summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/lib/kadm5/password_quality.c
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/lib/kadm5/password_quality.c')
-rw-r--r--third_party/heimdal/lib/kadm5/password_quality.c508
1 files changed, 508 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/kadm5/password_quality.c b/third_party/heimdal/lib/kadm5/password_quality.c
new file mode 100644
index 0000000..84c1d39
--- /dev/null
+++ b/third_party/heimdal/lib/kadm5/password_quality.c
@@ -0,0 +1,508 @@
+/*
+ * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadm5_locl.h"
+#include "kadm5-pwcheck.h"
+
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+
+static int
+min_length_passwd_quality (krb5_context context,
+ krb5_principal principal,
+ krb5_data *pwd,
+ const char *opaque,
+ char *message,
+ size_t length)
+{
+ uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
+ "password_quality",
+ "min_length",
+ NULL);
+
+ if (pwd->length < min_length) {
+ strlcpy(message, "Password too short", length);
+ return 1;
+ } else
+ return 0;
+}
+
+static const char *
+min_length_passwd_quality_v0 (krb5_context context,
+ krb5_principal principal,
+ krb5_data *pwd)
+{
+ static char message[1024];
+ int ret;
+
+ message[0] = '\0';
+
+ ret = min_length_passwd_quality(context, principal, pwd, NULL,
+ message, sizeof(message));
+ if (ret)
+ return message;
+ return NULL;
+}
+
+
+static int
+char_class_passwd_quality (krb5_context context,
+ krb5_principal principal,
+ krb5_data *pwd,
+ const char *opaque,
+ char *message,
+ size_t length)
+{
+ const char *classes[] = {
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+ "abcdefghijklmnopqrstuvwxyz",
+ "1234567890",
+ " !\"#$%&'()*+,-./:;<=>?@\\]^_`{|}~"
+ };
+ int counter = 0, req_classes;
+ size_t i, len;
+ char *pw;
+
+ req_classes = krb5_config_get_int_default(context, NULL, 3,
+ "password_quality",
+ "min_classes",
+ NULL);
+
+ len = pwd->length + 1;
+ pw = malloc(len);
+ if (pw == NULL) {
+ strlcpy(message, "out of memory", length);
+ return 1;
+ }
+ strlcpy(pw, pwd->data, len);
+ len = strlen(pw);
+
+ for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
+ if (strcspn(pw, classes[i]) < len)
+ counter++;
+ }
+ memset(pw, 0, pwd->length + 1);
+ free(pw);
+ if (counter < req_classes) {
+ snprintf(message, length,
+ "Password doesn't meet complexity requirement.\n"
+ "Add more characters from at least %d of the\n"
+ "following classes:\n"
+ "1. English uppercase characters (A through Z)\n"
+ "2. English lowercase characters (a through z)\n"
+ "3. Base 10 digits (0 through 9)\n"
+ "4. Nonalphanumeric characters (e.g., !, $, #, %%)", req_classes);
+ return 1;
+ }
+ return 0;
+}
+
+static int
+external_passwd_quality (krb5_context context,
+ krb5_principal principal,
+ krb5_data *pwd,
+ const char *opaque,
+ char *message,
+ size_t length)
+{
+ krb5_error_code ret;
+ const char *program;
+ char *p;
+ pid_t child;
+ int status;
+ char reply[1024];
+ FILE *in = NULL, *out = NULL, *error = NULL;
+
+ if (memchr(pwd->data, '\n', pwd->length) != NULL) {
+ snprintf(message, length, "password contains newline, "
+ "not valid for external test");
+ return 1;
+ }
+
+ program = krb5_config_get_string(context, NULL,
+ "password_quality",
+ "external_program",
+ NULL);
+ if (program == NULL) {
+ snprintf(message, length, "external password quality "
+ "program not configured");
+ return 1;
+ }
+
+ ret = krb5_unparse_name(context, principal, &p);
+ if (ret) {
+ strlcpy(message, "out of memory", length);
+ return 1;
+ }
+
+ child = pipe_execv(&in, &out, &error, program, program, p, NULL);
+ if (child < 0) {
+ snprintf(message, length, "external password quality "
+ "program failed to execute for principal %s", p);
+ free(p);
