首頁 探索 說明
登入
OWEALs
/
busybox
镜像来自 http://git.busybox.net/busybox/
3
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: ee22fe8793
分支列表 標籤列表
busybox
/
libbb
/
obscure.c

obscure.c 5.6 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222 
  1. /* vi: set sw=4 ts=4: */
    2. 

  2. /*
    3. 

  3.  * Mini weak password checker implementation for busybox
    4. 

  4.  *
    5. 

  5.  * Copyright (C) 2006 Tito Ragusa <farmatito@tiscali.it>
    6. 

  6.  *
    7. 

  7.  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
    8. 

  8.  */
    9. 

  9. 

  10. /*	A good password:
    11. 

  11. 	1)	should contain at least six characters (man passwd);
    12. 

  12. 	2)	empty passwords are not permitted;
    13. 

  13. 	3)	should contain a mix of four different types of characters
    14. 

  14. 		upper case letters,
    15. 

  15. 		lower case letters,
    16. 

  16. 		numbers,
    17. 

  17. 		special characters such as !@#$%^&*,;".
    18. 

  18. 	This password types should not  be permitted:
    19. 

  19. 	a)	pure numbers: birthdates, social security number, license plate, phone numbers;
    20. 

  20. 	b)	words and all letters only passwords (uppercase, lowercase or mixed)
    21. 

  21. 		as palindromes, consecutive or repetitive letters
    22. 

  22. 		or adjacent letters on your keyboard;
    23. 

  23. 	c)	username, real name, company name or (e-mail?) address
    24. 

  24. 		in any form (as-is, reversed, capitalized, doubled, etc.).
    25. 

  25. 		(we can check only against username, gecos and hostname)
    26. 

  26. 	d)	common and obvious letter-number replacements
    27. 

  27. 		(e.g. replace the letter O with number 0)
    28. 

  28. 		such as "M1cr0$0ft" or "P@ssw0rd" (CAVEAT: we cannot check for them
    29. 

  29. 		without the use of a dictionary).
    30. 

  30. 

  31. 	For each missing type of characters an increase of password length is
    32. 

  32. 	requested.
    33. 

  33. 

  34. 	If user is root we warn only.
    35. 

  35. 

  36. 	CAVEAT: some older versions of crypt() truncates passwords to 8 chars,
    37. 

  37. 	so that aaaaaaaa1Q$ is equal to aaaaaaaa making it possible to fool
    38. 

  38. 	some of our checks. We don't test for this special case as newer versions
    39. 

  39. 	of crypt do not truncate passwords.
    40. 

  40. */
    41. 

  41. 

  42. #include "libbb.h"
    43. 

  43. 

  44. static int string_checker_helper(const char *p1, const char *p2) __attribute__ ((__pure__));
    45. 

  45. 

  46. static int string_checker_helper(const char *p1, const char *p2)
    47. 

  47. {
    48. 

  48. 	/* as sub-string */
    49. 

  49. 	if (strcasestr(p2, p1) != NULL
    50. 

  50. 	/* invert in case haystack is shorter than needle */
    51. 

  51. 	 || strcasestr(p1, p2) != NULL
    52. 

  52. 	/* as-is or capitalized */
    53. 

  53. 	/* || strcasecmp(p1, p2) == 0 - 1st strcasestr should catch this too */
    54. 

  54. 	) {
    55. 

  55. 		return 1;
    56. 

  56. 	}
    57. 

  57. 	return 0;
    58. 

  58. }
    59. 

  59. 

  60. static int string_checker(const char *p1, const char *p2)
    61. 

  61. {
    62. 

  62. 	int size, i;
    63. 

  63. 	/* check string */
    64. 

  64. 	int ret = string_checker_helper(p1, p2);
    65. 

  65. 	/* make our own copy */
    66. 

  66. 	char *p = xstrdup(p1);
    67. 

  67. 

  68. 	/* reverse string */
    69. 

  69. 	i = size = strlen(p1);
    70. 

  70. 	while (--i >= 0) {
    71. 

  71. 		*p++ = p1[i];
    72. 

  72. 	}
    73. 

  73. 	p -= size; /* restore pointer */
    74. 

  74. 

  75. 	/* check reversed string */
    76. 

  76. 	ret |= string_checker_helper(p, p2);
    77. 

  77. 

  78. 	/* clean up */
    79. 

  79. 	nuke_str(p);
    80. 

  80. 	free(p);
    81. 

  81. 

  82. 	return ret;
    83. 

  83. }
    84. 

  84. 

  85. #define CATEGORIES  4
    86. 

  86. 

  87. #define LOWERCASE   1
    88. 

  88. #define UPPERCASE   2
    89. 

  89. #define NUMBERS     4
    90. 

  90. #define SPECIAL     8
    91. 

  91. 

  92. #define LAST_CAT    8
    93. 

  93. 

  94. static const char *obscure_msg(const char *old_p, const char *new_p, const struct passwd *pw)
    95. 

  95. {
    96. 

  96. 	unsigned length;
    97. 

  97. 	unsigned size;
    98. 

  98. 	unsigned mixed;
    99. 

  99. 	unsigned c;
    100. 

  100. 	unsigned i;
    101. 

  101. 	const char *p;
    102. 

  102. 	char *hostname;
    103. 

  103. 

  104. 	/* size */
    105. 

  105. 	if (!new_p || (length = strlen(new_p)) < CONFIG_PASSWORD_MINLEN)
    106. 

  106. 		return "too short";
    107. 

  107. 

  108. 	/* no username as-is, as sub-string, reversed, capitalized, doubled */
    109. 

  109. 	if (string_checker(new_p, pw->pw_name)) {
    110. 

