mirror of https://github.com/Icinga/icinga2.git
Move new password functions into tlsutility
This commit is contained in:
parent
6504606e23
commit
6387f5442e
|
@ -761,4 +761,28 @@ bool VerifyCertificate(const boost::shared_ptr<X509>& caCertificate, const boost
|
|||
return rc == 1;
|
||||
}
|
||||
|
||||
bool ComparePassword(const String hash, const String password, const String salt)
|
||||
{
|
||||
String otherHash = HashPassword(password, salt);
|
||||
|
||||
const char *p1 = otherHash.CStr();
|
||||
const char *p2 = hash.CStr();
|
||||
|
||||
volatile char c = 0;
|
||||
|
||||
for (size_t i=0; i<64; ++i)
|
||||
c |= p1[i] ^ p2[i];
|
||||
|
||||
return (c == 0);
|
||||
}
|
||||
|
||||
String HashPassword(const String& password, const String& salt, const bool shadow)
|
||||
{
|
||||
if (shadow)
|
||||
//Using /etc/shadow password format. The 5 means SHA256 is being used
|
||||
return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
|
||||
else
|
||||
return PBKDF2_SHA256(password, salt, 1000);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -57,6 +57,8 @@ String I2_BASE_API SHA1(const String& s, bool binary = false);
|
|||
String I2_BASE_API SHA256(const String& s);
|
||||
String I2_BASE_API RandomString(int length);
|
||||
bool I2_BASE_API VerifyCertificate(const boost::shared_ptr<X509>& caCertificate, const boost::shared_ptr<X509>& certificate);
|
||||
bool I2_BASE_API ComparePassword(const String hash, const String password, const String Salt);
|
||||
String I2_BASE_API HashPassword(const String& password, const String& salt, const bool shadow = false);
|
||||
|
||||
class I2_BASE_API openssl_error : virtual public std::exception, virtual public boost::exception { };
|
||||
|
||||
|
|
|
@ -68,7 +68,7 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s
|
|||
String passwd = vm["passwd"].as<std::string>();
|
||||
String salt = vm.count("salt") ? String(vm["salt"].as<std::string>()) : RandomString(8);
|
||||
|
||||
String hashedPassword = ApiUser::CreateHashedPasswordString(passwd, salt, true);
|
||||
String hashedPassword = HashPassword(passwd, salt, true);
|
||||
|
||||
std::cout
|
||||
<< "object ApiUser \"" << user << "\" {\n"
|
||||
|
|
|
@ -32,7 +32,7 @@ void ApiUser::OnConfigLoaded(void)
|
|||
ObjectImpl<ApiUser>::OnConfigLoaded();
|
||||
|
||||
if (this->GetPasswordHash().IsEmpty())
|
||||
SetPasswordHash(CreateHashedPasswordString(GetPassword(), RandomString(8), true));
|
||||
SetPasswordHash(HashPassword(GetPassword(), RandomString(8), true));
|
||||
}
|
||||
|
||||
ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)
|
||||
|
@ -65,29 +65,15 @@ ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)
|
|||
const ApiUser::Ptr& user = ApiUser::GetByName(username);
|
||||
|
||||
/* Deny authentication if 1) given password is empty 2) configured password does not match. */
|
||||
if (password.IsEmpty())
|
||||
if (!user || password.IsEmpty())
|
||||
return nullptr;
|
||||
else if (user && user->GetPassword() != password)
|
||||
else {
|
||||
Dictionary::Ptr passwordDict = user->GetPasswordDict();
|
||||
if (!ComparePassword(passwordDict->Get("password"), password, passwordDict->Get("salt")))
|
||||
return nullptr;
|
||||
|
||||
return user;
|
||||
}
|
||||
|
||||
bool ApiUser::ComparePassword(String password) const
|
||||
{
|
||||
Dictionary::Ptr passwordDict = this->GetPasswordDict();
|
||||
String thisPassword = passwordDict->Get("password");
|
||||
String otherPassword = CreateHashedPasswordString(password, passwordDict->Get("salt"), false);
|
||||
|
||||
const char *p1 = otherPassword.CStr();
|
||||
const char *p2 = thisPassword.CStr();
|
||||
|
||||
volatile char c = 0;
|
||||
|
||||
for (size_t i=0; i<64; ++i)
|
||||
c |= p1[i] ^ p2[i];
|
||||
|
||||
return (c == 0);
|
||||
return user;
|
||||
}
|
||||
|
||||
Dictionary::Ptr ApiUser::GetPasswordDict(void) const
|
||||
|
@ -109,13 +95,3 @@ Dictionary::Ptr ApiUser::GetPasswordDict(void) const
|
|||
|
||||
return passwordDict;
|
||||
}
|
||||
|
||||
String ApiUser::CreateHashedPasswordString(const String& password, const String& salt, const bool shadow)
|
||||
{
|
||||
if (shadow)
|
||||
//Using /etc/shadow password format. The 5 means SHA256 is being used
|
||||
return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
|
||||
else
|
||||
return PBKDF2_SHA256(password, salt, 1000);
|
||||
|
||||
}
|
||||
|
|
|
@ -39,10 +39,8 @@ public:
|
|||
|
||||
static ApiUser::Ptr GetByClientCN(const String& cn);
|
||||
static ApiUser::Ptr GetByAuthHeader(const String& auth_header);
|
||||
static String CreateHashedPasswordString(const String& password, const String& salt, const bool shadow = false);
|
||||
|
||||
Dictionary::Ptr GetPasswordDict(void) const;
|
||||
bool ComparePassword(String password) const;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
#include "base/logger.hpp"
|
||||
#include "base/objectlock.hpp"
|
||||
#include "base/timer.hpp"
|
||||
#include "base/tlsutility.hpp"
|
||||
#include "base/utility.hpp"
|
||||
#include <boost/thread/once.hpp>
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ BOOST_AUTO_TEST_CASE(password)
|
|||
String passwd = RandomString(16);
|
||||
String salt = RandomString(8);
|
||||
user->SetPassword("ThisShouldBeIgnored");
|
||||
user->SetPasswordHash(ApiUser::CreateHashedPasswordString(passwd, salt, true));
|
||||
user->SetPasswordHash(HashPassword(passwd, salt, true));
|
||||
|
||||
BOOST_CHECK(user->GetPasswordHash() != passwd);
|
||||
|
||||
|
@ -44,8 +44,8 @@ BOOST_AUTO_TEST_CASE(password)
|
|||
|
||||
BOOST_CHECK(passwdd);
|
||||
BOOST_CHECK(passwdd->Get("salt") == salt);
|
||||
BOOST_CHECK(user->ComparePassword(passwd));
|
||||
BOOST_CHECK(!user->ComparePassword("wrong password uwu!"));
|
||||
BOOST_CHECK(ComparePassword(passwdd->Get("password"), passwd, salt));
|
||||
BOOST_CHECK(!ComparePassword(passwdd->Get("password"), "wrong password uwu!", salt));
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue