Move new password functions into tlsutility
authorJean Flach <jean-marcel.flach@icinga.com>
Fri, 22 Dec 2017 11:14:31 +0000 (12:14 +0100)
committerGunnar Beutner <gunnar.beutner@icinga.com>
Thu, 15 Feb 2018 12:09:22 +0000 (13:09 +0100)
lib/base/tlsutility.cpp
lib/base/tlsutility.hpp
lib/cli/apiusercommand.cpp
lib/remote/apiuser.cpp
lib/remote/apiuser.hpp
lib/remote/httpserverconnection.cpp
test/remote-user.cpp

index 1f74a2735a27b09fdf63aae743f552a12bafd987..cb7a76f576c2752dc2efe756e746e366550a82c6 100644 (file)
@@ -810,4 +810,28 @@ std::string to_string(const errinfo_openssl_error& e)
        return "[errinfo_openssl_error]" + tmp.str() + "\n";
 }
 
+bool ComparePassword(const String hash, const String password, const String salt)
+{
+       String otherHash = HashPassword(password, salt);
+
+       const char *p1 = otherHash.CStr();
+       const char *p2 = hash.CStr();
+
+       volatile char c = 0;
+
+       for (size_t i=0; i<64; ++i)
+               c |= p1[i] ^ p2[i];
+
+       return (c == 0);
+}
+
+String HashPassword(const String& password, const String& salt, const bool shadow)
+{
+       if (shadow)
+               //Using /etc/shadow password format. The 5 means SHA256 is being used
+               return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
+       else
+               return PBKDF2_SHA256(password, salt, 1000);
+}
+
 }
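Review bot: ComparePassword reads a fixed 64 bytes from both hash.CStr() and otherHash.CStr() without checking either length, so a stored hash shorter than 64 characters (a truncated or hand-edited password_hash value) makes the loop read past the terminator; the literal 64 is presumably tied to the hex length of PBKDF2_SHA256's output, which is not visible in this hunk. Guard before the loop with `if (hash.GetLength() != otherHash.GetLength()) return false;` and bound the loop by `otherHash.GetLength()` rather than the literal — the length of a correctly stored hash is constant, so the early return reveals nothing about the password, while the XOR-accumulate loop keeps the comparison of the actual bytes constant-time. Both parameters are also taken as `const String` by value, unlike the `const String&` used by HashPassword directly below; the declaration in tlsutility.hpp has the same by-value signature and names the third parameter `Salt` where the definition uses `salt`.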
index 38df7e58756c53e4b10f6dfb389a8cde2ec41cda..3d7b29dbd55c3b928040cf1918e23a1fb1676ec9 100644 (file)
@@ -56,6 +56,8 @@ String SHA1(const String& s, bool binary = false);
 String SHA256(const String& s);
 String RandomString(int length);
 bool VerifyCertificate(const std::shared_ptr<X509>& caCertificate, const std::shared_ptr<X509>& certificate);
+bool ComparePassword(const String hash, const String password, const String Salt);
+String HashPassword(const String& password, const String& salt, const bool shadow = false);
 
 class openssl_error : virtual public std::exception, virtual public boost::exception { };
 
index 9d43e120fa3d8b3434bcbc5a49ea17c2a373dda7..1cd5b4858e6dc67f818f00eec9abfa3969ca1c7b 100644 (file)
@@ -68,7 +68,7 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s
        String passwd = vm["passwd"].as<std::string>();
        String salt = vm.count("salt") ? String(vm["salt"].as<std::string>()) : RandomString(8);
 
-       String hashedPassword = ApiUser::CreateHashedPasswordString(passwd, salt, true);
+       String hashedPassword = HashPassword(passwd, salt, true);
 
        std::cout
                << "object ApiUser \"" << user << "\" {\n"
index ea3eb78497c55e9cf61a1509b5c0f74a95f54853..0e92f9149393b4a60b91bf84939c2fc4be06f3e0 100644 (file)
@@ -31,7 +31,7 @@ void ApiUser::OnConfigLoaded(void)
        ObjectImpl<ApiUser>::OnConfigLoaded();
 
        if (this->GetPasswordHash().IsEmpty())
-               SetPasswordHash(CreateHashedPasswordString(GetPassword(), RandomString(8), true));
+               SetPasswordHash(HashPassword(GetPassword(), RandomString(8), true));
 }
 
 ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)
@@ -44,23 +44,6 @@ ApiUser::Ptr ApiUser::GetByClientCN(const String& cn)
        return nullptr;
 }
 
-bool ApiUser::ComparePassword(String password) const
-{
-       Dictionary::Ptr passwordDict = this->GetPasswordDict();
-       String thisPassword = passwordDict->Get("password");
-       String otherPassword = CreateHashedPasswordString(password, passwordDict->Get("salt"), false);
-
-       const char *p1 = otherPassword.CStr();
-       const char *p2 = thisPassword.CStr();
-
-       volatile char c = 0;
-
-       for (size_t i=0; i<64; ++i)
-               c |= p1[i] ^ p2[i];
-
-       return (c == 0);
-}
-
 Dictionary::Ptr ApiUser::GetPasswordDict(void) const
 {
        String password = this->GetPasswordHash();
@@ -80,13 +63,3 @@ Dictionary::Ptr ApiUser::GetPasswordDict(void) const
 
        return passwordDict;
 }
-
-String ApiUser::CreateHashedPasswordString(const String& password, const String& salt, const bool shadow)
-{
-       if (shadow)
-               //Using /etc/shadow password format. The 5 means SHA256 is being used
-               return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000));
-       else
-               return PBKDF2_SHA256(password, salt, 1000);
-
-}
index eeae3c77bcf5b1d7e5ae2c04cc4688891add8835..4e3f673f28e41e3cf2241cce863ac7ce5e09f6a0 100644 (file)
@@ -38,10 +38,8 @@ public:
        virtual void OnConfigLoaded(void) override;
 
        static ApiUser::Ptr GetByClientCN(const String& cn);
-       static String CreateHashedPasswordString(const String& password, const String& salt, const bool shadow = false);
 
        Dictionary::Ptr GetPasswordDict(void) const;
-       bool ComparePassword(String password) const;
 };
 
 }
index 4fbd774b725e49355c57232d83a22ee93796f572..8962258e32f4bda2086fbfb463c56d66034ac7e4 100644 (file)
@@ -28,6 +28,7 @@
 #include "base/objectlock.hpp"
 #include "base/utility.hpp"
 #include "base/logger.hpp"
+#include "base/tlsutility.hpp"
 #include "base/exception.hpp"
 #include "base/convert.hpp"
 #include <boost/thread/once.hpp>
@@ -157,8 +158,13 @@ void HttpServerConnection::ProcessMessageAsync(HttpRequest& request)
                user = ApiUser::GetByName(username);
 
                /* Deny authentication if 1) given password is empty 2) configured password does not match. */
-               if (password.IsEmpty() || !user || !user->ComparePassword(password))
+               if (!user || password.IsEmpty())
                        user.reset();
+               else {
+                       Dictionary::Ptr passwordDict = user->GetPasswordDict();
+                       if (!ComparePassword(passwordDict->Get("password"), password, passwordDict->Get("salt")))
+                               user.reset();
+               }
        }
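Review bot: passwordDict is dereferenced in the ComparePassword call without a null check; GetPasswordDict's body is outside this hunk, so if it can return an empty Dictionary::Ptr for a malformed password_hash, this path dereferences a null pointer while authenticating a configured user. The removed ApiUser::ComparePassword had the same gap, so this is not a regression, but this is the place to close it: `if (!passwordDict || !ComparePassword(passwordDict->Get("password"), password, passwordDict->Get("salt")))`. The comment above the condition still describes the two deny cases correctly and can stay as written.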
 
        String requestUrl = request.RequestUrl->Format();
index eafa0e72153e989fc6ae7d987517502506bf2230..1c327bacbe664fcfda890c5d1a97d38eb54b03b1 100644 (file)
@@ -36,7 +36,7 @@ BOOST_AUTO_TEST_CASE(password)
        String passwd = RandomString(16);
        String salt = RandomString(8);
        user->SetPassword("ThisShouldBeIgnored");
-       user->SetPasswordHash(ApiUser::CreateHashedPasswordString(passwd, salt, true));
+       user->SetPasswordHash(HashPassword(passwd, salt, true));
 
        BOOST_CHECK(user->GetPasswordHash() != passwd);
 
@@ -44,8 +44,8 @@ BOOST_AUTO_TEST_CASE(password)
 
        BOOST_CHECK(passwdd);
        BOOST_CHECK(passwdd->Get("salt") == salt);
-       BOOST_CHECK(user->ComparePassword(passwd));
-       BOOST_CHECK(!user->ComparePassword("wrong password uwu!"));
+       BOOST_CHECK(ComparePassword(passwdd->Get("password"), passwd, salt));
+       BOOST_CHECK(!ComparePassword(passwdd->Get("password"), "wrong password uwu!", salt));
 #endif
 }