Gitiles
Code Review Sign In
gerrit.nordix.org / codeaurora / busybox / c9f423a93d969e91b82d8ecfb694076b460c8887 / . / libbb / obscure.c
blob: 1112e11cb70f9b47f5818001241b8835a2323a36 [file] [log] [blame]
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]1/* vi: set sw=4 ts=4: */
2/*
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]3 * Mini weak password checker implementation for busybox
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]4 *
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]5 * Copyright (C) 2006 Tito Ragusa <farmatito@tiscali.it>
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]6 *
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]7 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]8 */
9
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]10/* A good password:
11 1) should contain at least six characters (man passwd);
12 2) empty passwords are not permitted;
13 3) should contain a mix of four different types of characters
14 upper case letters,
15 lower case letters,
16 numbers,
17 special characters such as !@#$%^&*,;".
18 This password types should not be permitted:
19 a) pure numbers: birthdates, social security number, license plate, phone numbers;
20 b) words and all letters only passwords (uppercase, lowercase or mixed)
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]21 as palindromes, consecutive or repetitive letters
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]22 or adjacent letters on your keyboard;
23 c) username, real name, company name or (e-mail?) address
24 in any form (as-is, reversed, capitalized, doubled, etc.).
25 (we can check only against username, gecos and hostname)
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]26 d) common and obvious letter-number replacements
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]27 (e.g. replace the letter O with number 0)
28 such as "M1cr0$0ft" or "P@ssw0rd" (CAVEAT: we cannot check for them
29 without the use of a dictionary).
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]30
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]31 For each missing type of characters an increase of password length is
32 requested.
33
34 If user is root we warn only.
35
36 CAVEAT: some older versions of crypt() truncates passwords to 8 chars,
37 so that aaaaaaaa1Q$ is equal to aaaaaaaa making it possible to fool
38 some of our checks. We don't test for this special case as newer versions
39 of crypt do not truncate passwords.
40*/
41
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]42#include <ctype.h>
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]43#include <unistd.h>
44#include <string.h>
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]45#include <strings.h>
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]46
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]47#include "libbb.h"
48
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]49static int string_checker_helper(const char *p1, const char *p2) __attribute__ ((__pure__));
50
51static int string_checker_helper(const char *p1, const char *p2)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]52{
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]53 /* as-is or capitalized */
54 if (strcasecmp(p1, p2) == 0
55 /* as sub-string */
56 || strcasestr(p2, p1) != NULL
57 /* invert in case haystack is shorter than needle */
58 || strcasestr(p1, p2) != NULL)
59 return 1;
60 return 0;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]61}
62
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]63static int string_checker(const char *p1, const char *p2)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]64{
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]65 int size;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]66 /* check string */
67 int ret = string_checker_helper(p1, p2);
68 /* Make our own copy */
69 char *p = bb_xstrdup(p1);
70 /* reverse string */
71 size = strlen(p);
72
73 while (size--) {
74 *p = p1[size];
75 p++;
76 }
77 /* restore pointer */
78 p -= strlen(p1);
79 /* check reversed string */
80 ret |= string_checker_helper(p, p2);
81 /* clean up */
82 memset(p, 0, strlen(p1));
83 free(p);
84 return ret;
85}
86
87#define LOWERCASE 1
88#define UPPERCASE 2
89#define NUMBERS 4
90#define SPECIAL 8
91
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]92static const char *obscure_msg(const char *old_p, const char *new_p, const struct passwd *pw)
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]93{
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]94 int i;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]95 int c;
96 int length;
97 int mixed = 0;
"Robert P. J. Day"c9f423a2006-07-02 19:52:52 +0000[diff] [blame^]98 /* Add 2 for each type of characters to the minlen of password */
"Robert P. J. Day"087b9d62006-07-02 18:35:39 +0000[diff] [blame]99 int size = CONFIG_PASSWORD_MINLEN + 8;
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]100 const char *p;
101 char hostname[255];
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]102
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]103 /* size */
"Robert P. J. Day"087b9d62006-07-02 18:35:39 +0000[diff] [blame]104 if (!new_p || (length = strlen(new_p)) < CONFIG_PASSWORD_MINLEN)
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]105 return("too short");
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]106
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]107 /* no username as-is, as sub-string, reversed, capitalized, doubled */
108 if (string_checker(new_p, pw->pw_name)) {
109 return "similar to username";
110 }
111 /* no gecos as-is, as sub-string, reversed, capitalized, doubled */
112 if (string_checker(new_p, pw->pw_gecos)) {
113 return "similar to gecos";
114 }
115 /* hostname as-is, as sub-string, reversed, capitalized, doubled */
116 if (gethostname(hostname, 255) == 0) {
117 hostname[254] = '\0';
118 if (string_checker(new_p, hostname)) {
119 return "similar to hostname";
120 }
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]121 }
122
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]123 /* Should / Must contain a mix of: */
124 for (i = 0; i < length; i++) {
125 if (islower(new_p[i])) { /* a-z */
126 mixed |= LOWERCASE;
127 } else if (isupper(new_p[i])) { /* A-Z */
128 mixed |= UPPERCASE;
129 } else if (isdigit(new_p[i])) { /* 0-9 */
130 mixed |= NUMBERS;
131 } else { /* special characters */
132 mixed |= SPECIAL;
133 }
134 /* More than 50% similar characters ? */
135 c = 0;
136 p = new_p;
137 while (1) {
138 if ((p = strchr(p, new_p[i])) == NULL) {
139 break;
140 }
141 c++;
142 if (!++p) {
143 break; /* move past the matched char if possible */
144 }
145 }
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]146
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]147 if (c >= (length / 2)) {
148 return "too many similar characters";
149 }
Eric Andersen3124a9e2003-07-30 07:57:06 +0000[diff] [blame]150 }
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]151 for (i=0; i<4; i++)
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]152 if (mixed & (1<<i)) size -= 2;
153 if (length < size)
154 return "too weak";
Bernhard Reutner-Fischera2a647d2006-05-19 12:30:00 +0000[diff] [blame]155
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]156 if (old_p && old_p[0] != '\0') {
157 /* check vs. old password */
158 if (string_checker(new_p, old_p)) {
159 return "similar to old password";
160 }
161 }
162 return NULL;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]163}
164
Rob Landleydfba7412006-03-06 20:47:33 +0000[diff] [blame]165int obscure(const char *old, const char *newval, const struct passwd *pwdp)
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]166{
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]167 const char *msg;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]168
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]169 if ((msg = obscure_msg(old, newval, pwdp))) {
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]170 printf("Bad password: %s.\n", msg);
Rob Landleya13cca92006-04-02 18:57:20 +0000[diff] [blame]171 /* If user is root warn only */
172 return (getuid())? 1 : 0;
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]173 }
Eric Andersen27f64e12002-06-23 04:24:25 +0000[diff] [blame]174 return 0;
175}