system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-21 18:24:38 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

Merge pull request #20425 from Blarse/passwdqc-pr

Browse source 
Add passwdqc support
This commit is contained in:
Luca Boccassi 2023-07-06 20:36:04 +01:00 committed by GitHub
parent 535134bc51 1d8aae4327
commit 25cae3e7bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 282 additions and 75 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
meson.build
View file

@ -1189,8 +1189,13 @@ else
endif
conf.set10('HAVE_LIBFDISK', have)
want_passwdqc = get_option('passwdqc')
want_pwquality = get_option('pwquality')
if want_pwquality != 'false' and not skip_deps
if want_passwdqc == 'true' and want_pwquality == 'true'
error('passwdqc and pwquality cannot be requested simultaneously')
endif
if want_pwquality != 'false' and want_passwdqc != 'true' and not skip_deps
libpwquality = dependency('pwquality',
version : '>= 1.4.1',
required : want_pwquality == 'true')
@ -1201,6 +1206,16 @@ else
endif
conf.set10('HAVE_PWQUALITY', have)
if not have and want_passwdqc != 'false' and not skip_deps
libpasswdqc = dependency('passwdqc',
required : want_passwdqc == 'true')
have = libpasswdqc.found()
else
have = false
libpasswdqc = []
endif
conf.set10('HAVE_PASSWDQC', have)
want_seccomp = get_option('seccomp')
if want_seccomp != 'false' and not skip_deps
libseccomp = dependency('libseccomp',
@ -4940,6 +4955,7 @@ foreach tuple : [
['microhttpd'],
['openssl'],
['p11kit'],
['passwdqc'],
['pcre2'],
['pwquality'],
['qrencode'],

2
meson_options.txt
View file

@ -381,6 +381,8 @@ option('xenctrl', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'support for Xen kexec')
option('pam', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'PAM support')
option('passwdqc', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'libpasswdqc support')
option('pwquality', type : 'combo', choices : ['auto', 'true', 'false'],
description : 'libpwquality support')
option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],

13
src/cryptenroll/cryptenroll-password.c
View file

@ -3,9 +3,10 @@
#include "ask-password-api.h"
#include "cryptenroll-password.h"
#include "env-util.h"
#include "errno-util.h"
#include "escape.h"
#include "memory-util.h"
#include "pwquality-util.h"
#include "password-quality-util.h"
#include "strv.h"
int load_volume_key_password(
@ -155,9 +156,13 @@ int enroll_password(
}
}
r = quality_check_password(new_password, NULL, &error);
if (r < 0)
return log_error_errno(r, "Failed to check password for quality: %m");
r = check_password_quality(new_password, /* old */ NULL, /* user */ NULL, &error);
if (r < 0) {
if (ERRNO_IS_NOT_SUPPORTED(r))
log_warning("Password quality check is not supported, proceeding anyway.");
else
return log_error_errno(r, "Failed to check password quality: %m");
}
if (r == 0)
log_warning("Specified password does not pass quality checks (%s), proceeding anyway.", error);

13
src/firstboot/firstboot.c
View file

@ -19,6 +19,7 @@
#include "creds-util.h"
#include "dissect-image.h"
#include "env-file.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
@ -35,10 +36,10 @@
#include "os-util.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "password-quality-util.h"
#include "path-util.h"
#include "pretty-print.h"
#include "proc-cmdline.h"
#include "pwquality-util.h"
#include "random-util.h"
#include "smack-util.h"
#include "string-util.h"
@ -789,9 +790,13 @@ static int prompt_root_password(int rfd) {
break;
}
r = quality_check_password(*a, "root", &error);
if (r < 0)
return log_error_errno(r, "Failed to check quality of password: %m");
r = check_password_quality(*a, /* old */ NULL, "root", &error);
if (r < 0) {
if (ERRNO_IS_NOT_SUPPORTED(r))
log_warning("Password quality check is not supported, proceeding anyway.");
else
return log_error_errno(r, "Failed to check password quality: %m");
}
if (r == 0)
log_warning("Password is weak, accepting anyway: %s", error);

