Apply PBKDF2 when storing passwords

src/webui/api/appcontroller.cpp

@@ -54,6 +54,7 @@
 #include "base/scanfoldersmodel.h"
 #include "base/utils/fs.h"
 #include "base/utils/net.h"
+#include "base/utils/password.h"
 #include "../webapplication.h"
 
 void AppController::webapiVersionAction()
@@ -198,7 +199,6 @@ void AppController::preferencesAction()
     data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate());
     // Authentication
     data["web_ui_username"] = pref->getWebUiUsername();
-    data["web_ui_password"] = pref->getWebUiPassword();
     data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled();
     data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled();
     QStringList authSubnetWhitelistStringList;
@@ -474,7 +474,7 @@ void AppController::setPreferencesAction()
     if (m.contains("web_ui_username"))
         pref->setWebUiUsername(m["web_ui_username"].toString());
     if (m.contains("web_ui_password"))
-        pref->setWebUiPassword(m["web_ui_password"].toString());
+        pref->setWebUIPassword(Utils::Password::PBKDF2::generate(m["web_ui_password"].toByteArray()));
     if (m.contains("bypass_local_auth"))
         pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool());
     if (m.contains("bypass_auth_subnet_whitelist_enabled"))

src/webui/api/authcontroller.cpp

@@ -28,11 +28,9 @@
 
 #include "authcontroller.h"
 
-#include <QCryptographicHash>
-
 #include "base/logger.h"
 #include "base/preferences.h"
-#include "base/utils/string.h"
+#include "base/utils/password.h"
 #include "apierror.h"
 #include "isessionmanager.h"
 
@@ -58,17 +56,14 @@ void AuthController::loginAction()
                        , tr("Your IP address has been banned after too many failed authentication attempts."));
     }
 
-    const QString username {Preferences::instance()->getWebUiUsername()};
-    const QString password {Preferences::instance()->getWebUiPassword()};
+    const Preferences *pref = Preferences::instance();
 
-    QCryptographicHash md5(QCryptographicHash::Md5);
-    md5.addData(passwordFromWeb.toLocal8Bit());
-    const QString passwordFromWebHashed = md5.result().toHex();
+    const QString username {pref->getWebUiUsername()};
+    const QByteArray secret {pref->getWebUIPassword()};
+    const bool usernameEqual = Utils::Password::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
+    const bool passwordEqual = Utils::Password::PBKDF2::verify(secret, passwordFromWeb);
 
-    const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
-    const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
-
-    if (equalUser && equalPass) {
+    if (usernameEqual && passwordEqual) {
         m_clientFailedLogins.remove(clientAddr);
 
         sessionManager()->sessionStart();

src/webui/www/private/preferences_content.html

@@ -433,7 +433,8 @@
                 <label for="webui_username_text" class="leftLabelSmall">QBT_TR(Username:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_username_text" />
             </div>
             <div class="formRow">
-                <label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="password" id="webui_password_text" />
+                <label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label>
+                <input type="password" id="webui_password_text" placeholder="QBT_TR(Change current password)QBT_TR[CONTEXT=OptionsDialog]" />
             </div>
             <div class="formRow">
                 <input type="checkbox" id="bypass_local_auth_checkbox" />
@@ -980,7 +981,6 @@
 
                     // Authentication
                     $('webui_username_text').setProperty('value', pref.web_ui_username);
-                    $('webui_password_text').setProperty('value', pref.web_ui_password);
                     $('bypass_local_auth_checkbox').setProperty('checked', pref.bypass_local_auth);
                     $('bypass_auth_subnet_whitelist_checkbox').setProperty('checked', pref.bypass_auth_subnet_whitelist_enabled);
                     $('bypass_auth_subnet_whitelist_textarea').setProperty('value', pref.bypass_auth_subnet_whitelist);
@@ -1264,12 +1264,14 @@
             return;
         }
         var web_ui_password = $('webui_password_text').getProperty('value');
-        if (web_ui_password.length < 6) {
+        if ((0 < web_ui_password.length) && (web_ui_password.length < 6)) {
             alert("QBT_TR(The Web UI password must be at least 6 characters long.)QBT_TR[CONTEXT=OptionsDialog]");
             return;
         }
+
         settings.set('web_ui_username', web_ui_username);
-        settings.set('web_ui_password', web_ui_password);
+        if (web_ui_password.length > 0)
+            settings.set('web_ui_password', web_ui_password);
         settings.set('bypass_local_auth', $('bypass_local_auth_checkbox').getProperty('checked'));
         settings.set('bypass_auth_subnet_whitelist_enabled', $('bypass_auth_subnet_whitelist_checkbox').getProperty('checked'));
         settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value'));