Sync usage with man page.
[netbsd-mini2440.git] / crypto / dist / heimdal / lib / kadm5 / password_quality.c
blob62832190553449c7927777d210edd0a8e6f8ccbb
1 /*
2 * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
37 __RCSID("$Heimdal: password_quality.c 17595 2006-05-30 21:51:55Z lha $"
38 "$NetBSD$");
40 #ifdef HAVE_SYS_WAIT_H
41 #include <sys/wait.h>
42 #endif
43 #ifdef HAVE_DLFCN_H
44 #include <dlfcn.h>
45 #endif
47 static int
48 min_length_passwd_quality (krb5_context context,
49 krb5_principal principal,
50 krb5_data *pwd,
51 const char *opaque,
52 char *message,
53 size_t length)
55 uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
56 "password_quality",
57 "min_length",
58 NULL);
60 if (pwd->length < min_length) {
61 strlcpy(message, "Password too short", length);
62 return 1;
63 } else
64 return 0;
67 static const char *
68 min_length_passwd_quality_v0 (krb5_context context,
69 krb5_principal principal,
70 krb5_data *pwd)
72 static char message[1024];
73 int ret;
75 message[0] = '\0';
77 ret = min_length_passwd_quality(context, principal, pwd, NULL,
78 message, sizeof(message));
79 if (ret)
80 return message;
81 return NULL;
85 static int
86 char_class_passwd_quality (krb5_context context,
87 krb5_principal principal,
88 krb5_data *pwd,
89 const char *opaque,
90 char *message,
91 size_t length)
93 const char *classes[] = {
94 "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
95 "abcdefghijklmnopqrstuvwxyz",
96 "1234567890",
97 "!@#$%^&*()/?<>,.{[]}\\|'~`\" "
99 int i, counter = 0, req_classes;
100 size_t len;
101 char *pw;
103 req_classes = krb5_config_get_int_default(context, NULL, 3,
104 "password_quality",
105 "min_classes",
106 NULL);
108 len = pwd->length + 1;
109 pw = malloc(len);
110 if (pw == NULL) {
111 strlcpy(message, "out of memory", length);
112 return 1;
114 strlcpy(pw, pwd->data, len);
115 len = strlen(pw);
117 for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
118 if (strcspn(pw, classes[i]) < len)
119 counter++;
121 memset(pw, 0, pwd->length + 1);
122 free(pw);
123 if (counter < req_classes) {
124 snprintf(message, length,
125 "Password doesn't meet complexity requirement.\n"
126 "Add more characters from the following classes:\n"
127 "1. English uppercase characters (A through Z)\n"
128 "2. English lowercase characters (a through z)\n"
129 "3. Base 10 digits (0 through 9)\n"
130 "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
131 return 1;
133 return 0;
136 static int
137 external_passwd_quality (krb5_context context,
138 krb5_principal principal,
139 krb5_data *pwd,
140 const char *opaque,
141 char *message,
142 size_t length)
144 krb5_error_code ret;
145 const char *program;
146 char *p;
147 pid_t child;
148 int status;
149 char reply[1024];
150 FILE *in = NULL, *out = NULL, *error = NULL;
152 if (memchr(pwd->data, pwd->length, '\n') != NULL) {
153 snprintf(message, length, "password contains newline, "
154 "not valid for external test");
155 return 1;
158 program = krb5_config_get_string(context, NULL,
159 "password_quality",
160 "external_program",
161 NULL);
162 if (program == NULL) {
163 snprintf(message, length, "external password quality "
164 "program not configured");
165 return 1;
168 ret = krb5_unparse_name(context, principal, &p);
169 if (ret) {
170 strlcpy(message, "out of memory", length);
171 return 1;
174 child = pipe_execv(&in, &out, &error, program, p, NULL);
175 if (child < 0) {
176 snprintf(message, length, "external password quality "
177 "program failed to execute for principal %s", p);
178 free(p);
179 return 1;
182 fprintf(in, "principal: %s\n"
183 "new-password: %.*s\n"
184 "end\n",
185 p, (int)pwd->length, (char *)pwd->data);
187 fclose(in);
189 if (fgets(reply, sizeof(reply), out) == NULL) {
