1 /* $NetBSD: password_quality.c,v 1.1.1.2 2014/04/24 12:45:49 pettai Exp $ */ 2 3 /* 4 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan 5 * (Royal Institute of Technology, Stockholm, Sweden). 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "kadm5_locl.h" 37 #include "kadm5-pwcheck.h" 38 39 #ifdef HAVE_SYS_WAIT_H 40 #include <sys/wait.h> 41 #endif 42 #ifdef HAVE_DLFCN_H 43 #include <dlfcn.h> 44 #endif 45 46 static int 47 min_length_passwd_quality (krb5_context context, 48 krb5_principal principal, 49 krb5_data *pwd, 50 const char *opaque, 51 char *message, 52 size_t length) 53 { 54 uint32_t min_length = krb5_config_get_int_default(context, NULL, 6, 55 "password_quality", 56 "min_length", 57 NULL); 58 59 if (pwd->length < min_length) { 60 strlcpy(message, "Password too short", length); 61 return 1; 62 } else 63 return 0; 64 } 65 66 static const char * 67 min_length_passwd_quality_v0 (krb5_context context, 68 krb5_principal principal, 69 krb5_data *pwd) 70 { 71 static char message[1024]; 72 int ret; 73 74 message[0] = '\0'; 75 76 ret = min_length_passwd_quality(context, principal, pwd, NULL, 77 message, sizeof(message)); 78 if (ret) 79 return message; 80 return NULL; 81 } 82 83 84 static int 85 char_class_passwd_quality (krb5_context context, 86 krb5_principal principal, 87 krb5_data *pwd, 88 const char *opaque, 89 char *message, 90 size_t length) 91 { 92 const char *classes[] = { 93 "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 94 "abcdefghijklmnopqrstuvwxyz", 95 "1234567890", 96 " !\"#$%&'()*+,-./:;<=>?@\\]^_`{|}~" 97 }; 98 int counter = 0, req_classes; 99 size_t i, len; 100 char *pw; 101 102 req_classes = krb5_config_get_int_default(context, NULL, 3, 103 "password_quality", 104 "min_classes", 105 NULL); 106 107 len = pwd->length + 1; 108 pw = malloc(len); 109 if (pw == NULL) { 110 strlcpy(message, "out of memory", length); 111 return 1; 112 } 113 strlcpy(pw, pwd->data, len); 114 len = strlen(pw); 115 116 for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) { 117 if (strcspn(pw, classes[i]) < len) 118 counter++; 119 } 120 memset(pw, 0, pwd->length + 1); 121 free(pw); 122 if (counter < req_classes) { 123 snprintf(message, length, 124 "Password doesn't meet complexity requirement.\n" 125 "Add more characters from at least %d of the\n" 126 "following classes:\n" 127 "1. English uppercase characters (A through Z)\n" 128 "2. English lowercase characters (a through z)\n" 129 "3. Base 10 digits (0 through 9)\n" 130 "4. Nonalphanumeric characters (e.g., !, $, #, %%)", req_classes); 131 return 1; 132 } 133 return 0; 134 } 135 136 static int 137 external_passwd_quality (krb5_context context, 138 krb5_principal principal, 139 krb5_data *pwd, 140 const char *opaque, 141 char *message, 142 size_t length) 143 { 144 krb5_error_code ret; 145 const char *program; 146 char *p; 147 pid_t child; 148 int status; 149 char reply[1024]; 150 FILE *in = NULL, *out = NULL, *error = NULL; 151 152 if (memchr(pwd->data, '\n', pwd->length) != NULL) { 153 snprintf(message, length, "password contains newline, " 154 "not valid for external test"); 155 return 1; 156 } 157 158 program = krb5_config_get_string(context, NULL, 159 "password_quality", 160 "external_program", 161 NULL); 162 if (program == NULL) { 163 snprintf(message, length, "external password quality " 164 "program not configured"); 165 return 1; 166 } 167 168 ret = krb5_unparse_name(context, principal, &p); 169 if (ret) { 170 strlcpy(message, "out of memory", length); 171 return 1; 172 } 173 174 child = pipe_execv(&in, &out, &error, program, program, p, NULL); 175 if (child < 0) { 176 snprintf(message, length, "external password quality " 177 "program failed to execute for principal %s", p); 178 free(p); 179 return 1; 180 } 181 182 fprintf(in, "principal: %s\n" 183 "new-password: %.