shared: add password quality check abstraction layer to support both pwquality and passwdqc

Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
2024-07-22 02:34:54 +00:00 · 2021-08-06 11:40:34 +03:00 · 2021-08-06 11:40:34 +03:00 · d34b1823ca
parent 6377f57fa7
commit d34b1823ca
12 changed files with 54 additions and 47 deletions
--- a/src/cryptenroll/cryptenroll-password.c
+++ b/src/cryptenroll/cryptenroll-password.c
@ -6,7 +6,7 @@
 #include "errno-util.h"
 #include "escape.h"
 #include "memory-util.h"
-#include "pwquality-util.h"
+#include "password-quality-util.h"
 #include "strv.h"

 int load_volume_key_password(
@ -156,7 +156,7 @@ int enroll_password(
                }
        }

-        r = quality_check_password(new_password, /* old */ NULL, /* user */ NULL, &error);
+        r = check_password_quality(new_password, /* old */ NULL, /* user */ NULL, &error);
        if (r < 0) {
                if (ERRNO_IS_NOT_SUPPORTED(r))
                        log_warning("Password quality check is not supported, proceeding anyway.");
--- a/src/firstboot/firstboot.c
+++ b/src/firstboot/firstboot.c
@ -36,10 +36,10 @@
 #include "os-util.h"
 #include "parse-argument.h"
 #include "parse-util.h"
+#include "password-quality-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
 #include "proc-cmdline.h"
-#include "pwquality-util.h"
 #include "random-util.h"
 #include "smack-util.h"
 #include "string-util.h"
@ -790,7 +790,7 @@ static int prompt_root_password(int rfd) {
                        break;
                }

-                r = quality_check_password(*a, /* old */ NULL, "root", &error);
+                r = check_password_quality(*a, /* old */ NULL, "root", &error);
                if (r < 0) {
                        if (ERRNO_IS_NOT_SUPPORTED(r))
                                log_warning("Password quality check is not supported, proceeding anyway.");
--- a/src/home/homectl.c
+++ b/src/home/homectl.c
@ -30,18 +30,18 @@
 #include "pager.h"
 #include "parse-argument.h"
 #include "parse-util.h"
+#include "password-quality-util.h"
 #include "path-util.h"
 #include "percent-util.h"
 #include "pkcs11-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
-#include "pwquality-util.h"
 #include "rlimit-util.h"
 #include "spawn-polkit-agent.h"
 #include "terminal-util.h"
 #include "uid-alloc-range.h"
 #include "user-record.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-show.h"
 #include "user-record-util.h"
 #include "user-util.h"
@ -1323,7 +1323,7 @@ static int create_home(int argc, char *argv[], void *userdata) {

                /* If password quality enforcement is disabled, let's at least warn client side */

-                r = user_record_quality_check_password(hr, hr, &error);
+                r = user_record_check_password_quality(hr, hr, &error);
                if (r < 0)
                        log_warning_errno(r, "Specified password does not pass quality checks (%s), proceeding anyway.", bus_error_message(&error, r));
        }
--- a/src/home/homed-home.c
+++ b/src/home/homed-home.c
@ -31,7 +31,6 @@
 #include "mkdir.h"
 #include "path-util.h"
 #include "process-util.h"
-#include "pwquality-util.h"
 #include "quota-util.h"
 #include "resize-fs.h"
 #include "set.h"
@ -40,7 +39,7 @@
 #include "string-table.h"
 #include "strv.h"
 #include "uid-alloc-range.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-sign.h"
 #include "user-record-util.h"
 #include "user-record.h"
@ -1513,7 +1512,7 @@ int home_create(Home *h, UserRecord *secret, sd_bus_error *error) {
        if (h->record->enforce_password_policy == false)
                log_debug("Password quality check turned off for account, skipping.");
        else {
-                r = user_record_quality_check_password(h->record, secret, error);
+                r = user_record_check_password_quality(h->record, secret, error);
                if (r < 0)
                        return r;
        }
@ -1888,7 +1887,7 @@ int home_passwd(Home *h,
        if (c->enforce_password_policy == false)
                log_debug("Password quality check turned off for account, skipping.");
        else {
-                r = user_record_quality_check_password(c, merged_secret, error);
+                r = user_record_check_password_quality(c, merged_secret, error);
                if (r < 0)
                        return r;
        }
--- a/src/home/meson.build
+++ b/src/home/meson.build
@ -33,7 +33,7 @@ systemd_homed_sources = files(
        'homed-operation.c',
        'homed-varlink.c',
        'homed.c',
-        'user-record-pwquality.c',
+        'user-record-password-quality.c',
        'user-record-sign.c',
        'user-record-util.c',
 )
@ -52,7 +52,7 @@ homectl_sources = files(
        'homectl-pkcs11.c',
        'homectl-recovery-key.c',
        'homectl.c',
-        'user-record-pwquality.c',
+        'user-record-password-quality.c',
        'user-record-util.c',
 )

--- a/src/home/user-record-password-quality.c
+++ b/src/home/user-record-password-quality.c
@ -4,14 +4,14 @@
 #include "errno-util.h"
 #include "home-util.h"
 #include "libcrypt-util.h"
-#include "pwquality-util.h"
+#include "password-quality-util.h"
 #include "strv.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-util.h"

 #if HAVE_PWQUALITY

-int user_record_quality_check_password(
+int user_record_check_password_quality(
                UserRecord *hr,
                UserRecord *secret,
                sd_bus_error *error) {
@ -22,7 +22,7 @@ int user_record_quality_check_password(
        assert(hr);
        assert(secret);

-        /* This is a bit more complex than one might think at first. quality_check_password() would like to know the
+        /* This is a bit more complex than one might think at first. check_password_quality() would like to know the
         * old password to make security checks. We support arbitrary numbers of passwords however, hence we
         * call the function once for each combination of old and new password. */