  110. 		return "similar to username";
    111. 

  111. 	}
    112. 

  112. #ifndef __BIONIC__
    113. 

  113. 	/* no gecos as-is, as sub-string, reversed, capitalized, doubled */
    114. 

  114. 	if (pw->pw_gecos[0] && string_checker(new_p, pw->pw_gecos)) {
    115. 

  115. 		return "similar to gecos";
    116. 

  116. 	}
    117. 

  117. #endif
    118. 

  118. 	/* hostname as-is, as sub-string, reversed, capitalized, doubled */
    119. 

  119. 	hostname = safe_gethostname();
    120. 

  120. 	i = string_checker(new_p, hostname);
    121. 

  121. 	free(hostname);
    122. 

  122. 	if (i)
    123. 

  123. 		return "similar to hostname";
    124. 

  124. 

  125. 	/* Should / Must contain a mix of: */
    126. 

  126. 	mixed = 0;
    127. 

  127. 	for (i = 0; i < length; i++) {
    128. 

  128. 		if (islower(new_p[i])) {        /* a-z */
    129. 

  129. 			mixed |= LOWERCASE;
    130. 

  130. 		} else if (isupper(new_p[i])) { /* A-Z */
    131. 

  131. 			mixed |= UPPERCASE;
    132. 

  132. 		} else if (isdigit(new_p[i])) { /* 0-9 */
    133. 

  133. 			mixed |= NUMBERS;
    134. 

  134. 		} else  {                       /* special characters */
    135. 

  135. 			mixed |= SPECIAL;
    136. 

  136. 		}
    137. 

  137. 		/* Count i'th char */
    138. 

  138. 		c = 0;
    139. 

  139. 		p = new_p;
    140. 

  140. 		while (1) {
    141. 

  141. 			p = strchr(p, new_p[i]);
    142. 

  142. 			if (p == NULL) {
    143. 

  143. 				break;
    144. 

  144. 			}
    145. 

  145. 			c++;
    146. 

  146. 			p++;
    147. 

  147. 			if (!*p) {
    148. 

  148. 				break;
    149. 

  149. 			}
    150. 

  150. 		}
    151. 

  151. 		/* More than 50% similar characters ? */
    152. 

  152. 		if (c*2 >= length) {
    153. 

  153. 			return "too many similar characters";
    154. 

  154. 		}
    155. 

  155. 	}
    156. 

  156. 

  157. 	size = CONFIG_PASSWORD_MINLEN + 2*CATEGORIES;
    158. 

  158. 	for (i = 1; i <= LAST_CAT; i <<= 1)
    159. 

  159. 		if (mixed & i)
    160. 

  160. 			size -= 2;
    161. 

  161. 	if (length < size)
    162. 

  162. 		return "too weak";
    163. 

  163. 

  164. 	if (old_p && old_p[0]) {
    165. 

  165. 		/* check vs. old password */
    166. 

  166. 		if (string_checker(new_p, old_p)) {
    167. 

  167. 			return "similar to old password";
    168. 

  168. 		}
    169. 

  169. 	}
    170. 

  170. 

  171. 	return NULL;
    172. 

  172. }
    173. 

  173. 

  174. int FAST_FUNC obscure(const char *old, const char *newval, const struct passwd *pw)
    175. 

  175. {
    176. 

  176. 	const char *msg;
    177. 

  177. 

  178. 	msg = obscure_msg(old, newval, pw);
    179. 

  179. 	if (msg) {
    180. 

  180. 		printf("Bad password: %s\n", msg);
    181. 

  181. 		return 1;
    182. 

  182. 	}
    183. 

  183. 	return 0;
    184. 

  184. }
    185. 

  185. 

  186. #if ENABLE_UNIT_TEST
    187. 

  187. 

  188. /* Test obscure_msg() instead of obscure() in order not to print anything. */
    189. 

  189. 

  190. static const struct passwd pw = {
    191. 

  191. 	.pw_name = (char *)"johndoe",
    192. 

  192. 	.pw_gecos = (char *)"John Doe",
    193. 

  193. };
    194. 

  194. 

  195. BBUNIT_DEFINE_TEST(obscure_weak_pass)
    196. 

  196. {
    197. 

  197. 	/* Empty password */
    198. 

  198. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "", &pw));
    199. 

  199. 	/* Pure numbers */
    200. 

  200. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "23577315", &pw));
    201. 

  201. 	/* Similar to pw_name */
    202. 

  202. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "johndoe123%", &pw));
    203. 

  203. 	/* Similar to pw_gecos, reversed */
    204. 

  204. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "eoD nhoJ^44@", &pw));
    205. 

  205. 	/* Similar to the old password */
    206. 

  206. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "d4#21?'S", &pw));
    207. 

  207. 	/* adjacent letters */
    208. 

  208. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "qwerty123", &pw));
    209. 

  209. 	/* Many similar chars */
    210. 

  210. 	BBUNIT_ASSERT_NOTNULL(obscure_msg("Ad4#21?'S|", "^33Daaaaaa1", &pw));
    211. 

  211. 

  212. 	BBUNIT_ENDTEST;
    213. 

  213. }
    214. 

  214. 

  215. BBUNIT_DEFINE_TEST(obscure_strong_pass)
    216. 

  216. {
    217. 

  217. 	BBUNIT_ASSERT_NULL(obscure_msg("Rt4##2&:'|", "}(^#rrSX3S*22", &pw));
    218. 

  218. 

  219. 	BBUNIT_ENDTEST;
    220. 

  220. }
    221. 

  221. 

  222. #endif /* ENABLE_UNIT_TEST */
    223.