Add optional libpasswdqc support for new LUKS passwords

If the password is entered through the terminal (no keyfile specified) and
cryptsetup is compiled with --enable-passwdqc[=/etc/passwdqc.conf], the
default (or configured) passwdqc settings are used to check password quality.
parent e97048dd
......@@ -97,12 +97,14 @@ AC_DEFUN([NO_FIPS], [
dnl ==========================================================================
dnl pwquality library (cryptsetup CLI only)
AC_ARG_ENABLE([pwquality], AS_HELP_STRING([--enable-pwquality],[enable password quality checking]),
[with_pwquality=$enableval],
[with_pwquality=no])
AC_ARG_ENABLE([pwquality],
AS_HELP_STRING([--enable-pwquality],
[enable password quality checking using pwquality library]),
[with_pwquality=$enableval],
[with_pwquality=no])
if test "x$with_pwquality" = "xyes"; then
AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking])
AC_DEFINE(ENABLE_PWQUALITY, 1, [Enable password quality checking using pwquality library])
PKG_CHECK_MODULES([PWQUALITY], [pwquality >= 1.0.0],,
AC_MSG_ERROR([You need pwquality library.]))
......@@ -110,6 +112,32 @@ if test "x$with_pwquality" = "xyes"; then
PWQUALITY_STATIC_LIBS="$PWQUALITY_LIBS -lcrack -lz"
fi
dnl ==========================================================================
dnl passwdqc library (cryptsetup CLI only)
AC_ARG_ENABLE([passwdqc],
AS_HELP_STRING([--enable-passwdqc],
[enable password quality checking using passwdqc library]),
[enable_passwdqc=$enableval],
[enable_passwdqc=no])
case "$enable_passwdqc" in
yes|no) ;;
/*)
AC_DEFINE_UNQUOTED([PASSWDQC_CONFIG_FILE], ["$enable_passwdqc"], [passwdqc library config file])
enable_passwdqc=yes ;;
*) AC_MSG_ERROR([Unrecognized --enable-passwdqc parameter.]) ;;
esac
if test "x$enable_passwdqc" = "xyes"; then
AC_DEFINE(ENABLE_PASSWDQC, 1, [Enable password quality checking using passwdqc library])
PASSWDQC_LIBS="-lpasswdqc"
fi
if test "x$with_pwquality$enable_passwdqc" = "xyesyes"; then
AC_MSG_ERROR([--enable-pwquality and --enable-passwdqc are mutually incompatible.])
fi
dnl ==========================================================================
dnl Crypto backend functions
......@@ -345,6 +373,8 @@ AC_SUBST([DEVMAPPER_STATIC_LIBS])
AC_SUBST([PWQUALITY_LIBS])
AC_SUBST([PWQUALITY_STATIC_LIBS])
AC_SUBST([PASSWDQC_LIBS])
AC_SUBST([CRYPTO_CFLAGS])
AC_SUBST([CRYPTO_LIBS])
AC_SUBST([CRYPTO_STATIC_LIBS])
......
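Review bot: The passwdqc branch sets `PASSWDQC_LIBS="-lpasswdqc"` without probing for the library or its header, so a host lacking libpasswdqc passes configure and only fails at link time, whereas the pwquality branch aborts configure via PKG_CHECK_MODULES. Replace the bare assignment with `AC_CHECK_LIB([passwdqc], [passwdqc_check], [PASSWDQC_LIBS="-lpasswdqc"], [AC_MSG_ERROR([You need passwdqc library.])])` and add `AC_CHECK_HEADER([passwdqc.h],, [AC_MSG_ERROR([You need passwdqc.h header.])])` so the failure is reported where the user can act on it. The help text also does not advertise the optional `=/path/to/passwdqc.conf` form that the `case` accepts; `AS_HELP_STRING([--enable-passwdqc@<:@=CONFIG_PATH@:>@], ...)` would document it. Unlike pwquality there is no `PASSWDQC_STATIC_LIBS`, so a static build of the CLI, if one exists, presumably cannot link this feature — confirm against the Makefile targets.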
......@@ -879,7 +879,7 @@ This option applies only to \fIluksFormat\fR, \fIluksAddKey\fR and
password quality checking support.
For more info about password quality check, see manual page
for \fBpwquality.conf(5)\fR.
for \fBpwquality.conf(5)\fR and \fBpasswdqc.conf(5)\fR.
.TP
.B "\-\-version"
Show the program version.
......
......@@ -20,7 +20,8 @@ cryptsetup_SOURCES = \
cryptsetup_LDADD = \
$(top_builddir)/lib/libcryptsetup.la \
@POPT_LIBS@ \
@PWQUALITY_LIBS@
@PWQUALITY_LIBS@ \
@PASSWDQC_LIBS@
cryptsetup_CFLAGS = $(AM_CFLAGS) -Wall
......
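Review bot: `@PASSWDQC_LIBS@` is appended only to `cryptsetup_LDADD`; if this Makefile also defines a static target (configure.ac substitutes `PWQUALITY_STATIC_LIBS` for that purpose), a static build with `--enable-passwdqc` would leave `tools_check_pwquality` with undefined references to `passwdqc_*`. That target is outside this hunk, so this is inferred rather than visible; if it exists, add `@PASSWDQC_LIBS@` (or a dedicated static variable) to its LDADD as well.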
......@@ -23,8 +23,8 @@
int opt_force_password = 0;
#if ENABLE_PWQUALITY
#include <pwquality.h>
#if defined ENABLE_PWQUALITY
# include <pwquality.h>
static int tools_check_pwquality(const char *password)
{
......@@ -58,12 +58,40 @@ static int tools_check_pwquality(const char *password)
pwquality_free_settings(pwq);
return r;
}
#else /* ENABLE_PWQUALITY */
#elif defined ENABLE_PASSWDQC
# include <passwdqc.h>
static int tools_check_pwquality(const char *password)
{
passwdqc_params_t params;
char *parse_reason;
const char *check_reason;
passwdqc_params_reset(&params);
# ifdef PASSWDQC_CONFIG_FILE
if (passwdqc_params_load(&params, &parse_reason, PASSWDQC_CONFIG_FILE)) {
log_err(_("Cannot check password quality: %s\n"),
(parse_reason ? parse_reason : "Out of memory"));
free(parse_reason);
return -EINVAL;
}
# endif
check_reason = passwdqc_check(&params.qc, password, NULL, NULL);
if (check_reason) {
log_err(_("Password quality check failed: Bad passphrase (%s)\n"),
check_reason);
return -EPERM;
}
return 0;
}
#else /* !(ENABLE_PWQUALITY || ENABLE_PASSWDQC) */
static int tools_check_pwquality(const char *password)
{
return 0;
}
#endif /* ENABLE_PWQUALITY */
#endif /* ENABLE_PWQUALITY || ENABLE_PASSWDQC */
int tools_is_cipher_null(const char *cipher)
{
......
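Review bot: The new passwdqc `tools_check_pwquality` never releases the parameters it loads: `passwdqc_params_load()` may attach storage owned by `params` (presumably for settings such as wordlist paths, per the libpasswdqc API), and neither the `-EINVAL` return after a failed load nor the success path pairs it with `passwdqc_params_free(&params)`. If the library version in use provides that call, add `passwdqc_params_free(&params);` before the `return -EPERM;` and `return 0;` statements (and after a failed load); the leak is bounded in a short-lived CLI but will show up under valgrind/ASan. A short header comment would also help readers of the `#elif` branch: `/* Returns 0 when the passphrase passes, -EINVAL if the compiled-in config file cannot be loaded, -EPERM when passwdqc rejects it. */`. Note that on a missing or unparsable config file the check fails closed and no passphrase can be set, which is worth stating explicitly in that comment. The `#if defined ENABLE_PWQUALITY` branch this hunk touches starts outside the hunk.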