squidy/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2025-12-21 16:07:23 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9942 from Chocobo1/pbkdf2

Browse Source 
Do password hashing properly
This commit is contained in:
Mike Tzou
2018-12-06 16:22:22 +08:00
committed by GitHub
parent 1eef5b6876 593052dd93
commit 6bb4eb825b
21 changed files with 367 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
src/base/utils/password.cpp Normal file
View File

@@ -0,0 +1,120 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#include "password.h"
#include <array>
#include <openssl/evp.h>
#include <QByteArray>
#include <QList>
#include <QString>
#include "bytearray.h"
#include "random.h"
#include "string.h"
namespace Utils
{
namespace Password
{
namespace PBKDF2
{
const int hashIterations = 100000;
const auto hashMethod = EVP_sha512();
}
}
}
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::Password::slowEquals(const QByteArray &a, const QByteArray &b)
{
const int lengthA = a.length();
const int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
QByteArray Utils::Password::PBKDF2::generate(const QString &password)
{
return generate(password.toUtf8());
}
QByteArray Utils::Password::PBKDF2::generate(const QByteArray &password)
{
const std::array<uint32_t, 4> salt {{Random::rand(), Random::rand()
, Random::rand(), Random::rand()}};
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.data()), (sizeof(salt[0]) * salt.size())
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return {};
const QByteArray saltView = QByteArray::fromRawData(
reinterpret_cast<const char *>(salt.data()), (sizeof(salt[0]) * salt.size()));
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return (saltView.toBase64() + ':' + outBufView.toBase64());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QString &password)
{
return verify(secret, password.toUtf8());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QByteArray &password)
{
const QList<QByteArray> list = ByteArray::splitToViews(secret, ":", QString::SkipEmptyParts);
if (list.size() != 2)
return false;
const QByteArray salt = QByteArray::fromBase64(list[0]);
const QByteArray key = QByteArray::fromBase64(list[1]);
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.constData()), salt.size()
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return false;
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return slowEquals(key, outBufView);
}

51
src/base/utils/password.h Normal file
View File

@@ -0,0 +1,51 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#pragma once
class QByteArray;
class QString;
namespace Utils
{
namespace Password
{
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
namespace PBKDF2
{
QByteArray generate(const QString &password);
QByteArray generate(const QByteArray &password);
bool verify(const QByteArray &secret, const QString &password);
bool verify(const QByteArray &secret, const QByteArray &password);
}
}
}

15
src/base/utils/string.cpp
View File

@@ -31,7 +31,6 @@
#include <cmath>
#include <QByteArray>
#include <QCollator>
#include <QLocale>
#include <QRegExp>
@@ -164,20 +163,6 @@ QString Utils::String::fromDouble(double n, int precision)
return QLocale::system().toString(std::floor(n * prec) / prec, 'f', precision);
}
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::String::slowEquals(const QByteArray &a, const QByteArray &b)
{
int lengthA = a.length();
int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
// This is marked as internal in QRegExp.cpp, but is exported. The alternative would be to
// copy the code from QRegExp::wc2rx().
QString qt_regexp_toCanonical(const QString &pattern, QRegExp::PatternSyntax patternSyntax);

7
src/base/utils/string.h
View File

@@ -30,10 +30,9 @@
#ifndef UTILS_STRING_H
#define UTILS_STRING_H
#include <QLatin1String>
#include <QString>
class QByteArray;
class QLatin1String;
class TriStateBool;
namespace Utils
@@ -42,10 +41,6 @@ namespace Utils
{
QString fromDouble(double n, int precision);
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
int naturalCompare(const QString &left, const QString &right, const Qt::CaseSensitivity caseSensitivity);
template <Qt::CaseSensitivity caseSensitivity>
bool naturalLessThan(const QString &left, const QString &right)