Remove support for the old unsalted SHA-1 passwords.

author Steinar H. Gunderson <sgunderson@bigfoot.com>

Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)

committer Steinar H. Gunderson <sgunderson@bigfoot.com>

Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)
author Steinar H. Gunderson <sgunderson@bigfoot.com>
Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)
committer Steinar H. Gunderson <sgunderson@bigfoot.com>
Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)
diff --git a/doc/modules.txt b/doc/modules.txt

index c0b88a6aeef252e8167695c6b47ea47094cd7b74..4ac07451fa8dc1251e56099c27469554fb22f61f 100644 (file)
--- a/doc/modules.txt
+++ b/doc/modules.txt
@@ -7,8 +7,6 @@ PerlMagick                  perlmagick                 Scaling etc.
  MIME::Types                 libmime-types-perl         Sending the right MIME types
  DBD::Pg                     libdbd-pg-perl             PostgreSQL connection
  Image::ExifTool             libimage-exiftool-perl     Parsing EXIF data
  MIME::Types                 libmime-types-perl         Sending the right MIME types
  DBD::Pg                     libdbd-pg-perl             PostgreSQL connection
  Image::ExifTool             libimage-exiftool-perl     Parsing EXIF data
-Digest::SHA1                libdigest-sha1-perl        Verifying passwords
-Digest::HMAC_SHA1           libdigest-hmac-perl        Verifying digest passwords
  Crypt::Eksblowfish::Bcrypt  libcrypt-eksblowfish-perl  Verifying passwords
  HTML::TagCloud              libhtml-tagcloud-perl      Tag cloud on /+tags/
  jpegtran                    libjpeg-progs              Lossless JPEG rotation
  Crypt::Eksblowfish::Bcrypt  libcrypt-eksblowfish-perl  Verifying passwords
  HTML::TagCloud              libhtml-tagcloud-perl      Tag cloud on /+tags/
  jpegtran                    libjpeg-progs              Lossless JPEG rotation
diff --git a/perl/Sesse/pr0n/Common.pm b/perl/Sesse/pr0n/Common.pm

index f98d16fe28dbba3e77719e61c7d94a520574e83e..a6a8de4b52f82cd9db3138a8dc1fadea065d05e1 100644 (file)
--- a/perl/Sesse/pr0n/Common.pm
+++ b/perl/Sesse/pr0n/Common.pm
@@ -13,8 +13,6 @@ use DBD::Pg;
  use Image::Magick;
  use IO::String;
  use POSIX;
  use Image::Magick;
  use IO::String;
  use POSIX;
-use Digest::SHA;
-use Digest::HMAC_SHA1;
  use MIME::Base64;
  use MIME::Types;
  use LWP::Simple;
  use MIME::Base64;
  use MIME::Types;
  use LWP::Simple;
@@ -342,35 +340,16 @@ sub check_basic_auth {
         my ($raw_user, $pass) = split /:/, MIME::Base64::decode_base64($auth);
         my ($user, $takenby) = extract_takenby($raw_user);
  
         my ($raw_user, $pass) = split /:/, MIME::Base64::decode_base64($auth);
         my ($user, $takenby) = extract_takenby($raw_user);
  
-       my $ref = $dbh->selectrow_hashref('SELECT sha1password,cryptpassword FROM users WHERE username=? AND vhost=?',
+       my $ref = $dbh->selectrow_hashref('SELECT cryptpassword FROM users WHERE username=? AND vhost=?',
                 undef, $user, Sesse::pr0n::Common::get_server_name($r));
                 undef, $user, Sesse::pr0n::Common::get_server_name($r));
-       my ($sha1_matches, $bcrypt_matches) = (0, 0);
-       if (defined($ref) && defined($ref->{'sha1password'})) {
-               $sha1_matches = (Digest::SHA::sha1_base64($pass) eq $ref->{'sha1password'});
-       }
-       if (defined($ref) && defined($ref->{'cryptpassword'})) {
-               $bcrypt_matches = (Crypt::Eksblowfish::Bcrypt::bcrypt($pass, $ref->{'cryptpassword'}) eq $ref->{'cryptpassword'});
-       }
-
-       if (!defined($ref) || (!$sha1_matches && !$bcrypt_matches)) {
+       my $bcrypt_matches = 0;
+       if (!defined($ref) || Crypt::Eksblowfish::Bcrypt::bcrypt($pass, $ref->{'cryptpassword'}) ne $ref->{'cryptpassword'}) {
                 $r->content_type('text/plain; charset=utf-8');
                 log_warn($r, "Authentication failed for $user/$takenby");
                 return undef;
         }
         log_info($r, "Authentication succeeded for $user/$takenby");
  
                 $r->content_type('text/plain; charset=utf-8');
                 log_warn($r, "Authentication failed for $user/$takenby");
                 return undef;
         }
         log_info($r, "Authentication succeeded for $user/$takenby");
  
-       # Make sure we can use bcrypt authentication in the future with this password.
-       # Also remove old-style SHA1 password when we migrate.
-       if (!$bcrypt_matches) {
-               my $salt = get_pseudorandom_bytes(16);  # Doesn't need to be cryptographically secur.
-               my $hash = "\$2a\$07\$" . Crypt::Eksblowfish::Bcrypt::en_base64($salt);
-               my $cryptpassword = Crypt::Eksblowfish::Bcrypt::bcrypt($pass, $hash);
-               $dbh->do('UPDATE users SET sha1password=NULL,cryptpassword=? WHERE username=? AND vhost=?',
-                       undef, $cryptpassword, $user, Sesse::pr0n::Common::get_server_name($r))
-                       or die "Couldn't update: " . $dbh->errstr;
-               log_info($r, "Updated bcrypt hash for $user");
-       }
-
         return ($user, $takenby);
  }
  
         return ($user, $takenby);
  }
  
diff --git a/sql/pr0n.sql b/sql/pr0n.sql

index 36d82d6d532009042904ca5f79f14519261f01b8..10cca1c49b9ef0a9a92200d62200dde93f2044e2 100644 (file)
--- a/sql/pr0n.sql
+++ b/sql/pr0n.sql
@@ -73,9 +73,8 @@ CREATE TABLE shadow_files (
  
  CREATE TABLE users (
      username character varying NOT NULL,
  
  CREATE TABLE users (
      username character varying NOT NULL,
-    sha1password character(27),
      vhost character varying NOT NULL,
      vhost character varying NOT NULL,
-    cryptpassword character varying
+    cryptpassword character varying NOT NULL
  );
  
  -- Mainly used for manual queries -- usually too slow to be very useful
  );
  
  -- Mainly used for manual queries -- usually too slow to be very useful
author	Steinar H. Gunderson <sgunderson@bigfoot.com>
	Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)
committer	Steinar H. Gunderson <sgunderson@bigfoot.com>
	Fri, 20 Nov 2015 00:47:21 +0000 (01:47 +0100)
doc/modules.txt		patch \| blob \| history
perl/Sesse/pr0n/Common.pm		patch \| blob \| history
sql/pr0n.sql		patch \| blob \| history