|
 |
ef59e1 |
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
|
|
|
ef59e1 |
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
|
|
|
ef59e1 |
@@ -10,7 +10,7 @@
|
|
|
ef59e1 |
#include <slap.h>
|
|
|
ef59e1 |
|
|
|
ef59e1 |
#ifdef HAVE_CRACKLIB
|
|
|
ef59e1 |
-#include "crack.h"
|
|
|
ef59e1 |
+#include <crack.h>
|
|
|
ef59e1 |
#endif
|
|
|
ef59e1 |
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
@@ -34,18 +34,77 @@
|
|
|
ef59e1 |
#define PASSWORD_TOO_SHORT_SZ \
|
|
|
ef59e1 |
"Password for dn=\"%s\" is too short (%d/6)"
|
|
|
ef59e1 |
#define PASSWORD_QUALITY_SZ \
|
|
|
ef59e1 |
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
|
|
|
ef59e1 |
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
|
|
|
ef59e1 |
#define BAD_PASSWORD_SZ \
|
|
|
ef59e1 |
"Bad password for dn=\"%s\" because %s"
|
|
|
ef59e1 |
+#define UNKNOWN_ERROR_SZ \
|
|
|
ef59e1 |
+ "An unknown error occurred, please see your systems administrator"
|
|
|
ef59e1 |
|
|
|
ef59e1 |
typedef int (*validator) (char*);
|
|
|
ef59e1 |
-static int read_config_file (char *);
|
|
|
ef59e1 |
+static int read_config_file ();
|
|
|
ef59e1 |
static validator valid_word (char *);
|
|
|
ef59e1 |
static int set_quality (char *);
|
|
|
ef59e1 |
static int set_cracklib (char *);
|
|
|
ef59e1 |
|
|
|
ef59e1 |
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
|
|
|
ef59e1 |
|
|
|
ef59e1 |
+struct config_entry {
|
|
|
ef59e1 |
+ char* key;
|
|
|
ef59e1 |
+ char* value;
|
|
|
ef59e1 |
+ char* def_value;
|
|
|
ef59e1 |
+} config_entries[] = { { "minPoints", NULL, "3"},
|
|
|
ef59e1 |
+ { "useCracklib", NULL, "1"},
|
|
|
ef59e1 |
+ { "minUpper", NULL, "0"},
|
|
|
ef59e1 |
+ { "minLower", NULL, "0"},
|
|
|
ef59e1 |
+ { "minDigit", NULL, "0"},
|
|
|
ef59e1 |
+ { "minPunct", NULL, "0"},
|
|
|
ef59e1 |
+ { NULL, NULL, NULL }};
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+int get_config_entry_int(char* entry) {
|
|
|
ef59e1 |
+ struct config_entry* centry = config_entries;
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ int i = 0;
|
|
|
ef59e1 |
+ char* key = centry[i].key;
|
|
|
ef59e1 |
+ while (key != NULL) {
|
|
|
ef59e1 |
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
|
|
|
ef59e1 |
+ if ( centry[i].value == NULL ) {
|
|
|
ef59e1 |
+ return atoi(centry[i].def_value);
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ else {
|
|
|
ef59e1 |
+ return atoi(centry[i].value);
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ i++;
|
|
|
ef59e1 |
+ key = centry[i].key;
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ return -1;
|
|
|
ef59e1 |
+}
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+void dealloc_config_entries() {
|
|
|
ef59e1 |
+ struct config_entry* centry = config_entries;
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ int i = 0;
|
|
|
ef59e1 |
+ while (centry[i].key != NULL) {
|
|
|
ef59e1 |
+ if ( centry[i].value != NULL ) {
|
|
|
ef59e1 |
+ ber_memfree(centry[i].value);
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ i++;
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+}
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+char* chomp(char *s)
|
|
|
ef59e1 |
+{
|
|
|
ef59e1 |
+ char* t = ber_memalloc(strlen(s)+1);
|
|
|
ef59e1 |
+ strncpy (t,s,strlen(s)+1);
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ if ( t[strlen(t)-1] == '\n' ) {
|
|
|
ef59e1 |
+ t[strlen(t)-1] = '\0';
