OpenVAS Libraries  9.0.3
pwpolicy.c File Reference

Check passwords against a list of patterns.

#include <glib.h>
#include <glib/gstdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include "pwpolicy.h"


Macros

#define DIM(v)   (sizeof(v)/sizeof((v)[0]))
 
#define DIMof(type, member)   DIM(((type *)0)->member)
 
#define G_LOG_DOMAIN   "base plcy"
 GLib log domain. More...
 
#define PWPOLICY_FILE_NAME   OPENVAS_SYSCONF_DIR "/pwpolicy.conf"
 The name of the pattern file. More...
 

Functions

char * openvas_validate_password (const char *password, const char *username)
 Validate a password against the pattern file. More...
 
void openvas_disable_password_policy (void)
 Disable all password policy checking. More...
 

Detailed Description

Check passwords against a list of patterns.

See PWPOLICY_FILE_NAME for a syntax description of the pattern file.

Definition in file pwpolicy.c.

Macro Definition Documentation

◆ DIM

#define DIM (   v)    (sizeof(v)/sizeof((v)[0]))

Definition at line 44 of file pwpolicy.c.

◆ DIMof

#define DIMof (   type,
  member 
)    DIM(((type *)0)->member)

Definition at line 45 of file pwpolicy.c.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "base plcy"

GLib log domain.

Definition at line 52 of file pwpolicy.c.

◆ PWPOLICY_FILE_NAME

#define PWPOLICY_FILE_NAME   OPENVAS_SYSCONF_DIR "/pwpolicy.conf"

The name of the pattern file.

This file contains patterns for bad passphrases. The file is line based with a maximum length of 255 bytes per line and is expected to be in UTF-8 encoding. Each line may be a comment line, a simple string, a regular expression or a processing instruction. The lines are parsed sequentially, and the first line that reports a problem ends the check. A line that exceeds the maximum length, or that lacks a terminating line feed, is not skipped: it makes the whole validation fail, so the password under test is rejected rather than silently accepted.

Comments are indicated by a hash mark ('#') as the first non white-space character of a line followed immediately by a space or end of line. Such a comment line is completely ignored.

Simple strings start after optional leading white-space. They are compared to the password under validation. The comparison is case insensitive for all ASCII characters.

Regular expressions start after optional leading white-space with either a single slash ('/') or an exclamation mark ('!') directly followed by a slash. They extend to the end of the line but may be terminated with another slash which may then only be followed by more white-space. The regular expressions are Perl Compatible Regular Expressions (PCRE) and are case insensitive by default. If the regular expression line starts with the exclamation mark, the match is reversed; i.e. an error is returned if the password does not match.

Processing instructions are special comments that control the operation of the policy checking. They start like a comment, but the hash mark is immediately followed by a plus sign ('+'), a keyword, an optional colon (':') and an optional value string. The following processing instructions are supported:

#+desc[:] STRING

This is used to return a meaningful error message. STRING is used as the description for all errors up to the next /desc/ or /nodesc/ processing instruction.

#+nodesc

This is syntactic sugar for /desc/ without a value. It switches back to a default error description (pattern file name and line number).

#+search[:] FILENAME

This searches the file with name FILENAME for a match. The comparison is case insensitive for all ASCII characters. This is a simple linear search and stops at the first match. Comments are not allowed in that file. A line in that file may not be longer than 255 characters. An example for such a file is "/usr/share/dict/words". Since the contents of that file decide which passwords are rejected, it should be protected against modification as carefully as the pattern file itself.

#+username

This is used to perform checks on the name/password combination. Currently this checks whether the user name equals the password or is contained in it. It may eventually be extended to further tests.

Definition at line 115 of file pwpolicy.c.

Referenced by openvas_validate_password().

Function Documentation

◆ openvas_disable_password_policy()

/**
 * @brief Disable all password policy checking.
 *
 * Sets the file-scope flag that openvas_validate_password() tests before
 * anything else.  Once set, that function returns NULL (success) for
 * every password, including an empty one, without opening the pattern
 * file.  The warning makes this fail-open state visible in the log.  No
 * counterpart that re-enables checking appears among the public
 * functions of this file.
 */
void
openvas_disable_password_policy (void)
{
  disable_password_policy = TRUE;
  g_warning ("Password policy checking has been disabled.");
}

◆ openvas_validate_password()

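/**
 * @brief Validate a password against the pattern file.
 *
 * The pattern file (PWPOLICY_FILE_NAME) is opened and read line by line;
 * each line is handed to parse_pattern_line() together with the password
 * and the user name, and the first line that reports a problem ends the
 * check.  Any problem with the pattern file itself (it cannot be opened,
 * a line has no trailing LF or is longer than the line buffer, or a read
 * error occurs) makes the check fail instead of letting the password
 * through, so a damaged or missing policy never silently turns into
 * "no policy".
 *
 * If openvas_disable_password_policy() has been called, NULL is returned
 * immediately; in that state even an empty password is accepted.
 *
 * @param[in] password  The password to check.
 * @param[in] username  The user name or NULL.  This is used to check the
 *                      passphrase against the user name.
 *
 * @return NULL on success or a malloced string with an error description
 *         which the caller has to free.
 */
char *
openvas_validate_password (const char *password, const char *username)
{
  const char *patternfile = PWPOLICY_FILE_NAME;
  char *ret;
  FILE *fp;
  int lineno;
  size_t len;
  char line[256];
  char *desc = NULL;

  /* Kill switch: checked before the empty-password test on purpose. */
  if (disable_password_policy)
    return NULL;

  if (!password || !*password)
    return g_strdup ("Empty password");

  fp = fopen (patternfile, "r");
  if (!fp)
    {
      /* Fail closed: an unreadable policy must not accept the password. */
      g_warning ("error opening '%s': %s", patternfile, g_strerror (errno));
      return policy_checking_failed ();
    }
  lineno = 0;
  ret = NULL;
  /* fgets() always reserves one byte for the NUL, so passing the full
     buffer size admits the documented 255 bytes per line (LF included).
     A longer line leaves no LF in the buffer and is rejected below.  */
  while (fgets (line, sizeof line, fp))
    {
      lineno++;
      len = strlen (line);
      if (!len || line[len-1] != '\n')
        {
          g_warning ("error reading '%s', line %d: %s",
                     patternfile, lineno,
                     len? "line too long":"line without a LF");
          ret = policy_checking_failed ();
          break;
        }
      line[--len] = 0; /* Chop the LF. */
      if (len && line[len-1] == '\r')
        line[--len] = 0; /* Chop an optional CR. */
      ret = parse_pattern_line (line, patternfile, lineno, &desc,
                                password, username);
      if (ret)
        break;
    }

  /* fgets() returns NULL on EOF and on a read error alike.  Only EOF
     means the whole policy was applied; a read error has to fail closed,
     otherwise an I/O failure would end in an accepted password.  */
  if (!ret && ferror (fp))
    {
      g_warning ("error reading '%s', line %d: %s",
                 patternfile, lineno, g_strerror (errno));
      ret = policy_checking_failed ();
    }

  fclose (fp);
  g_free (desc);
  return ret;
}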