Prevent duplicate entries in passphrase wordlists

Replace a QVector for the wordlist with a QSet. This removes all duplicate entries in a given wordlist. Thus, it hinders a malicious wordlist that has the proper length (>4000 entries) but with repetitions (effectively << 4000 entries) to be used and potentially create weaker passphrases than estimated. Example: List with 4000 items but only 64 unique words would lead to only 48 bit of Entropy instead of ~95 bit!
2025-12-04 15:39:34 +01:00 · 2024-06-28 11:24:44 +02:00
parent 9b4e6b4e11
commit c7d318236f
8 changed files with 47 additions and 26 deletions
--- a/tests/TestPassphraseGenerator.cpp
+++ b/tests/TestPassphraseGenerator.cpp
@@ -16,6 +16,7 @@
 */

 #include "TestPassphraseGenerator.h"
+#include "config-keepassx-tests.h"
 #include "core/PassphraseGenerator.h"
 #include "crypto/Crypto.h"

@@ -52,3 +53,18 @@ void TestPassphraseGenerator::testWordCase()
    QRegularExpression regex("^(?:[A-Z][a-z-]* )*[A-Z][a-z-]*$");
    QVERIFY2(regex.match(passphrase).hasMatch(), qPrintable(passphrase));
 }
+
+void TestPassphraseGenerator::testUniqueEntriesInWordlist()
+{
+    PassphraseGenerator generator;
+    // set the limit down, so we don;t have to do a very large file
+    generator.m_minimum_wordlist_length = 4;
+
+    // link to bad wordlist
+    QString path = QString(KEEPASSX_TEST_DATA_DIR).append("/wordlists/bad_wordlist_with_duplicate_entries.wordlist");
+
+    // setting will work, it creates the warning however, and isValid will fail
+    generator.setWordList(path);
+    // so this fails
+    QVERIFY(!generator.isValid());
+}