xref: /freebsd/crypto/heimdal/lib/kadm5/password_quality.c (revision 87c1627502a5dde91e5284118eec8682b60f27a2)
1 /*
2  * Copyright (c) 1997-2000, 2003-2005 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kadm5_locl.h"
35 #include "kadm5-pwcheck.h"
36 
37 #ifdef HAVE_SYS_WAIT_H
38 #include <sys/wait.h>
39 #endif
40 #ifdef HAVE_DLFCN_H
41 #include <dlfcn.h>
42 #endif
43 
44 static int
45 min_length_passwd_quality (krb5_context context,
46 			   krb5_principal principal,
47 			   krb5_data *pwd,
48 			   const char *opaque,
49 			   char *message,
50 			   size_t length)
51 {
52     uint32_t min_length = krb5_config_get_int_default(context, NULL, 6,
53 						      "password_quality",
54 						      "min_length",
55 						      NULL);
56 
57     if (pwd->length < min_length) {
58 	strlcpy(message, "Password too short", length);
59 	return 1;
60     } else
61 	return 0;
62 }
63 
64 static const char *
65 min_length_passwd_quality_v0 (krb5_context context,
66 			      krb5_principal principal,
67 			      krb5_data *pwd)
68 {
69     static char message[1024];
70     int ret;
71 
72     message[0] = '\0';
73 
74     ret = min_length_passwd_quality(context, principal, pwd, NULL,
75 				    message, sizeof(message));
76     if (ret)
77 	return message;
78     return NULL;
79 }
80 
81 
82 static int
83 char_class_passwd_quality (krb5_context context,
84 			   krb5_principal principal,
85 			   krb5_data *pwd,
86 			   const char *opaque,
87 			   char *message,
88 			   size_t length)
89 {
90     const char *classes[] = {
91 	"ABCDEFGHIJKLMNOPQRSTUVWXYZ",
92 	"abcdefghijklmnopqrstuvwxyz",
93 	"1234567890",
94 	"!@#$%^&*()/?<>,.{[]}\\|'~`\" "
95     };
96     int counter = 0, req_classes;
97     size_t i, len;
98     char *pw;
99 
100     req_classes = krb5_config_get_int_default(context, NULL, 3,
101 					      "password_quality",
102 					      "min_classes",
103 					      NULL);
104 
105     len = pwd->length + 1;
106     pw = malloc(len);
107     if (pw == NULL) {
108 	strlcpy(message, "out of memory", length);
109 	return 1;
110     }
111     strlcpy(pw, pwd->data, len);
112     len = strlen(pw);
113 
114     for (i = 0; i < sizeof(classes)/sizeof(classes[0]); i++) {
115 	if (strcspn(pw, classes[i]) < len)
116 	    counter++;
117     }
118     memset(pw, 0, pwd->length + 1);
119     free(pw);
120     if (counter < req_classes) {
121 	snprintf(message, length,
122 	    "Password doesn't meet complexity requirement.\n"
123 	    "Add more characters from the following classes:\n"
124 	    "1. English uppercase characters (A through Z)\n"
125 	    "2. English lowercase characters (a through z)\n"
126 	    "3. Base 10 digits (0 through 9)\n"
127 	    "4. Nonalphanumeric characters (e.g., !, $, #, %%)");
128 	return 1;
129     }
130     return 0;
131 }
132 
133 static int
134 external_passwd_quality (krb5_context context,
135 			 krb5_principal principal,
136 			 krb5_data *pwd,
137 			 const char *opaque,
138 			 char *message,
139 			 size_t length)
140 {
141     krb5_error_code ret;
142     const char *program;
143     char *p;
144     pid_t child;
145     int status;
146     char reply[1024];
147     FILE *in = NULL, *out = NULL, *error = NULL;
148 
149     if (memchr(pwd->data, '\n', pwd->length) != NULL) {
150 	snprintf(message, length, "password contains newline, "
151 		 "not valid for external test");
152 	return 1;
153     }
154 
155     program = krb5_config_get_string(context, NULL,
156 				     "password_quality",
157 				     "external_program",
158 				     NULL);
159     if (program == NULL) {
160 	snprintf(message, length, "external password quality "
161 		 "program not configured");
162 	return 1;
163     }
164 
165     ret = krb5_unparse_name(context, principal, &p);
166     if (ret) {
167 	strlcpy(message, "out of memory", length);
168 	return 1;
169     }
170 
171     child = pipe_execv(&in, &out, &error, program, program, p, NULL);
172     if (child < 0) {
173 	snprintf(message, length, "external password quality "
174 		 "program failed to execute for principal %s", p);
175 	free(p);
176 	return 1;
177     }
178 
179     fprintf(in, "principal: %s\n"
180 	    "new-password: %.*s\n"
181 	    "end\n",
182 	    p, (int)pwd->length, (char *)pwd->data);
183 
184     fclose(in);
185 
186     if (fgets(reply, sizeof(reply), out) == NULL) {
187 
188 	if (fgets(reply, sizeof(reply), error) == NULL) {
