added sha512 password hashing, protocol version 13, server version bump

2011-09-21 13:12:08 +00:00 · 2011-09-21 13:12:08 +00:00 · 53330090fb
commit 53330090fb
parent 8344920fdc
6 changed files with 56 additions and 4 deletions
--- a/common/protocol.h
+++ b/common/protocol.h
@ -59,7 +59,7 @@ private:
 	static void initializeHashAuto();
 	bool receiverMayDelete;
 public:
-	static const int protocolVersion = 12;
+	static const int protocolVersion = 13;
 	static void initializeHash();
 	virtual int getItemId() const = 0;
 	bool getReceiverMayDelete() const { return receiverMayDelete; }
--- a/servatrice/servatrice.pro
+++ b/servatrice/servatrice.pro
@ -8,6 +8,7 @@ DEPENDPATH += . src ../common
 INCLUDEPATH += . src ../common
 MOC_DIR = build
 OBJECTS_DIR = build
+LIBS += -lgcrypt

 CONFIG += qt debug
 QT += network sql
@ -18,6 +19,7 @@ HEADERS += src/main.h \
 	src/serversocketinterface.h \
 	src/server_logger.h \
 	src/serversocketthread.h \
+	src/passwordhasher.h \
 	../common/color.h \
 	../common/serializable_item.h \
 	../common/decklist.h \
@ -42,6 +44,7 @@ SOURCES += src/main.cpp \
 	src/serversocketinterface.cpp \
 	src/server_logger.cpp \
 	src/serversocketthread.cpp \
+	src/passwordhasher.cpp \
 	../common/serializable_item.cpp \
 	../common/decklist.cpp \
 	../common/protocol.cpp \
--- a/servatrice/src/main.cpp
+++ b/servatrice/src/main.cpp
@ -23,6 +23,8 @@
 #include <iostream>
 #include <QMetaType>
 #include <QSettings>
+#include <QDateTime>
+#include "passwordhasher.h"
 #include "servatrice.h"
 #include "server_logger.h"
 #include "rng_sfmt.h"
@ -68,6 +70,17 @@ void testRNG()
 	std::cerr << std::endl << std::endl;
 }

+void testHash()
+{
+	const int n = 5000;
+	std::cerr << "Benchmarking password hash function (n =" << n << ")..." << std::endl;
+	QDateTime startTime = QDateTime::currentDateTime();
+	for (int i = 0; i < n; ++i)
+		PasswordHasher::computeHash("aaaaaa", "aaaaaaaaaaaaaaaa");
+	QDateTime endTime = QDateTime::currentDateTime();
+	std::cerr << startTime.secsTo(endTime) << "secs" << std::endl;
+}
+
 void myMessageOutput(QtMsgType /*type*/, const char *msg)
 {
 	logger->logMessage(msg);
@ -93,6 +106,7 @@ int main(int argc, char *argv[])
 	
 	QStringList args = app.arguments();
 	bool testRandom = args.contains("--test-random");
+	bool testHashFunction = args.contains("--test-hash");
 	
 	qRegisterMetaType<QList<int> >("QList<int>");
 	
@ -128,6 +142,8 @@ int main(int argc, char *argv[])
 	
 	if (testRandom)
 		testRNG();
+	if (testHashFunction)
+		testHash();
 	
 	Servatrice *server = new Servatrice(settings);
 	QObject::connect(server, SIGNAL(destroyed()), &app, SLOT(quit()), Qt::QueuedConnection);
--- a/servatrice/src/passwordhasher.cpp
+++ b/servatrice/src/passwordhasher.cpp
@ -0,0 +1,21 @@
+#include "passwordhasher.h"
+#include <stdio.h>
+#include <string.h>
+#include <gcrypt.h>
+
+QString PasswordHasher::computeHash(const QString &password, const QString &salt)
+{
+	const int algo = GCRY_MD_SHA512;
+	const int rounds = 1000;
+
+	QByteArray passwordBuffer = (salt + password).toAscii();
+	int hashLen = gcry_md_get_algo_dlen(algo);
+	char hash[hashLen], tmp[hashLen];
+	gcry_md_hash_buffer(algo, hash, passwordBuffer.data(), passwordBuffer.size());
+	for (int i = 1; i < rounds; ++i) {
+		memcpy(tmp, hash, hashLen);
+		gcry_md_hash_buffer(algo, hash, tmp, hashLen);
+	}
+	return salt + QString(QByteArray(hash, hashLen).toBase64());
+}
+
--- a/servatrice/src/passwordhasher.h
+++ b/servatrice/src/passwordhasher.h
@ -0,0 +1,11 @@
+#ifndef PASSWORDHASHER_H
+#define PASSWORDHASHER_H
+
+#include <QObject>
+
+class PasswordHasher {
+public:
+	static QString computeHash(const QString &password, const QString &salt);
+};
+
+#endif
--- a/servatrice/src/servatrice.cpp
+++ b/servatrice/src/servatrice.cpp
@ -28,6 +28,7 @@
 #include "protocol.h"
 #include "server_logger.h"
 #include "main.h"
+#include "passwordhasher.h"

 void Servatrice_TcpServer::incomingConnection(int socketDescriptor)
 {
@ -185,7 +186,7 @@ AuthenticationResult Servatrice::checkUserPassword(Server_ProtocolHandler *handl
 		checkSql();
 		
 		QSqlQuery query;
-		query.prepare("select a.password, time_to_sec(timediff(now(), date_add(b.time_from, interval b.minutes minute))) < 0, b.minutes <=> 0 from " + dbPrefix + "_users a left join " + dbPrefix + "_bans b on b.id_user = a.id and b.time_from = (select max(c.time_from) from " + dbPrefix + "_bans c where c.id_user = a.id) where a.name = :name and a.active = 1");
+		query.prepare("select a.password_sha512, time_to_sec(timediff(now(), date_add(b.time_from, interval b.minutes minute))) < 0, b.minutes <=> 0 from " + dbPrefix + "_users a left join " + dbPrefix + "_bans b on b.id_user = a.id and b.time_from = (select max(c.time_from) from " + dbPrefix + "_bans c where c.id_user = a.id) where a.name = :name and a.active = 1");
 		query.bindValue(":name", user);
 		if (!execSqlQuery(query)) {
 			qDebug("Login denied: SQL error");
@ -197,7 +198,7 @@ AuthenticationResult Servatrice::checkUserPassword(Server_ProtocolHandler *handl
 				qDebug("Login denied: banned");
 				return PasswordWrong;
 			}
-			if (query.value(0).toString() == password) {
+			if (query.value(0).toString() == PasswordHasher::computeHash(password, query.value(0).toString().left(16))) {
 				qDebug("Login accepted: password right");
 				return PasswordRight;
 			} else {
@ -423,4 +424,4 @@ void Servatrice::shutdownTimeout()
 		deleteLater();
 }

-const QString Servatrice::versionString = "Servatrice 0.20110803";
+const QString Servatrice::versionString = "Servatrice 0.20110921";