2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
37 #ifdef HAVE_SYS_WAIT_H
45 min_length_passwd_quality (krb5_context context,
46 krb5_principal principal,
52 uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
57 if (pwd->length < min_length) {
58 strlcpy(message, "Password too short", length);
65 min_length_passwd_quality_v0 (krb5_context context,
66 krb5_principal principal,
69 static char message[1024];
74 ret = min_length_passwd_quality(context, principal, pwd, NULL,
75 message, sizeof(message));
83 char_class_passwd_quality (krb5_context context,
84 krb5_principal principal,
90 const char *classes[] = {
91 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
92 "abcdefghijklmnopqrstuvwxyz",
94 "!@#$%^&*()/?<>,.{[]}\\|'~`\" "
96 int counter = 0, req_classes;
100 req_classes = krb5_config_get_int_default(context, NULL, 3,
105 len = pwd->length + 1;
108 strlcpy(message, "out of memory", length);
111 strlcpy(pw, pwd->data, len);
114 for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
115 if (strcspn(pw, classes[i]) < len)
118 memset(pw, 0, pwd->length + 1);
120 if (counter < req_classes) {
121 snprintf(message, length,
122 "Password doesn't meet complexity requirement.\n"
123 "Add more characters from the following classes:\n"
124 "1. English uppercase characters (A through Z)\n"
125 "2. English lowercase characters (a through z)\n"
126 "3. Base 10 digits (0 through 9)\n"
127 "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
134 external_passwd_quality (krb5_context context,
135 krb5_principal principal,
147 FILE *in = NULL, *out = NULL, *error = NULL;
149 if (memchr(pwd->data, '\n', pwd->length) != NULL) {
150 snprintf(message, length, "password contains newline, "
151 "not valid for external test");
155 program = krb5_config_get_string(context, NULL,
159 if (program == NULL) {
160 snprintf(message, length, "external password quality "
161 "program not configured");
165 ret = krb5_unparse_name(context, principal, &p);
167 strlcpy(message, "out of memory", length);
171 child = pipe_execv(&in, &out, &error, program, program, p, NULL);
173 snprintf(message, length, "external password quality "
174 "program failed to execute for principal %s", p);
179 fprintf(in, "principal: %s\n"
180 "new-password: %.*s\n"
182 p, (int)pwd->length, (char *)pwd->data);
186 if (fgets(reply, sizeof(reply), out) == NULL) {
188 if (fgets(reply, sizeof(reply), error) == NULL) {
189 snprintf(message, length, "external password quality "
190 "program failed without error");
193 reply[strcspn(reply, "\n")] = '\0';
194 snprintf(message, length, "External password quality "
195 "program failed: %s", reply);
200 wait_for_process(child);
203 reply[strcspn(reply, "\n")] = '\0';
208 status = wait_for_process(child);
210 if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) {
211 snprintf(message, length, "external program failed: %s", reply);
216 if (strcmp(reply, "APPROVED") != 0) {
217 snprintf(message, length, "%s", reply);
228 static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
229 min_length_passwd_quality_v0;
231 struct kadm5_pw_policy_check_func builtin_funcs[] = {
232 { "minimum-length", min_length_passwd_quality },
233 { "character-class", char_class_passwd_quality },
234 { "external-check", external_passwd_quality },
237 struct kadm5_pw_policy_verifier builtin_verifier = {
239 KADM5_PASSWD_VERSION_V1,
244 static struct kadm5_pw_policy_verifier **verifiers;
245 static int num_verifiers;
248 * setup the password quality hook
256 kadm5_setup_passwd_quality_check(krb5_context context,
257 const char *check_library,
258 const char *check_function)
266 if(check_library == NULL) {
267 tmp = krb5_config_get_string(context, NULL,
274 if(check_function == NULL) {
275 tmp = krb5_config_get_string(context, NULL,
280 check_function = tmp;