+ return 1;
+ }
+
+ fprintf(in, "principal: %s\n"
+ "new-password: %.*s\n"
+ "end\n",
+ p, (int)pwd->length, (char *)pwd->data);
+
+ fclose(in);
+
+ if (fgets(reply, sizeof(reply), out) == NULL) {
+
+ if (fgets(reply, sizeof(reply), error) == NULL) {
+ snprintf(message, length, "external password quality "
+ "program failed without error");
+
+ } else {
+ reply[strcspn(reply, "\n")] = '\0';
+ snprintf(message, length, "External password quality "
+ "program failed: %s", reply);
+ }
+
+ fclose(out);
+ fclose(error);
+ wait_for_process(child);
+ free(p);
+ return 1;
+ }
+ reply[strcspn(reply, "\n")] = '\0';
+
+ fclose(out);
+ fclose(error);
+
+ status = wait_for_process(child);
+
+ if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) {
+ snprintf(message, length, "external program failed: %s", reply);
+ free(p);
+ return 1;
+ }
+
+ if (strcmp(reply, "APPROVED") != 0) {
+ snprintf(message, length, "%s", reply);
+ free(p);
+ return 1;
+ }
+
+ free(p);
+
+ return 0;
+}
+
+
+static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
+ min_length_passwd_quality_v0;
+
+struct kadm5_pw_policy_check_func builtin_funcs[] = {
+ { "minimum-length", min_length_passwd_quality },
+ { "character-class", char_class_passwd_quality },
+ { "external-check", external_passwd_quality },
+ { NULL, NULL }
+};
+struct kadm5_pw_policy_verifier builtin_verifier = {
+ "builtin",
+ KADM5_PASSWD_VERSION_V1,
+ "Heimdal builtin",
+ builtin_funcs
+};
+
+static struct kadm5_pw_policy_verifier **verifiers;
+static int num_verifiers;
+
+/*
+ * setup the password quality hook
+ */
+
+void
+kadm5_setup_passwd_quality_check(krb5_context context,
+ const char *check_library,
+ const char *check_function)
+{
+#ifdef HAVE_DLOPEN
+ void *handle;
+ void *sym;
+ int *version;
+ const char *tmp;
+
+ if(check_library == NULL) {
+ tmp = krb5_config_get_string(context, NULL,
+ "password_quality",
+ "check_library",
+ NULL);
+ if(tmp != NULL)
+ check_library = tmp;
+ }
+ if(check_function == NULL) {
+ tmp = krb5_config_get_string(context, NULL,
+ "password_quality",
+ "check_function",
+ NULL);
+ if(tmp != NULL)
+ check_function = tmp;
+ }
+ if(check_library != NULL && check_function == NULL)
+ check_function = "passwd_check";
+
+ if(check_library == NULL)
+ return;
+ handle = dlopen(check_library, RTLD_NOW | RTLD_LOCAL | RTLD_GROUP);
+ if(handle == NULL) {
+ krb5_warnx(context, "failed to open `%s'", check_library);
+ return;
+ }
+ version = (int *) dlsym(handle, "version");
+ if(version == NULL) {
+ krb5_warnx(context,
+ "didn't find `version' symbol in `%s'", check_library);
+ dlclose(handle);
+ return;
+ }
+ if(*version != KADM5_PASSWD_VERSION_V0) {
+ krb5_warnx(context,
+ "version of loaded library is %d (expected %d)",
+ *version, KADM5_PASSWD_VERSION_V0);
+ dlclose(handle);
+ return;
+ }
+ sym = dlsym(handle, check_function);
+ if(sym == NULL) {
+ krb5_warnx(context,
+ "didn't find `%s' symbol in `%s'",
+ check_function, check_library);
+ dlclose(handle);
+ return;
+ }
+ passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
+#endif /* HAVE_DLOPEN */
+}
+
+#ifdef HAVE_DLOPEN
+
+static krb5_error_code
+add_verifier(krb5_context context, const char *check_library)
+{
+ struct kadm5_pw_policy_verifier *v, **tmp;
+ void *handle;
+ int i;
+
+ handle = dlopen(check_library, RTLD_NOW | RTLD_LOCAL | RTLD_GROUP);
+ if(handle == NULL) {
+ krb5_warnx(context, "failed to open `%s'", check_library);
+ return ENOENT;
+ }
+ v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier");
+ if(v == NULL) {
+ krb5_warnx(context,
+ "didn't find `kadm5_password_verifier' symbol "
+ "in `%s'", check_library);
+ dlclose(handle);
+ return ENOENT;
+ }
+ if(v->version != KADM5_PASSWD_VERSION_V1) {
+ krb5_warnx(context,
