detect and use sha512-crypt for stored password hash.

author Moonman <shitposterclub@gmail.com>

Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)

committer Moonman <shitposterclub@gmail.com>

Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)
author Moonman <shitposterclub@gmail.com>
Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)
committer Moonman <shitposterclub@gmail.com>
Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)
diff --git a/lib/pleroma/plugs/authentication_plug.ex b/lib/pleroma/plugs/authentication_plug.ex

index da4ed4226620215ea1ca50f3e98588fc5088aaeb..48dc1f818742f6ac1efe1bd27f61b73bba21c39d 100644 (file)
--- a/lib/pleroma/plugs/authentication_plug.ex
+++ b/lib/pleroma/plugs/authentication_plug.ex
@@ -6,11 +6,24 @@ defmodule Pleroma.Plugs.AuthenticationPlug do
    alias Comeonin.Pbkdf2
    import Plug.Conn
    alias Pleroma.User
+  require Logger
  
    def init(options) do
      options
    end
  
+  def checkpw(password, password_hash) do
+    cond do
+      String.starts_with?(password_hash, "$pbkdf2") ->
+        Pbkdf2.checkpw(password, password_hash)
+      String.starts_with?(password_hash, "$6") ->
+        :crypt.crypt(password, password_hash) == password_hash
+      true ->
+        Logger.error("Password hash not recognized")
+        false
+    end
+  end
+
    def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
  
    def call(
diff --git a/lib/pleroma/web/auth/pleroma_authenticator.ex b/lib/pleroma/web/auth/pleroma_authenticator.ex

index a9164ad9837960c2ca9e9c7d8549517987967025..f4234b743c509909cc8c28cbe63dfe27aed7ce1f 100644 (file)
--- a/lib/pleroma/web/auth/pleroma_authenticator.ex
+++ b/lib/pleroma/web/auth/pleroma_authenticator.ex
@@ -3,7 +3,7 @@
  # SPDX-License-Identifier: AGPL-3.0-only
  
  defmodule Pleroma.Web.Auth.PleromaAuthenticator do
-  alias Comeonin.Pbkdf2
+  alias Pleroma.Plugs.AuthenticationPlug
    alias Pleroma.Registration
    alias Pleroma.Repo
    alias Pleroma.User
@@ -16,7 +16,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
    def get_user(%Plug.Conn{} = conn) do
      with {:ok, {name, password}} <- fetch_credentials(conn),
           {_, %User{} = user} <- {:user, fetch_user(name)},
-         {_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do
+         {_, true} <- {:checkpw, AuthenticationPlug.checkpw(password, user.password_hash)} do
        {:ok, user}
      else
        error ->
diff --git a/lib/pleroma/web/common_api/utils.ex b/lib/pleroma/web/common_api/utils.ex

index 8e482eef7b88f9e9520e40e70b039598e0ee3d01..e013188cfb93818ee6d5c8945d53dc0c25700dfb 100644 (file)
--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@@ -6,11 +6,11 @@ defmodule Pleroma.Web.CommonAPI.Utils do
    import Pleroma.Web.Gettext
  
    alias Calendar.Strftime
-  alias Comeonin.Pbkdf2
    alias Pleroma.Activity
    alias Pleroma.Config
    alias Pleroma.Formatter
    alias Pleroma.Object
+  alias Pleroma.Plugs.AuthenticationPlug
    alias Pleroma.Repo
    alias Pleroma.User
    alias Pleroma.Web.ActivityPub.Utils
@@ -371,7 +371,7 @@ defmodule Pleroma.Web.CommonAPI.Utils do
  
    def confirm_current_password(user, password) do
      with %User{local: true} = db_user <- User.get_cached_by_id(user.id),
-         true <- Pbkdf2.checkpw(password, db_user.password_hash) do
+         true <- AuthenticationPlug.checkpw(password, db_user.password_hash) do
        {:ok, db_user}
      else
        _ -> {:error, dgettext("errors", "Invalid password.")}
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex

index b1863528f36f3b1df42d5b4972905d3e017e9224..c10c66ff2a0d77feec72b76be71f604f4ef0ba65 100644 (file)
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -7,10 +7,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
  
    require Logger
  
-  alias Comeonin.Pbkdf2
    alias Pleroma.Activity
    alias Pleroma.Emoji
    alias Pleroma.Notification
+  alias Pleroma.Plugs.AuthenticationPlug
    alias Pleroma.User
    alias Pleroma.Web
    alias Pleroma.Web.ActivityPub.ActivityPub
@@ -96,7 +96,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
      name = followee.nickname
  
      with %User{} = user <- User.get_cached_by_nickname(username),
-         true <- Pbkdf2.checkpw(password, user.password_hash),
+         true <- AuthenticationPlug.checkpw(password, user.password_hash),
           %User{} = _followed <- User.get_cached_by_id(id),
           {:ok, follower} <- User.follow(user, followee),
           {:ok, _activity} <- ActivityPub.follow(follower, followee) do
author	Moonman <shitposterclub@gmail.com>
	Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)
committer	Moonman <shitposterclub@gmail.com>
	Sun, 14 Jul 2019 16:48:42 +0000 (09:48 -0700)
lib/pleroma/plugs/authentication_plug.ex		patch \| blob \| history
lib/pleroma/web/auth/pleroma_authenticator.ex		patch \| blob \| history
lib/pleroma/web/common_api/utils.ex		patch \| blob \| history
lib/pleroma/web/twitter_api/controllers/util_controller.ex		patch \| blob \| history