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ return t;
|
|
|
ef59e1 |
+}
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
static int set_quality (char *value)
|
|
|
ef59e1 |
{
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
@@ -84,12 +143,12 @@
|
|
|
ef59e1 |
char * parameter;
|
|
|
ef59e1 |
validator dealer;
|
|
|
ef59e1 |
} list[] = { { "minPoints", set_quality },
|
|
|
ef59e1 |
- { "useCracklib", set_cracklib },
|
|
|
ef59e1 |
- { "minUpper", set_digit },
|
|
|
ef59e1 |
- { "minLower", set_digit },
|
|
|
ef59e1 |
- { "minDigit", set_digit },
|
|
|
ef59e1 |
- { "minPunct", set_digit },
|
|
|
ef59e1 |
- { NULL, NULL } };
|
|
|
ef59e1 |
+ { "useCracklib", set_cracklib },
|
|
|
ef59e1 |
+ { "minUpper", set_digit },
|
|
|
ef59e1 |
+ { "minLower", set_digit },
|
|
|
ef59e1 |
+ { "minDigit", set_digit },
|
|
|
ef59e1 |
+ { "minPunct", set_digit },
|
|
|
ef59e1 |
+ { NULL, NULL } };
|
|
|
ef59e1 |
int index = 0;
|
|
|
ef59e1 |
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
@@ -98,7 +157,7 @@
|
|
|
ef59e1 |
|
|
|
ef59e1 |
while (list[index].parameter != NULL) {
|
|
|
ef59e1 |
if (strlen(word) == strlen(list[index].parameter) &&
|
|
|
ef59e1 |
- strcmp(list[index].parameter, word) == 0) {
|
|
|
ef59e1 |
+ strcmp(list[index].parameter, word) == 0) {
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
|
|
|
ef59e1 |
#endif
|
|
|
ef59e1 |
@@ -114,13 +173,15 @@
|
|
|
ef59e1 |
return NULL;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
-static int read_config_file (char *keyWord)
|
|
|
ef59e1 |
+static int read_config_file ()
|
|
|
ef59e1 |
{
|
|
|
ef59e1 |
FILE * config;
|
|
|
ef59e1 |
char * line;
|
|
|
ef59e1 |
int returnValue = -1;
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
|
|
|
ef59e1 |
+ line = ber_memcalloc(260, sizeof(char));
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ if ( line == NULL ) {
|
|
|
ef59e1 |
return returnValue;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
@@ -133,6 +194,8 @@
|
|
|
ef59e1 |
return returnValue;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
+ returnValue = 0;
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
while (fgets(line, 256, config) != NULL) {
|
|
|
ef59e1 |
char *start = line;
|
|
|
ef59e1 |
char *word, *value;
|
|
|
ef59e1 |
@@ -145,23 +208,40 @@
|
|
|
ef59e1 |
|
|
|
ef59e1 |
while (isspace(*start) && isascii(*start)) start++;
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- if (! isascii(*start))
|
|
|
ef59e1 |
+ /* If we've got punctuation, just skip the line. */
|
|
|
ef59e1 |
+ if ( ispunct(*start)) {
|
|
|
ef59e1 |
+#if defined(DEBUG)
|
|
|
ef59e1 |
+ /* Debug traces to syslog. */
|
|
|
ef59e1 |
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
|
|
|
ef59e1 |
+#endif
|
|
|
ef59e1 |
continue;
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
|
|
|
ef59e1 |
- if ((value = strtok(NULL, " \t")) == NULL)
|
|
|
ef59e1 |
- continue;
|
|
|
ef59e1 |
+ if( isascii(*start)) {
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ struct config_entry* centry = config_entries;
|
|
|
ef59e1 |
+ int i = 0;
|
|
|
ef59e1 |
+ char* keyWord = centry[i].key;
|
|
|
ef59e1 |
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
|
|
|
ef59e1 |
+ while ( keyWord != NULL ) {
|
|
|
ef59e1 |
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
|
|
|
ef59e1 |
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
|
|
|
ef59e1 |
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