+ "version of loaded library is %d (expected %d)",
+ v->version, KADM5_PASSWD_VERSION_V1);
+ dlclose(handle);
+ return EINVAL;
+ }
+ for (i = 0; i < num_verifiers; i++) {
+ if (strcmp(v->name, verifiers[i]->name) == 0)
+ break;
+ }
+ if (i < num_verifiers) {
+ krb5_warnx(context, "password verifier library `%s' is already loaded",
+ v->name);
+ dlclose(handle);
+ return 0;
+ }
+
+ tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
+ if (tmp == NULL) {
+ krb5_warnx(context, "out of memory");
+ dlclose(handle);
+ return 0;
+ }
+ verifiers = tmp;
+ verifiers[num_verifiers] = v;
+ num_verifiers++;
+
+ return 0;
+}
+
+#endif
+
+krb5_error_code
+kadm5_add_passwd_quality_verifier(krb5_context context,
+ const char *check_library)
+{
+#ifdef HAVE_DLOPEN
+
+ if(check_library == NULL) {
+ krb5_error_code ret = 0;
+ char **strs;
+ char **tmp;
+
+ strs = krb5_config_get_strings(context, NULL,
+ "password_quality",
+ "policy_libraries",
+ NULL);
+ if (strs == NULL)
+ return 0;
+
+ for (tmp = strs; *tmp; tmp++) {
+ ret = add_verifier(context, *tmp);
+ if (ret)
+ break;
+ }
+ krb5_config_free_strings(strs);
+ return ret;
+ } else {
+ return add_verifier(context, check_library);
+ }
+#else
+ return 0;
+#endif /* HAVE_DLOPEN */
+}
+
+/*
+ *
+ */
+
+static const struct kadm5_pw_policy_check_func *
+find_func(krb5_context context, const char *name)
+{
+ const struct kadm5_pw_policy_check_func *f;
+ char *module = NULL;
+ const char *p, *func;
+ int i;
+
+ p = strchr(name, ':');
+ if (p) {
+ size_t len = p - name + 1;
+ func = p + 1;
+ module = malloc(len);
+ if (module == NULL)
+ return NULL;
+ strlcpy(module, name, len);
+ } else
+ func = name;
+
+ /* Find module in loaded modules first */
+ for (i = 0; i < num_verifiers; i++) {
+ if (module && strcmp(module, verifiers[i]->name) != 0)
+ continue;
+ for (f = verifiers[i]->funcs; f->name ; f++)
+ if (strcmp(func, f->name) == 0) {
+ if (module)
+ free(module);
+ return f;
+ }
+ }
+ /* Lets try try the builtin modules */
+ if (module == NULL || strcmp(module, "builtin") == 0) {
+ for (f = builtin_verifier.funcs; f->name ; f++)
+ if (strcmp(func, f->name) == 0) {
+ if (module)
+ free(module);
+ return f;
+ }
+ }
+ if (module)
+ free(module);
+ return NULL;
+}
+
+const char *
+kadm5_check_password_quality (krb5_context context,
+ krb5_principal principal,
+ krb5_data *pwd_data)
+{
+ const struct kadm5_pw_policy_check_func *proc;
+ static char error_msg[1024];
+ const char *msg;
+ char **v, **vp;
+ int ret;
+
+ /*
+ * Check if we should use the old version of policy function.
+ */
+
+ v = krb5_config_get_strings(context, NULL,
+ "password_quality",
+ "policies",
+ NULL);
+ if (v == NULL) {
+ msg = (*passwd_quality_check) (context, principal, pwd_data);
+ if (msg)
+ krb5_set_error_message(context, 0, "password policy failed: %s", msg);
+ return msg;
+ }
+
+ error_msg[0] = '\0';
+
+ msg = NULL;
+ for(vp = v; *vp; vp++) {
+ proc = find_func(context, *vp);
+ if (proc == NULL) {
+ msg = "failed to find password verifier function";
+ krb5_set_error_message(context, 0, "Failed to find password policy "
+ "function: %s", *vp);
+ break;
+ }
+ ret = (proc->func)(context, principal, pwd_data, NULL,
+ error_msg, sizeof(error_msg));
+ if (ret) {
+ krb5_set_error_message(context, 0, "Password policy "
+ "%s failed with %s",
+ proc->name, error_msg);
+ msg = error_msg;
+ break;
+ }
+ }
+ krb5_config_free_strings(v);
+
+ /* If the default quality check isn't used, lets check that the
+ * old quality function the user have set too */
+ if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
+ msg = (*passwd_quality_check) (context, principal, pwd_data);
+ if (msg)
+ krb5_set_error_message(context, 0, "(old) password policy "
+ "failed with %s", msg);
+
+ }
+ return msg;
+}