2 * Prototypes for the kadmin password strength checking plugin.
4 * Developed by Derrick Brashear and Ken Hornstein of Sine Nomine Associates,
5 * on behalf of Stanford University
6 * Extensive modifications by Russ Allbery <eagle@eyrie.org>
7 * Copyright 2006, 2007, 2009, 2012, 2013
8 * The Board of Trustees of the Leland Stanford Junior University
10 * See LICENSE for licensing terms.
13 #ifndef PLUGIN_INTERNAL_H
14 #define PLUGIN_INTERNAL_H 1
17 #include <portable/krb5.h>
18 #include <portable/macros.h>
24 #ifdef HAVE_KRB5_PWQUAL_PLUGIN_H
25 # include <krb5/pwqual_plugin.h>
27 typedef struct krb5_pwqual_moddata_st *krb5_pwqual_moddata;
30 /* Error strings returned (and displayed to the user) for various failures. */
31 #define ERROR_ASCII "password contains non-ASCII or control characters"
32 #define ERROR_DICT "password found in list of common passwords"
33 #define ERROR_LETTER "password is only letters and spaces"
34 #define ERROR_SHORT "password is too short"
35 #define ERROR_USERNAME "password based on username or principal"
38 * MIT Kerberos uses this type as an abstract data type for any data that a
39 * password quality check needs to carry. Reuse it since then we get type
40 * checking for at least the MIT plugin.
42 struct krb5_pwqual_moddata_st {
43 long minimum_length; /* Minimum password length */
44 bool ascii; /* Whether to require printable ASCII */
45 bool nonletter; /* Whether to require a non-letter */
46 char *dictionary; /* Base path to CrackLib dictionary */
47 bool have_cdb; /* Whether we have a CDB dictionary */
48 int cdb_fd; /* File descriptor of CDB dictionary */
50 struct cdb cdb; /* Open CDB dictionary data */
56 /* Default to a hidden visibility for all internal functions. */
57 #pragma GCC visibility push(hidden)
59 /* Initialize the plugin and set up configuration. */
60 krb5_error_code strength_init(krb5_context, const char *dictionary,
61 krb5_pwqual_moddata *);
64 * Check a password. Returns 0 if okay. On error, sets the Kerberos error
65 * message and returns a Kerberos status code.
67 krb5_error_code strength_check(krb5_context, krb5_pwqual_moddata,
68 const char *principal, const char *password);
70 /* Free the internal plugin state. */
71 void strength_close(krb5_context, krb5_pwqual_moddata);
74 * CDB handling. strength_init_cdb gets the dictionary configuration and sets
75 * up the CDB database, strength_check_cdb checks it, and strength_close_cdb
76 * handles freeing resources.
78 * If not built with CDB support, provide some stubs for check and close.
79 * init is always a real function, which reports an error if CDB is
82 krb5_error_code strength_init_cdb(krb5_context, krb5_pwqual_moddata);
84 krb5_error_code strength_check_cdb(krb5_context, krb5_pwqual_moddata,
85 const char *password);
86 void strength_close_cdb(krb5_context, krb5_pwqual_moddata);
88 # define strength_check_cdb(c, d, p) 0
89 # define strength_close_cdb(c, d) /* empty */
93 * CrackLib handling. strength_init_cracklib gets the dictionary
94 * configuration does some sanity checks on it, and strength_check_cracklib
95 * checks the password against CrackLib.
97 krb5_error_code strength_init_cracklib(krb5_context, krb5_pwqual_moddata,
98 const char *dictionary);
99 krb5_error_code strength_check_cracklib(krb5_context, krb5_pwqual_moddata,
100 const char *password);
102 /* Check whether the password is based on the principal in some way. */
103 krb5_error_code strength_check_principal(krb5_context, krb5_pwqual_moddata,
104 const char *principal,
105 const char *password);
108 * Obtain configuration settings from krb5.conf. These are wrappers around
109 * the krb5_appdefault_* APIs that handle setting the section name, obtaining
110 * the local default realm and using it to find settings, and doing any
111 * necessary conversion.
113 void strength_config_boolean(krb5_context, const char *, bool *)
114 __attribute__((__nonnull__));
115 void strength_config_number(krb5_context, const char *, long *)
116 __attribute__((__nonnull__));
117 void strength_config_string(krb5_context, const char *, char **)
118 __attribute__((__nonnull__));
121 * Store a particular password quality error in the Kerberos context. The
122 * _system variant uses errno for the error code and appends the strerror
123 * results to the message. All versions return the error code set.
125 krb5_error_code strength_error_class(krb5_context, const char *format, ...)
126 __attribute__((__nonnull__, __format__(printf, 2, 3)));
127 krb5_error_code strength_error_dict(krb5_context, const char *format, ...)
128 __attribute__((__nonnull__, __format__(printf, 2, 3)));
129 krb5_error_code strength_error_generic(krb5_context, const char *format, ...)
130 __attribute__((__nonnull__, __format__(printf, 2, 3)));
131 krb5_error_code strength_error_system(krb5_context, const char *format, ...)
132 __attribute__((__nonnull__, __format__(printf, 2, 3)));
133 krb5_error_code strength_error_tooshort(krb5_context, const char *format, ...)
134 __attribute__((__nonnull__, __format__(printf, 2, 3)));
136 /* Undo default visibility change. */
137 #pragma GCC visibility pop
141 #endif /* !PLUGIN_INTERNAL_H */