|
|
|
ef59e1 |
#endif
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- returnValue = (*dealer)(value);
|
|
|
ef59e1 |
+ centry[i].value = chomp(value);
|
|
|
ef59e1 |
+ break;
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ i++;
|
|
|
ef59e1 |
+ keyWord = centry[i].key;
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
-
|
|
|
ef59e1 |
fclose(config);
|
|
|
ef59e1 |
ber_memfree(line);
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
return returnValue;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
@@ -170,7 +250,7 @@
|
|
|
ef59e1 |
if (curlen < nextlen + MEMORY_MARGIN) {
|
|
|
ef59e1 |
#if defined(DEBUG)
|
|
|
ef59e1 |
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
|
|
|
ef59e1 |
- curlen, nextlen + MEMORY_MARGIN);
|
|
|
ef59e1 |
+ curlen, nextlen + MEMORY_MARGIN);
|
|
|
ef59e1 |
#endif
|
|
|
ef59e1 |
ber_memfree(*target);
|
|
|
ef59e1 |
curlen = nextlen + MEMORY_MARGIN;
|
|
|
ef59e1 |
@@ -180,7 +260,7 @@
|
|
|
ef59e1 |
return curlen;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- int
|
|
|
ef59e1 |
+int
|
|
|
ef59e1 |
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
|
|
|
ef59e1 |
{
|
|
|
ef59e1 |
|
|
|
ef59e1 |
@@ -210,20 +290,22 @@
|
|
|
ef59e1 |
nLen = strlen (pPasswd);
|
|
|
ef59e1 |
if ( nLen < 6) {
|
|
|
ef59e1 |
mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
|
ef59e1 |
- strlen(PASSWORD_TOO_SHORT_SZ) +
|
|
|
ef59e1 |
- strlen(pEntry->e_name.bv_val) + 1);
|
|
|
ef59e1 |
+ strlen(PASSWORD_TOO_SHORT_SZ) +
|
|
|
ef59e1 |
+ strlen(pEntry->e_name.bv_val) + 1);
|
|
|
ef59e1 |
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
|
|
|
ef59e1 |
goto fail;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- /* Read config file */
|
|
|
ef59e1 |
- minQuality = read_config_file("minPoints");
|
|
|
ef59e1 |
+ if (read_config_file() == -1) {
|
|
|
ef59e1 |
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
|
|
|
ef59e1 |
+ }
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- useCracklib = read_config_file("useCracklib");
|
|
|
ef59e1 |
- minUpper = read_config_file("minUpper");
|
|
|
ef59e1 |
- minLower = read_config_file("minLower");
|
|
|
ef59e1 |
- minDigit = read_config_file("minDigit");
|
|
|
ef59e1 |
- minPunct = read_config_file("minPunct");
|
|
|
ef59e1 |
+ minQuality = get_config_entry_int("minPoints");
|
|
|
ef59e1 |
+ useCracklib = get_config_entry_int("useCracklib");
|
|
|
ef59e1 |
+ minUpper = get_config_entry_int("minUpper");
|
|
|
ef59e1 |
+ minLower = get_config_entry_int("minLower");
|
|
|
ef59e1 |
+ minDigit = get_config_entry_int("minDigit");
|
|
|
ef59e1 |
+ minPunct = get_config_entry_int("minPunct");
|
|
|
ef59e1 |
|
|
|
ef59e1 |
/** The password must have at least minQuality strength points with one
|
|
|
ef59e1 |
* point for the first occurrance of a lower, upper, digit and
|
|
|
ef59e1 |
@@ -232,8 +314,6 @@
|
|
|
ef59e1 |
|
|
|
ef59e1 |
for ( i = 0; i < nLen; i++ ) {
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- if ( nQuality >= minQuality ) break;
|
|
|
ef59e1 |
-
|
|
|
ef59e1 |
if ( islower (pPasswd[i]) ) {
|
|
|
ef59e1 |
minLower--;
|
|
|
ef59e1 |
if ( !nLower && (minLower < 1)) {
|
|
|
ef59e1 |
@@ -279,12 +359,23 @@
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
- if ( nQuality < minQuality ) {
|
|
|
ef59e1 |
+ /*
|
|
|
ef59e1 |
+ * If you have a required field, then it should be required in the strength
|
|
|
ef59e1 |
+ * checks.