6
src/home/homectl.c
View file

@ -30,18 +30,18 @@
#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"
#include "password-quality-util.h"
#include "path-util.h"
#include "percent-util.h"
#include "pkcs11-util.h"
#include "pretty-print.h"
#include "process-util.h"
#include "pwquality-util.h"
#include "rlimit-util.h"
#include "spawn-polkit-agent.h"
#include "terminal-util.h"
#include "uid-alloc-range.h"
#include "user-record.h"
#include "user-record-pwquality.h"
#include "user-record-password-quality.h"
#include "user-record-show.h"
#include "user-record-util.h"
#include "user-util.h"
@ -1323,7 +1323,7 @@ static int create_home(int argc, char *argv[], void *userdata) {
/* If password quality enforcement is disabled, let's at least warn client side */
r = user_record_quality_check_password(hr, hr, &error);
r = user_record_check_password_quality(hr, hr, &error);
if (r < 0)
log_warning_errno(r, "Specified password does not pass quality checks (%s), proceeding anyway.", bus_error_message(&error, r));
}

7
src/home/homed-home.c
View file

@ -31,7 +31,6 @@
#include "mkdir.h"
#include "path-util.h"
#include "process-util.h"
#include "pwquality-util.h"
#include "quota-util.h"
#include "resize-fs.h"
#include "set.h"
@ -40,7 +39,7 @@
#include "string-table.h"
#include "strv.h"
#include "uid-alloc-range.h"
#include "user-record-pwquality.h"
#include "user-record-password-quality.h"
#include "user-record-sign.h"
#include "user-record-util.h"
#include "user-record.h"
@ -1513,7 +1512,7 @@ int home_create(Home *h, UserRecord *secret, sd_bus_error *error) {
if (h->record->enforce_password_policy == false)
log_debug("Password quality check turned off for account, skipping.");
else {
r = user_record_quality_check_password(h->record, secret, error);
r = user_record_check_password_quality(h->record, secret, error);
if (r < 0)
return r;
}
@ -1888,7 +1887,7 @@ int home_passwd(Home *h,
if (c->enforce_password_policy == false)
log_debug("Password quality check turned off for account, skipping.");
else {
r = user_record_quality_check_password(c, merged_secret, error);
r = user_record_check_password_quality(c, merged_secret, error);
if (r < 0)
return r;
}

4
src/home/meson.build
View file

@ -33,7 +33,7 @@ systemd_homed_sources = files(
'homed-operation.c',
'homed-varlink.c',
'homed.c',
'user-record-pwquality.c',
'user-record-password-quality.c',
'user-record-sign.c',
'user-record-util.c',
)
@ -52,7 +52,7 @@ homectl_sources = files(
'homectl-pkcs11.c',
'homectl-recovery-key.c',
'homectl.c',
'user-record-pwquality.c',
'user-record-password-quality.c',
'user-record-util.c',
)

47
src/home/user-record-pwquality.c → src/home/user-record-password-quality.c
View file

