Commit 81bd83b0 authored by Stephane Glondu's avatar Stephane Glondu

Validate passwords with cracklib

parent 5ccdc25d
......@@ -26,12 +26,13 @@ The non-OCaml prerequisites are:
* [ncurses](http://invisible-island.net/ncurses/)
* [uuidgen](https://www.kernel.org/pub/linux/utils/util-linux/)
* [GD-SecurityImage](https://metacpan.org/release/GD-SecurityImage)
* [cracklib](http://sourceforge.net/projects/cracklib)
These libraries and tools are pretty common, and might be directly part
of your operating system. On [Debian](http://www.debian.org/) and its
derivatives, they can be installed with the following command:
sudo apt install build-essential libgmp-dev libpcre3-dev pkg-config m4 libssl-dev libsqlite3-dev wget ca-certificates zip unzip aspcud libncurses-dev uuid-runtime zlib1g-dev libgd-securityimage-perl
sudo apt install build-essential libgmp-dev libpcre3-dev pkg-config m4 libssl-dev libsqlite3-dev wget ca-certificates zip unzip aspcud libncurses-dev uuid-runtime zlib1g-dev libgd-securityimage-perl cracklib-runtime
If you are unfamiliar with OCaml or OPAM, we provide an
`opam-bootstrap.sh` shell script that creates a whole, hopefully
......
......@@ -144,13 +144,16 @@ let is_username =
let add_account ~username ~password ~email =
if is_username username then
match get_password_db_fname () with
| None -> forbidden ()
| Some db_fname ->
if%lwt Lwt_mutex.with_lock password_db_mutex
(do_add_account ~db_fname ~username ~password ~email)
then return None
else return (Some UsernameTaken)
match%lwt Web_signup.cracklib_check password with
| Some e -> return (Some (BadPassword e))
| None ->
match get_password_db_fname () with
| None -> forbidden ()
| Some db_fname ->
if%lwt Lwt_mutex.with_lock password_db_mutex
(do_add_account ~db_fname ~username ~password ~email)
then return None
else return (Some UsernameTaken)
else return (Some BadUsername)
(** CAS authentication *)
......
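Review bot: `Web_signup.cracklib_check` is run before `get_password_db_fname ()` is consulted, so when no password database is configured the `None -> forbidden ()` branch still forks a `cracklib-check` process for every request. Swapping the two matches keeps the cheap configuration check first and only spawns the external checker on a path that can actually create an account; the check still sits outside `Lwt_mutex.with_lock`, so signups are not serialised on the child process. The nested matches also read more easily with the password check placed in the `Some db_fname` arm, as below.
```ocaml
let add_account ~username ~password ~email =
  if is_username username then
    match get_password_db_fname () with
    | None -> forbidden ()
    | Some db_fname ->
      (* Password strength is checked only once we know an account can be
         created; the external process runs outside the DB mutex. *)
      match%lwt Web_signup.cracklib_check password with
      | Some e -> return (Some (BadPassword e))
      | None ->
        if%lwt Lwt_mutex.with_lock password_db_mutex
            (do_add_account ~db_fname ~username ~password ~email)
        then return None
        else return (Some UsernameTaken)
  else return (Some BadUsername)
```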
......@@ -210,6 +210,7 @@ let captcha_error x =
type add_account_error =
| UsernameTaken
| BadUsername
| BadPassword of string
let b58_digits = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
let prng = lazy (pseudo_rng (random_string secure_rng 16))
......
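Review bot: `BadPassword of string` carries free-form text that ends up shown to the end user (the signup handler formats it into the page), but neither this declaration nor the matching one in the `.mli` hunk at `@@ -104,6 +104,7 @@` says where the string comes from or that it is display text. A doc comment on the constructor in the interface, e.g. `(** Reason reported by the password checker; intended to be shown to the user *)`, would make that contract explicit for future code that constructs or matches on it.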
......@@ -104,6 +104,7 @@ val captcha_error :
type add_account_error =
| UsernameTaken
| BadUsername
| BadPassword of string
val generate_token : ?length:int -> unit -> string Lwt.t
......
......@@ -134,3 +134,21 @@ let confirm_link token =
| Some x ->
links := SMap.remove token !links;
Lwt.return (Some x.address)
let cracklib =
let x = "cracklib-check" in (x, [| x |])
let extract_comment x =
let n = String.length x in
match String.rindex_opt x ':' with
| Some i when i < n - 2 ->
let x = String.sub x (i + 2) (n - i - 3) in
if x = "OK" then None else Some x
| _ -> Some "unknown error"
let cracklib_check password =
match String.index_opt password '\n' with
| None ->
let%lwt x = Lwt_process.pmap ~env:[| "LANG=C" |] cracklib password in
Lwt.return (extract_comment x)
| Some _ -> Lwt.return (Some "newline in password")
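Review bot: `cracklib_check` cannot tell a rejected password from a checker that did not run: `Lwt_process.pmap` ignores the exit status, so if `cracklib-check` is missing or fails, `x` is presumably empty and `extract_comment` turns that into `Some "unknown error"`, which the signup page then reports as a weak password. Failing closed is the right default, but the cause should be distinguishable; one line after the `pmap` does it, `if x = "" then Lwt.return (Some "password checker unavailable") else Lwt.return (extract_comment x)`, ideally with a log line so operators notice a broken deployment. Note also that `String.sub x (i + 2) (n - i - 3)` in `extract_comment` assumes the reply ends in a newline; a reply without one loses its last character. Passing the password on stdin rather than on the command line is the right choice, since argv is visible to other processes on the host.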
......@@ -30,3 +30,5 @@ val check_captcha : challenge:string -> response:string -> bool Lwt.t
val send_confirmation_link : string -> unit Lwt.t
val confirm_link : string -> string option Lwt.t
val cracklib_check : string -> string option Lwt.t
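Review bot: `cracklib_check` is exported without a doc comment, so its contract (what `Some` versus `None` means, and that a newline in the password is rejected without running the checker) is only visible in the implementation. Add above the `val`: `(** [cracklib_check password] runs [cracklib-check] on [password] and returns [None] when it is accepted or [Some reason] when it is rejected; a password containing a newline is always rejected. *)`.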
......@@ -2096,6 +2096,11 @@ let () =
| Some BadUsername ->
T.generic_page ~title:"Account creation" ~service:signup
"The account creation failed because the username is invalid. Please try again with a different one." () >>= Html.send
| Some (BadPassword e) ->
Printf.ksprintf
(fun x -> T.generic_page ~title:"Account creation" ~service:signup x () >>= Html.send)
"The account creation failed because the password is too weak (%s). Please try again with a different one"
e
)
let extract_automatic_data_draft uuid_s =
......
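Review bot: The new `BadPassword` message lacks the trailing period that the sibling `BadUsername` message has (`"... different one"` versus `"... different one."`), and routing the page construction through a `Printf.ksprintf` continuation obscures what is a plain string build. `let msg = Printf.sprintf "The account creation failed because the password is too weak (%s). Please try again with a different one." e in` followed by `T.generic_page ~title:"Account creation" ~service:signup msg () >>= Html.send` reads like the neighbouring arms. `e` is text produced by an external program and is placed into the page, which relies on `T.generic_page` escaping its content; that cannot be confirmed from this hunk. The enclosing handler (`let () = ...`) starts outside the hunk.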