
== NULL
) {
277 tmp
= krb5_config_get_string(context
, NULL
,
282 check_function
= tmp
;
284 if(check_library
!= NULL
&& check_function
== NULL
)
285 check_function
= "passwd_check";
287 if(check_library
== NULL
)
289 handle
= dlopen(check_library
, RTLD_NOW
);
291 krb5_warnx(context
, "failed to open `%s'", check_library
);
294 version
= dlsym(handle
, "version");
295 if(version
== NULL
) {
297 "didn't find `version' symbol in `%s'", check_library
);
301 if(*version
!= KADM5_PASSWD_VERSION_V0
) {
303 "version of loaded library is %d (expected %d)",
304 *version
, KADM5_PASSWD_VERSION_V0
);
308 sym
= dlsym(handle
, check_function
);
311 "didn't find `%s' symbol in `%s'",
312 check_function
, check_library
);
316 passwd_quality_check
= (kadm5_passwd_quality_check_func_v0
) sym
;
317 #endif /* HAVE_DLOPEN */
322 static krb5_error_code
323 add_verifier(krb5_context context
, const char *check_library
)
325 struct kadm5_pw_policy_verifier
*v
, **tmp
;
329 handle
= dlopen(check_library
, RTLD_NOW
);
331 krb5_warnx(context
, "failed to open `%s'", check_library
);
334 v
= dlsym(handle
, "kadm5_password_verifier");
337 "didn't find `kadm5_password_verifier' symbol "
338 "in `%s'", check_library
);
342 if(v
->version
!= KADM5_PASSWD_VERSION_V1
) {
344 "version of loaded library is %d (expected %d)",
345 v
->version
, KADM5_PASSWD_VERSION_V1
);
349 for (i
= 0; i
< num_verifiers
; i
++) {
350 if (strcmp(v
->name
, verifiers
[i
]->name
) == 0)
353 if (i
< num_verifiers
) {
354 krb5_warnx(context
, "password verifier library `%s' is already loaded",
360 tmp
= realloc(verifiers
, (num_verifiers
+ 1) * sizeof(*verifiers
));
362 krb5_warnx(context
, "out of memory");
367 verifiers
[num_verifiers
] = v
;
376 kadm5_add_passwd_quality_verifier(krb5_context context
,
377 const char *check_library
)
381 if(check_library
== NULL
) {
385 tmp
= krb5_config_get_strings(context
, NULL
,
393 ret
= add_verifier(context
, *tmp
);
400 return add_verifier(context
, check_library
);
404 #endif /* HAVE_DLOPEN */
411 static const struct kadm5_pw_policy_check_func
*
412 find_func(krb5_context context
, const char *name
)
414 const struct kadm5_pw_policy_check_func
*f
;
416 const char *p
, *func
;
419 p
= strchr(name
, ':');
421 size_t len
= p
- name
+ 1;
423 module
= malloc(len
);
426 strlcpy(module
, name
, len
);
430 /* Find module in loaded modules first */
431 for (i
= 0; i
< num_verifiers
; i
++) {
432 if (module
&& strcmp(module
, verifiers
[i
]->name
) != 0)
434 for (f
= verifiers
[i
]->funcs
; f
->name
; f
++)
435 if (strcmp(name
, f
->name
) == 0) {
441 /* Lets try try the builtin modules */
442 if (module
== NULL
|| strcmp(module
, "builtin") == 0) {
443 for (f
= builtin_verifier
.funcs
; f
->name
; f
++)
444 if (strcmp(func
, f
->name
) == 0) {
456 kadm5_check_password_quality (krb5_context context
,
457 krb5_principal principal
,
460 const struct kadm5_pw_policy_check_func
*proc
;
461 static char error_msg
[1024];
467 * Check if we should use the old version of policy function.
470 v
= krb5_config_get_strings(context
, NULL
,
475 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
476 krb5_set_error_message(context
, 0, "password policy failed: %s", msg
);
483 for(vp
= v
; *vp
; vp
++) {
484 proc
= find_func(context
, *vp
);
486 msg
= "failed to find password verifier function";
487 krb5_set_error_message(context
, 0, "Failed to find password policy "
488 "function: %s", *vp
);
491 ret
= (proc
->func
)(context
, principal
, pwd_data
, NULL
,
492 error_msg
, sizeof(error_msg
));
494 krb5_set_error_message(context
, 0, "Password policy "
496 proc
->name
, error_msg
);
501 krb5_config_free_strings(v
);
503 /* If the default quality check isn't used, lets check that the
504 * old quality function the user have set too */
505 if (msg
== NULL
&& passwd_quality_check
!= min_length_passwd_quality_v0
) {
506 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
508 krb5_set_error_message(context
, 0, "(old) password policy "
509 "failed with %s", msg
);