2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
37 #ifdef HAVE_SYS_WAIT_H
45 min_length_passwd_quality (krb5_context context
,
46 krb5_principal principal
,
52 uint32_t min_length
= krb5_config_get_int_default(context
, NULL
, 6,
57 if (pwd
->length
< min_length
) {
58 strlcpy(message
, "Password too short", length
);
65 min_length_passwd_quality_v0 (krb5_context context
,
66 krb5_principal principal
,
69 static char message
[1024];
74 ret
= min_length_passwd_quality(context
, principal
, pwd
, NULL
,
75 message
, sizeof(message
));
83 char_class_passwd_quality (krb5_context context
,
84 krb5_principal principal
,
90 const char *classes
[] = {
91 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
92 "abcdefghijklmnopqrstuvwxyz",
94 " !\"#$%&'()*+,-./:;<=>?@\\]^_`{|}~"
96 int counter
= 0, req_classes
;
100 req_classes
= krb5_config_get_int_default(context
, NULL
, 3,
105 len
= pwd
->length
+ 1;
108 strlcpy(message
, "out of memory", length
);
111 strlcpy(pw
, pwd
->data
, len
);
114 for (i
= 0; i
< sizeof(classes
)/sizeof(classes
[0]); i
++) {
115 if (strcspn(pw
, classes
[i
]) < len
)
118 memset(pw
, 0, pwd
->length
+ 1);
120 if (counter
< req_classes
) {
121 snprintf(message
, length
,
122 "Password doesn't meet complexity requirement.\n"
123 "Add more characters from at least %d of the\n"
124 "following classes:\n"
125 "1. English uppercase characters (A through Z)\n"
126 "2. English lowercase characters (a through z)\n"
127 "3. Base 10 digits (0 through 9)\n"
128 "4. Nonalphanumeric characters (e.g., !, $, #, %%)", req_classes
);
135 external_passwd_quality (krb5_context context
,
136 krb5_principal principal
,
148 FILE *in
= NULL
, *out
= NULL
, *error
= NULL
;
150 if (memchr(pwd
->data
, '\n', pwd
->length
) != NULL
) {
151 snprintf(message
, length
, "password contains newline, "
152 "not valid for external test");
156 program
= krb5_config_get_string(context
, NULL
,
160 if (program
== NULL
) {
161 snprintf(message
, length
, "external password quality "
162 "program not configured");
166 ret
= krb5_unparse_name(context
, principal
, &p
);
168 strlcpy(message
, "out of memory", length
);
172 child
= pipe_execv(&in
, &out
, &error
, program
, program
, p
, NULL
);
174 snprintf(message
, length
, "external password quality "
175 "program failed to execute for principal %s", p
);
180 fprintf(in
, "principal: %s\n"
181 "new-password: %.*s\n"
183 p
, (int)pwd
->length
, (char *)pwd
->data
);
187 if (fgets(reply
, sizeof(reply
), out
) == NULL
) {
189 if (fgets(reply
, sizeof(reply
), error
) == NULL
) {
190 snprintf(message
, length
, "external password quality "
191 "program failed without error");
194 reply
[strcspn(reply
, "\n")] = '\0';
195 snprintf(message
, length
, "External password quality "
196 "program failed: %s", reply
);
201 wait_for_process(child
);
204 reply
[strcspn(reply
, "\n")] = '\0';
209 status
= wait_for_process(child
);
211 if (SE_IS_ERROR(status
) || SE_PROCSTATUS(status
) != 0) {
212 snprintf(message
, length
, "external program failed: %s", reply
);
217 if (strcmp(reply
, "APPROVED") != 0) {
218 snprintf(message
, length
, "%s", reply
);
229 static kadm5_passwd_quality_check_func_v0 passwd_quality_check
=
230 min_length_passwd_quality_v0
;
232 struct kadm5_pw_policy_check_func builtin_funcs
[] = {
233 { "minimum-length", min_length_passwd_quality
},
234 { "character-class", char_class_passwd_quality
},
235 { "external-check", external_passwd_quality
},
238 struct kadm5_pw_policy_verifier builtin_verifier
= {
240 KADM5_PASSWD_VERSION_V1
,
245 static struct kadm5_pw_policy_verifier
**verifiers
;
246 static int num_verifiers
;
249 * setup the password quality hook
257 kadm5_setup_passwd_quality_check(krb5_context context
,
258 const char *check_library
,
259 const char *check_function
)
267 if(check_library
== NULL
) {
268 tmp
= krb5_config_get_string(context
, NULL
,
275 if(check_function
== NULL
) {
276 tmp
= krb5_config_get_string(context
, NULL
,
281 check_function
= tmp
;
