F #2899: Replace SHA1 by SHA256

* Add new SHA256 hashing function * Change user password from SHA1 to SHA256 automatically
2025-03-16 22:50:10 +03:00 · 2019-03-01 12:30:24 +01:00 · 2019-03-01 12:30:24 +01:00 · 90425c2559
commit 90425c2559
parent dcb1ab9861
11 changed files with 61 additions and 23 deletions
--- a/include/AuthRequest.h
+++ b/include/AuthRequest.h
@ -168,8 +168,9 @@ public:
    bool core_authenticate()
    {
        string sha1_session = one_util::sha1_digest(session);
+        string sha256_session = one_util::sha256_digest(session);

-        return (password == sha1_session);
+        return (password == sha1_session) || (password == sha256_session);
    }

 private:
--- a/include/Image.h
+++ b/include/Image.h
@ -707,11 +707,11 @@ private:
    };

    /**
-     *  "Encrypts" the password with SHA1 digest
+     *  "Encrypts" the password with SHA256 digest
     *  @param password
-     *  @return sha1 encrypted password
+     *  @return sha256 encrypted password
     */
-    static string sha1_digest(const string& pass);
+    static string sha256_digest(const string& pass);

 protected:

--- a/include/NebulaUtil.h
+++ b/include/NebulaUtil.h
@ -49,7 +49,14 @@ namespace one_util
     */
    std::string sha1_digest(const std::string& in);

-   /**
+    /**
+     *  sha256 digest
+     *  @param in the string to be hashed
+     *  @return sha256 hash of str
+     */
+    std::string sha256_digest(const std::string& in);
+
+    /**
    *  Base 64 encoding
    *    @param in the string to encoded
    *    @return a pointer to the encoded string (must be freed) or 0 in case of
--- a/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
+++ b/src/authm_mad/remotes/server_cipher/server_cipher_auth.rb
@ -15,7 +15,7 @@
 #--------------------------------------------------------------------------- #

 require 'openssl'
-require 'digest/sha1'
+require 'digest/sha2'

 require 'base64'
 require 'fileutils'
@ -40,7 +40,7 @@ class OpenNebula::ServerCipherAuth

        if !srv_passwd.empty?
            # truncate token to 32-bytes for Ruby >= 2.4
-            @key = Digest::SHA1.hexdigest(@srv_passwd)[0..31]
+            @key = Digest::SHA256.hexdigest(@srv_passwd)[0..31]
        else
            @key = ""
        end
--- a/src/cli/one_helper/oneuser_helper.rb
+++ b/src/cli/one_helper/oneuser_helper.rb
@ -65,9 +65,9 @@ class OneUserHelper < OpenNebulaHelper::OneHelper
            password = OpenNebula::X509Auth.escape_dn(password)
        end

-        if options[:sha1] || options[:driver] == OpenNebula::User::CIPHER_AUTH
-            require 'digest/sha1'
-            password = Digest::SHA1.hexdigest(password)
+        if options[:sha256] || options[:driver] == OpenNebula::User::CIPHER_AUTH
+            require 'digest/sha2'
+            password = Digest::SHA256.hexdigest(password)
        end

        return 0, password
--- a/src/cli/oneuser
+++ b/src/cli/oneuser
@ -72,11 +72,10 @@ CommandParser::CmdParser.new(ARGV) do
        :description => 'Read password from file'
    }

-    SHA1 = {
-        :name => 'sha1',
-        :large => '--sha1',
-        :description => "The password will be hashed using the sha1\n" \
-                        ' ' * 31 << 'algorithm'
+    SHA256 = {
+        :name => 'sha256',
+        :large => '--sha256',
+        :description => 'The password will be hashed using the sha256 algorithm'
    }

    SSH = {
@ -203,7 +202,7 @@ CommandParser::CmdParser.new(ARGV) do
        :description => 'enable stdin password'
    }

-    auth_options = [READ_FILE, SHA1, SSH, X509, KEY, CERT, DRIVER]
+    auth_options = [READ_FILE, SHA256, SSH, X509, KEY, CERT, DRIVER]

    create_options = auth_options.clone.unshift(GROUP_CREATE)

