Merge pull request #20425 from Blarse/passwdqc-pr

Add passwdqc support

Author: bluca

meson.build

@@ -1189,8 +1189,13 @@ else
 endif
 conf.set10('HAVE_LIBFDISK', have)
 
+want_passwdqc = get_option('passwdqc')
 want_pwquality = get_option('pwquality')
-if want_pwquality != 'false' and not skip_deps
+if want_passwdqc == 'true' and want_pwquality == 'true'
+        error('passwdqc and pwquality cannot be requested simultaneously')
+endif
+
+if want_pwquality != 'false' and want_passwdqc != 'true' and not skip_deps
         libpwquality = dependency('pwquality',
                                   version : '>= 1.4.1',
                                   required : want_pwquality == 'true')
@@ -1201,6 +1206,16 @@ else
 endif
 conf.set10('HAVE_PWQUALITY', have)
 
+if not have and want_passwdqc != 'false' and not skip_deps
+        libpasswdqc = dependency('passwdqc',
+                                 required : want_passwdqc == 'true')
+        have = libpasswdqc.found()
+else
+        have = false
+        libpasswdqc = []
+endif
+conf.set10('HAVE_PASSWDQC', have)
+
 want_seccomp = get_option('seccomp')
 if want_seccomp != 'false' and not skip_deps
         libseccomp = dependency('libseccomp',
@@ -4940,6 +4955,7 @@ foreach tuple : [
         ['microhttpd'],
         ['openssl'],
         ['p11kit'],
+        ['passwdqc'],
         ['pcre2'],
         ['pwquality'],
         ['qrencode'],

meson_options.txt

@@ -381,6 +381,8 @@ option('xenctrl', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'support for Xen kexec')
 option('pam', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'PAM support')
+option('passwdqc', type : 'combo', choices : ['auto', 'true', 'false'],
+       description : 'libpasswdqc support')
 option('pwquality', type : 'combo', choices : ['auto', 'true', 'false'],
        description : 'libpwquality support')
 option('microhttpd', type : 'combo', choices : ['auto', 'true', 'false'],

src/cryptenroll/cryptenroll-password.c

@@ -3,9 +3,10 @@
 #include "ask-password-api.h"
 #include "cryptenroll-password.h"
 #include "env-util.h"
+#include "errno-util.h"
 #include "escape.h"
 #include "memory-util.h"
-#include "pwquality-util.h"
+#include "password-quality-util.h"
 #include "strv.h"
 
 int load_volume_key_password(
@@ -155,9 +156,13 @@ int enroll_password(
                 }
         }
 
-        r = quality_check_password(new_password, NULL, &error);
-        if (r < 0)
-                return log_error_errno(r, "Failed to check password for quality: %m");
+        r = check_password_quality(new_password, /* old */ NULL, /* user */ NULL, &error);
+        if (r < 0) {
+                if (ERRNO_IS_NOT_SUPPORTED(r))
+                        log_warning("Password quality check is not supported, proceeding anyway.");
+                else
+                        return log_error_errno(r, "Failed to check password quality: %m");
+        }
         if (r == 0)
                 log_warning("Specified password does not pass quality checks (%s), proceeding anyway.", error);
 

src/firstboot/firstboot.c

@@ -19,6 +19,7 @@
 #include "creds-util.h"
 #include "dissect-image.h"
 #include "env-file.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "fs-util.h"
@@ -35,10 +36,10 @@
 #include "os-util.h"
 #include "parse-argument.h"
 #include "parse-util.h"
+#include "password-quality-util.h"
 #include "path-util.h"
 #include "pretty-print.h"
 #include "proc-cmdline.h"
-#include "pwquality-util.h"
 #include "random-util.h"
 #include "smack-util.h"
 #include "string-util.h"
@@ -789,9 +790,13 @@ static int prompt_root_password(int rfd) {
                         break;
                 }
 
-                r = quality_check_password(*a, "root", &error);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to check quality of password: %m");
+                r = check_password_quality(*a, /* old */ NULL, "root", &error);
+                if (r < 0) {
+                        if (ERRNO_IS_NOT_SUPPORTED(r))
+                                log_warning("Password quality check is not supported, proceeding anyway.");
+                        else
+                                return log_error_errno(r, "Failed to check password quality: %m");
+                }
                 if (r == 0)
                         log_warning("Password is weak, accepting anyway: %s", error);
 

src/home/homectl.c

@@ -30,18 +30,18 @@
 #include "pager.h"
 #include "parse-argument.h"
 #include "parse-util.h"
+#include "password-quality-util.h"
 #include "path-util.h"
 #include "percent-util.h"
 #include "pkcs11-util.h"
 #include "pretty-print.h"
 #include "process-util.h"
-#include "pwquality-util.h"
 #include "rlimit-util.h"
 #include "spawn-polkit-agent.h"
 #include "terminal-util.h"
 #include "uid-alloc-range.h"
 #include "user-record.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-show.h"
 #include "user-record-util.h"
 #include "user-util.h"
@@ -1323,7 +1323,7 @@ static int create_home(int argc, char *argv[], void *userdata) {
 
                 /* If password quality enforcement is disabled, let's at least warn client side */
 