@ -4,33 +4,25 @@
#include "errno-util.h"
#include "home-util.h"
#include "libcrypt-util.h"
#include "pwquality-util.h"
#include "password-quality-util.h"
#include "strv.h"
#include "user-record-pwquality.h"
#include "user-record-password-quality.h"
#include "user-record-util.h"
#if HAVE_PWQUALITY
#if HAVE_PASSWDQC || HAVE_PWQUALITY
int user_record_quality_check_password(
int user_record_check_password_quality(
UserRecord *hr,
UserRecord *secret,
sd_bus_error *error) {
_cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
void *auxerror;
_cleanup_free_ char *auxerror = NULL;
int r;
assert(hr);
assert(secret);
r = pwq_allocate_context(&pwq);
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
if (r < 0)
return log_debug_errno(r, "Failed to allocate libpwquality context: %m");
/* This is a bit more complex than one might think at first. pwquality_check() would like to know the
/* This is a bit more complex than one might think at first. check_password_quality() would like to know the
* old password to make security checks. We support arbitrary numbers of passwords however, hence we
* call the function once for each combination of old and new password. */
@ -56,10 +48,9 @@ int user_record_quality_check_password(
if (r > 0) /* This is a new password, not suitable as old password */
continue;
r = sym_pwquality_check(pwq, *pp, *old, hr->user_name, &auxerror);
if (r < 0)
return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY, "Password too weak: %s",
sym_pwquality_strerror(buf, sizeof(buf), r, auxerror));
r = check_password_quality(*pp, *old, hr->user_name, &auxerror);
if (r <= 0)
goto error;
called = true;
}
@ -67,19 +58,25 @@ int user_record_quality_check_password(
if (called)
continue;
/* If there are no old passwords, let's call pwquality_check() without any. */
r = sym_pwquality_check(pwq, *pp, NULL, hr->user_name, &auxerror);
if (r < 0)
return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY, "Password too weak: %s",
sym_pwquality_strerror(buf, sizeof(buf), r, auxerror));
/* If there are no old passwords, let's call check_password_quality() without any. */
r = check_password_quality(*pp, /* old */ NULL, hr->user_name, &auxerror);
if (r <= 0)
goto error;
}
return 1;
error:
if (r == 0)
return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY,
"Password too weak: %s", auxerror);
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
return log_debug_errno(r, "Failed to check password quality: %m");
}
#else
int user_record_quality_check_password(
int user_record_check_password_quality(
UserRecord *hr,
UserRecord *secret,
sd_bus_error *error) {

2
src/home/user-record-pwquality.h → src/home/user-record-password-quality.h
View file

@ -4,4 +4,4 @@
#include "sd-bus.h"
#include "user-record.h"
int user_record_quality_check_password(UserRecord *hr, UserRecord *secret, sd_bus_error *error);
int user_record_check_password_quality(UserRecord *hr, UserRecord *secret, sd_bus_error *error);

3
src/shared/meson.build
View file

@ -128,11 +128,12 @@ shared_sources = files(
'pager.c',
'parse-argument.c',
'parse-helpers.c',
'password-quality-util-passwdqc.c',
'password-quality-util-pwquality.c',
'pcre2-util.c',
'pkcs11-util.c',
'pretty-print.c',
'ptyfwd.c',
'pwquality-util.c',
'qrcode-util.c',
'quota-util.c',
'reboot-util.c',