|
|
|
ef59e1 |
+ */
|
|
|
ef59e1 |
+
|
|
|
ef59e1 |
+ if (
|
|
|
ef59e1 |
+ (minLower > 0 ) ||
|
|
|
ef59e1 |
+ (minUpper > 0 ) ||
|
|
|
ef59e1 |
+ (minDigit > 0 ) ||
|
|
|
ef59e1 |
+ (minPunct > 0 ) ||
|
|
|
ef59e1 |
+ (nQuality < minQuality)
|
|
|
ef59e1 |
+ ) {
|
|
|
ef59e1 |
mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
|
ef59e1 |
- strlen(PASSWORD_QUALITY_SZ) +
|
|
|
ef59e1 |
- strlen(pEntry->e_name.bv_val) + 2);
|
|
|
ef59e1 |
+ strlen(PASSWORD_QUALITY_SZ) +
|
|
|
ef59e1 |
+ strlen(pEntry->e_name.bv_val) + 2);
|
|
|
ef59e1 |
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
|
|
|
ef59e1 |
- nQuality, minQuality);
|
|
|
ef59e1 |
+ nQuality, minQuality);
|
|
|
ef59e1 |
goto fail;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
@@ -306,7 +397,7 @@
|
|
|
ef59e1 |
for ( j = 0; j < 3; j++ ) {
|
|
|
ef59e1 |
|
|
|
ef59e1 |
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
|
|
|
ef59e1 |
- CRACKLIB_DICTPATH, ext[j]);
|
|
|
ef59e1 |
+ CRACKLIB_DICTPATH, ext[j]);
|
|
|
ef59e1 |
|
|
|
ef59e1 |
if (( fp = fopen ( filename, "r")) == NULL ) {
|
|
|
ef59e1 |
|
|
|
ef59e1 |
@@ -326,9 +417,9 @@
|
|
|
ef59e1 |
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
|
|
|
ef59e1 |
if ( r != NULL ) {
|
|
|
ef59e1 |
mem_len = realloc_error_message(&szErrStr, mem_len,
|
|
|
ef59e1 |
- strlen(BAD_PASSWORD_SZ) +
|
|
|
ef59e1 |
- strlen(pEntry->e_name.bv_val) +
|
|
|
ef59e1 |
- strlen(r));
|
|
|
ef59e1 |
+ strlen(BAD_PASSWORD_SZ) +
|
|
|
ef59e1 |
+ strlen(pEntry->e_name.bv_val) +
|
|
|
ef59e1 |
+ strlen(r));
|
|
|
ef59e1 |
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
|
|
|
ef59e1 |
goto fail;
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
@@ -342,15 +433,15 @@
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
|
|
|
ef59e1 |
#endif
|
|
|
ef59e1 |
-
|
|
|
ef59e1 |
+ dealloc_config_entries();
|
|
|
ef59e1 |
*ppErrStr = strdup ("");
|
|
|
ef59e1 |
ber_memfree(szErrStr);
|
|
|
ef59e1 |
return (LDAP_SUCCESS);
|
|
|
ef59e1 |
|
|
|
ef59e1 |
fail:
|
|
|
ef59e1 |
+ dealloc_config_entries();
|
|
|
ef59e1 |
*ppErrStr = strdup (szErrStr);
|
|
|
ef59e1 |
ber_memfree(szErrStr);
|
|
|
ef59e1 |
return (EXIT_FAILURE);
|
|
|
ef59e1 |
|
|
|
ef59e1 |
}
|
|
|
ef59e1 |
-
|