*s\n" 184 "end\n", 185 p, (int)pwd->length, (char *)pwd->data); 186 187 fclose(in); 188 189 if (fgets(reply, sizeof(reply), out) == NULL) { 190 191 if (fgets(reply, sizeof(reply), error) == NULL) { 192 snprintf(message, length, "external password quality " 193 "program failed without error"); 194 195 } else { 196 reply[strcspn(reply, "\n")] = '\0'; 197 snprintf(message, length, "External password quality " 198 "program failed: %s", reply); 199 } 200 201 fclose(out); 202 fclose(error); 203 wait_for_process(child); 204 return 1; 205 } 206 reply[strcspn(reply, "\n")] = '\0'; 207 208 fclose(out); 209 fclose(error); 210 211 status = wait_for_process(child); 212 213 if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) { 214 snprintf(message, length, "external program failed: %s", reply); 215 free(p); 216 return 1; 217 } 218 219 if (strcmp(reply, "APPROVED") != 0) { 220 snprintf(message, length, "%s", reply); 221 free(p); 222 return 1; 223 } 224 225 free(p); 226 227 return 0; 228 } 229 230 231 static kadm5_passwd_quality_check_func_v0 passwd_quality_check = 232 min_length_passwd_quality_v0; 233 234 struct kadm5_pw_policy_check_func builtin_funcs[] = { 235 { "minimum-length", min_length_passwd_quality }, 236 { "character-class", char_class_passwd_quality }, 237 { "external-check", external_passwd_quality }, 238 { NULL, NULL } 239 }; 240 struct kadm5_pw_policy_verifier builtin_verifier = { 241 "builtin", 242 KADM5_PASSWD_VERSION_V1, 243 "Heimdal builtin", 244 builtin_funcs 245 }; 246 247 static struct kadm5_pw_policy_verifier **verifiers; 248 static int num_verifiers; 249 250 /* 251 * setup the password quality hook 252 */ 253 254 #ifndef RTLD_NOW 255 #define RTLD_NOW 0 256 #endif 257 258 void 259 kadm5_setup_passwd_quality_check(krb5_context context, 260 const char *check_library, 261 const char *check_function) 262 { 263 #ifdef HAVE_DLOPEN 264 void *handle; 265 void *sym; 266 int *version; 267 const char *tmp; 268 269 if(check_library == NULL) { 270 tmp = krb5_config_get_string(context, NULL, 271 "password_quality", 272 "check_library", 273 NULL); 274 if(tmp != NULL) 275 check_library = tmp; 276 } 277 if(check_function == NULL) { 278 tmp = krb5_config_get_string(context, NULL, 279 "password_quality", 280 "check_function", 281 NULL); 282 if(tmp != NULL) 283 check_function = tmp; 284 } 285 if(check_library != NULL && check_function == NULL) 286 check_function = "passwd_check"; 287 288 if(check_library == NULL) 289 return; 290 handle = dlopen(check_library, RTLD_NOW); 291 if(handle == NULL) { 292 krb5_warnx(context, "failed to open `%s'", check_library); 293 return; 294 } 295 version = (int *) dlsym(handle, "version"); 296 if(version == NULL) { 297 krb5_warnx(context, 298 "didn't find `version' symbol in `%s'", check_library); 299 dlclose(handle); 300 return; 301 } 302 if(*version != KADM5_PASSWD_VERSION_V0) { 303 krb5_warnx(context, 304 "version of loaded library is %d (expected %d)", 305 *version, KADM5_PASSWD_VERSION_V0); 306 dlclose(handle); 307 return; 308 } 309 sym = dlsym(handle, check_function); 310 if(sym == NULL) { 311 krb5_warnx(context, 312 "didn't find `%s' symbol in `%s'", 313 check_function, check_library); 314 dlclose(handle); 315 return; 316 } 317 passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym; 318 #endif /* HAVE_DLOPEN */ 319 } 320 321 #ifdef HAVE_DLOPEN 322 323 static krb5_error_code 324 add_verifier(krb5_context context, const char *check_library) 325 { 326 struct kadm5_pw_policy_verifier *v, **tmp; 327 void *handle; 328 int i; 329 330 handle = dlopen(check_library, RTLD_NOW); 331 if(handle == NULL) { 332 krb5_warnx(context, "failed to open `%s'", check_library); 333 return ENOENT; 334 } 335 v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier"); 336 if(v == NULL) { 337 krb5_warnx(context, 338 "didn't find `kadm5_password_verifier' symbol " 339 "in `%s'", check_library); 340 dlclose(handle); 341 return ENOENT; 342 } 343 if(v->version != KADM5_PASSWD_VERSION_V1) { 344 krb5_warnx(context, 345 "version of loaded library is %d (expected %d)", 346 v->version, KADM5_PASSWD_VERSION_V1); 347 dlclose(handle); 348 