142
src/shared/password-quality-util-passwdqc.c Normal file
View file

@ -0,0 +1,142 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "dlfcn-util.h"
#include "errno-util.h"
#include "log.h"
#include "macro.h"
#include "memory-util.h"
#include "password-quality-util.h"
#include "strv.h"
#if HAVE_PASSWDQC
static void *passwdqc_dl = NULL;
void (*sym_passwdqc_params_reset)(passwdqc_params_t *params);
int (*sym_passwdqc_params_load)(passwdqc_params_t *params, char **reason, const char *pathname);
int (*sym_passwdqc_params_parse)(passwdqc_params_t *params, char **reason, int argc, const char *const *argv);
void (*sym_passwdqc_params_free)(passwdqc_params_t *params);
const char *(*sym_passwdqc_check)(const passwdqc_params_qc_t *params, const char *newpass, const char *oldpass, const struct passwd *pw);
char *(*sym_passwdqc_random)(const passwdqc_params_qc_t *params);
int dlopen_passwdqc(void) {
return dlopen_many_sym_or_warn(
&passwdqc_dl, "libpasswdqc.so.1", LOG_DEBUG,
DLSYM_ARG(passwdqc_params_reset),
DLSYM_ARG(passwdqc_params_load),
DLSYM_ARG(passwdqc_params_parse),
DLSYM_ARG(passwdqc_params_free),
DLSYM_ARG(passwdqc_check),
DLSYM_ARG(passwdqc_random));
}
static int pwqc_allocate_context(passwdqc_params_t **ret) {
_cleanup_(sym_passwdqc_params_freep) passwdqc_params_t *params = NULL;
_cleanup_free_ char *load_reason = NULL;
int r;
assert(ret);
r = dlopen_passwdqc();
if (r < 0)
return r;
params = new0(passwdqc_params_t, 1);
if (!params)
return log_oom();
sym_passwdqc_params_reset(params);
r = sym_passwdqc_params_load(params, &load_reason, "/etc/passwdqc.conf");
if (r < 0) {
if (!load_reason)
return log_oom();
log_debug("Failed to load passwdqc configuration file, ignoring: %s", load_reason);
}
*ret = TAKE_PTR(params);
return 0;
}
int suggest_passwords(void) {
_cleanup_(sym_passwdqc_params_freep) passwdqc_params_t *params = NULL;
_cleanup_strv_free_erase_ char **suggestions = NULL;
_cleanup_(erase_and_freep) char *joined = NULL;
int r;
r = pwqc_allocate_context(&params);
if (r < 0) {
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
return log_error_errno(r, "Failed to allocate libpasswdqc context: %m");
}
suggestions = new0(char*, N_SUGGESTIONS+1);
if (!suggestions)
return log_oom();
for (size_t i = 0; i < N_SUGGESTIONS; i++) {
suggestions[i] = sym_passwdqc_random(&params->qc);
if (!suggestions[i])
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to generate password, ignoring");
}
joined = strv_join(suggestions, " ");
if (!joined)
return log_oom();
printf("Password suggestions: %s\n", joined);
return 1;
}
int check_password_quality(
const char *password,
const char *old,
const char *username,
char **ret_error) {
_cleanup_(sym_passwdqc_params_freep) passwdqc_params_t *params = NULL;
const char *check_reason;
int r;
assert(password);
r = pwqc_allocate_context(&params);
if (r < 0)
return log_debug_errno(r, "Failed to allocate libpasswdqc context: %m");
if (username) {
const struct passwd pw = {
.pw_name = (char *) username,
/*
* passwdqc_check() could use this information to check
* whether the password is based on the personal login information,
* but we cannot provide it.
*/
.pw_passwd = (char *) "",
.pw_gecos = (char *) "",
.pw_dir = (char *) "",
.pw_shell = (char *) ""
};
check_reason = sym_passwdqc_check(&params->qc, password, old, &pw);
} else
check_reason = sym_passwdqc_check(&params->qc, password, old, /* pw */ NULL);
if (check_reason) {
if (ret_error) {
char *e = strdup(check_reason);
if (!e)
return log_oom();
*ret_error = e;
}
return 0; /* all bad */
}
return 1; /* all good */
}
#endif

23
src/shared/password-quality-util-passwdqc.h Normal file
View file

@ -0,0 +1,23 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#include "macro.h"
#if HAVE_PASSWDQC
#include <passwdqc.h>
extern void (*sym_passwdqc_params_reset)(passwdqc_params_t *params);
extern int (*sym_passwdqc_params_load)(passwdqc_params_t *params, char **reason, const char *pathname);
extern int (*sym_passwdqc_params_parse)(passwdqc_params_t *params, char **reason, int argc, const char *const *argv);
extern void (*sym_passwdqc_params_free)(passwdqc_params_t *params);
extern const char *(*sym_passwdqc_check)(const passwdqc_params_qc_t *params, const char *newpass, const char *oldpass, const struct passwd *pw);
extern char *(*sym_passwdqc_random)(const passwdqc_params_qc_t *params);
int dlopen_passwdqc(void);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(passwdqc_params_t*, sym_passwdqc_params_free, NULL);
int suggest_passwords(void);
int check_password_quality(const char *password, const char *old, const char *username, char **ret_error);
#endif

24
src/shared/pwquality-util.c → src/shared/password-quality-util-pwquality.c
View file

