1 /* $NetBSD: password_quality.c,v 1.1.1.2 2014/04/24 12:45:49 pettai Exp $ */
2
3 /*
4 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kadm5_locl.h"
37 #include "kadm5-pwcheck.h"
38
39 #ifdef HAVE_SYS_WAIT_H
40 #include <sys/wait.h>
41 #endif
42 #ifdef HAVE_DLFCN_H
43 #include <dlfcn.h>
44 #endif
45
46 static int
min_length_passwd_quality(krb5_context context,krb5_principal principal,krb5_data * pwd,const char * opaque,char * message,size_t length)47 min_length_passwd_quality (krb5_context context,
48 krb5_principal principal,
49 krb5_data *pwd,
50 const char *opaque,
51 char *message,
52 size_t length)
53 {
54 uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
55 "password_quality",
56 "min_length",
57 NULL);
58
59 if (pwd->length < min_length) {
60 strlcpy(message, "Password too short", length);
61 return 1;
62 } else
63 return 0;
64 }
65
66 static const char *
min_length_passwd_quality_v0(krb5_context context,krb5_principal principal,krb5_data * pwd)67 min_length_passwd_quality_v0 (krb5_context context,
68 krb5_principal principal,
69 krb5_data *pwd)
70 {
71 static char message[1024];
72 int ret;
73
74 message[0] = '\0';
75
76 ret = min_length_passwd_quality(context, principal, pwd, NULL,
77 message, sizeof(message));
78 if (ret)
79 return message;
80 return NULL;
81 }
82
83
84 static int
char_class_passwd_quality(krb5_context context,krb5_principal principal,krb5_data * pwd,const char * opaque,char * message,size_t length)85 char_class_passwd_quality (krb5_context context,
86 krb5_principal principal,
87 krb5_data *pwd,
88 const char *opaque,
89 char *message,
90 size_t length)
91 {
92 const char *classes[] = {
93 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
94 "abcdefghijklmnopqrstuvwxyz",
95 "1234567890",
96 " !\"#$%&'()*+,-./:;<=>?@\\]^_`{|}~"
97 };
98 int counter = 0, req_classes;
99 size_t i, len;
100 char *pw;
101
102 req_classes = krb5_config_get_int_default(context, NULL, 3,
103 "password_quality",
104 "min_classes",
105 NULL);
106
107 len = pwd->length + 1;
108 pw = malloc(len);
109 if (pw == NULL) {
110 strlcpy(message, "out of memory", length);
111 return 1;
112 }
113 strlcpy(pw, pwd->data, len);
114 len = strlen(pw);
115
116 for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
117 if (strcspn(pw, classes[i]) < len)
118 counter++;
119 }
120 memset(pw, 0, pwd->length + 1);
121 free(pw);
122 if (counter < req_classes) {
123 snprintf(message, length,
124 "Password doesn't meet complexity requirement.\n"
125 "Add more characters from at least %d of the\n"
126 "following classes:\n"
127 "1. English uppercase characters (A through Z)\n"
128 "2. English lowercase characters (a through z)\n"
129 "3. Base 10 digits (0 through 9)\n"
130 "4. Nonalphanumeric characters (e.g., !, $, #, %%)", req_classes);
131 return 1;
132 }
133 return 0;
134 }
135
136 static int
external_passwd_quality(krb5_context context,krb5_principal principal,krb5_data * pwd,const char * opaque,char * message,size_t length)137 external_passwd_quality (krb5_context context,
138 krb5_principal principal,
139 krb5_data *pwd,
140 const char *opaque,
141 char *message,
142 size_t length)
143 {
144 krb5_error_code ret;
145 const char *program;
146 char *p;
147 pid_t child;
148 int status;
149 char reply[1024];
150 FILE *in = NULL, *out = NULL, *error = NULL;
151
152 if (memchr(pwd->data, '\n', pwd->length) != NULL) {
153 snprintf(message, length, "password contains newline, "
154 "not valid for external test");
155 return 1;
156 }
157
158 program = krb5_config_get_string(context, NULL,
159 "password_quality",
160 "external_program",
161 NULL);
162 if (program == NULL) {
163 snprintf(message, length, "external password quality "
164 "program not configured");
165 return 1;
166 }
167
168 ret = krb5_unparse_name(context, principal, &p);
169 if (ret) {
170 strlcpy(message, "out of memory", length);
171 return 1;
172 }
173
174 child = pipe_execv(&in, &out, &error, program, program, p, NULL);
175 if (child < 0) {
176 snprintf(message, length, "external password quality "
177 "program failed to execute for principal %s", p);
178 free(p);
179 return 1;
180 }
181
182 fprintf(in, "principal: %s\n"
183 "new-password: %.*s\n"
184 "end\n",