283 if(check_library
!= NULL
&& check_function
== NULL
)
284 check_function
= "passwd_check";
286 if(check_library
== NULL
)
288 handle
= dlopen(check_library
, RTLD_NOW
);
290 krb5_warnx(context
, "failed to open `%s'", check_library
);
293 version
= (int *) dlsym(handle
, "version");
294 if(version
== NULL
) {
296 "didn't find `version' symbol in `%s'", check_library
);
300 if(*version
!= KADM5_PASSWD_VERSION_V0
) {
302 "version of loaded library is %d (expected %d)",
303 *version
, KADM5_PASSWD_VERSION_V0
);
307 sym
= dlsym(handle
, check_function
);
310 "didn't find `%s' symbol in `%s'",
311 check_function
, check_library
);
315 passwd_quality_check
= (kadm5_passwd_quality_check_func_v0
) sym
;
316 #endif /* HAVE_DLOPEN */
321 static krb5_error_code
322 add_verifier(krb5_context context
, const char *check_library
)
324 struct kadm5_pw_policy_verifier
*v
, **tmp
;
328 handle
= dlopen(check_library
, RTLD_NOW
);
330 krb5_warnx(context
, "failed to open `%s'", check_library
);
333 v
= (struct kadm5_pw_policy_verifier
*) dlsym(handle
, "kadm5_password_verifier");
336 "didn't find `kadm5_password_verifier' symbol "
337 "in `%s'", check_library
);
341 if(v
->version
!= KADM5_PASSWD_VERSION_V1
) {
343 "version of loaded library is %d (expected %d)",
344 v
->version
, KADM5_PASSWD_VERSION_V1
);
348 for (i
= 0; i
< num_verifiers
; i
++) {
349 if (strcmp(v
->name
, verifiers
[i
]->name
) == 0)
352 if (i
< num_verifiers
) {
353 krb5_warnx(context
, "password verifier library `%s' is already loaded",
359 tmp
= realloc(verifiers
, (num_verifiers
+ 1) * sizeof(*verifiers
));
361 krb5_warnx(context
, "out of memory");
366 verifiers
[num_verifiers
] = v
;
375 kadm5_add_passwd_quality_verifier(krb5_context context
,
376 const char *check_library
)
380 if(check_library
== NULL
) {
384 tmp
= krb5_config_get_strings(context
, NULL
,
388 if(tmp
== NULL
|| *tmp
== NULL
)
392 ret
= add_verifier(context
, *tmp
);
399 return add_verifier(context
, check_library
);
403 #endif /* HAVE_DLOPEN */
410 static const struct kadm5_pw_policy_check_func
*
411 find_func(krb5_context context
, const char *name
)
413 const struct kadm5_pw_policy_check_func
*f
;
415 const char *p
, *func
;
418 p
= strchr(name
, ':');
420 size_t len
= p
- name
+ 1;
422 module
= malloc(len
);
425 strlcpy(module
, name
, len
);
429 /* Find module in loaded modules first */
430 for (i
= 0; i
< num_verifiers
; i
++) {
431 if (module
&& strcmp(module
, verifiers
[i
]->name
) != 0)
433 for (f
= verifiers
[i
]->funcs
; f
->name
; f
++)
434 if (strcmp(func
, f
->name
) == 0) {
440 /* Lets try try the builtin modules */
441 if (module
== NULL
|| strcmp(module
, "builtin") == 0) {
442 for (f
= builtin_verifier
.funcs
; f
->name
; f
++)
443 if (strcmp(func
, f
->name
) == 0) {
455 kadm5_check_password_quality (krb5_context context
,
456 krb5_principal principal
,
459 const struct kadm5_pw_policy_check_func
*proc
;
460 static char error_msg
[1024];
466 * Check if we should use the old version of policy function.
469 v
= krb5_config_get_strings(context
, NULL
,
474 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
476 krb5_set_error_message(context
, 0, "password policy failed: %s", msg
);
483 for(vp
= v
; *vp
; vp
++) {
484 proc
= find_func(context
, *vp
);
486 msg
= "failed to find password verifier function";
487 krb5_set_error_message(context
, 0, "Failed to find password policy "
488 "function: %s", *vp
);
491 ret
= (proc
->func
)(context
, principal
, pwd_data
, NULL
,
492 error_msg
, sizeof(error_msg
));
494 krb5_set_error_message(context
, 0, "Password policy "
496 proc
->name
, error_msg
);
501 krb5_config_free_strings(v
);
503 /* If the default quality check isn't used, lets check that the
504 * old quality function the user have set too */
505 if (msg
== NULL
&& passwd_quality_check
!= min_length_passwd_quality_v0
) {
506 msg
= (*passwd_quality_check
) (context
, principal
, pwd_data
);
508 krb5_set_error_message(context
, 0, "(old) password policy "
509 "failed with %s", msg
);