1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
From eb4221096cc581a41f64d7d6b99e8d5be0d470b0 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 27 Oct 2011 18:52:11 +0200
Subject: [PATCH 1/2] authenticator: use salt and sha-512 encryption
---
lib/authenticator.lua | 45 +++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/lib/authenticator.lua b/lib/authenticator.lua
index 724b854..f3af4e3 100644
--- a/lib/authenticator.lua
+++ b/lib/authenticator.lua
@@ -6,6 +6,8 @@ module (..., package.seeall)
require("modelfunctions")
require("format")
require("md5")
+require("posix")
+require("session")
-- This is the sub-authenticator
-- In the future, this will be set based upon configuration
@@ -61,6 +63,45 @@ local get_id = function(self, userid)
return authstruct[userid]
end
+-- verify a plaintextword against a hash
+-- returns:
+-- true if password matches or
+-- false if password does not match
+local verify_password = function(plaintext, pwhash)
+ --[[
+ from man crypt(3):
+
+ If salt is a character string starting with the characters "$id$" fol-
+ lowed by a string terminated by "$":
+
+ $id$salt$encrypted
+
+ then instead of using the DES machine, id identifies the encryption
+ method used and this then determines how the rest of the password
+ string is interpreted. The following values of id are supported:
+
+ ID | Method
+ ---------------------------------------------------------
+ 1 | MD5
+ 2a | Blowfish (not in mainline glibc; added in some
+ | Linux distributions)
+ 5 | SHA-256 (since glibc 2.7)
+ 6 | SHA-512 (since glibc 2.7)
+ ]]--
+ local algo_salt, hash = string.match(pwhash, "^(%$%d%$[a-zA-Z0-9./]+%$)(.*)")
+ if algo_salt ~= nil and hash ~= nil then
+ return (pwhash == posix.crypt(plaintext, algo_salt))
+ end
+ -- fall back to old style md5 checksum
+ return (pwhash == md5.sumhexa(plaintext))
+end
+
+-- generate a salt string
+local mksalt = function()
+ -- use sha-512 algorithm (no 6)
+ return "$6$"..session.random_hash(96).."$"
+end
+
--- public methods
-- This function returns true or false, and
@@ -75,7 +116,7 @@ authenticate = function(self, userid, password)
if not id then
errtxt = "Userid not found"
- elseif id.password ~= md5.sumhexa(password) then
+ elseif not verify_password(password, id.password) then
errtxt = "Invalid password"
end
end
@@ -110,7 +151,7 @@ write_userinfo = function(self, userinfo)
-- Username, password, roles, skin, home are allowed to not exist, just leave the same
id.userid = userinfo.userid
if userinfo.username then id.username = userinfo.username end
- if userinfo.password then id.password = md5.sumhexa(userinfo.password) end
+ if userinfo.password then id.password = posix.crypt(userinfo.password, mksalt()) end
if userinfo.roles then id.roles = table.concat(userinfo.roles, ",") end
if userinfo.skin then id.skin = userinfo.skin end
if userinfo.home then id.home = userinfo.home end
--
1.7.8.2
|