return EINVAL; 349 } 350 for (i = 0; i < num_verifiers; i++) { 351 if (strcmp(v->name, verifiers[i]->name) == 0) 352 break; 353 } 354 if (i < num_verifiers) { 355 krb5_warnx(context, "password verifier library `%s' is already loaded", 356 v->name); 357 dlclose(handle); 358 return 0; 359 } 360 361 tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers)); 362 if (tmp == NULL) { 363 krb5_warnx(context, "out of memory"); 364 dlclose(handle); 365 return 0; 366 } 367 verifiers = tmp; 368 verifiers[num_verifiers] = v; 369 num_verifiers++; 370 371 return 0; 372 } 373 374 #endif 375 376 krb5_error_code 377 kadm5_add_passwd_quality_verifier(krb5_context context, 378 const char *check_library) 379 { 380 #ifdef HAVE_DLOPEN 381 382 if(check_library == NULL) { 383 krb5_error_code ret; 384 char **tmp; 385 386 tmp = krb5_config_get_strings(context, NULL, 387 "password_quality", 388 "policy_libraries", 389 NULL); 390 if(tmp == NULL || *tmp == NULL) 391 return 0; 392 393 while (*tmp) { 394 ret = add_verifier(context, *tmp); 395 if (ret) 396 return ret; 397 tmp++; 398 } 399 return 0; 400 } else { 401 return add_verifier(context, check_library); 402 } 403 #else 404 return 0; 405 #endif /* HAVE_DLOPEN */ 406 } 407 408 /* 409 * 410 */ 411 412 static const struct kadm5_pw_policy_check_func * 413 find_func(krb5_context context, const char *name) 414 { 415 const struct kadm5_pw_policy_check_func *f; 416 char *module = NULL; 417 const char *p, *func; 418 int i; 419 420 p = strchr(name, ':'); 421 if (p) { 422 size_t len = p - name + 1; 423 func = p + 1; 424 module = malloc(len); 425 if (module == NULL) 426 return NULL; 427 strlcpy(module, name, len); 428 } else 429 func = name; 430 431 /* Find module in loaded modules first */ 432 for (i = 0; i < num_verifiers; i++) { 433 if (module && strcmp(module, verifiers[i]->name) != 0) 434 continue; 435 for (f = verifiers[i]->funcs; f->name ; f++) 436 if (strcmp(func, f->name) == 0) { 437 if (module) 438 free(module); 439 return f; 440 } 441 } 442 /* Lets try try the builtin modules */ 443 if (module == NULL || strcmp(module, "builtin") == 0) { 444 for (f = builtin_verifier.funcs; f->name ; f++) 445 if (strcmp(func, f->name) == 0) { 446 if (module) 447 free(module); 448 return f; 449 } 450 } 451 if (module) 452 free(module); 453 return NULL; 454 } 455 456 const char * 457 kadm5_check_password_quality (krb5_context context, 458 krb5_principal principal, 459 krb5_data *pwd_data) 460 { 461 const struct kadm5_pw_policy_check_func *proc; 462 static char error_msg[1024]; 463 const char *msg; 464 char **v, **vp; 465 int ret; 466 467 /* 468 * Check if we should use the old version of policy function. 469 */ 470 471 v = krb5_config_get_strings(context, NULL, 472 "password_quality", 473 "policies", 474 NULL); 475 if (v == NULL) { 476 msg = (*passwd_quality_check) (context, principal, pwd_data); 477 if (msg) 478 krb5_set_error_message(context, 0, "password policy failed: %s", msg); 479 return msg; 480 } 481 482 error_msg[0] = '\0'; 483 484 msg = NULL; 485 for(vp = v; *vp; vp++) { 486 proc = find_func(context, *vp); 487 if (proc == NULL) { 488 msg = "failed to find password verifier function"; 489 krb5_set_error_message(context, 0, "Failed to find password policy " 490 "function: %s", *vp); 491 break; 492 } 493 ret = (proc->func)(context, principal, pwd_data, NULL, 494 error_msg, sizeof(error_msg)); 495 if (ret) { 496 krb5_set_error_message(context, 0, "Password policy " 497 "%s failed with %s", 498 proc->name, error_msg); 499 msg = error_msg; 500 break; 501 } 502 } 503 krb5_config_free_strings(v); 504 505 /* If the default quality check isn't used, lets check that the 506 * old quality function the user have set too */ 507 if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) { 508 msg = (*passwd_quality_check) (context, principal, pwd_data); 509 if (msg) 510 krb5_set_error_message(context, 0, "(old) password policy " 511 "failed with %s", msg); 512 513 } 514 return msg; 515 } 516