Skip to content

Commit 773cee1

Browse files
royjacobsonroyjacobson
authored
security: Fix the password hashing in UserRegistry. (#1702)
1 parent ec22e73 commit 773cee1

File tree

2 files changed

+19
-15
lines changed

2 files changed

+19
-15
lines changed

src/server/acl/user.cc

Lines changed: 17 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4,17 +4,28 @@
44

55
#include "server/acl/user.h"
66

7-
#include <xxhash.h>
7+
#include <openssl/sha.h>
88

99
namespace dfly {
1010

11+
namespace {
12+
std::string StringSHA256(std::string_view password) {
13+
std::string hash;
14+
hash.resize(SHA256_DIGEST_LENGTH);
15+
SHA256(reinterpret_cast<const unsigned char*>(password.data()), password.size(),
16+
reinterpret_cast<unsigned char*>(hash.data()));
17+
return hash;
18+
}
19+
20+
} // namespace
21+
1122
User::User() {
1223
// acl_categories_ = AclCat::ACL_CATEGORY_ADMIN;
1324
}
1425

1526
void User::Update(UpdateRequest&& req) {
1627
if (req.password) {
17-
SetPassword(*req.password);
28+
SetPasswordHash(*req.password);
1829
}
1930

2031
if (req.plus_acl_categories) {
@@ -30,19 +41,19 @@ void User::Update(UpdateRequest&& req) {
3041
}
3142
}
3243

33-
void User::SetPassword(std::string_view password) {
34-
password_ = HashPassword(password);
44+
void User::SetPasswordHash(std::string_view password) {
45+
password_hash_ = StringSHA256(password);
3546
}
3647

3748
bool User::HasPassword(std::string_view password) const {
38-
if (!password_) {
49+
if (!password_hash_) {
3950
if (password == "nopass") {
4051
return true;
4152
}
4253
return false;
4354
}
4455
// hash password and compare
45-
return *password_ == HashPassword(password);
56+
return *password_hash_ == StringSHA256(password);
4657
}
4758

4859
void User::SetAclCategories(uint64_t cat) {
@@ -70,8 +81,4 @@ bool User::IsActive() const {
7081
return is_active_;
7182
}
7283

73-
uint32_t User::HashPassword(std::string_view password) const {
74-
return XXH3_64bits(password.data(), password.size());
75-
}
76-
7784
} // namespace dfly

src/server/acl/user.h

Lines changed: 2 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -147,15 +147,12 @@ class User final {
147147
// For is_active flag
148148
void SetIsActive(bool is_active);
149149

150-
// Helper function for hashing passwords
151-
uint32_t HashPassword(std::string_view password) const;
152-
153150
// For passwords
154-
void SetPassword(std::string_view password);
151+
void SetPasswordHash(std::string_view password);
155152

156153
// when optional is empty, the special `nopass` password is implied
157154
// password hashed with xx64
158-
std::optional<uint64_t> password_;
155+
std::optional<std::string> password_hash_;
159156
uint32_t acl_categories_{AclCat::ACL_CATEGORY_NONE};
160157

161158
// we have at least 221 commands including a bunch of subcommands

0 commit comments

Comments
 (0)