189 	    snprintf(message, length, "external password quality "
190 		     "program failed without error");
191 
192 	} else {
193 	    reply[strcspn(reply, "\n")] = '\0';
194 	    snprintf(message, length, "External password quality "
195 		     "program failed: %s", reply);
196 	}
197 
198 	fclose(out);
199 	fclose(error);
200 	wait_for_process(child);
201 	return 1;
202     }
203     reply[strcspn(reply, "\n")] = '\0';
204 
205     fclose(out);
206     fclose(error);
207 
208     status = wait_for_process(child);
209 
210     if (SE_IS_ERROR(status) || SE_PROCSTATUS(status) != 0) {
211 	snprintf(message, length, "external program failed: %s", reply);
212 	free(p);
213 	return 1;
214     }
215 
216     if (strcmp(reply, "APPROVED") != 0) {
217 	snprintf(message, length, "%s", reply);
218 	free(p);
219 	return 1;
220     }
221 
222     free(p);
223 
224     return 0;
225 }
226 
227 
228 static kadm5_passwd_quality_check_func_v0 passwd_quality_check =
229 	min_length_passwd_quality_v0;
230 
231 struct kadm5_pw_policy_check_func builtin_funcs[] = {
232     { "minimum-length", min_length_passwd_quality },
233     { "character-class", char_class_passwd_quality },
234     { "external-check", external_passwd_quality },
235     { NULL, NULL }
236 };
237 struct kadm5_pw_policy_verifier builtin_verifier = {
238     "builtin",
239     KADM5_PASSWD_VERSION_V1,
240     "Heimdal builtin",
241     builtin_funcs
242 };
243 
244 static struct kadm5_pw_policy_verifier **verifiers;
245 static int num_verifiers;
246 
247 /*
248  * setup the password quality hook
249  */
250 
251 #ifndef RTLD_NOW
252 #define RTLD_NOW 0
253 #endif
254 
255 void
256 kadm5_setup_passwd_quality_check(krb5_context context,
257 				 const char *check_library,
258 				 const char *check_function)
259 {
260 #ifdef HAVE_DLOPEN
261     void *handle;
262     void *sym;
263     int *version;
264     const char *tmp;
265 
266     if(check_library == NULL) {
267 	tmp = krb5_config_get_string(context, NULL,
268 				     "password_quality",
269 				     "check_library",
270 				     NULL);
271 	if(tmp != NULL)
272 	    check_library = tmp;
273     }
274     if(check_function == NULL) {
275 	tmp = krb5_config_get_string(context, NULL,
276 				     "password_quality",
277 				     "check_function",
278 				     NULL);
279 	if(tmp != NULL)
280 	    check_function = tmp;
281     }
282     if(check_library != NULL && check_function == NULL)
283 	check_function = "passwd_check";
284 
285     if(check_library == NULL)
286 	return;
287     handle = dlopen(check_library, RTLD_NOW);
288     if(handle == NULL) {
289 	krb5_warnx(context, "failed to open `%s'", check_library);
290 	return;
291     }
292     version = (int *) dlsym(handle, "version");
293     if(version == NULL) {
294 	krb5_warnx(context,
295 		   "didn't find `version' symbol in `%s'", check_library);
296 	dlclose(handle);
297 	return;
298     }
299     if(*version != KADM5_PASSWD_VERSION_V0) {
300 	krb5_warnx(context,
301 		   "version of loaded library is %d (expected %d)",
302 		   *version, KADM5_PASSWD_VERSION_V0);
303 	dlclose(handle);
304 	return;
305     }
306     sym = dlsym(handle, check_function);
307     if(sym == NULL) {
308 	krb5_warnx(context,
309 		   "didn't find `%s' symbol in `%s'",
310 		   check_function, check_library);
311 	dlclose(handle);
312 	return;
313     }
314     passwd_quality_check = (kadm5_passwd_quality_check_func_v0) sym;
315 #endif /* HAVE_DLOPEN */
316 }
317 
318 #ifdef HAVE_DLOPEN
319 
320 static krb5_error_code
321 add_verifier(krb5_context context, const char *check_library)
322 {
323     struct kadm5_pw_policy_verifier *v, **tmp;
324     void *handle;
325     int i;
326 
327     handle = dlopen(check_library, RTLD_NOW);
328     if(handle == NULL) {
329 	krb5_warnx(context, "failed to open `%s'", check_library);
330 	return ENOENT;
331     }
332     v = (struct kadm5_pw_policy_verifier *) dlsym(handle, "kadm5_password_verifier");
333     if(v == NULL) {
334 	krb5_warnx(context,
335 		   "didn't find `kadm5_password_verifier' symbol "
336 		   "in `%s'", check_library);
337 	dlclose(handle);
338 	return ENOENT;
339     }
340     if(v->version != KADM5_PASSWD_VERSION_V1) {
341 	krb5_warnx(context,
342 		   "version of loaded library is %d (expected %d)",
343 		   v->version, KADM5_PASSWD_VERSION_V1);
344 	dlclose(handle);
345 	return EINVAL;
346     }
347     for (i = 0; i < num_verifiers; i++) {
