Gitiles
Code Review Sign In
gerrit.nordix.org / codeaurora / busybox / 2514302658d4c9655965f90d560b58e6dc92856b / . / libbb / obscure.c
blob: dd8cd319a023a3c4b430cafa23a3d161971a4793 [file] [log] [blame]
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]1/* vi: set sw=4 ts=4: */
2/*
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]3 * Mini weak password checker implementation for busybox
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]4 *
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]5 * Copyright (C) 2006 Tito Ragusa <farmatito@tiscali.it>
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]6 *
Denys Vlasenko0ef64bd2010-08-16 20:14:46 +0200[diff] [blame]7 * Licensed under GPLv2 or later, see file LICENSE in this source tree.
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]8 */
9
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]10/* A good password:
11 1) should contain at least six characters (man passwd);
12 2) empty passwords are not permitted;
13 3) should contain a mix of four different types of characters
14 upper case letters,
15 lower case letters,
16 numbers,
17 special characters such as !@#$%^&*,;".
18 This password types should not be permitted:
19 a) pure numbers: birthdates, social security number, license plate, phone numbers;
20 b) words and all letters only passwords (uppercase, lowercase or mixed)
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]21 as palindromes, consecutive or repetitive letters
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]22 or adjacent letters on your keyboard;
23 c) username, real name, company name or (e-mail?) address
24 in any form (as-is, reversed, capitalized, doubled, etc.).
25 (we can check only against username, gecos and hostname)
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]26 d) common and obvious letter-number replacements
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]27 (e.g. replace the letter O with number 0)
28 such as "M1cr0$0ft" or "P@ssw0rd" (CAVEAT: we cannot check for them
29 without the use of a dictionary).
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]30
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]31 For each missing type of characters an increase of password length is
32 requested.
33
34 If user is root we warn only.
35
36 CAVEAT: some older versions of crypt() truncates passwords to 8 chars,
37 so that aaaaaaaa1Q$ is equal to aaaaaaaa making it possible to fool
38 some of our checks. We don't test for this special case as newer versions
39 of crypt do not truncate passwords.
40*/
41
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]42#include "libbb.h"
43
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]44static int string_checker_helper(const char *p1, const char *p2) __attribute__ ((__pure__));
45
46static int string_checker_helper(const char *p1, const char *p2)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]47{
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]48 /* as sub-string */
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]49 if (strcasestr(p2, p1) != NULL
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]50 /* invert in case haystack is shorter than needle */
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]51 || strcasestr(p1, p2) != NULL
52 /* as-is or capitalized */
53 /* || strcasecmp(p1, p2) == 0 - 1st strcasestr should catch this too */
54 ) {
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]55 return 1;
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]56 }
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]57 return 0;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]58}
59
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]60static int string_checker(const char *p1, const char *p2)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]61{
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]62 int size, i;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]63 /* check string */
64 int ret = string_checker_helper(p1, p2);
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]65 /* make our own copy */
Rob Landleyd921b2e2006-08-03 15:41:12 +0000[diff] [blame]66 char *p = xstrdup(p1);
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]67
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]68 /* reverse string */
69 i = size = strlen(p1);
70 while (--i >= 0) {
71 *p++ = p1[i];
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]72 }
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]73 p -= size; /* restore pointer */
74
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]75 /* check reversed string */
76 ret |= string_checker_helper(p, p2);
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]77
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]78 /* clean up */
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]79 memset(p, 0, size);
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]80 free(p);
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]81
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]82 return ret;
83}
84
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]85#define CATEGORIES 4
86
87#define LOWERCASE 1
88#define UPPERCASE 2
89#define NUMBERS 4
90#define SPECIAL 8
91
92#define LAST_CAT 8
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]93
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]94static const char *obscure_msg(const char *old_p, const char *new_p, const struct passwd *pw)
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]95{
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]96 unsigned length;
97 unsigned size;
98 unsigned mixed;
99 unsigned c;
100 unsigned i;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]101 const char *p;
Denis Vlasenko6f1713f2008-02-25 23:23:58 +0000[diff] [blame]102 char *hostname;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]103
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]104 /* size */
"Robert P. J. Day"087b9d62006-07-02 18:35:39 +0000[diff] [blame]105 if (!new_p || (length = strlen(new_p)) < CONFIG_PASSWORD_MINLEN)
Denis Vlasenko079f8af2006-11-27 16:49:31 +0000[diff] [blame]106 return "too short";
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]107
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]108 /* no username as-is, as sub-string, reversed, capitalized, doubled */
109 if (string_checker(new_p, pw->pw_name)) {
110 return "similar to username";
111 }
112 /* no gecos as-is, as sub-string, reversed, capitalized, doubled */
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]113 if (pw->pw_gecos[0] && string_checker(new_p, pw->pw_gecos)) {
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]114 return "similar to gecos";
115 }
116 /* hostname as-is, as sub-string, reversed, capitalized, doubled */
Denis Vlasenko6f1713f2008-02-25 23:23:58 +0000[diff] [blame]117 hostname = safe_gethostname();
118 i = string_checker(new_p, hostname);
119 free(hostname);
120 if (i)
121 return "similar to hostname";
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]122
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]123 /* Should / Must contain a mix of: */
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]124 mixed = 0;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]125 for (i = 0; i < length; i++) {
126 if (islower(new_p[i])) { /* a-z */
127 mixed |= LOWERCASE;
128 } else if (isupper(new_p[i])) { /* A-Z */
129 mixed |= UPPERCASE;
130 } else if (isdigit(new_p[i])) { /* 0-9 */
131 mixed |= NUMBERS;
132 } else { /* special characters */
133 mixed |= SPECIAL;
134 }
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]135 /* Count i'th char */
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]136 c = 0;
137 p = new_p;
138 while (1) {
Denis Vlasenko6bef3d12007-11-06 03:05:54 +0000[diff] [blame]139 p = strchr(p, new_p[i]);
140 if (p == NULL) {
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]141 break;
142 }
143 c++;
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]144 p++;
145 if (!*p) {
146 break;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]147 }
148 }
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]149 /* More than 50% similar characters ? */
150 if (c*2 >= length) {
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]151 return "too many similar characters";
152 }
Eric Andersen3124a9e2003-07-30 07:57:06 +0000[diff] [blame]153 }
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]154
155 size = CONFIG_PASSWORD_MINLEN + 2*CATEGORIES;
Denys Vlasenkofd27fa82010-08-17 17:21:36 +0200[diff] [blame]156 for (i = 1; i <= LAST_CAT; i <<= 1)
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]157 if (mixed & i)
158 size -= 2;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]159 if (length < size)
160 return "too weak";
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]161
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]162 if (old_p && old_p[0]) {
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]163 /* check vs. old password */
164 if (string_checker(new_p, old_p)) {
165 return "similar to old password";
166 }
167 }
Bob Dunlopd71c7702010-08-17 16:01:16 +0200[diff] [blame]168
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]169 return NULL;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]170}
171
Denis Vlasenkodefc1ea2008-06-27 02:52:20 +0000[diff] [blame]172int FAST_FUNC obscure(const char *old, const char *newval, const struct passwd *pw)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]173{
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]174 const char *msg;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]175
Denis Vlasenkoab24e182006-11-30 16:41:15 +0000[diff] [blame]176 msg = obscure_msg(old, newval, pw);
177 if (msg) {
178 printf("Bad password: %s\n", msg);
179 return 1;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]180 }
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]181 return 0;
182}