191 if (fgets(reply, sizeof(reply), error) == NULL) {
192 snprintf(message, length, "external password quality "
193 "program failed without error");
195 } else {
196 reply[strcspn(reply, "\n")] = '\0';
197 snprintf(message, length, "External password quality "
198 "program failed: %s", reply);
201 fclose(out);
202 fclose(error);
203 waitpid(child, &status, 0);
204 return 1;
206 reply[strcspn(reply, "\n")] = '\0';
208 fclose(out);
209 fclose(error);
211 if (waitpid(child, &status, 0) < 0) {
212 snprintf(message, length, "external program failed: %s", reply);
213 free(p);
214 return 1;
216 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
217 snprintf(message, length, "external program failed: %s", reply);
218 free(p);
219 return 1;
222 if (strcmp(reply, "APPROVED") != 0) {
223 snprintf(message, length, "%s", reply);
224 free(p);
225 return 1;
228 free(p);
230 return 0;
234 static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
235 min_length_passwd_quality_v0;
237 struct kadm5_pw_policy_check_func builtin_funcs[] = {
238 { "minimum-length", min_length_passwd_quality },
239 { "character-class", char_class_passwd_quality },
240 { "external-check", external_passwd_quality },
241 { NULL }
243 struct kadm5_pw_policy_verifier builtin_verifier = {
244 "builtin",
245 KADM5_PASSWD_VERSION_V1,
246 "Heimdal builtin",
247 builtin_funcs
250 static struct kadm5_pw_policy_verifier **verifiers;
251 static int num_verifiers;
254 * setup the password quality hook
257 #ifndef RTLD_NOW
258 #define RTLD_NOW 0
259 #endif
261 void
262 kadm5_setup_passwd_quality_check(krb5_context context,
263 const char *check_library,
264 const char *check_function)
266 #ifdef HAVE_DLOPEN
267 void *handle;
268 void *sym;
269 int *version;
270 const char *tmp;
272 if(check_library == NULL) {
273 tmp = krb5_config_get_string(context, NULL,
274 "password_quality",
275 "check_library",
276 NULL);
277 if(tmp != NULL)
278 check_library = tmp;
280 if(check_function == NULL) {
281 tmp = krb5_config_get_string(context, NULL,
282 "password_quality",
283 "check_function",
284 NULL);
285 if(tmp != NULL)
286 check_function = tmp;
288 if(check_library != NULL && check_function == NULL)
289 check_function = "passwd_check";
291 if(check_library == NULL)
292 return;
293 handle = dlopen(check_library, RTLD_NOW);
294 if(handle == NULL) {
295 krb5_warnx(context, "failed to open `%s'", check_library);
296 return;
298 version = dlsym(handle, "version");
299 if(version == NULL) {
300 krb5_warnx(context,
301 "didn't find `version' symbol in `%s'", check_library);
302 dlclose(handle);
303 return;
305 if(*version != KADM5_PASSWD_VERSION_V0) {
306 krb5_warnx(context,
307 "version of loaded library is %d (expected %d)",
308 *version, KADM5_PASSWD_VERSION_V0);
309 dlclose(handle);
310 return;
312 sym = dlsym(handle, check_function);
313 if(sym == NULL) {
314 krb5_warnx(context,
315 "didn't find `%s' symbol in `%s'",
316 check_function, check_library);
317 dlclose(handle);
318 return;
320 passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
321 #endif /* HAVE_DLOPEN */
324 #ifdef HAVE_DLOPEN
326 static krb5_error_code
327 add_verifier(krb5_context context, const char *check_library)
329 struct kadm5_pw_policy_verifier *v, **tmp;
330 void *handle;
331 int i;
333 handle = dlopen(check_library, RTLD_NOW);
334 if(handle == NULL) {
335 krb5_warnx(context, "failed to open `%s'", check_library);
336 return ENOENT;
338 v = dlsym(handle, "kadm5_password_verifier");
339 if(v == NULL) {
340 krb5_warnx(context,
341 "didn't find `kadm5_password_verifier' symbol "
342 "in `%s'", check_library);
343 dlclose(handle);
344 return ENOENT;
346 if(v->version != KADM5_PASSWD_VERSION_V1) {
347 krb5_warnx(context,