185 p, (int)pwd->length, (char *)pwd->data);
186
187 fclose(in);
188
189 if (fgets(reply, sizeof(reply), out) == NULL) {
190
191 if (fgets(reply, sizeof(reply), error) == NULL) {
192 snprintf(message, length, "external password quality "
193 "program failed without error");
194
195 } else {
196 reply[strcspn(reply, "\n")] = '\0';
197 snprintf(message, length, "External password quality "
198 "program failed: %s", reply);
199 }
200
201 fclose(out);
202 fclose(error);
203 wait_for_process(child);
204 return 1;
205 }
206 reply[strcspn(reply, "\n")] = '\0';
207
208 fclose(out);
209 fclose(error);
210
211 status = wait_for_process(child);
212
213 if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) {
214 snprintf(message, length, "external program failed: %s", reply);
215 free(p);
216 return 1;
217 }
218
219 if (strcmp(reply, "APPROVED") != 0) {
220 snprintf(message, length, "%s", reply);
221 free(p);
222 return 1;
223 }
224
225 free(p);
226
227 return 0;
228 }
229
230
231 static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
232 min_length_passwd_quality_v0;
233
234 struct kadm5_pw_policy_check_func builtin_funcs[] = {
235 { "minimum-length", min_length_passwd_quality },
236 { "character-class", char_class_passwd_quality },
237 { "external-check", external_passwd_quality },
238 { NULL, NULL }
239 };
240 struct kadm5_pw_policy_verifier builtin_verifier = {
241 "builtin",
242 KADM5_PASSWD_VERSION_V1,
243 "Heimdal builtin",
244 builtin_funcs
245 };
246
247 static struct kadm5_pw_policy_verifier **verifiers;
248 static int num_verifiers;
249
250 /*
251 * setup the password quality hook
252 */
253
254 #ifndef RTLD_NOW
255 #define RTLD_NOW 0
256 #endif
257
258 void
kadm5_setup_passwd_quality_check(krb5_context context,const char * check_library,const char * check_function)259 kadm5_setup_passwd_quality_check(krb5_context context,
260 const char *check_library,
261 const char *check_function)
262 {
263 #ifdef HAVE_DLOPEN
264 void *handle;
265 void *sym;
266 int *version;
267 const char *tmp;
268
269 if(check_library == NULL) {
270 tmp = krb5_config_get_string(context, NULL,
271 "password_quality",
272 "check_library",
273 NULL);
274 if(tmp != NULL)
275 check_library = tmp;
276 }
277 if(check_function == NULL) {
278 tmp = krb5_config_get_string(context, NULL,
279 "password_quality",
280 "check_function",
281 NULL);
282 if(tmp != NULL)
283 check_function = tmp;
284 }
285 if(check_library != NULL && check_function == NULL)
286 check_function = "passwd_check";
287
288 if(check_library == NULL)
289 return;
290 handle = dlopen(check_library, RTLD_NOW);
291 if(handle == NULL) {
292 krb5_warnx(context, "failed to open `%s'", check_library);
293 return;
294 }
295 version = (int *) dlsym(handle, "version");
296 if(version == NULL) {
297 krb5_warnx(context,
298 "didn't find `version' symbol in `%s'", check_library);
299 dlclose(handle);
300 return;
301 }
302 if(*version != KADM5_PASSWD_VERSION_V0) {
303 krb5_warnx(context,
304 "version of loaded library is %d (expected %d)",
305 *version, KADM5_PASSWD_VERSION_V0);
306 dlclose(handle);
307 return;
308 }
309 sym = dlsym(handle, check_function);
310 if(sym == NULL) {
311 krb5_warnx(context,
312 "didn't find `%s' symbol in `%s'",
313 check_function, check_library);
314 dlclose(handle);
315 return;
316 }
317 passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
318 #endif /* HAVE_DLOPEN */
319 }
320
321 #ifdef HAVE_DLOPEN
322
323 static krb5_error_code
add_verifier(krb5_context context,const char * check_library)324 add_verifier(krb5_context context, const char *check_library)
325 {
326 struct kadm5_pw_policy_verifier *v, **tmp;
327 void *handle;
328 int i;
329
330 handle = dlopen(check_library, RTLD_NOW);
331 if(handle == NULL) {
332 krb5_warnx(context, "failed to open `%s'", check_library);
333 return ENOENT;
334 }
335 v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier");
336 if(v == NULL) {
337 krb5_warnx(context,
338 "didn't find `kadm5_password_verifier' symbol "
339 "in `%s'", check_library);
340 dlclose(handle);
341 return ENOENT;
342 }
343 if(v->version != KADM5_PASSWD_VERSION_V1) {
344 krb5_warnx(context,
345 "version of loaded library is %d (expected %d)",
346 v->version, KADM5_PASSWD_VERSION_V1);
