mirror of
https://github.com/scylladb/scylladb.git
synced 2026-04-20 00:20:47 +00:00
90 lines
2.5 KiB
C++
90 lines
2.5 KiB
C++
/*
|
|
* Copyright (C) 2018-present ScyllaDB
|
|
*/
|
|
|
|
/*
|
|
* SPDX-License-Identifier: LicenseRef-ScyllaDB-Source-Available-1.1
|
|
*/
|
|
|
|
#include "auth/passwords.hh"
|
|
#include "utils/crypt_sha512.hh"
|
|
#include <seastar/core/coroutine.hh>
|
|
|
|
#include <cerrno>
|
|
|
|
extern "C" {
|
|
#include <crypt.h>
|
|
#include <unistd.h>
|
|
}
|
|
|
|
namespace auth::passwords {
|
|
|
|
static thread_local crypt_data tlcrypt = {};
|
|
|
|
namespace detail {
|
|
|
|
void verify_hashing_output(const char * res) {
|
|
if (!res || (res[0] == '*')) {
|
|
throw std::system_error(errno, std::system_category());
|
|
}
|
|
}
|
|
|
|
void verify_scheme(scheme scheme) {
|
|
const sstring random_part_of_salt = "aaaabbbbccccdddd";
|
|
|
|
const sstring salt = sstring(prefix_for_scheme(scheme)) + random_part_of_salt;
|
|
const char* e = crypt_r("fisk", salt.c_str(), &tlcrypt);
|
|
try {
|
|
verify_hashing_output(e);
|
|
} catch (const std::system_error& ex) {
|
|
throw no_supported_schemes();
|
|
}
|
|
}
|
|
|
|
sstring hash_with_salt(const sstring& pass, const sstring& salt) {
|
|
auto res = crypt_r(pass.c_str(), salt.c_str(), &tlcrypt);
|
|
verify_hashing_output(res);
|
|
return res;
|
|
}
|
|
|
|
seastar::future<sstring> hash_with_salt_async(const sstring& pass, const sstring& salt) {
|
|
sstring res;
|
|
// Only SHA-512 hashes for passphrases shorter than 256 bytes can be computed using
|
|
// the __crypt_sha512 method. For other computations, we fall back to the
|
|
// crypt_r implementation from `<crypt.h>`, which can stall.
|
|
if (salt.starts_with(prefix_for_scheme(scheme::sha_512)) && pass.size() <= 255) {
|
|
char buf[128];
|
|
const char * output_ptr = co_await __crypt_sha512(pass.c_str(), salt.c_str(), buf);
|
|
verify_hashing_output(output_ptr);
|
|
res = output_ptr;
|
|
} else {
|
|
const char * output_ptr = crypt_r(pass.c_str(), salt.c_str(), &tlcrypt);
|
|
verify_hashing_output(output_ptr);
|
|
res = output_ptr;
|
|
}
|
|
co_return res;
|
|
}
|
|
|
|
std::string_view prefix_for_scheme(scheme c) noexcept {
|
|
switch (c) {
|
|
case scheme::bcrypt_y: return "$2y$";
|
|
case scheme::bcrypt_a: return "$2a$";
|
|
case scheme::sha_512: return "$6$";
|
|
case scheme::sha_256: return "$5$";
|
|
case scheme::md5: return "$1$";
|
|
}
|
|
}
|
|
|
|
} // namespace detail
|
|
|
|
no_supported_schemes::no_supported_schemes()
|
|
: std::runtime_error("No allowed hashing schemes are supported on this system") {
|
|
}
|
|
|
|
seastar::future<bool> check(const sstring& pass, const sstring& salted_hash) {
|
|
const auto pwd_hash = co_await detail::hash_with_salt_async(pass, salted_hash);
|
|
co_return pwd_hash == salted_hash;
|
|
}
|
|
|
|
} // namespace auth::passwords
|