--- a/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb
+++ b/src/cloud/common/CloudAuth/SunstoneCloudAuth.rb
@ -23,11 +23,11 @@ module SunstoneCloudAuth

            one_pass = get_password(username, 'core')

-            if one_pass && one_pass == Digest::SHA1.hexdigest(password)
+            if one_pass && one_pass == Digest::SHA256.hexdigest(password)
                return username
            end
        end

        return nil
    end
-end
+end
--- a/src/common/NebulaUtil.cc
+++ b/src/common/NebulaUtil.cc
@ -211,6 +211,23 @@ string one_util::sha1_digest(const string& in)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */

+string one_util::sha256_digest(const string& in)
+{
+    unsigned char digest[SHA256_DIGEST_LENGTH];
+    stringstream oss;
+
+    SHA256((unsigned char*) in.c_str(), in.length(), digest);
+
+    for(int i = 0; i < SHA256_DIGEST_LENGTH; i++)
+         oss << setfill('0') << setw(2) << hex << nouppercase
+             << (unsigned int) digest[i];
+
+    return oss.str();
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 string * one_util::aes256cbc_encrypt(const string& in, const string password)
 {
    EVP_CIPHER_CTX *ctx;
@ -262,7 +279,7 @@ string one_util::random_password()

    sstr << rand();

-    return sha1_digest(sstr.str());
+    return sha256_digest(sstr.str());
 }

 /* -------------------------------------------------------------------------- */
--- a/src/sunstone/sunstone-server.rb
+++ b/src/sunstone/sunstone-server.rb
@ -281,7 +281,7 @@ helpers do
            session[:display_name] = user[DISPLAY_NAME_XPATH] || user['NAME']

            csrftoken_plain = Time.now.to_f.to_s + SecureRandom.base64
-            session[:csrftoken] = Digest::MD5.hexdigest(csrftoken_plain)
+            session[:csrftoken] = Digest::SHA256.hexdigest(csrftoken_plain)

            group = OpenNebula::Group.new_with_id(OpenNebula::Group::SELF, client)
            rc = group.info
--- a/src/um/User.cc
+++ b/src/um/User.cc
@ -346,7 +346,7 @@ int User::set_password(const string& passwd, string& error_str)
    {
        if (auth_driver == UserPool::CORE_AUTH)
        {
-            password = one_util::sha1_digest(passwd);
+            password = one_util::sha256_digest(passwd);
        }
        else
        {
--- a/src/um/UserPool.cc
+++ b/src/um/UserPool.cc
@ -173,7 +173,7 @@ UserPool::UserPool(SqlDB * db,
    allocate(&server_uid,
             SERVER_NAME,
             GroupPool::ONEADMIN_ID,
-             one_util::sha1_digest(random),
+             one_util::sha256_digest(random),
             "server_cipher",
             true,
             gids,
@ -374,7 +374,7 @@ int UserPool::allocate (

    if (auth_driver == UserPool::CORE_AUTH)
    {
-        upass = one_util::sha1_digest(password);
+        upass = one_util::sha256_digest(password);
    }

    if (gids.empty())
@ -661,6 +661,19 @@ bool UserPool::authenticate_internal(User *        user,

    AuthRequest ar(user_id, group_ids);

+    // -------------------------------------------------------------------------
+    // Update SHA1 to SHA256
+    // -------------------------------------------------------------------------
+    if (password == one_util::sha1_digest(token))
+    {
+        int rc = user->set_password(token, error_str);
+
+        if ( rc == 0 )
+        {
+            update(user);
+        }
+    }
+
    // -------------------------------------------------------------------------
    // Check if token is a login or session token, and set EGID if needed
    // -------------------------------------------------------------------------
@ -704,6 +717,7 @@ bool UserPool::authenticate_internal(User *        user,
    }

    user->unlock();
+
    // -------------------------------------------------------------------------
    // Not a valid token, perform authentication
    // -------------------------------------------------------------------------