Apply PBKDF2 when storing passwords

2026-01-01 05:08:05 -06:00 · 2018-11-21 15:15:51 +08:00
parent 8a6cac8338
commit 05d6a29416
14 changed files with 208 additions and 70 deletions
--- a/src/webui/api/appcontroller.cpp
+++ b/src/webui/api/appcontroller.cpp
@@ -54,6 +54,7 @@
 #include "base/scanfoldersmodel.h"
 #include "base/utils/fs.h"
 #include "base/utils/net.h"
+#include "base/utils/password.h"
 #include "../webapplication.h"

 void AppController::webapiVersionAction()
@@ -198,7 +199,6 @@ void AppController::preferencesAction()
    data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate());
    // Authentication
    data["web_ui_username"] = pref->getWebUiUsername();
-    data["web_ui_password"] = pref->getWebUiPassword();
    data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled();
    data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled();
    QStringList authSubnetWhitelistStringList;
@@ -474,7 +474,7 @@ void AppController::setPreferencesAction()
    if (m.contains("web_ui_username"))
        pref->setWebUiUsername(m["web_ui_username"].toString());
    if (m.contains("web_ui_password"))
-        pref->setWebUiPassword(m["web_ui_password"].toString());
+        pref->setWebUIPassword(Utils::Password::PBKDF2::generate(m["web_ui_password"].toByteArray()));
    if (m.contains("bypass_local_auth"))
        pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool());
    if (m.contains("bypass_auth_subnet_whitelist_enabled"))
--- a/src/webui/api/authcontroller.cpp
+++ b/src/webui/api/authcontroller.cpp
@@ -28,11 +28,9 @@

 #include "authcontroller.h"

-#include <QCryptographicHash>
-
 #include "base/logger.h"
 #include "base/preferences.h"
-#include "base/utils/string.h"
+#include "base/utils/password.h"
 #include "apierror.h"
 #include "isessionmanager.h"

@@ -58,17 +56,14 @@ void AuthController::loginAction()
                       , tr("Your IP address has been banned after too many failed authentication attempts."));
    }

-    const QString username {Preferences::instance()->getWebUiUsername()};
-    const QString password {Preferences::instance()->getWebUiPassword()};
+    const Preferences *pref = Preferences::instance();

-    QCryptographicHash md5(QCryptographicHash::Md5);
-    md5.addData(passwordFromWeb.toLocal8Bit());
-    const QString passwordFromWebHashed = md5.result().toHex();
+    const QString username {pref->getWebUiUsername()};
+    const QByteArray secret {pref->getWebUIPassword()};
+    const bool usernameEqual = Utils::Password::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
+    const bool passwordEqual = Utils::Password::PBKDF2::verify(secret, passwordFromWeb);

-    const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
-    const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
-
-    if (equalUser && equalPass) {
+    if (usernameEqual && passwordEqual) {
        m_clientFailedLogins.remove(clientAddr);

        sessionManager()->sessionStart();