Code style

diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index cb7a76f576c2752dc2efe756e746e366550a82c6..6ad0c5ad2af0f70ee7f76758cee32fcfb952cedf 100644 (file)
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -810,28 +810,34 @@ std::string to_string(const errinfo_openssl_error& e)
        return "[errinfo_openssl_error]" + tmp.str() + "\n";
 }
 
-bool ComparePassword(const String hash, const String password, const String salt)
+bool ComparePassword(const String& hash, const String& password, const String& salt)
 {
-       String otherHash = HashPassword(password, salt);
+       String otherHash = PBKDF2_SHA256(password, salt, 1000);
+       VERIFY(otherHash.GetLength() == 64 && hash.GetLength() == 64);
 
        const char *p1 = otherHash.CStr();
        const char *p2 = hash.CStr();
 
+       /* By Novelocrat, https://stackoverflow.com/a/25374036 */
        volatile char c = 0;
 
-       for (size_t i=0; i<64; ++i)
+       for (size_t i = 0; i < 64; ++i)
                c |= p1[i] ^ p2[i];
 
        return (c == 0);
 }
 
-String HashPassword(const String& password, const String& salt, const bool shadow)
+/* Returns a String in the format $algorithm$salt$hash or returns an empty string in case of an error */
+String CreateHashedPasswordString(const String& password, const String& salt, int algorithm)
 {
-       if (shadow)
-               //Using /etc/shadow password format. The 5 means SHA256 is being used
-               return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
-       else
-               return PBKDF2_SHA256(password, salt, 1000);
+       // We currently only support SHA256
+       if (algorithm != 5)
+               return String();
+
+       if (salt.FindFirstOf('$') != String::NPos)
+               return String();
+
+       return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
 }
 
 }

diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp
index 3d7b29dbd55c3b928040cf1918e23a1fb1676ec9..31bb4e46683ea67c3a788c6cc9652ffdee72a11d 100644 (file)
--- a/lib/base/tlsutility.hpp
+++ b/lib/base/tlsutility.hpp
@@ -56,8 +56,8 @@ String SHA1(const String& s, bool binary = false);
 String SHA256(const String& s);
 String RandomString(int length);
 bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate);
-bool ComparePassword(const String hash, const String password, const String Salt);
-String HashPassword(const String& password, const String& salt, const bool shadow = false);
+bool ComparePassword(const String& hash, const String& password, const String& Salt);
+String CreateHashedPasswordString(const String& password, const String& salt, int algorithm = 5);
 
 class openssl_error : virtual public std::exception, virtual public boost::exception { };
 

diff --git a/lib/cli/apiusercommand.cpp b/lib/cli/apiusercommand.cpp
index 6eb5c3bf32b53ec7f6bb82f558c004a7cd8a7c85..188691ae0dd8efd8c4bd213e700e9758d2ae539d 100644 (file)
--- a/lib/cli/apiusercommand.cpp
+++ b/lib/cli/apiusercommand.cpp
@@ -44,7 +44,7 @@ void ApiUserCommand::InitParameters(boost::program_options::options_description&
 {
        visibleDesc.add_options()
                ("user", po::value<std::string>(), "API username")
-               ("passwd", po::value<std::string>(), "Password in clear text")
+               ("password", po::value<std::string>(), "Password in clear text")
                ("salt", po::value<std::string>(), "Optional salt (default: 8 random chars)")
                ("oneline", "Print only the password hash");
 }
@@ -63,8 +63,8 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s
        } else
                user = vm["user"].as<std::string>();
 
-       if (!vm.count("passwd")) {
-               Log(LogCritical, "cli", "Password (--passwd) must be specified.");
+       if (!vm.count("password")) {
+               Log(LogCritical, "cli", "Password (--password) must be specified.");
                return 1;
        }
 
@@ -76,7 +76,11 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s
                return 1;
        }
 
-       String hashedPassword = HashPassword(passwd, salt, true);
+       String hashedPassword = CreateHashedPasswordString(passwd, salt, 5);
+       if (hashedPassword == String()) {
+               Log(LogCritical, "cli") << "Failed to hash password \"" << passwd << "\" with salt \"" << salt << "\"";
+               return 1;
+       }
 
        if (vm.count("oneline"))
                std::cout << '"' << hashedPassword << "\"\n";

diff --git a/lib/remote/apiuser.cpp b/lib/remote/apiuser.cpp
index 0e92f9149393b4a60b91bf84939c2fc4be06f3e0..3fa025d83978f6e1d28c7761456239d310e8d1f0 100644 (file)
--- a/lib/remote/apiuser.cpp
+++ b/lib/remote/apiuser.cpp
@@ -30,8 +30,12 @@ void ApiUser::OnConfigLoaded(void)
 {
        ObjectImpl<ApiUser>::OnConfigLoaded();
 
-       if (this->GetPasswordHash().IsEmpty())
-               SetPasswordHash(HashPassword(GetPassword(), RandomString(8), true));
+       if (GetPasswordHash().IsEmpty()) {
+               String hashedPassword = CreateHashedPasswordString(GetPassword(), RandomString(8), 5);
+               VERIFY(hashedPassword != String());
+               SetPasswordHash(hashedPassword);
+               SetPassword("********");
+       }
 }
 
 ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)

diff --git a/test/remote-user.cpp b/test/remote-user.cpp
index 1c327bacbe664fcfda890c5d1a97d38eb54b03b1..2979285b9adad3ebe4214bbb88451981acc2b721 100644 (file)
--- a/test/remote-user.cpp
+++ b/test/remote-user.cpp
@@ -36,7 +36,7 @@ BOOST_AUTO_TEST_CASE(password)
        String passwd = RandomString(16);
        String salt = RandomString(8);
        user->SetPassword("ThisShouldBeIgnored");
-       user->SetPasswordHash(HashPassword(passwd, salt, true));
+       user->SetPasswordHash(CreateHashedPasswordString(passwd, salt, true));
 
        BOOST_CHECK(user->GetPasswordHash() != passwd);