RFC: patch to support encrypted passwords

Started by rcastell, May 03, 2009, 03:23:27 PM


rcastell

This patch uses Digest::HMAC_SHA1 to store passwords in the database as an HMAC-SHA1 digest (a one-way hash, not reversible encryption) while still accepting rows that hold an unhashed password. It uses the username as the HMAC key. The password columns must be widened to VARCHAR(40) to hold the 40-character hex digest.


diff -ruN NicToolServer-2.07.orig/NicToolServer/Session.pm NicToolServer-2.07/NicToolServer/Session.pm
--- NicToolServer-2.07.orig/NicToolServer/Session.pm    2008-09-12 21:43:53.000000000 -0700
+++ NicToolServer-2.07/NicToolServer/Session.pm 2009-05-03 13:52:44.000000000 -0700
@@ -20,6 +20,7 @@
#

use strict;
+use Digest::HMAC_SHA1 qw(hmac_sha1 hmac_sha1_hex);

@NicToolServer::Session::ISA = qw(NicToolServer);

@@ -79,6 +80,13 @@
         ; # must delete the hashkey or perl maintains attempted_pass as a ref to the hash key's lvalue

     $data->{'user'} = $sth->fetchrow_hashref;
+
+    # RCC - Handle HMAC passwords
+    if ($data->{'user'}->{'password'} =~ /[0-9a-f]{40}/)
+    {
+        $attempted_pass = hmac_sha1_hex($attempted_pass, $data->{'username'});
+    }
+
     return $self->auth_error($error_msg)
         unless ( $attempted_pass eq $data->{'user'}->{'password'} );

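Review bot: The HMAC key on the added line is the username as typed at login (`$data->{'username'}`) rather than the username stored on the row that was just fetched; if the user lookup is case-insensitive (as MySQL's default collations are) a user logging in as `Admin` matches the row but derives a different digest and is rejected, so key it with `$data->{'user'}->{'username'}` instead. The digest detection `/[0-9a-f]{40}/` is unanchored; write `/\A[0-9a-f]{40}\z/` so only a whole 40-hex value selects the HMAC path. Note also that HMAC-SHA1 keyed with the username is a fast, effectively unsalted hash, so anyone holding a copy of the table can brute-force each row at SHA-1 speed, and the `eq` on the following line is not a constant-time comparison; a salted, iterated scheme (e.g. `crypt` with a bcrypt or SHA-crypt setting) would be the stronger choice, though that is a wider change than this patch. The enclosing subroutine begins before this hunk.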
diff -ruN NicToolServer-2.07.orig/NicToolServer/User/Sanity.pm NicToolServer-2.07/NicToolServer/User/Sanity.pm
--- NicToolServer-2.07.orig/NicToolServer/User/Sanity.pm        2008-09-12 21:43:53.000000000 -0700
+++ NicToolServer-2.07/NicToolServer/User/Sanity.pm     2009-05-03 13:46:50.000000000 -0700
@@ -21,6 +21,8 @@

use strict;
use Data::Dumper;
+use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
+

@NicToolServer::User::Sanity::ISA = qw(NicToolServer::User);

@@ -125,13 +127,18 @@

     my $dbh = $self->{'dbh'};

-    my $sql = "SELECT password FROM nt_user WHERE nt_user_id = "
+    my $sql = "SELECT password,username FROM nt_user WHERE nt_user_id = "
         . $dbh->quote( $data->{'nt_user_id'} );

     my $sth = $dbh->prepare($sql);
     warn "$sql\n" if $self->debug_sql;
     $sth->execute;
     my @user = $sth->fetchrow;
+    # RCC - Handle HMAC passwords
+    if ($user[0] =~ /[0-9a-f]{40}/)
+    {
+        $data->{'current_password'} = hmac_sha1_hex($user[0], $user[1]);
+    }

     return ( $user[0] eq $data->{'current_password'} ) ? 1 : 0;
}
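Review bot: The added branch writes the derived digest back into `$data->{'current_password'}`, overwriting the caller's request field with the HMAC, and the detection regex on the line above it is unanchored. Keep the derived value local and anchor the test: `my $supplied = $data->{'current_password'};` / `$supplied = hmac_sha1_hex($supplied, $user[1]) if $user[0] =~ /\A[0-9a-f]{40}\z/;` / `return ( $user[0] eq $supplied ) ? 1 : 0;`. `$user[1]` is the stored username, which is presumably the key the digest was generated under when the row was written and so the right one to use here. The subroutine's signature lies above this hunk.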
@@ -253,15 +260,15 @@
         $self->{'errors'}->{'password'} = 1;
         push(
             @{ $self->{'error_messages'} },
-            "Password too short, must be 6-15 characters long."
+            "Password too short, must be 6-30 characters long."
         );
     }

-    if ( length( $data->{'password'} ) > 15 ) {
+    if ( length( $data->{'password'} ) > 30 ) {
         $self->{'errors'}->{'password'} = 1;
         push(
             @{ $self->{'error_messages'} },
-            "Password too long, must be 6-15 characters long."
+            "Password too long, must be 6-30 characters long."
         );
     }

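Review bot: The new 6–30 limit is still an arbitrary ceiling even though the stored value is now a fixed 40-character digest regardless of input length, so the upper bound no longer protects the column width; consider raising it (or keeping only a generous sanity limit) so passphrases are allowed, and change both message strings together since the range text is duplicated. The `length(...) < 6` condition that produces the first message lies above this hunk.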
diff -ruN NicToolServer-2.07.orig/NicToolServer/User.pm NicToolServer-2.07/NicToolServer/User.pm
--- NicToolServer-2.07.orig/NicToolServer/User.pm       2008-09-12 21:43:53.000000000 -0700
+++ NicToolServer-2.07/NicToolServer/User.pm    2009-05-03 13:38:30.000000000 -0700
@@ -20,6 +20,7 @@
#

use strict;
+use Digest::HMAC_SHA1 qw(hmac_sha1_hex);

@NicToolServer::User::ISA = qw(NicToolServer);

@@ -175,6 +176,9 @@
# only update the password if the field isn't NULL (has been provided)
#push(@columns, 'password') if (exists($data->{'password'}) && $data->{'password'} ne '');

+    # RCC - use hmac to store the password using the username as a key
+    $data->{'password'} = hmac_sha1_hex($data->{'password'}, $data->{'username'});
+
     my @values;

     my ( $sql, $action, $prev_data );
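Review bot: The HMAC on the added line is applied unconditionally, so if `$data->{'password'}` is absent or empty the stored value becomes `hmac_sha1_hex('', $username)`, a well-formed 40-hex digest that a later login with an empty password would match (and an undef input likely triggers an uninitialized-value warning). Guard it: `$data->{'password'} = hmac_sha1_hex($data->{'password'}, $data->{'username'}) if defined $data->{'password'} && $data->{'password'} ne '';`, leaving the empty case to the sanity checks. Whether a password is mandatory at creation, and whether the sanity checks run before this point, is not visible in this hunk; the subroutine starts above it.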
@@ -247,6 +251,9 @@
     push( @columns, 'password' )
         if ( exists( $data->{'password'} ) && $data->{'password'} ne '' );

+    # RCC - use hmac to store the password using the username as a key
+    $data->{'password'} = hmac_sha1_hex($data->{'password'}, $data->{'username'});
+
     my @values;

     my ( $sql, $action, $prev_data );
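Review bot: In the edit path the HMAC key is `$data->{'username'}` from the request, which on an edit that changes only the password may be absent (yielding a digest keyed with an empty string that will never verify at login) or, if the username is being changed in the same call, differs from the name the digest will later be checked against; derive the key from the username the row will have after the update, fetching it from the database when it is not in the request. Relatedly, renaming a user without also setting a new password leaves a digest keyed to the old name, so a username change should require a password in the same request. The HMAC is also computed even when 'password' was not pushed onto @columns on the lines above, which is harmless for the query but likely warns on undef; reuse the same `exists ... && ne ''` test as a guard. The subroutine continues beyond this hunk.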

matt

Thanks!

I will apply this patch before the next NicTool release.

dazzlin

There is a mistake in this code.

In the file: NicToolServer-2.07/NicToolServer/User/Sanity.pm

In the subroutine _check_current_password, the line that in the patch reads:

$data->{'current_password'} = hmac_sha1_hex($user[0], $user[1]);

It SHOULD be:

$data->{'current_password'} = hmac_sha1_hex($data->{'current_password'}, $user[1]);

Works for me, now. hope that helps.

matt

good catch dazzlin. I have applied this patch in subversion, as well as your correction.