detect and use sha512-crypt for stored password hash.

2019-07-14 09:48:42 -07:00 · 2019-07-14 09:48:42 -07:00 · f98f7ad1b9
commit f98f7ad1b9
parent cef4337f95
4 changed files with 19 additions and 6 deletions
--- a/lib/pleroma/plugs/authentication_plug.ex
+++ b/lib/pleroma/plugs/authentication_plug.ex
@ -6,11 +6,24 @@ defmodule Pleroma.Plugs.AuthenticationPlug do
  alias Comeonin.Pbkdf2
  import Plug.Conn
  alias Pleroma.User
+  require Logger

  def init(options) do
    options
  end

+  def checkpw(password, password_hash) do
+    cond do
+      String.starts_with?(password_hash, "$pbkdf2") ->
+        Pbkdf2.checkpw(password, password_hash)
+      String.starts_with?(password_hash, "$6") ->
+        :crypt.crypt(password, password_hash) == password_hash
+      true ->
+        Logger.error("Password hash not recognized")
+        false
+    end
+  end
+
  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn

  def call(
--- a/lib/pleroma/web/auth/pleroma_authenticator.ex
+++ b/lib/pleroma/web/auth/pleroma_authenticator.ex
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.Auth.PleromaAuthenticator do
-  alias Comeonin.Pbkdf2
+  alias Pleroma.Plugs.AuthenticationPlug
  alias Pleroma.Registration
  alias Pleroma.Repo
  alias Pleroma.User
@ -16,7 +16,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
  def get_user(%Plug.Conn{} = conn) do
    with {:ok, {name, password}} <- fetch_credentials(conn),
         {_, %User{} = user} <- {:user, fetch_user(name)},
-         {_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do
+         {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)} do
      {:ok, user}
    else
      error ->
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@ -6,11 +6,11 @@ defmodule Pleroma.Web.CommonAPI.Utils do
  import Pleroma.Web.Gettext

  alias Calendar.Strftime
-  alias Comeonin.Pbkdf2
  alias Pleroma.Activity
  alias Pleroma.Config
  alias Pleroma.Formatter
  alias Pleroma.Object
+  alias Pleroma.Plugs.AuthenticationPlug
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.Utils
@ -371,7 +371,7 @@ defp shortname(name) do

  def confirm_current_password(user, password) do
    with %User{local: true} = db_user <- User.get_cached_by_id(user.id),
-         true <- Pbkdf2.checkpw(password, db_user.password_hash) do
+         true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do
      {:ok, db_user}
    else
      _ -> {:error, dgettext("errors", "Invalid password.")}
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@ -7,10 +7,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do

  require Logger

-  alias Comeonin.Pbkdf2
  alias Pleroma.Activity
  alias Pleroma.Emoji
  alias Pleroma.Notification
+  alias Pleroma.Plugs.AuthenticationPlug
  alias Pleroma.User
  alias Pleroma.Web
  alias Pleroma.Web.ActivityPub.ActivityPub
@ -96,7 +96,7 @@ def do_remote_follow(conn, %{
    name = followee.nickname

    with %User{} = user <- User.get_cached_by_nickname(username),
-         true <- Pbkdf2.checkpw(password, user.password_hash),
+         true <- AuthenticationPlug.checkpw(password, user.password_hash),
         %User{} = _followed <- User.get_cached_by_id(id),
         {:ok, follower} <- User.follow(user, followee),
         {:ok, _activity} <- ActivityPub.follow(follower, followee) do