From 6721535cf4d0734a3305ccabc3f3b61f8adec902 Mon Sep 17 00:00:00 2001 From: "Dmitriy A. Gerasimov" <dmitriy.gerasimov@demlabs.net> Date: Fri, 8 Nov 2019 18:20:38 +0700 Subject: [PATCH] [+] dap_server_http_db_auth_tool [+] some scripts --- CMakeLists.txt | 12 ++ dap_defines.h | 21 ++++ dap_server_http_db_auth_tool.c | 95 +++++++++++++++ include/db_auth.h | 3 + scripts/dap_domain_create | 24 ++++ scripts/dap_domain_list | 3 + scripts/dap_user_change_password | 37 ++++++ scripts/dap_user_create | 73 ++++++++++++ scripts/dap_user_update | 22 ++++ scripts/set_subscription_for_client | 38 ++++++ src/db_auth.c | 172 ++++++++++++---------------- 11 files changed, 399 insertions(+), 101 deletions(-) create mode 100644 dap_defines.h create mode 100644 dap_server_http_db_auth_tool.c create mode 100755 scripts/dap_domain_create create mode 100755 scripts/dap_domain_list create mode 100644 scripts/dap_user_change_password create mode 100755 scripts/dap_user_create create mode 100755 scripts/dap_user_update create mode 100644 scripts/set_subscription_for_client diff --git a/CMakeLists.txt b/CMakeLists.txt index 6e54282..7e6d4fe 100755 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -5,9 +5,21 @@ file(GLOB DAP_SERVER_HTTP_DB_AUTH_SOURCES src/*.c) file(GLOB DAP_SERVER_HTTP_DB_AUTH_HEADERS include/*.h) add_library(${PROJECT_NAME} STATIC ${DAP_SERVER_HTTP_DB_AUTH_SOURCES} ${DAP_SERVER_HTTP_DB_AUTH_HEADERS}) +add_executable(${PROJECT_NAME}_tool ${DAP_SERVER_HTTP_DB_AUTH_SOURCES} ${DAP_SERVER_HTTP_DB_AUTH_HEADERS} dap_server_http_db_auth_tool.c ) target_link_libraries(${PROJECT_NAME} dap_crypto dap_stream dap_server_http_db ) +target_link_libraries(${PROJECT_NAME}_tool dap_crypto dap_stream dap_server_http_db ) target_include_directories(${PROJECT_NAME} PUBLIC include) target_include_directories(${PROJECT_NAME} PRIVATE src) +target_include_directories(${PROJECT_NAME}_tool PRIVATE include) +target_include_directories(${PROJECT_NAME}_tool PRIVATE src) + +INSTALL(TARGETS ${PROJECT_NAME}_tool DESTINATION ${CMAKE_INSTALL_PREFIX}/bin ) +INSTALL( + DIRECTORY scripts/ + DESTINATION ${CMAKE_INSTALL_PREFIX}/sbin + FILES_MATCHING PATTERN "*" PATTERN "*" + PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ + ) diff --git a/dap_defines.h b/dap_defines.h new file mode 100644 index 0000000..cff99e5 --- /dev/null +++ b/dap_defines.h @@ -0,0 +1,21 @@ +#pragma once +#define DAP_APP_NAME NODE_NETNAME "-node" + +//#ifdef _WIN32 +// #define SYSTEM_PREFIX "%USERPROFILE%/opt/"DAP_APP_NAME +//#else + #define SYSTEM_PREFIX "/opt/"DAP_APP_NAME +// #define SYSTEM_PREFIX "opt/"DAP_APP_NAME +//#endif + +#define LOCAL_PREFIX "~/."DAP_APP_NAME + +#define SYSTEM_CONFIGS_DIR SYSTEM_PREFIX"/etc" +#define LOCAL_CONFIGS_DIR LOCAL_PREFIX"/etc" +#define SYSTEM_LOGS_DIR SYSTEM_PREFIX"/var/log" + +#define SYSTEM_CONFIG_GLOBAL_FILENAME SYSTEM_PREFIX"/etc/"DAP_APP_NAME".cfg" +#define LOCAL_CONFIG_GLOBAL LOCAL_PREFIX"/etc/"DAP_APP_NAME".cfg" + +#define SYSTEM_PID_FILE_PATH SYSTEM_PREFIX"/run/"DAP_APP_NAME".pid" +#define LOCAL_PID_FILE_PATH SYSTEM_PREFIX"/run/"DAP_APP_NAME".pid" 
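Review bot: `${PROJECT_NAME}_tool` is built from `${DAP_SERVER_HTTP_DB_AUTH_SOURCES}` a second time instead of linking the static library this file just defined, so the library sources are compiled twice and the tool can drift from the library it is meant to match. `add_executable(${PROJECT_NAME}_tool dap_server_http_db_auth_tool.c)` followed by `target_link_libraries(${PROJECT_NAME}_tool ${PROJECT_NAME} dap_crypto dap_stream dap_server_http_db)` shares one build. The `INSTALL(DIRECTORY scripts/ ...)` entry lists `PATTERN "*"` twice, which is harmless but reads like a leftover.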
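Review bot: `LOCAL_PID_FILE_PATH` is built from `SYSTEM_PREFIX` rather than `LOCAL_PREFIX`, so the "local" and "system" PID paths are the same string, which looks like a copy-paste slip next to `LOCAL_CONFIG_GLOBAL`; presumably `#define LOCAL_PID_FILE_PATH LOCAL_PREFIX"/run/"DAP_APP_NAME".pid"` was intended. `DAP_APP_NAME` expands `NODE_NETNAME`, which this header neither defines nor includes, so every translation unit depends on the build system supplying it before `dap_defines.h` is included; a short comment above the define stating where `NODE_NETNAME` is expected to come from would spare the next reader a search. The commented-out `_WIN32` branch is dead text and could be dropped.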
diff --git a/dap_server_http_db_auth_tool.c b/dap_server_http_db_auth_tool.c
new file mode 100644
index 0000000..25a6c85
--- /dev/null
+++ b/dap_server_http_db_auth_tool.c
@@ -0,0 +1,95 @@
+/*
+ * Authors:
+ * Dmitriy A. Gearasimov <naeper@demlabs.net>
+ * CellFrame https://cellframe.net
+ * DeM Labs Inc. https://demlabs.net
+ * Copyright (c) 2017-2019
+ * All rights reserved.
+
+ This file is part of DAP (Deus Applications Prototypes) the open source project
+
+ DAP (Deus Applicaions Prototypes) is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ DAP is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with any DAP based project. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+//#include "dap_client.h"
+#include "dap_common.h"
+#include "dap_config.h"
+
+#ifdef _WIN32
+#include "registry.h"
+#endif
+
+#include "dap_defines.h"
+
+#include "db_auth.h"
+
+static void s_help(const char * a_app_name)
+{
+ printf ("\t%s tool. 
Usage:\n\n", a_app_name);
+ printf("\tGet password hash\n");
+ printf("%s password_hash <Password>\n",a_app_name);
+ exit(-1);
+}
+
+int main(int argc, const char * argv[])
+{
+#ifdef _WIN32
+ dap_sprintf(s_sys_dir_path, "%s/%s", regGetUsrPath(), DAP_APP_NAME);
+ l_sys_dir_path_len = strlen(s_sys_dir_path);
+#endif
+
+ // set_default_locale();
+ // command_execution_string = shell_script_filename = (char *) NULL;
+
+ memcpy(s_sys_dir_path + l_sys_dir_path_len, SYSTEM_CONFIGS_DIR, sizeof(SYSTEM_CONFIGS_DIR) );
+ dap_common_init( DAP_APP_NAME " Console interface", NULL );
+ dap_log_level_set( L_CRITICAL );
+ dap_config_init( s_sys_dir_path );
+ memset(s_sys_dir_path + l_sys_dir_path_len, '\0', MAX_PATH - l_sys_dir_path_len);
+
+ if((g_config = dap_config_open(DAP_APP_NAME)) == NULL) {
+ printf("Can't init general configurations " DAP_APP_NAME ".cfg\n");
+ exit(-1);
+ }
+
+ if (argc<2 ){
+ fprintf(stderr, "Have only %d params but need 2 at least.", argc);
+ s_help(argv[0]);
+ }
+
+ if ( strcmp(argv[1],"password_hash")==0 ){
+ if ( argc < 3){
+ fprintf(stderr, "Have only %d params but need 3 at least for command \"password_hash\". Need password string to produce password hash!", argc);
+ s_help( argv[0]);
+ }
+ const char * l_password = argv[2];
+ char * l_passwd_hash = dap_server_db_hash_password_b64 ( l_password);
+ if( l_passwd_hash){
+ printf( "%s",l_passwd_hash);
+ DAP_DELETE( l_passwd_hash);
+ }else
+ fprintf(stderr, "Can't produce hash from \"%s\"",l_password);
+ }else{
+ fprintf(stderr, "Unknown command \"%s\"", argv[1]);
+ s_help( argv[0] );
+ }
+ return 0;
+
+}
+
diff --git a/include/db_auth.h b/include/db_auth.h
index ac0d6ad..af32bea 100755
--- a/include/db_auth.h
+++ b/include/db_auth.h
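Review bot: `main` takes the password from `argv[2]` and, on failure, echoes it back with `fprintf(stderr, "Can't produce hash from \"%s\"", l_password)`; command-line arguments are visible to every local user through the process table and land in shell history, and the scripts added in this commit call the tool exactly that way. Reading the password from stdin (or an environment variable) and printing only a generic failure message keeps it out of `ps` output and captured stderr. `s_sys_dir_path`, `l_sys_dir_path_len`, `MAX_PATH` and `g_config` are not declared in this file; if they come from `dap_common.h`, note that `l_sys_dir_path_len` is only assigned in the `_WIN32` branch, so the `memcpy` on other platforms relies on its initial value — a one-line comment saying which value is expected would help. `s_help` ends with `exit(-1)`, which reports status 255; `exit(EXIT_FAILURE)` is the conventional value.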
@@ -70,6 +70,9 @@ bool db_auth_change_password(const char *user, const char* new_password);
 bool check_user_password(const char* user, const char* password);
+unsigned char* dap_server_db_hash_password(const char* a_password);
+char* dap_server_db_hash_password_b64(const char* a_password);
+
 void db_auth_http_proc(enc_http_delegate_t *dg, void * arg);
 void db_auth_traffic_track_callback(dap_server_t *srv);
diff --git a/scripts/dap_domain_create b/scripts/dap_domain_create
new file mode 100755
index 0000000..eb791c2
--- /dev/null
+++ b/scripts/dap_domain_create
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo "Creating the new user for dapserver authorization"
+
+if [ $# -eq 1 ]; then
+ domain=$1
+else
+ read -p "Enter domain name: " domain
+ if [ -z "$domain" ]; then
+ echo "[CRITICAL] Need domain name to create new record in the database"
+ exit 1
+ fi
+
+fi
+
+mongodomain=`mongo dapDb --eval "db.dap_domains.distinct( \"_id\", { domain : \"$domain\" })"`
+mongodomain=`echo "$mongodomain" | tail -1 | tr -d "[] "`
+
+if [ -z $mongodomain ]; then
+ mongo dapDb --eval "db.dap_domains.insert( {domain:\"$domain\" } )"
+else
+ echo "[CRITICAL] Domain name $domain is already present"
+fi
+
diff --git a/scripts/dap_domain_list b/scripts/dap_domain_list
new file mode 100755
index 0000000..f54f2ad
--- /dev/null
+++ b/scripts/dap_domain_list
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+mongo dapDb --eval "db.dap_domains.find()"
diff --git a/scripts/dap_user_change_password b/scripts/dap_user_change_password
new file mode 100644
index 0000000..9325bcb
--- /dev/null
+++ b/scripts/dap_user_change_password
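Review bot: The two new prototypes return heap memory but say nothing about ownership or failure, and the callers in this commit release the result inconsistently (`DAP_DELETE` in most places, `free` in `db_auth_register`). A Doxygen comment on each would settle it — for `dap_server_db_hash_password` something like `/** Hash a password. Returns a buffer of DB_AUTH_HASH_LENGTH * 2 bytes allocated with DAP_NEW_Z_SIZE; caller releases it with DAP_DELETE. */`, and for `_b64` the same plus that the result is a NUL-terminated URL-safe base64 string and may be NULL on allocation failure.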
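Review bot: `$domain` is spliced verbatim into the JavaScript handed to `mongo --eval` (`{ domain : \"$domain\" }`), so a value containing a double quote terminates the string literal and the remainder of the input is evaluated as JavaScript against `dapDb`; the same construction appears in `dap_user_change_password`, `dap_user_create`, `dap_user_update` and `set_subscription_for_client` with `$login`, `$email`, `$1`..`$3`. Validating each value against a character allow-list before it reaches `--eval` is the simplest defence, e.g. `case "$domain" in ''|*[!A-Za-z0-9.-]*) echo "[CRITICAL] Bad domain name"; exit 1;; esac`. `read -p` is a bash extension that fails under a strict `/bin/sh` such as dash, and `[ -z $mongodomain ]` should quote the expansion.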
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+echo "Creating the new user for dapserver authorization"
+
+read -p "Enter login: " login
+if [ -z "$login" ]; then
+ echo "[CRITICAL] Need username to create new login record in the database"
+ exit 1
+fi
+
+result=$(mongo dapDb --eval "db.dap_users.find( { login : \"${login}\" } )" | wc -l)
+
+if [ $result -eq 2 ]; then
+ echo "Login not found in DataBase"
+ exit 2
+fi
+
+read -p "Enter new password: " password
+if [ -z "$password" ]; then
+ echo "[CRITICAL] Need secure password to create new login record in the database"
+ exit 3
+fi
+
+salt=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8; echo '')
+
+echo -n "${password}${salt}" | openssl dgst -sha512 -binary > temp.txt
+echo -n "${salt}" | openssl dgst -sha512 -binary >> temp.txt
+b64=$(cat temp.txt | base64)
+b64urlstring=$(echo $b64 | tr "+/" "-_" | tr -d ' =')
+b64salt=$(echo -n ${salt} | base64 | tr "+/" "-_" | tr -d ' =')
+rm temp.txt
+
+mongo dapDb --eval "db.dap_users.update( { login : \"${login}\"}, { \$set: { passwordHash : \"${b64urlstring}\", salt : \"${b64salt}\" } } )"
+
+
+
+
diff --git a/scripts/dap_user_create b/scripts/dap_user_create
new file mode 100755
index 0000000..3ad0a28
--- /dev/null
+++ b/scripts/dap_user_create
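Review bot: The hash this script stores cannot be verified by the C code in the same commit: it computes SHA-2 (`openssl dgst -sha512`) over `password||salt` with a fresh random `salt`, while `dap_server_db_hash_password` in `src/db_auth.c` computes SHA3-512 over `password||{0x01..0x08}` and ignores the stored `salt` field, so a password set here will fail `check_user_password` and `db_auth_login`. Either call `dap_server_http_db_auth_tool password_hash` as `dap_user_create` and `dap_user_update` do, or keep a single scheme on both sides. The intermediate digest is written to `temp.txt` in the current directory and removed afterwards; piping both digests straight into `base64` avoids the file, and `read -p` also echoes the new password to the terminal while it is typed.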
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+echo "Creating the new user for dapserver authorization"
+
+if [ $# -eq 1 ]; then
+ echo "Need two parametrs ( email and password )"
+ exit 5
+fi
+
+if [ $# -eq 2 ]; then
+
+ email=$1
+ password=$2
+
+ is_correct_email=$(echo $email | grep -E "^.+@.+[.].+$")
+ if [ -z $is_correct_email ]; then
+ echo Error! Bad email address. Use first parametr email, second - password
+ exit 4
+ fi
+else
+
+ read -p "Enter login: " login
+ if [ -z "$login" ]; then
+ echo "[CRITICAL] Need username to create new login record in the database"
+ exit 1
+ fi
+
+ read -p "Enter password: " password
+ if [ -z "$password" ]; then
+ echo "[CRITICAL] Need secure password to create new login record in the database"
+ exit 2
+ fi
+
+ read -p "Enter email: " email
+
+ if [ -n "$email" ]; then
+ is_correct_email=$(echo $email | grep -E "^.+@.+[.].+$")
+ if [ -z $is_correct_email ]; then
+ echo Error! Bad email address.
+ exit 4
+ fi
+ fi
+
+ read -p "Enter first_name ( can skip ): " first_name
+ read -p "Enter last_name ( can skip ): " last_name
+
+fi
+
+domain=klvn.io
+
+salt=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 8; echo '')
+
+mongodomain=$(mongo dapDb --eval "db.dap_domains.distinct( \"_id\", { domain : \"${domain}\" })" )
+mongodomain=$(echo "$mongodomain" | tail -1 | tr -d "[] ")
+
+if [ -z $mongodomain ]; then
+ echo "domain not find in database"
+ exit 3
+fi
+
+password_hash=$(/opt/cellframe-node/bin/dap_server_http_db_auth_tool password_hash ${password})
+echo "Password hash $password_hash"
+if [ -z "$login" ]; then
+ login=$email
+fi
+
+registration_date=$(date -u "+%Y-%m-%d %T")
+expired_date=$(date -u -d '+ 3 day' '+%Y-%m-%d %T')
+
+mongo dapDb --eval "db.dap_users.insert( { login : \"${login}\", email : \"${email}\", passwordHash : \"${password_hash}\",
+salt : \"${b64salt}\", domainId : ${mongodomain}, profile: { first_name : \"${first_name}\",
+last_name : \"${last_name}\" }, registration_date : ISODate(\"${registration_date}\"), 
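Review bot: `b64salt` is never assigned in this script — only `salt` is generated, and nothing is derived from it — so every new user is inserted with `salt : ""`; either drop the salt generation and field now that `dap_server_db_hash_password` uses a fixed salt, or encode it the way `dap_user_change_password` does. `${password}` is passed to `dap_server_http_db_auth_tool` unquoted (also in `dap_user_update`), so a password with spaces or glob characters is split or expanded before it is hashed; `"${password}"` is the minimum, though handing the password over on argv exposes it in the process list regardless. `domain=klvn.io` is hard-coded and `${mongodomain}` is interpolated into the insert unquoted, which presumably works only because `distinct("_id")` prints an `ObjectId(...)` literal; a comment stating that expectation would help the next reader.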
expire_date : ISODate(\"${expired_date}\"), contacts: [] } )"
+
diff --git a/scripts/dap_user_update b/scripts/dap_user_update
new file mode 100755
index 0000000..fafb295
--- /dev/null
+++ b/scripts/dap_user_update
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+echo "Update user for dapserver authorization"
+
+if [ $# -lt 3 ] || [ $# -gt 4 ]; then
+ echo "Need three or four parametrs ( login, first_name, last_name, password ( if want change) )."
+ exit 1
+fi
+
+if [ $# -eq 3 ]; then
+ mongo dapDb --eval "db.dap_users.update( { login : \"${1}\"}, { \$set: { \"profile.first_name\" : \"${2}\", \"profile.last_name\" : \"${3}\" } } )"
+ exit 0
+fi
+
+password=${4}
+
+password_hash=$(/opt/cellframe-node/bin/dap_server_http_db_auth_tool password_hash ${password})
+echo "Password hash $password_hash"
+
+
+mongo dapDb --eval "db.dap_users.update( { login : \"${1}\"}, { \$set: { passwordHash : \"${password_hash}\", \"profile.first_name\" : \"${2}\", \"profile.last_name\" : \"${3}\" } } )"
+
diff --git a/scripts/set_subscription_for_client b/scripts/set_subscription_for_client
new file mode 100644
index 0000000..8be3eb7
--- /dev/null
+++ b/scripts/set_subscription_for_client
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+: 'Выдача подпиÑки клиенту. Входные данные: логин и количеÑтво дней на которое
+выпиÑываетÑÑ/продлÑетÑÑ Ð¿Ð¾Ð´Ð¿Ð¸Ñка, ( отÑчет идет от момента иÑÐ¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ Ñкрипта, еÑли
+подпиÑка еще Ð°ÐºÑ‚Ð¸Ð²Ð½Ð°Ñ Ñ‚Ð¾ продлÑетÑÑ Ð½Ð° N дней )'
+
+echo "Set user subscription"
+
+if [ $# -ne "2" ]; then
+ echo "Error! Need two parametrs login(email?) and count day's subscribtion"
+ exit 1
+fi
+
+result=$(mongo dapDb --eval "db.dap_users.find( { login : \"${1}\" } )" | wc -l)
+
+if [ $result -eq 2 ]; then
+ echo "Login not found in DataBase"
+ exit 2
+fi
+
+iso_date_expire=$(mongo dapDb --eval "db.dap_users.find( { login: \"${1}\" }, { expire_date : 1, _id : 0 } )" )
+iso_date_expire=$(echo $iso_date_expire | grep -E -o "ISODate.+)" | grep -E -o "[0-9]+.+Z")
+
+iso_date_expire_in_sec=$(date -d $iso_date_expire "+%s")
+now_date_in_sec=$(date "+%s")
+
+date_diff=`expr $iso_date_expire_in_sec - $now_date_in_sec`
+
+if [ $date_diff -lt 0 ]; then
+ result_date=$(date -u -d '+ '${2}' day' '+%Y-%m-%d %T')
+else
+ result_date=$(date -u -d "$iso_date_expire + ${2} day" "+%Y-%m-%d %T")
+fi
+
+mongo dapDb --eval "db.dap_users.update( { login : \"${1}\"}, { \$set: { expire_date : ISODate(\"${result_date}\") }} )"
+
+echo "Subscription update for client to: " $result_date
+
diff --git a/src/db_auth.c b/src/db_auth.c
index 1e18491..dc4a6c1 100755
--- a/src/db_auth.c
+++ b/src/db_auth.c
@@ -56,10 +56,6 @@ static pthread_mutex_t mutex_on_auth_hash = PTHREAD_MUTEX_INITIALIZER;
 static bool mongod_is_running(void);
-static unsigned char* hash_password(const unsigned char* password,
- unsigned char* salt,
- size_t salt_size);
-
 static const char *l_db_name;
 int db_auth_init(const char* db_name)
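Review bot: `$2` is used as a day count in `date -d '+ '${2}' day'` and `"$iso_date_expire + ${2} day"` without being checked as a non-negative integer, and `$iso_date_expire` goes to `date -d` unquoted; a non-numeric or empty value makes `date` fail, `result_date` becomes empty, and the update still runs and writes `ISODate("")` into the record. A guard before the queries, `case "$2" in ''|*[!0-9]*) echo "Error! Day count must be a number"; exit 1;; esac`, plus a check that `result_date` is non-empty before the `update`, keeps bad input out of the database. The header comment is mojibake (UTF-8 text stored under another encoding) and should be re-saved as UTF-8 or rewritten in English; the file is also added with mode 100644 (as is `dap_user_change_password`) while its siblings are 100755, so only the `PERMISSIONS` clause in CMakeLists makes it executable.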
@@ -328,38 +324,18 @@ bool db_auth_change_password(const char* user, const char* new_password) bson_error_t error; - char salt[9]={0}; - dap_random_string_fill(salt,sizeof(salt)); - - - unsigned const char * password_hash = hash_password(new_password, salt, 8); - char salt_b64[8*2] = {0}; - dap_enc_base64_encode(salt, 8, salt_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - if (!password_hash) { - log_it(L_WARNING,"Can not memmory allocate"); - return false; - } - unsigned char * password_hash_b64 = calloc(4 * DB_AUTH_HASH_LENGTH, sizeof(char)); + char * password_hash_b64 = dap_server_db_hash_password_b64(new_password); - if (!password_hash_b64) { - free((char*)password_hash); - log_it(L_WARNING,"Can not memmory allocate"); - return false; - } - - dap_enc_base64_encode(password_hash, DB_AUTH_HASH_LENGTH * 2, password_hash_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - - - if (*password_hash_b64 == 0) { + if (password_hash_b64 == NULL) { log_it(L_WARNING,"Bad hash(based64) for user password"); return false; } bson_t *update = BCON_NEW ("$set", "{", - "passwordHash", BCON_UTF8 (password_hash_b64), - "salt", BCON_UTF8 (salt_b64),"}"); + "passwordHash", BCON_UTF8 (password_hash_b64), + "}"); if (!mongoc_collection_update (collection_dap_users, MONGOC_UPDATE_NONE, doc_dap_user, update, NULL, &error)) { log_it(L_WARNING,"%s", error.message); @@ -377,7 +353,7 @@ bool db_auth_change_password(const char* user, const char* new_password) if(doc_dap_user) bson_destroy(doc_dap_user); - free((char*)password_hash); free((char*)password_hash_b64); + DAP_DELETE( password_hash_b64 ); log_it(L_INFO, "user: %s change password to %s", user, new_password); return true; 
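Review bot: The `L_INFO` line right after the new `DAP_DELETE( password_hash_b64 )` still writes the plaintext password to the log — `log_it(L_INFO, "user: %s change password to %s", user, new_password);` — and the commit rewrites the lines on either side of it without removing it; `log_it(L_INFO, "user: %s changed password", user);` is what belongs there. With the salt no longer generated, the `$set` silently stops touching the `salt` field, so records updated here keep whatever stale `salt` they had while `check_user_password` (next hunk) still decodes that field; the two paths now disagree about what the field means and the stale value should be unset or the reader removed. The early `return false` on `password_hash_b64 == NULL` leaves `doc_dap_user` and the collection handle un-released, which mirrors the removed code but is worth a `goto`-style cleanup while the function is being reworked. `db_auth_change_password` starts outside the hunk.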
@@ -390,10 +366,10 @@ bool db_auth_change_password(const char* user, const char* new_password) * @param password * @return false if user password not correct */ -bool check_user_password(const char* user, const char* password) +bool check_user_password(const char* a_user, const char* a_password) { - if ( exist_user_in_db(user) == false ){ - log_it(L_WARNING,"User %s is not present in DB",user); + if ( exist_user_in_db(a_user) == false ){ + log_it(L_WARNING,"User %s is not present in DB",a_user); return false; } @@ -403,7 +379,7 @@ bool check_user_password(const char* user, const char* password) mongo_client, l_db_name, "dap_users"); bson_t *query = bson_new(); - BSON_APPEND_UTF8 (query, "login", user); + BSON_APPEND_UTF8 (query, "login", a_user); bson_iter_t iter; bson_t *doc; @@ -422,25 +398,16 @@ bool check_user_password(const char* user, const char* password) dap_enc_base64_decode(salt, 16, salt_from_b64,DAP_ENC_DATA_TYPE_B64); - unsigned const char* password_hash = hash_password(password, salt_from_b64, 8); - if (!password_hash) { - log_it(L_ERROR, "Can not memmory allocate"); - return NULL; - } - - unsigned char * password_hash_b64 = calloc(4 * DB_AUTH_HASH_LENGTH, sizeof(char)); + char* l_password_hash_b64 = dap_server_db_hash_password_b64(a_password); - if (!password_hash_b64) { - free((char*)password_hash); + if (!l_password_hash_b64) { log_it(L_ERROR, "Can not memmory allocate"); return NULL; } - dap_enc_base64_encode(password_hash, DB_AUTH_HASH_LENGTH * 2, password_hash_b64,DAP_ENC_DATA_TYPE_B64); - if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "passwordHash")) { - if ( memcmp(password_hash_b64, bson_iter_value(&iter)->value.v_utf8.str, + if ( memcmp(l_password_hash_b64, bson_iter_value(&iter)->value.v_utf8.str, DB_AUTH_HASH_LENGTH * 2) == 0 ) is_correct_password = true; } 
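Review bot: The `dap_enc_base64_decode(salt, 16, salt_from_b64, ...)` that survives at the top of the third hunk now feeds nothing — the salt is no longer passed into the hash — so it and the `salt` lookup above it are dead code that should leave with the rest of the removed salt handling. The allocation-failure branch still does `return NULL;` from a `bool` function and returns without destroying `query` and `doc` (pre-existing, but the commit rewrites that branch); `return false;` after the cleanup below is what is meant. The `memcmp` against `bson_iter_value(&iter)->value.v_utf8.str` with a fixed `DB_AUTH_HASH_LENGTH * 2` length reads past the stored string whenever the record holds a shorter value, which records written by `dap_user_change_password` in this commit will; comparing `v_utf8.len` first (and using a constant-time compare for the hash) would be safer. `check_user_password` continues outside the hunk.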
@@ -456,7 +423,7 @@ bool check_user_password(const char* user, const char* password) if(doc) bson_destroy(doc); - free((char*)password_hash); free((char*)password_hash_b64); + DAP_DELETE( l_password_hash_b64 ); return is_correct_password; } @@ -518,6 +485,46 @@ static bool db_auth_save_cookie_inform_in_db(const char* login, char* cookie) return result; } + +/** + * @brief dap_server_db_hash_password + * @param password + * @return + */ +unsigned char* dap_server_db_hash_password(const char* a_password) +{ + static const unsigned char s_salt[]={ 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08 }; + static const size_t s_salt_size=sizeof (s_salt); + + unsigned char *md = DAP_NEW_Z_SIZE(unsigned char, DB_AUTH_HASH_LENGTH * 2); + + size_t a_password_length = strlen(a_password); + size_t l_str_length = a_password_length + s_salt_size; + unsigned char *l_str = DAP_NEW_Z_SIZE(unsigned char, l_str_length); + + memcpy(l_str, a_password, a_password_length); + memcpy(l_str + a_password_length, s_salt, s_salt_size); + SHA3_512(md, l_str, l_str_length); + SHA3_512(md + DB_AUTH_HASH_LENGTH, s_salt, s_salt_size); + + DAP_DELETE( l_str ); + return md; +} + +char* dap_server_db_hash_password_b64(const char* a_password) +{ + unsigned char* l_hash = dap_server_db_hash_password( a_password); + char * l_hash_str = DAP_NEW_Z_SIZE(char, 4 * DB_AUTH_HASH_LENGTH+1 ) ; + + if (!l_hash_str) { + DAP_DELETE( (char*)l_hash); + log_it(L_ERROR, "Can not memmory allocate"); + return NULL; + } + + dap_enc_base64_encode(l_hash, DB_AUTH_HASH_LENGTH * 2, l_hash_str,DAP_ENC_DATA_TYPE_B64_URLSAFE); + return l_hash_str; +} /** * @brief db_auth_login Authorization with user/password * @param login ( login = email ) 
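Review bot: `dap_server_db_hash_password` replaces the per-user random salt with the compile-time constant `s_salt` (`0x01..0x08`), so every account with the same password now stores the same `passwordHash`, a single precomputed table covers the whole user base, and the `salt` field the schema still carries is meaningless; a per-user salt kept in the record, as before, fed to a password KDF rather than two raw `SHA3_512` calls is the standard mitigation. Neither `DAP_NEW_Z_SIZE` result is checked — `md` is written by `SHA3_512` and `l_str` by `memcpy` even if NULL — and `dap_server_db_hash_password_b64` hands an unchecked `l_hash` to `dap_enc_base64_encode`; add `if (!md) return NULL;` and `if (!l_str) { DAP_DELETE(md); return NULL; }` in the first function and `if (!l_hash) return NULL;` at the top of the second. `_b64` also never frees `l_hash` on the success path, leaking `DB_AUTH_HASH_LENGTH * 2` bytes per call; `DAP_DELETE(l_hash);` belongs after the encode. The Doxygen header has empty `@param`/`@return` entries and names the parameter `password` instead of `a_password`, and `_b64` has no header at all — both should state the allocator, the buffer length and that the caller owns the result.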
@@ -556,16 +563,7 @@ int db_auth_login(const char* login, const char* password, bson_iter_t iter; - char salt[16] = {0}; char salt_from_b64[8]={0}; - if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "salt")) - memcpy(salt,bson_iter_value(&iter)->value.v_utf8.str,16); - else { - log_it(L_ERROR, "Not find Salt in user"); return 0; - } - - dap_enc_base64_decode(salt, 16, salt_from_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - - unsigned const char* password_hash = hash_password(password, salt_from_b64, 8); + unsigned const char* password_hash = dap_server_db_hash_password(password); if (!password_hash) { log_it(L_ERROR, "Can not memmory allocate"); return 0; @@ -581,17 +579,16 @@ int db_auth_login(const char* login, const char* password, dap_enc_base64_encode(password_hash, DB_AUTH_HASH_LENGTH * 2, password_hash_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "expire_date")) - { + if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "expire_date")) { if ( bson_iter_date_time(&iter) / 1000 < time(NULL) ) { log_it(L_WARNING, "Subscribe %s has been expiried", login); return 4; } - } + }else + log_it(L_NOTICE, "Haven't found expire_date in collection"); - if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "passwordHash")) - { + if (bson_iter_init (&iter, doc) && bson_iter_find (&iter, "passwordHash")) { if ( memcmp(password_hash_b64, bson_iter_value(&iter)->value.v_utf8.str, DB_AUTH_HASH_LENGTH * 2) == 0 ) { @@ -671,7 +668,11 @@ int db_auth_login(const char* login, const char* password, pthread_mutex_lock(&mutex_on_auth_hash); HASH_ADD_STR(auths,cookie,(*ai)); pthread_mutex_unlock(&mutex_on_auth_hash); + }else{ + log_it(L_WARNING, "Input password has hash %s but expected to have %s",password_hash_b64, bson_iter_value(&iter)->value.v_utf8.str ); } + }else{ + log_it(L_WARNING, "No passwordHash in data"); } free(password_hash_b64); 
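Review bot: The new `L_WARNING` on a mismatch prints both the hash of the password the client just sent and the stored hash — `log_it(L_WARNING, "Input password has hash %s but expected to have %s", password_hash_b64, ...)`; with the scheme now unsalted, the first value is an offline-crackable digest of what is usually a mistyped real password and the second is the account's credential, and both land in the server log for anyone who can read it. `log_it(L_WARNING, "Password mismatch for %s", login);` carries the useful signal without the material. `char salt_from_b64[8]={0};` survives but is no longer read, and the new `}else` without braces before the `L_NOTICE` line breaks the brace style the rest of the hunk uses. `db_auth_login` starts and ends outside the hunk.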
@@ -738,36 +739,22 @@ db_auth_info_t * db_auth_register(const char *user,const char *password, (mongo_client, l_db_name, "dap_users"); bson_error_t error; - char salt[9]={0}; - dap_random_string_fill(salt, sizeof (salt)); - unsigned const char * password_hash = hash_password(password, salt, 8); - char salt_b64[8*2] = {0}; - dap_enc_base64_encode(salt, 8, salt_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - if (!password_hash) { - log_it(L_ERROR, "Can not memmory allocate"); - return NULL; - } - - unsigned char * password_hash_b64 = calloc(4 * DB_AUTH_HASH_LENGTH, sizeof(char)); + char * l_password_hash_b64 = dap_server_db_hash_password_b64(password); - if (!password_hash_b64) { - free((char*)password_hash); + if (!l_password_hash_b64) { log_it(L_ERROR, "Can not memmory allocate"); return NULL; } - dap_enc_base64_encode(password_hash, DB_AUTH_HASH_LENGTH * 2, password_hash_b64,DAP_ENC_DATA_TYPE_B64_URLSAFE); - - if (*password_hash_b64 == 0) { + if (*l_password_hash_b64 == 0) { log_it(L_ERROR, "Bad hash(based64) for user password"); return NULL; } bson_t *doc = BCON_NEW("login", user, - "passwordHash", password_hash_b64, - "salt",salt_b64, + "passwordHash", l_password_hash_b64, "domainId", BCON_OID((bson_oid_t*)bson_iter_value(&iter)->value.v_oid.bytes), "email", email, "profile", @@ -776,8 +763,7 @@ db_auth_info_t * db_auth_register(const char *user,const char *password, "last_name", last_name, "}", "contacts" , "[","]"); - free((char*)password_hash); - free(password_hash_b64); + free(l_password_hash_b64); if (!mongoc_collection_insert (collection, MONGOC_INSERT_NONE, doc, NULL, &error)) { log_it (L_WARNING, "%s\n", error.message); 
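Review bot: The `*l_password_hash_b64 == 0` branch returns NULL without releasing `l_password_hash_b64`, which the new code allocated four lines earlier; add `DAP_DELETE(l_password_hash_b64);` before that `return NULL;`. Further down the same buffer is released with `free(l_password_hash_b64)` while every other site in this commit uses `DAP_DELETE`; `DAP_DELETE` matches the `DAP_NEW_Z_SIZE` allocation and should be used here too. New users are now inserted without a `salt` field, so any reader that still looks one up (the `salt` decode left in `check_user_password`) stops finding it for accounts created after this change — worth confirming that path against a freshly registered account. `db_auth_register` continues outside the hunk.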
@@ -862,19 +848,17 @@ db_auth_info_t * db_auth_register_channel(const char* name_channel, const char* mongoc_client_get_collection (mongo_client, l_db_name, "dap_channels"); bson_error_t error; - char salt[9]={0}; - dap_random_string_fill(salt, sizeof (salt)); - unsigned const char * password_hash = hash_password(password, salt, 8); + + char * l_password_hash_b64 = dap_server_db_hash_password_b64(password); bson_t *doc = BCON_NEW("name_channel", name_channel, - "passwordHash", password_hash, - "salt",salt, + "passwordHash", l_password_hash_b64, "domainId", BCON_OID((bson_oid_t*)bson_iter_value(&iter)->value.v_oid.bytes), "subscribers", "[","]", "last_id_message", BCON_INT32(0), "messages","[","]"); - free((char*)password_hash); + DAP_DELETE( l_password_hash_b64 ); if (!mongoc_collection_insert (collection, MONGOC_INSERT_NONE, doc, NULL, &error)) { log_it (L_ERROR, "%s\n", error.message); bson_destroy(query); @@ -1171,21 +1155,7 @@ static bool mongod_is_running() return true; } -inline static unsigned char* hash_password(const unsigned char* password, unsigned char* salt, size_t salt_size) -{ - unsigned char *md = (unsigned char*) malloc (DB_AUTH_HASH_LENGTH * 2); - size_t len_pswd = strlen(password); - size_t length_str = len_pswd + salt_size; - char str[length_str]; - - memcpy(str, password, len_pswd); - memcpy(str + len_pswd, salt, salt_size); - SHA3_512(md, str, length_str); - SHA3_512(md + DB_AUTH_HASH_LENGTH, salt, salt_size); - - return md; -} /// Check user data for correct input. /// @param before_parsing Line size before parsing. -- GitLab
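Review bot: `l_password_hash_b64` goes straight into `BCON_NEW` with no NULL check, unlike the equivalent new code in `db_auth_register` and `check_user_password`, so an allocation failure hands BCON a NULL string. Add `if (!l_password_hash_b64) { log_it(L_ERROR, "Can not memmory allocate"); bson_destroy(query); return NULL; }` before the `BCON_NEW`, mirroring the cleanup the existing error path below already does. The channel password is stored under the same fixed-salt scheme, so the concerns raised on `dap_server_db_hash_password` apply to channels as well. `db_auth_register_channel` starts outside the hunk.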