working on encrypted passwords

2015-03-20 07:00:21 +00:00 · 2015-03-20 07:00:21 +00:00 · fb8324fa51
commit fb8324fa51
parent 1a21b485c1
3 changed files with 95 additions and 3 deletions
--- a/src/apps/relay/turn_admin_server.c
+++ b/src/apps/relay/turn_admin_server.c
@ -3322,7 +3322,7 @@ static void handle_logon_request(ioa_socket_handle s, struct http_request* hr)
 				password_t password;
 				char realm[STUN_MAX_REALM_SIZE+1]="\0";
 				if((*(dbd->get_admin_user))((const u08bits*)uname,(u08bits*)realm,password)>=0) {
-					if(!strcmp(pwd,(char*)password)) {
+					if(!check_password(pwd,(char*)password)) {
 						STRCPY(as->as_login,uname);
 						STRCPY(as->as_realm,realm);
 						as->as_eff_realm[0]=0;
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@ -45,6 +45,10 @@

 ///////////

+static void generate_random_nonce(unsigned char *nonce, size_t sz);
+
+///////////
+
 int stun_method_str(u16bits method, char *smethod)
 {
 	int ret = 0;
@ -219,6 +223,90 @@ int stun_produce_integrity_key_str(u08bits *uname, u08bits *realm, u08bits *upwd
 	return 0;
 }

+#define PWD_SALT_SIZE (8)
+
+static void readable_string(unsigned char *orig, unsigned char *out, size_t sz)
+{
+    size_t i = 0;
+    out[0]=0;
+
+    for(i = 0; i < sz; ++i) {
+        sprintf((char*)(out + (i * 2)), "%02x", (unsigned int)orig[i]);
+    }
+}
+
+static void generate_enc_password(const char* pwd, char *result, const unsigned char *orig_salt)
+{
+	unsigned char salt[PWD_SALT_SIZE+1];
+	if(!orig_salt) {
+		generate_random_nonce(salt, PWD_SALT_SIZE);
+	} else {
+		ns_bcopy(orig_salt,salt,PWD_SALT_SIZE);
+		salt[PWD_SALT_SIZE]=0;
+	}
+	unsigned char rsalt[PWD_SALT_SIZE*2+1];
+	readable_string(salt,rsalt,PWD_SALT_SIZE);
+	result[0]='$';
+	result[1]='5';
+	result[2]='$';
+	ns_bcopy((char*)rsalt,result+3,PWD_SALT_SIZE+PWD_SALT_SIZE);
+	result[3+PWD_SALT_SIZE+PWD_SALT_SIZE]='$';
+	unsigned char* out = (unsigned char*)(result+3+PWD_SALT_SIZE+PWD_SALT_SIZE+1);
+	{
+		EVP_MD_CTX ctx;
+#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
+		EVP_DigestInit(&ctx,EVP_sha256());
+#else
+		EVP_DigestInit(&ctx,EVP_sha1());
+#endif
+		EVP_DigestUpdate(&ctx,salt,PWD_SALT_SIZE);
+		EVP_DigestUpdate(&ctx,pwd,strlen(pwd));
+		{
+			unsigned char hash[129];
+			unsigned int keylen = 0;
+			EVP_DigestFinal(&ctx,hash,&keylen);
+			readable_string(hash,out,keylen);
+		}
+		EVP_MD_CTX_cleanup(&ctx);
+	}
+}
+
+void generate_new_enc_password(const char* pwd, char *result)
+{
+	generate_enc_password(pwd, result, NULL);
+}
+
+static int encrypted_password(const char* pin, unsigned char* salt)
+{
+	size_t min_len = 3+PWD_SALT_SIZE+PWD_SALT_SIZE+1+32;
+	if(strlen(pin)>=min_len) {
+		if((pin[0]=='$') && (pin[1]=='5') && (pin[2]=='$') && (pin[3+PWD_SALT_SIZE+PWD_SALT_SIZE]=='$')) {
+			size_t i = 0;
+			for(i=0;i<PWD_SALT_SIZE;++i) {
+				const char* c = pin+3+i+i;
+				char sc[3];
+				sc[0]=c[0];
+				sc[1]=c[1];
+				sc[2]=0;
+				salt[i] = (unsigned char)strtoul(sc,NULL,16);
+			}
+			return 1;
+		}
+	}
+	return 0;
+}
+
+int check_password(const char* pin, const char* pwd)
+{
+	unsigned char salt[PWD_SALT_SIZE];
+	if(!encrypted_password(pwd,salt)) {
+		return strcmp(pin,pwd);
+	}
+	char enc_pin[257];
+	generate_enc_password(pin, enc_pin, salt);
+	return strcmp(enc_pin,pwd);
+}
+
 /////////////////////////////////////////////////////////////////

 static u32bits ns_crc32(const u08bits *buffer, u32bits len);
@ -2377,8 +2465,6 @@ static int decode_oauth_token_normal(const u08bits *server_name, const encoded_o
 	return -1;
 }

-#if !defined(TURN_NO_GCM)
-
 static void generate_random_nonce(unsigned char *nonce, size_t sz) {
 	if(!RAND_bytes(nonce, sz)) {
 		size_t i;
@ -2388,6 +2474,8 @@ static void generate_random_nonce(unsigned char *nonce, size_t sz) {
 	}
 }

+#if !defined(TURN_NO_GCM)
+
 static int encode_oauth_token_aead(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits* nonce0)
 {
 	if(server_name && etoken && key && dtoken && (dtoken->enc_block.key_length<128)) {
--- a/src/client/ns_turn_msg.h
+++ b/src/client/ns_turn_msg.h
@ -213,6 +213,10 @@ int convert_oauth_key_data(const oauth_key_data *oakd, oauth_key *key, char *err
 int decode_oauth_token(const u08bits *server_name, const encoded_oauth_token *etoken, const oauth_key *key, oauth_token *dtoken);
 int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce);

+/* Encrypted password */
+void generate_new_enc_password(const char* pwd, char *result);
+int check_password(const char* pin, const char* pwd);
+
 ///////////////////////////////////////////////////////////////

 #ifdef __cplusplus