@ -48,7 +48,7 @@ int user_record_quality_check_password(
                        if (r > 0) /* This is a new password, not suitable as old password */
                                continue;

-                        r = quality_check_password(*pp, *old, hr->user_name, &auxerror);
+                        r = check_password_quality(*pp, *old, hr->user_name, &auxerror);
                        if (r <= 0)
                                goto error;

@ -58,12 +58,11 @@ int user_record_quality_check_password(
                if (called)
                        continue;

-                /* If there are no old passwords, let's call quality_check_password() without any. */
-                r = quality_check_password(*pp, /* old */ NULL, hr->user_name, &auxerror);
+                /* If there are no old passwords, let's call check_password_quality() without any. */
+                r = check_password_quality(*pp, /* old */ NULL, hr->user_name, &auxerror);
                if (r <= 0)
                        goto error;
        }
-
        return 1;

 error:
@ -77,7 +76,7 @@ error:

 #else

-int user_record_quality_check_password(
+int user_record_check_password_quality(
                UserRecord *hr,
                UserRecord *secret,
                sd_bus_error *error) {
--- a/src/home/user-record-password-quality.h
+++ b/src/home/user-record-password-quality.h
@ -4,4 +4,4 @@
 #include "sd-bus.h"
 #include "user-record.h"

-int user_record_quality_check_password(UserRecord *hr, UserRecord *secret, sd_bus_error *error);
+int user_record_check_password_quality(UserRecord *hr, UserRecord *secret, sd_bus_error *error);
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@ -128,11 +128,11 @@ shared_sources = files(
        'pager.c',
        'parse-argument.c',
        'parse-helpers.c',
+        'password-quality-util-pwquality.c',
        'pcre2-util.c',
        'pkcs11-util.c',
        'pretty-print.c',
        'ptyfwd.c',
-        'pwquality-util.c',
        'qrcode-util.c',
        'quota-util.c',
        'reboot-util.c',
--- a/src/shared/password-quality-util-pwquality.c
+++ b/src/shared/password-quality-util-pwquality.c
@ -7,7 +7,7 @@
 #include "log.h"
 #include "macro.h"
 #include "memory-util.h"
-#include "pwquality-util.h"
+#include "password-quality-util.h"
 #include "strv.h"

 #if HAVE_PWQUALITY
@ -36,7 +36,7 @@ int dlopen_pwquality(void) {
                        DLSYM_ARG(pwquality_strerror));
 }

-void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
+static void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
        char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
        const char *path;
        int r;
@ -69,7 +69,7 @@ void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq) {
                          sym_pwquality_strerror(buf, sizeof(buf), r, NULL));
 }

-int pwq_allocate_context(pwquality_settings_t **ret) {
+static int pwq_allocate_context(pwquality_settings_t **ret) {
        _cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
        char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
        void *auxerror;
@ -96,8 +96,6 @@ int pwq_allocate_context(pwquality_settings_t **ret) {
        return 0;
 }

-#define N_SUGGESTIONS 6
-
 int suggest_passwords(void) {
        _cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
        _cleanup_strv_free_erase_ char **suggestions = NULL;
@ -132,7 +130,7 @@ int suggest_passwords(void) {
        return 1;
 }

-int quality_check_password(const char *password, const char *old, const char *username, char **ret_error) {
+int check_password_quality(const char *password, const char *old, const char *username, char **ret_error) {
        _cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
        char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
        void *auxerror;
@ -146,7 +144,6 @@ int quality_check_password(const char *password, const char *old, const char *us

        r = sym_pwquality_check(pwq, password, old, username, &auxerror);
        if (r < 0) {
-
                if (ret_error) {
                        _cleanup_free_ char *e = NULL;

--- a/src/shared/password-quality-util-pwquality.h
+++ b/src/shared/password-quality-util-pwquality.h
@ -21,21 +21,7 @@ int dlopen_pwquality(void);

 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(pwquality_settings_t*, sym_pwquality_free_settings, NULL);

-void pwq_maybe_disable_dictionary(pwquality_settings_t *pwq);
-int pwq_allocate_context(pwquality_settings_t **ret);
 int suggest_passwords(void);
-int quality_check_password(const char *password, const char *old, const char *username, char **ret_error);
-
-#else
-
-static inline int suggest_passwords(void) {
-        return 0;
-}
-
-static inline int quality_check_password(const char *password, const char *old, const char *username, char **ret_error) {
-        if (ret_error)
-                *ret_error = NULL;
-        return 1; /* all good */
-}
+int check_password_quality(const char *password, const char *old, const char *username, char **ret_error);

 #endif
--- a/src/shared/password-quality-util.h
+++ b/src/shared/password-quality-util.h
@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#define N_SUGGESTIONS 6
+
+#if HAVE_PWQUALITY
+
+#include "password-quality-util-pwquality.h"
+
+#else
+
+static inline int suggest_passwords(void) {
+        return 0;
+}
+
+static inline int check_password_quality(
+                const char *password,
+                const char *old,
+                const char *username,
+                char **ret_error) {
+        if (ret_error)
+                *ret_error = NULL;
+        return 1; /* all good */
+}
+
+#endif
--- a/src/test/test-dlopen-so.c
+++ b/src/test/test-dlopen-so.c
@ -10,9 +10,9 @@
 #include "libfido2-util.h"
 #include "macro.h"
 #include "main-func.h"
+#include "password-quality-util-pwquality.h"
 #include "pcre2-util.h"
 #include "pkcs11-util.h"
-#include "pwquality-util.h"
 #include "qrcode-util.h"
 #include "tests.h"
 #include "tpm2-util.h"