From: Jean Flach Date: Fri, 22 Dec 2017 11:14:31 +0000 (+0100) Subject: Move new password functions into tlsutility X-Git-Tag: v2.8.2~30 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6387f5442ec92f56f2bdaa7379b7caf02e91938c;p=icinga2 Move new password functions into tlsutility --- diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp index f8bc136ad..04d8ea49f 100644 --- a/lib/base/tlsutility.cpp +++ b/lib/base/tlsutility.cpp @@ -761,4 +761,28 @@ bool VerifyCertificate(const boost::shared_ptr& caCertificate, const boost return rc == 1; } +bool ComparePassword(const String hash, const String password, const String salt) +{ + String otherHash = HashPassword(password, salt); + + const char *p1 = otherHash.CStr(); + const char *p2 = hash.CStr(); + + volatile char c = 0; + + for (size_t i=0; i<64; ++i) + c |= p1[i] ^ p2[i]; + + return (c == 0); +} + +String HashPassword(const String& password, const String& salt, const bool shadow) +{ + if (shadow) + //Using /etc/shadow password format. The 5 means SHA256 is being used + return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000)); + else + return PBKDF2_SHA256(password, salt, 1000); +} + } diff --git a/lib/base/tlsutility.hpp b/lib/base/tlsutility.hpp index 2ab230f6c..96bdc63b0 100644 --- a/lib/base/tlsutility.hpp +++ b/lib/base/tlsutility.hpp @@ -57,6 +57,8 @@ String I2_BASE_API SHA1(const String& s, bool binary = false); String I2_BASE_API SHA256(const String& s); String I2_BASE_API RandomString(int length); bool I2_BASE_API VerifyCertificate(const boost::shared_ptr& caCertificate, const boost::shared_ptr& certificate); +bool I2_BASE_API ComparePassword(const String hash, const String password, const String Salt); +String I2_BASE_API HashPassword(const String& password, const String& salt, const bool shadow = false); class I2_BASE_API openssl_error : virtual public std::exception, virtual public boost::exception { }; diff --git a/lib/cli/apiusercommand.cpp b/lib/cli/apiusercommand.cpp index 9d43e120f..1cd5b4858 100644 --- a/lib/cli/apiusercommand.cpp +++ b/lib/cli/apiusercommand.cpp @@ -68,7 +68,7 @@ int ApiUserCommand::Run(const boost::program_options::variables_map& vm, const s String passwd = vm["passwd"].as(); String salt = vm.count("salt") ? String(vm["salt"].as()) : RandomString(8); - String hashedPassword = ApiUser::CreateHashedPasswordString(passwd, salt, true); + String hashedPassword = HashPassword(passwd, salt, true); std::cout << "object ApiUser \"" << user << "\" {\n" diff --git a/lib/remote/apiuser.cpp b/lib/remote/apiuser.cpp index fb847f9bb..0caac19ff 100644 --- a/lib/remote/apiuser.cpp +++ b/lib/remote/apiuser.cpp @@ -32,7 +32,7 @@ void ApiUser::OnConfigLoaded(void) ObjectImpl::OnConfigLoaded(); if (this->GetPasswordHash().IsEmpty()) - SetPasswordHash(CreateHashedPasswordString(GetPassword(), RandomString(8), true)); + SetPasswordHash(HashPassword(GetPassword(), RandomString(8), true)); } ApiUser::Ptr ApiUser::GetByClientCN(const String& cn) @@ -65,31 +65,17 @@ ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header) const ApiUser::Ptr& user = ApiUser::GetByName(username); /* Deny authentication if 1) given password is empty 2) configured password does not match. */ - if (password.IsEmpty()) - return nullptr; - else if (user && user->GetPassword() != password) + if (!user || password.IsEmpty()) return nullptr; + else { + Dictionary::Ptr passwordDict = user->GetPasswordDict(); + if (!ComparePassword(passwordDict->Get("password"), password, passwordDict->Get("salt"))) + return nullptr; + } return user; } -bool ApiUser::ComparePassword(String password) const -{ - Dictionary::Ptr passwordDict = this->GetPasswordDict(); - String thisPassword = passwordDict->Get("password"); - String otherPassword = CreateHashedPasswordString(password, passwordDict->Get("salt"), false); - - const char *p1 = otherPassword.CStr(); - const char *p2 = thisPassword.CStr(); - - volatile char c = 0; - - for (size_t i=0; i<64; ++i) - c |= p1[i] ^ p2[i]; - - return (c == 0); -} - Dictionary::Ptr ApiUser::GetPasswordDict(void) const { String password = this->GetPasswordHash(); @@ -109,13 +95,3 @@ Dictionary::Ptr ApiUser::GetPasswordDict(void) const return passwordDict; } - -String ApiUser::CreateHashedPasswordString(const String& password, const String& salt, const bool shadow) -{ - if (shadow) - //Using /etc/shadow password format. The 5 means SHA256 is being used - return String("$5$" + salt + "$" + PBKDF2_SHA256(password, salt, 1000)); - else - return PBKDF2_SHA256(password, salt, 1000); - -} diff --git a/lib/remote/apiuser.hpp b/lib/remote/apiuser.hpp index 09ee1a4d0..5aacbae0b 100644 --- a/lib/remote/apiuser.hpp +++ b/lib/remote/apiuser.hpp @@ -39,10 +39,8 @@ public: static ApiUser::Ptr GetByClientCN(const String& cn); static ApiUser::Ptr GetByAuthHeader(const String& auth_header); - static String CreateHashedPasswordString(const String& password, const String& salt, const bool shadow = false); Dictionary::Ptr GetPasswordDict(void) const; - bool ComparePassword(String password) const; }; } diff --git a/lib/remote/httpserverconnection.cpp b/lib/remote/httpserverconnection.cpp index 57f44f22b..8a14b00e1 100644 --- a/lib/remote/httpserverconnection.cpp +++ b/lib/remote/httpserverconnection.cpp @@ -30,6 +30,7 @@ #include "base/logger.hpp" #include "base/objectlock.hpp" #include "base/timer.hpp" +#include "base/tlsutility.hpp" #include "base/utility.hpp" #include diff --git a/test/remote-user.cpp b/test/remote-user.cpp index eafa0e721..1c327bacb 100644 --- a/test/remote-user.cpp +++ b/test/remote-user.cpp @@ -36,7 +36,7 @@ BOOST_AUTO_TEST_CASE(password) String passwd = RandomString(16); String salt = RandomString(8); user->SetPassword("ThisShouldBeIgnored"); - user->SetPasswordHash(ApiUser::CreateHashedPasswordString(passwd, salt, true)); + user->SetPasswordHash(HashPassword(passwd, salt, true)); BOOST_CHECK(user->GetPasswordHash() != passwd); @@ -44,8 +44,8 @@ BOOST_AUTO_TEST_CASE(password) BOOST_CHECK(passwdd); BOOST_CHECK(passwdd->Get("salt") == salt); - BOOST_CHECK(user->ComparePassword(passwd)); - BOOST_CHECK(!user->ComparePassword("wrong password uwu!")); + BOOST_CHECK(ComparePassword(passwdd->Get("password"), passwd, salt)); + BOOST_CHECK(!ComparePassword(passwdd->Get("password"), "wrong password uwu!", salt)); #endif }