Move new password functions into tlsutility

This commit is contained in:
Jean Flach 2017-12-22 12:14:31 +01:00
parent 6504606e23
commit 6387f5442e
7 changed files with 38 additions and 37 deletions

View File

@ -761,4 +761,28 @@ bool VerifyCertificate(const boost::shared_ptr<X509>& caCertificate, const boost
return rc == 1;
}
bool ComparePassword(const String hash, const String password, const String salt)
{
String otherHash = HashPassword(password, salt);
const char *p1 = otherHash.CStr();
const char *p2 = hash.CStr();
volatile char c = 0;
for (size_t i=0; i<64; ++i)
c |= p1[i] ^ p2[i];
return (c == 0);
}
String HashPassword(const String& password, const String& salt, const bool shadow)
{
if (shadow)
//Using /etc/shadow password format. The 5 means SHA256 is being used
return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
else
return PBKDF2_SHA256(password, salt, 1000);
}
}

View File

@ -57,6 +57,8 @@ String I2_BASE_API SHA1(const String& s, bool binary = false);
String I2_BASE_API SHA256(const String& s);
String I2_BASE_API RandomString(int length);
bool I2_BASE_API VerifyCertificate(const boost::shared_ptr<X509>& caCertificate, const boost::shared_ptr<X509>& certificate);
bool I2_BASE_API ComparePassword(const String hash, const String password, const String Salt);
String I2_BASE_API HashPassword(const String& password, const String& salt, const bool shadow = false);
class I2_BASE_API openssl_error : virtual public std::exception, virtual public boost::exception { };

View File

@ -68,7 +68,7 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s
String passwd = vm["passwd"].as<std::string>();
String salt = vm.count("salt") ? String(vm["salt"].as<std::string>()) : RandomString(8);
String hashedPassword = ApiUser::CreateHashedPasswordString(passwd, salt, true);
String hashedPassword = HashPassword(passwd, salt, true);
std::cout
<< "object ApiUser \"" << user << "\" {\n"

View File

@ -32,7 +32,7 @@ void ApiUser::OnConfigLoaded(void)
ObjectImpl<ApiUser>::OnConfigLoaded();
if (this->GetPasswordHash().IsEmpty())
SetPasswordHash(CreateHashedPasswordString(GetPassword(), RandomString(8), true));
SetPasswordHash(HashPassword(GetPassword(), RandomString(8), true));
}
ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)
@ -65,29 +65,15 @@ ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header)
const ApiUser::Ptr& user = ApiUser::GetByName(username);
/* Deny authentication if 1) given password is empty 2) configured password does not match. */
if (password.IsEmpty())
if (!user || password.IsEmpty())
return nullptr;
else if (user && user->GetPassword() != password)
else {
Dictionary::Ptr passwordDict = user->GetPasswordDict();
if (!ComparePassword(passwordDict->Get("password"), password, passwordDict->Get("salt")))
return nullptr;
return user;
}
bool ApiUser::ComparePassword(String password) const
{
Dictionary::Ptr passwordDict = this->GetPasswordDict();
String thisPassword = passwordDict->Get("password");
String otherPassword = CreateHashedPasswordString(password, passwordDict->Get("salt"), false);
const char *p1 = otherPassword.CStr();
const char *p2 = thisPassword.CStr();
volatile char c = 0;
for (size_t i=0; i<64; ++i)
c |= p1[i] ^ p2[i];
return (c == 0);
return user;
}
Dictionary::Ptr ApiUser::GetPasswordDict(void) const
@ -109,13 +95,3 @@ Dictionary::Ptr ApiUser::GetPasswordDict(void) const
return passwordDict;
}
String ApiUser::CreateHashedPasswordString(const String& password, const String& salt, const bool shadow)
{
if (shadow)
//Using /etc/shadow password format. The 5 means SHA256 is being used
return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
else
return PBKDF2_SHA256(password, salt, 1000);
}

View File

@ -39,10 +39,8 @@ public:
static ApiUser::Ptr GetByClientCN(const String& cn);
static ApiUser::Ptr GetByAuthHeader(const String& auth_header);
static String CreateHashedPasswordString(const String& password, const String& salt, const bool shadow = false);
Dictionary::Ptr GetPasswordDict(void) const;
bool ComparePassword(String password) const;
};
}

View File

@ -30,6 +30,7 @@
#include "base/logger.hpp"
#include "base/objectlock.hpp"
#include "base/timer.hpp"
#include "base/tlsutility.hpp"
#include "base/utility.hpp"
#include <boost/thread/once.hpp>

View File

@ -36,7 +36,7 @@ BOOST_AUTO_TEST_CASE(password)
String passwd = RandomString(16);
String salt = RandomString(8);
user->SetPassword("ThisShouldBeIgnored");
user->SetPasswordHash(ApiUser::CreateHashedPasswordString(passwd, salt, true));
user->SetPasswordHash(HashPassword(passwd, salt, true));
BOOST_CHECK(user->GetPasswordHash() != passwd);
@ -44,8 +44,8 @@ BOOST_AUTO_TEST_CASE(password)
BOOST_CHECK(passwdd);
BOOST_CHECK(passwdd->Get("salt") == salt);
BOOST_CHECK(user->ComparePassword(passwd));
BOOST_CHECK(!user->ComparePassword("wrong password uwu!"));
BOOST_CHECK(ComparePassword(passwdd->Get("password"), passwd, salt));
BOOST_CHECK(!ComparePassword(passwdd->Get("password"), "wrong password uwu!", salt));
#endif
}