347 dlclose(handle);
348 return EINVAL;
349 }
350 for (i = 0; i < num_verifiers; i++) {
351 if (strcmp(v->name, verifiers[i]->name) == 0)
352 break;
353 }
354 if (i < num_verifiers) {
355 krb5_warnx(context, "password verifier library `%s' is already loaded",
356 v->name);
357 dlclose(handle);
358 return 0;
359 }
360
361 tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
362 if (tmp == NULL) {
363 krb5_warnx(context, "out of memory");
364 dlclose(handle);
365 return 0;
366 }
367 verifiers = tmp;
368 verifiers[num_verifiers] = v;
369 num_verifiers++;
370
371 return 0;
372 }
373
374 #endif
375
376 krb5_error_code
kadm5_add_passwd_quality_verifier(krb5_context context,const char * check_library)377 kadm5_add_passwd_quality_verifier(krb5_context context,
378 const char *check_library)
379 {
380 #ifdef HAVE_DLOPEN
381
382 if(check_library == NULL) {
383 krb5_error_code ret;
384 char **tmp;
385
386 tmp = krb5_config_get_strings(context, NULL,
387 "password_quality",
388 "policy_libraries",
389 NULL);
390 if(tmp == NULL || *tmp == NULL)
391 return 0;
392
393 while (*tmp) {
394 ret = add_verifier(context, *tmp);
395 if (ret)
396 return ret;
397 tmp++;
398 }
399 return 0;
400 } else {
401 return add_verifier(context, check_library);
402 }
403 #else
404 return 0;
405 #endif /* HAVE_DLOPEN */
406 }
407
408 /*
409 *
410 */
411
412 static const struct kadm5_pw_policy_check_func *
find_func(krb5_context context,const char * name)413 find_func(krb5_context context, const char *name)
414 {
415 const struct kadm5_pw_policy_check_func *f;
416 char *module = NULL;
417 const char *p, *func;
418 int i;
419
420 p = strchr(name, ':');
421 if (p) {
422 size_t len = p - name + 1;
423 func = p + 1;
424 module = malloc(len);
425 if (module == NULL)
426 return NULL;
427 strlcpy(module, name, len);
428 } else
429 func = name;
430
431 /* Find module in loaded modules first */
432 for (i = 0; i < num_verifiers; i++) {
433 if (module && strcmp(module, verifiers[i]->name) != 0)
434 continue;
435 for (f = verifiers[i]->funcs; f->name ; f++)
436 if (strcmp(func, f->name) == 0) {
437 if (module)
438 free(module);
439 return f;
440 }
441 }
442 /* Lets try try the builtin modules */
443 if (module == NULL || strcmp(module, "builtin") == 0) {
444 for (f = builtin_verifier.funcs; f->name ; f++)
445 if (strcmp(func, f->name) == 0) {
446 if (module)
447 free(module);
448 return f;
449 }
450 }
451 if (module)
452 free(module);
453 return NULL;
454 }
455
456 const char *
kadm5_check_password_quality(krb5_context context,krb5_principal principal,krb5_data * pwd_data)457 kadm5_check_password_quality (krb5_context context,
458 krb5_principal principal,
459 krb5_data *pwd_data)
460 {
461 const struct kadm5_pw_policy_check_func *proc;
462 static char error_msg[1024];
463 const char *msg;
464 char **v, **vp;
465 int ret;
466
467 /*
468 * Check if we should use the old version of policy function.
469 */
470
471 v = krb5_config_get_strings(context, NULL,
472 "password_quality",
473 "policies",
474 NULL);
475 if (v == NULL) {
476 msg = (*passwd_quality_check) (context, principal, pwd_data);
477 if (msg)
478 krb5_set_error_message(context, 0, "password policy failed: %s", msg);
479 return msg;
480 }
481
482 error_msg[0] = '\0';
483
484 msg = NULL;
485 for(vp = v; *vp; vp++) {
486 proc = find_func(context, *vp);
487 if (proc == NULL) {
488 msg = "failed to find password verifier function";
489 krb5_set_error_message(context, 0, "Failed to find password policy "
490 "function: %s", *vp);
491 break;
492 }
493 ret = (proc->func)(context, principal, pwd_data, NULL,
494 error_msg, sizeof(error_msg));
495 if (ret) {
496 krb5_set_error_message(context, 0, "Password policy "
497 "%s failed with %s",
498 proc->name, error_msg);
499 msg = error_msg;
500 break;
501 }
502 }
503 krb5_config_free_strings(v);
504
505 /* If the default quality check isn't used, lets check that the
506 * old quality function the user have set too */
507 if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
508 msg = (*passwd_quality_check) (context, principal, pwd_data);
509 if (msg)
510 krb5_set_error_message(context, 0, "(old) password policy "
511 "failed with %s", msg);
512
513 }
514 return msg;
515 }
516