348 "version of loaded library is %d (expected %d)",
349 v->version, KADM5_PASSWD_VERSION_V1);
350 dlclose(handle);
351 return EINVAL;
353 for (i = 0; i < num_verifiers; i++) {
354 if (strcmp(v->name, verifiers[i]->name) == 0)
355 break;
357 if (i < num_verifiers) {
358 krb5_warnx(context, "password verifier library `%s' is already loaded",
359 v->name);
360 dlclose(handle);
361 return 0;
364 tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
365 if (tmp == NULL) {
366 krb5_warnx(context, "out of memory");
367 dlclose(handle);
368 return 0;
370 verifiers = tmp;
371 verifiers[num_verifiers] = v;
372 num_verifiers++;
374 return 0;
377 #endif
379 krb5_error_code
380 kadm5_add_passwd_quality_verifier(krb5_context context,
381 const char *check_library)
383 #ifdef HAVE_DLOPEN
385 if(check_library == NULL) {
386 krb5_error_code ret;
387 char **tmp;
389 tmp = krb5_config_get_strings(context, NULL,
390 "password_quality",
391 "policy_libraries",
392 NULL);
393 if(tmp == NULL)
394 return 0;
396 while(tmp) {
397 ret = add_verifier(context, *tmp);
398 if (ret)
399 return ret;
400 tmp++;
403 return add_verifier(context, check_library);
404 #else
405 return 0;
406 #endif /* HAVE_DLOPEN */
413 static const struct kadm5_pw_policy_check_func *
414 find_func(krb5_context context, const char *name)
416 const struct kadm5_pw_policy_check_func *f;
417 char *module = NULL;
418 const char *p, *func;
419 int i;
421 p = strchr(name, ':');
422 if (p) {
423 func = p + 1;
424 module = strndup(name, p - name);
425 if (module == NULL)
426 return NULL;
427 } else
428 func = name;
430 /* Find module in loaded modules first */
431 for (i = 0; i < num_verifiers; i++) {
432 if (module && strcmp(module, verifiers[i]->name) != 0)
433 continue;
434 for (f = verifiers[i]->funcs; f->name ; f++)
435 if (strcmp(name, f->name) == 0) {
436 if (module)
437 free(module);
438 return f;
441 /* Lets try try the builtin modules */
442 if (module == NULL || strcmp(module, "builtin") == 0) {
443 for (f = builtin_verifier.funcs; f->name ; f++)
444 if (strcmp(func, f->name) == 0) {
445 if (module)
446 free(module);
447 return f;
450 if (module)
451 free(module);
452 return NULL;
455 const char *
456 kadm5_check_password_quality (krb5_context context,
457 krb5_principal principal,
458 krb5_data *pwd_data)
460 const struct kadm5_pw_policy_check_func *proc;
461 static char error_msg[1024];
462 const char *msg;
463 char **v, **vp;
464 int ret;
467 * Check if we should use the old version of policy function.
470 v = krb5_config_get_strings(context, NULL,
471 "password_quality",
472 "policies",
473 NULL);
474 if (v == NULL) {
475 msg = (*passwd_quality_check) (context, principal, pwd_data);
476 krb5_set_error_string(context, "password policy failed: %s", msg);
477 return msg;
480 error_msg[0] = '\0';
482 msg = NULL;
483 for(vp = v; *vp; vp++) {
484 proc = find_func(context, *vp);
485 if (proc == NULL) {
486 msg = "failed to find password verifier function";
487 krb5_set_error_string(context, "Failed to find password policy "
488 "function: %s", *vp);
489 break;
491 ret = (proc->func)(context, principal, pwd_data, NULL,
492 error_msg, sizeof(error_msg));
493 if (ret) {
494 krb5_set_error_string(context, "Password policy "
495 "%s failed with %s",
496 proc->name, error_msg);
497 msg = error_msg;
498 break;
501 krb5_config_free_strings(v);
503 /* If the default quality check isn't used, lets check that the
504 * old quality function the user have set too */
505 if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
506 msg = (*passwd_quality_check) (context, principal, pwd_data);
507 if (msg)
508 krb5_set_error_string(context, "(old) password policy "
509 "failed with %s", msg);
512 return msg;