From f98f7ad1b9c1aede0ddefecfefb73919564d73ed Mon Sep 17 00:00:00 2001 From: Moonman Date: Sun, 14 Jul 2019 09:48:42 -0700 Subject: [PATCH 1/2] detect and use sha512-crypt for stored password hash. --- lib/pleroma/plugs/authentication_plug.ex | 13 +++++++++++++ lib/pleroma/web/auth/pleroma_authenticator.ex | 4 ++-- lib/pleroma/web/common_api/utils.ex | 4 ++-- .../web/twitter_api/controllers/util_controller.ex | 4 ++-- 4 files changed, 19 insertions(+), 6 deletions(-) diff --git a/lib/pleroma/plugs/authentication_plug.ex b/lib/pleroma/plugs/authentication_plug.ex index da4ed4226..48dc1f818 100644 --- a/lib/pleroma/plugs/authentication_plug.ex +++ b/lib/pleroma/plugs/authentication_plug.ex @@ -6,11 +6,24 @@ defmodule Pleroma.Plugs.AuthenticationPlug do alias Comeonin.Pbkdf2 import Plug.Conn alias Pleroma.User + require Logger def init(options) do options end + def checkpw(password, password_hash) do + cond do + String.starts_with?(password_hash, "$pbkdf2") -> + Pbkdf2.checkpw(password, password_hash) + String.starts_with?(password_hash, "$6") -> + :crypt.crypt(password, password_hash) == password_hash + true -> + Logger.error("Password hash not recognized") + false + end + end + def call(%{assigns: %{user: %User{}}} = conn, _), do: conn def call( diff --git a/lib/pleroma/web/auth/pleroma_authenticator.ex b/lib/pleroma/web/auth/pleroma_authenticator.ex index a9164ad98..f4234b743 100644 --- a/lib/pleroma/web/auth/pleroma_authenticator.ex +++ b/lib/pleroma/web/auth/pleroma_authenticator.ex @@ -3,7 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0-only defmodule Pleroma.Web.Auth.PleromaAuthenticator do - alias Comeonin.Pbkdf2 + alias Pleroma.Plugs.AuthenticationPlug alias Pleroma.Registration alias Pleroma.Repo alias Pleroma.User @@ -16,7 +16,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do def get_user(%Plug.Conn{} = conn) do with {:ok, {name, password}} <- fetch_credentials(conn), {_, %User{} = user} <- {:user, fetch_user(name)}, - {_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do + {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)} do {:ok, user} else error -> diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex index 8e482eef7..e013188cf 100644 --- a/lib/pleroma/web/common_api/utils.ex +++ b/lib/pleroma/web/common_api/utils.ex @@ -6,11 +6,11 @@ defmodule Pleroma.Web.CommonAPI.Utils do import Pleroma.Web.Gettext alias Calendar.Strftime - alias Comeonin.Pbkdf2 alias Pleroma.Activity alias Pleroma.Config alias Pleroma.Formatter alias Pleroma.Object + alias Pleroma.Plugs.AuthenticationPlug alias Pleroma.Repo alias Pleroma.User alias Pleroma.Web.ActivityPub.Utils @@ -371,7 +371,7 @@ defmodule Pleroma.Web.CommonAPI.Utils do def confirm_current_password(user, password) do with %User{local: true} = db_user <- User.get_cached_by_id(user.id), - true <- Pbkdf2.checkpw(password, db_user.password_hash) do + true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do {:ok, db_user} else _ -> {:error, dgettext("errors", "Invalid password.")} diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex index b1863528f..c10c66ff2 100644 --- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex +++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex @@ -7,10 +7,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do require Logger - alias Comeonin.Pbkdf2 alias Pleroma.Activity alias Pleroma.Emoji alias Pleroma.Notification + alias Pleroma.Plugs.AuthenticationPlug alias Pleroma.User alias Pleroma.Web alias Pleroma.Web.ActivityPub.ActivityPub @@ -96,7 +96,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do name = followee.nickname with %User{} = user <- User.get_cached_by_nickname(username), - true <- Pbkdf2.checkpw(password, user.password_hash), + true <- AuthenticationPlug.checkpw(password, user.password_hash), %User{} = _followed <- User.get_cached_by_id(id), {:ok, follower} <- User.follow(user, followee), {:ok, _activity} <- ActivityPub.follow(follower, followee) do From 105f437ce91e1416f10ad90f56dfd47d16913f40 Mon Sep 17 00:00:00 2001 From: Moonman Date: Mon, 15 Jul 2019 08:36:51 -0700 Subject: [PATCH 2/2] formatting --- lib/pleroma/plugs/authentication_plug.ex | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/pleroma/plugs/authentication_plug.ex b/lib/pleroma/plugs/authentication_plug.ex index 48dc1f818..eec514892 100644 --- a/lib/pleroma/plugs/authentication_plug.ex +++ b/lib/pleroma/plugs/authentication_plug.ex @@ -16,8 +16,10 @@ defmodule Pleroma.Plugs.AuthenticationPlug do cond do String.starts_with?(password_hash, "$pbkdf2") -> Pbkdf2.checkpw(password, password_hash) + String.starts_with?(password_hash, "$6") -> :crypt.crypt(password, password_hash) == password_hash + true -> Logger.error("Password hash not recognized") false