282 if(check_library != NULL && check_function == NULL)
283 check_function = "passwd_check";
285 if(check_library == NULL)
287 handle = dlopen(check_library, RTLD_NOW);
289 krb5_warnx(context, "failed to open `%s'", check_library);
292 version = (int *) dlsym(handle, "version");
293 if(version == NULL) {
295 "didn't find `version' symbol in `%s'", check_library);
299 if(*version != KADM5_PASSWD_VERSION_V0) {
301 "version of loaded library is %d (expected %d)",
302 *version, KADM5_PASSWD_VERSION_V0);
306 sym = dlsym(handle, check_function);
309 "didn't find `%s' symbol in `%s'",
310 check_function, check_library);
314 passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
315 #endif /* HAVE_DLOPEN */
320 static krb5_error_code
321 add_verifier(krb5_context context, const char *check_library)
323 struct kadm5_pw_policy_verifier *v, **tmp;
327 handle = dlopen(check_library, RTLD_NOW);
329 krb5_warnx(context, "failed to open `%s'", check_library);
332 v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier");
335 "didn't find `kadm5_password_verifier' symbol "
336 "in `%s'", check_library);
340 if(v->version != KADM5_PASSWD_VERSION_V1) {
342 "version of loaded library is %d (expected %d)",
343 v->version, KADM5_PASSWD_VERSION_V1);
347 for (i = 0; i < num_verifiers; i++) {
348 if (strcmp(v->name, verifiers[i]->name) == 0)
351 if (i < num_verifiers) {
352 krb5_warnx(context, "password verifier library `%s' is already loaded",
358 tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
360 krb5_warnx(context, "out of memory");
365 verifiers[num_verifiers] = v;
374 kadm5_add_passwd_quality_verifier(krb5_context context,
375 const char *check_library)
379 if(check_library == NULL) {
383 tmp = krb5_config_get_strings(context, NULL,
387 if(tmp == NULL || *tmp == NULL)
391 ret = add_verifier(context, *tmp);
398 return add_verifier(context, check_library);
402 #endif /* HAVE_DLOPEN */
409 static const struct kadm5_pw_policy_check_func *
410 find_func(krb5_context context, const char *name)
412 const struct kadm5_pw_policy_check_func *f;
414 const char *p, *func;
417 p = strchr(name, ':');
419 size_t len = p - name + 1;
421 module = malloc(len);
424 strlcpy(module, name, len);
428 /* Find module in loaded modules first */
429 for (i = 0; i < num_verifiers; i++) {
430 if (module && strcmp(module, verifiers[i]->name) != 0)
432 for (f = verifiers[i]->funcs; f->name ; f++)
433 if (strcmp(func, f->name) == 0) {
439 /* Lets try try the builtin modules */
440 if (module == NULL || strcmp(module, "builtin") == 0) {
441 for (f = builtin_verifier.funcs; f->name ; f++)
442 if (strcmp(func, f->name) == 0) {
454 kadm5_check_password_quality (krb5_context context,
455 krb5_principal principal,
458 const struct kadm5_pw_policy_check_func *proc;
459 static char error_msg[1024];
465 * Check if we should use the old version of policy function.
468 v = krb5_config_get_strings(context, NULL,
473 msg = (*passwd_quality_check) (context, principal, pwd_data);
475 krb5_set_error_message(context, 0, "password policy failed: %s", msg);
482 for(vp = v; *vp; vp++) {
483 proc = find_func(context, *vp);
485 msg = "failed to find password verifier function";
486 krb5_set_error_message(context, 0, "Failed to find password policy "
487 "function: %s", *vp);
490 ret = (proc->func)(context, principal, pwd_data, NULL,
491 error_msg, sizeof(error_msg));
493 krb5_set_error_message(context, 0, "Password policy "
495 proc->name, error_msg);
500 krb5_config_free_strings(v);
502 /* If the default quality check isn't used, lets check that the
503 * old quality function the user have set too */
504 if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
505 msg = (*passwd_quality_check) (context, principal, pwd_data);
507 krb5_set_error_message(context, 0, "(old) password policy "
508 "failed with %s", msg);