Greenbone Vulnerability Management Libraries
21.4.2
|
Check passwords against a list of pattern. More...
#include "pwpolicy.h"
#include <errno.h>
#include <glib.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
Macros | |
#define | DIM(v) (sizeof (v) / sizeof ((v)[0])) |
#define | DIMof(type, member) DIM (((type *) 0)->member) |
#define | G_LOG_DOMAIN "libgvm base" |
GLib log domain. More... | |
#define | PWPOLICY_FILE_NAME GVM_SYSCONF_DIR "/pwpolicy.conf" |
The name of the pattern file. More... | |
Functions | |
static char * | policy_checking_failed (void) |
static char * | is_keyword (char *string, const char *keyword) |
Check whether a string starts with a keyword. More... | |
static int | search_file (const char *fname, const char *password) |
Search a file for a matching line. More... | |
static char * | parse_pattern_line (char *line, const char *fname, int lineno, char **descp, const char *password, const char *username) |
Parse one line of a pettern file. More... | |
char * | gvm_validate_password (const char *password, const char *username) |
Validate a password against the pattern file. More... | |
void | gvm_disable_password_policy (void) |
Disable all password policy checking. More... | |
Variables | |
static gboolean | disable_password_policy |
Flag indicating that passwords are not checked. More... | |
Check passwords against a list of pattern.
See PWPOLICY_FILE_NAME for a syntax description of the pattern file.
#define DIM | ( | v | ) | (sizeof (v) / sizeof ((v)[0])) |
#define DIMof | ( | type, | |
member | |||
) | DIM (((type *) 0)->member) |
#define G_LOG_DOMAIN "libgvm base" |
GLib log domain.
#define PWPOLICY_FILE_NAME GVM_SYSCONF_DIR "/pwpolicy.conf" |
The name of the pattern file.
This file contains pattern with bad passphrases. The file is line based with maximum length of 255 bytes per line and expected to be in UTF-8 encoding. Each line may either be a comment line, a simple string, a regular expression or a processing instruction. The lines are parsed sequentially.
Comments are indicated by a hash mark ('#') as the first non white-space character of a line followed immediately by a space or end of line. Such a comment line is completely ignored.
Simple strings start after optional leading white-space. They are compared to the password under validation. The comparison is case insensitive for all ASCII characters.
Regular expressions start after optional leading white-space with either a single slash ('/') or an exclamation mark ('!') directly followed by a slash. They extend to the end of the line but may be terminated with another slash which may then only be followed by more white-space. The regular expression are Perl Compatible Regular Expressions (PCRE) and are by default case insensitive. If the regular expression line starts with the exclamation mark, the match is reversed; i.e. an error is returned if the password does not match.
Processing instructions are special comments to control the operation of the policy checking. The start like a comment but the hash mark is immediately followed by a plus ('+') signed, a keyword, an optional colon (':') and an optional value string. The following processing instructions are supported:
#+desc[:] STRING
This is used to return a meaningful error message. STRING is used a the description for all errors up to the next /desc/ or /nodesc/ processing instruction.
#+nodesc
This is syntactic sugar for /desc/ without a value. It switches back to a default error description (pattern file name and line number).
#+search[:] FILENAME
This searches the file with name FILENAME for a match. The comparison is case insensitive for all ASCII characters. This is a simple linear search and stops at the first match. Comments are not allowed in that file. A line in that file may not be longer than 255 characters. An example for such a file is "/usr/share/dict/words".
#+username
This is used to perform checks on the name/password combination. Currently this checks whether the password matches or is included in the password. It may eventually be extended to further tests.
void gvm_disable_password_policy | ( | void | ) |
Disable all password policy checking.
char* gvm_validate_password | ( | const char * | password, |
const char * | username | ||
) |
Validate a password against the pattern file.
[in] | password | The password to check |
[in] | username | The user name or NULL. This is used to check the passphrase against the user name. |
|
static |
Check whether a string starts with a keyword.
Note that the keyword may optionally be terminated by a colon.
string | The string to check |
keyword | The keyword |
string
to the value of the keyword with removed leading spaces is returned.
|
static |
Parse one line of a pettern file.
line | A null terminated buffer with the content of the line. The line terminator has already been stripped. It may be modified after return. |
fname | The name of the pattern file for error reporting |
lineno | The current line number for error reporting |
descp | Pointer to a variable holding the current description string or NULL for no description. |
password | The password to check. |
username | The username to check. |
|
static |
|
static |
Search a file for a matching line.
This is a case insensitive search for a password in a file. The file is assumed to be a simple LF delimited list of words.
fname | Name of the file to search. |
password | Password to search for. |
|
static |
Flag indicating that passwords are not checked.