348 	if (strcmp(v->name, verifiers[i]->name) == 0)
349 	    break;
350     }
351     if (i < num_verifiers) {
352 	krb5_warnx(context, "password verifier library `%s' is already loaded",
353 		   v->name);
354 	dlclose(handle);
355 	return 0;
356     }
357 
358     tmp = realloc(verifiers, (num_verifiers + 1) * sizeof(*verifiers));
359     if (tmp == NULL) {
360 	krb5_warnx(context, "out of memory");
361 	dlclose(handle);
362 	return 0;
363     }
364     verifiers = tmp;
365     verifiers[num_verifiers] = v;
366     num_verifiers++;
367 
368     return 0;
369 }
370 
371 #endif
372 
373 krb5_error_code
374 kadm5_add_passwd_quality_verifier(krb5_context context,
375 				  const char *check_library)
376 {
377 #ifdef HAVE_DLOPEN
378 
379     if(check_library == NULL) {
380 	krb5_error_code ret;
381 	char **tmp;
382 
383 	tmp = krb5_config_get_strings(context, NULL,
384 				      "password_quality",
385 				      "policy_libraries",
386 				      NULL);
387 	if(tmp == NULL || *tmp == NULL)
388 	    return 0;
389 
390 	while (*tmp) {
391 	    ret = add_verifier(context, *tmp);
392 	    if (ret)
393 		return ret;
394 	    tmp++;
395 	}
396 	return 0;
397     } else {
398 	return add_verifier(context, check_library);
399     }
400 #else
401     return 0;
402 #endif /* HAVE_DLOPEN */
403 }
404 
405 /*
406  *
407  */
408 
409 static const struct kadm5_pw_policy_check_func *
410 find_func(krb5_context context, const char *name)
411 {
412     const struct kadm5_pw_policy_check_func *f;
413     char *module = NULL;
414     const char *p, *func;
415     int i;
416 
417     p = strchr(name, ':');
418     if (p) {
419 	size_t len = p - name + 1;
420 	func = p + 1;
421 	module = malloc(len);
422 	if (module == NULL)
423 	    return NULL;
424 	strlcpy(module, name, len);
425     } else
426 	func = name;
427 
428     /* Find module in loaded modules first */
429     for (i = 0; i < num_verifiers; i++) {
430 	if (module && strcmp(module, verifiers[i]->name) != 0)
431 	    continue;
432 	for (f = verifiers[i]->funcs; f->name ; f++)
433 	    if (strcmp(func, f->name) == 0) {
434 		if (module)
435 		    free(module);
436 		return f;
437 	    }
438     }
439     /* Lets try try the builtin modules */
440     if (module == NULL || strcmp(module, "builtin") == 0) {
441 	for (f = builtin_verifier.funcs; f->name ; f++)
442 	    if (strcmp(func, f->name) == 0) {
443 		if (module)
444 		    free(module);
445 		return f;
446 	    }
447     }
448     if (module)
449 	free(module);
450     return NULL;
451 }
452 
453 const char *
454 kadm5_check_password_quality (krb5_context context,
455 			      krb5_principal principal,
456 			      krb5_data *pwd_data)
457 {
458     const struct kadm5_pw_policy_check_func *proc;
459     static char error_msg[1024];
460     const char *msg;
461     char **v, **vp;
462     int ret;
463 
464     /*
465      * Check if we should use the old version of policy function.
466      */
467 
468     v = krb5_config_get_strings(context, NULL,
469 				"password_quality",
470 				"policies",
471 				NULL);
472     if (v == NULL) {
473 	msg = (*passwd_quality_check) (context, principal, pwd_data);
474 	if (msg)
475 	    krb5_set_error_message(context, 0, "password policy failed: %s", msg);
476 	return msg;
477     }
478 
479     error_msg[0] = '\0';
480 
481     msg = NULL;
482     for(vp = v; *vp; vp++) {
483 	proc = find_func(context, *vp);
484 	if (proc == NULL) {
485 	    msg = "failed to find password verifier function";
486 	    krb5_set_error_message(context, 0, "Failed to find password policy "
487 				   "function: %s", *vp);
488 	    break;
489 	}
490 	ret = (proc->func)(context, principal, pwd_data, NULL,
491 			   error_msg, sizeof(error_msg));
492 	if (ret) {
493 	    krb5_set_error_message(context, 0, "Password policy "
494 				   "%s failed with %s",
495 				   proc->name, error_msg);
496 	    msg = error_msg;
497 	    break;
498 	}
499     }
500     krb5_config_free_strings(v);
501 
502     /* If the default quality check isn't used, lets check that the
503      * old quality function the user have set too */
504     if (msg == NULL && passwd_quality_check != min_length_passwd_quality_v0) {
505 	msg = (*passwd_quality_check) (context, principal, pwd_data);
506 	if (msg)
507 	    krb5_set_error_message(context, 0, "(old) password policy "
508 				   "failed with %s", msg);
509 
510     }
511     return msg;
512 }
513