-                r = user_record_quality_check_password(hr, hr, &error);
+                r = user_record_check_password_quality(hr, hr, &error);
                 if (r < 0)
                         log_warning_errno(r, "Specified password does not pass quality checks (%s), proceeding anyway.", bus_error_message(&error, r));
         }

src/home/homed-home.c

@@ -31,7 +31,6 @@
 #include "mkdir.h"
 #include "path-util.h"
 #include "process-util.h"
-#include "pwquality-util.h"
 #include "quota-util.h"
 #include "resize-fs.h"
 #include "set.h"
@@ -40,7 +39,7 @@
 #include "string-table.h"
 #include "strv.h"
 #include "uid-alloc-range.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-sign.h"
 #include "user-record-util.h"
 #include "user-record.h"
@@ -1513,7 +1512,7 @@ int home_create(Home *h, UserRecord *secret, sd_bus_error *error) {
         if (h->record->enforce_password_policy == false)
                 log_debug("Password quality check turned off for account, skipping.");
         else {
-                r = user_record_quality_check_password(h->record, secret, error);
+                r = user_record_check_password_quality(h->record, secret, error);
                 if (r < 0)
                         return r;
         }
@@ -1888,7 +1887,7 @@ int home_passwd(Home *h,
         if (c->enforce_password_policy == false)
                 log_debug("Password quality check turned off for account, skipping.");
         else {
-                r = user_record_quality_check_password(c, merged_secret, error);
+                r = user_record_check_password_quality(c, merged_secret, error);
                 if (r < 0)
                         return r;
         }

src/home/meson.build

@@ -33,7 +33,7 @@ systemd_homed_sources = files(
         'homed-operation.c',
         'homed-varlink.c',
         'homed.c',
-        'user-record-pwquality.c',
+        'user-record-password-quality.c',
         'user-record-sign.c',
         'user-record-util.c',
 )
@@ -52,7 +52,7 @@ homectl_sources = files(
         'homectl-pkcs11.c',
         'homectl-recovery-key.c',
         'homectl.c',
-        'user-record-pwquality.c',
+        'user-record-password-quality.c',
         'user-record-util.c',
 )
 

src/home/user-record-pwquality.c renamed to src/home/user-record-password-quality.c

@@ -4,33 +4,25 @@
 #include "errno-util.h"
 #include "home-util.h"
 #include "libcrypt-util.h"
-#include "pwquality-util.h"
+#include "password-quality-util.h"
 #include "strv.h"
-#include "user-record-pwquality.h"
+#include "user-record-password-quality.h"
 #include "user-record-util.h"
 
-#if HAVE_PWQUALITY
+#if HAVE_PASSWDQC || HAVE_PWQUALITY
 
-int user_record_quality_check_password(
+int user_record_check_password_quality(
                 UserRecord *hr,
                 UserRecord *secret,
                 sd_bus_error *error) {
 
-        _cleanup_(sym_pwquality_free_settingsp) pwquality_settings_t *pwq = NULL;
-        char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
-        void *auxerror;
+        _cleanup_free_ char *auxerror = NULL;
         int r;
 
         assert(hr);
         assert(secret);
 
-        r = pwq_allocate_context(&pwq);
-        if (ERRNO_IS_NOT_SUPPORTED(r))
-                return 0;
-        if (r < 0)
-                return log_debug_errno(r, "Failed to allocate libpwquality context: %m");
-
-        /* This is a bit more complex than one might think at first. pwquality_check() would like to know the
+        /* This is a bit more complex than one might think at first. check_password_quality() would like to know the
          * old password to make security checks. We support arbitrary numbers of passwords however, hence we
          * call the function once for each combination of old and new password. */
 
@@ -56,30 +48,35 @@ int user_record_quality_check_password(
                         if (r > 0) /* This is a new password, not suitable as old password */
                                 continue;
 
-                        r = sym_pwquality_check(pwq, *pp, *old, hr->user_name, &auxerror);
-                        if (r < 0)
-                                return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY, "Password too weak: %s",
-                                                         sym_pwquality_strerror(buf, sizeof(buf), r, auxerror));
+                        r = check_password_quality(*pp, *old, hr->user_name, &auxerror);
+                        if (r <= 0)
+                                goto error;
 
                         called = true;
                 }
 
                 if (called)
                         continue;
 
-                /* If there are no old passwords, let's call pwquality_check() without any. */
-                r = sym_pwquality_check(pwq, *pp, NULL, hr->user_name, &auxerror);
-                if (r < 0)
-                        return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY, "Password too weak: %s",
-                                                 sym_pwquality_strerror(buf, sizeof(buf), r, auxerror));
+                /* If there are no old passwords, let's call check_password_quality() without any. */
+                r = check_password_quality(*pp, /* old */ NULL, hr->user_name, &auxerror);
+                if (r <= 0)
+                        goto error;
         }
-
         return 1;
+
+error:
+        if (r == 0)
+                return sd_bus_error_setf(error, BUS_ERROR_LOW_PASSWORD_QUALITY,
+                                         "Password too weak: %s", auxerror);
+        if (ERRNO_IS_NOT_SUPPORTED(r))
+                return 0;
+        return log_debug_errno(r, "Failed to check password quality: %m");
 }
 
 #else
 
-int user_record_quality_check_password(
+int user_record_check_password_quality(
                 UserRecord *hr,
                 UserRecord *secret,
                 sd_bus_error *error) {

src/home/user-record-pwquality.h renamed to src/home/user-record-password-quality.h

@@ -4,4 +4,4 @@
 #include "sd-bus.h"
 #include "user-record.h"
 
-int user_record_quality_check_password(UserRecord *hr, UserRecord *secret, sd_bus_error *error);
+int user_record_check_password_quality(UserRecord *hr, UserRecord *secret, sd_bus_error *error);

src/shared/meson.build

@@ -128,11 +128,12 @@ shared_sources = files(
         'pager.c',
         'parse-argument.c',
         'parse-helpers.c',
+        'password-quality-util-passwdqc.c',
+        'password-quality-util-pwquality.c',
         'pcre2-util.c',
         'pkcs11-util.c',
         'pretty-print.c',
         'ptyfwd.c',
-        'pwquality-util.c',
         'qrcode-util.c',
         'quota-util.c',
         'reboot-util.c',