@ -7,7 +7,7 @@
#include "log.h"
#include "macro.h"
#include "memory-util.h"
#include "pwquality-util.h"
#include "password-quality-util.h"
#include "strv.h"
#if HAVE_PWQUALITY
@ -36,7 +36,7 @@ int dlopen_pwquality(void) {
DLSYM_ARG(pwquality_strerror));
}
void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
static void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
const char *path;
int r;
@ -69,7 +69,7 @@ void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
sym_pwquality_strerror(buf, sizeof(buf), r, NULL));
}
int pwq_allocate_context(pwquality_settings_t **ret) {
static int pwq_allocate_context(pwquality_settings_t **ret) {
_cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
void *auxerror;
@ -96,8 +96,6 @@ int pwq_allocate_context(pwquality_settings_t **ret) {
return 0;
}
#define N_SUGGESTIONS 6
int suggest_passwords(void) {
_cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
_cleanup_strv_free_erase_ char **suggestions = NULL;
@ -107,10 +105,11 @@ int suggest_passwords(void) {
int r;
r = pwq_allocate_context(&pwq);
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
if (r < 0)
if (r < 0) {
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
return log_error_errno(r, "Failed to allocate libpwquality context: %m");
}
suggestions = new0(char*, N_SUGGESTIONS+1);
if (!suggestions)
@ -127,11 +126,11 @@ int suggest_passwords(void) {
if (!joined)
return log_oom();
log_info("Password suggestions: %s", joined);
printf("Password suggestions: %s\n", joined);
return 1;
}
int quality_check_password(const char *password, const char *username, char **ret_error) {
int check_password_quality(const char *password, const char *old, const char *username, char **ret_error) {
_cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
void *auxerror;
@ -140,14 +139,11 @@ int quality_check_password(const char *password, const char *username, char **re
assert(password);
r = pwq_allocate_context(&pwq);
if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
if (r < 0)
return log_debug_errno(r, "Failed to allocate libpwquality context: %m");
r = sym_pwquality_check(pwq, password, NULL, username, &auxerror);
r = sym_pwquality_check(pwq, password, old, username, &auxerror);
if (r < 0) {
if (ret_error) {
_cleanup_free_ char *e = NULL;

16
src/shared/pwquality-util.h → src/shared/password-quality-util-pwquality.h
View file

@ -21,21 +21,7 @@ int dlopen_pwquality(void);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(pwquality_settings_t*, sym_pwquality_free_settings, NULL);
void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq);
int pwq_allocate_context(pwquality_settings_t **ret);
int suggest_passwords(void);
int quality_check_password(const char *password, const char *username, char **ret_error);
#else
static inline int suggest_passwords(void) {
return 0;
}
static inline int quality_check_password(const char *password, const char *username, char **ret_error) {
if (ret_error)
*ret_error = NULL;
return 1; /* all good */
}
int check_password_quality(const char *password, const char *old, const char *username, char **ret_error);
#endif

30
src/shared/password-quality-util.h Normal file
View file

@ -0,0 +1,30 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
#define N_SUGGESTIONS 6
#if HAVE_PASSWDQC
#include "password-quality-util-passwdqc.h"
#elif HAVE_PWQUALITY
#include "password-quality-util-pwquality.h"
#else
static inline int suggest_passwords(void) {
return 0;
}
static inline int check_password_quality(
const char *password,
const char *old,
const char *username,
char **ret_error) {
if (ret_error)
*ret_error = NULL;
return 1; /* all good */
}
#endif

7
src/test/test-dlopen-so.c
View file

@ -10,9 +10,10 @@
#include "libfido2-util.h"
#include "macro.h"
#include "main-func.h"
#include "password-quality-util-passwdqc.h"
#include "password-quality-util-pwquality.h"
#include "pcre2-util.h"
#include "pkcs11-util.h"
#include "pwquality-util.h"
#include "qrcode-util.h"
#include "tests.h"
#include "tpm2-util.h"
@ -32,6 +33,10 @@ static int run(int argc, char **argv) {
assert_se(dlopen_cryptsetup() >= 0);
#endif
#if HAVE_PASSWDQC
assert_se(dlopen_passwdqc() >= 0);
#endif
#if HAVE_PWQUALITY
assert_se(dlopen_pwquality() >= 0);
#endif