d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-01-11 23:37:59 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9942 from Chocobo1/pbkdf2

Browse Source 
Do password hashing properly
This commit is contained in:
Mike Tzou 2018-12-06 16:22:22 +08:00 committed by GitHub
commit 6bb4eb825b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 367 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.travis.yml
View File

@ -80,7 +80,7 @@ before_install:
if [ "$TRAVIS_OS_NAME" = "linux" ]; then if [ "$TRAVIS_OS_NAME" = "linux" ]; then
qbtconf="$qbtconf --prefix="$qbt_path" PKG_CONFIG_PATH=/opt/qt55/lib/pkgconfig:$PKG_CONFIG_PATH" qbtconf="$qbtconf --prefix="$qbt_path" PKG_CONFIG_PATH=/opt/qt55/lib/pkgconfig:$PKG_CONFIG_PATH"
else else
qbtconf="$qbtconf --prefix="$qbt_path"" qbtconf="$qbtconf --prefix="$qbt_path" PKG_CONFIG_PATH=/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH"
fi fi
# options for specific branches # options for specific branches
@ -120,7 +120,8 @@ install:
# dependencies # dependencies
brew update > /dev/null brew update > /dev/null
brew outdated "pkg-config" || brew upgrade "pkg-config" brew outdated "pkg-config" || brew upgrade "pkg-config"
brew install colormake ccache zlib qt libtorrent-rasterbar brew install colormake ccache zlib qt openssl libtorrent-rasterbar
PATH="/usr/local/opt/ccache/libexec:$PATH" PATH="/usr/local/opt/ccache/libexec:$PATH"
brew link --force zlib qt brew link --force zlib qt
@ -130,9 +131,9 @@ install:
sudo ln -s /usr/local/opt/qt/mkspecs /usr/local/mkspecs sudo ln -s /usr/local/opt/qt/mkspecs /usr/local/mkspecs
sudo ln -s /usr/local/opt/qt/plugins /usr/local/plugins sudo ln -s /usr/local/opt/qt/plugins /usr/local/plugins
fi
MY_CMAKE_OPENSSL_HINT="-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/" MY_CMAKE_OPENSSL_HINT="-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl/"
fi
fi fi
- | - |
if [ "$TRAVIS_BRANCH" != "$coverity_branch" ]; then if [ "$TRAVIS_BRANCH" != "$coverity_branch" ]; then
@ -159,8 +160,8 @@ script:
# For some reason for RC_1_1 we need to also specify the OpenSSL compiler/linker flags # For some reason for RC_1_1 we need to also specify the OpenSSL compiler/linker flags
# Homebrew doesn't symlink OpenSSL for security reasons # Homebrew doesn't symlink OpenSSL for security reasons
./bootstrap.sh ./bootstrap.sh
./configure $qbtconf CXXFLAGS="$CXXFLAGS $(PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH" pkg-config --cflags openssl) -std=c++14" \ ./configure $qbtconf CXXFLAGS="$CXXFLAGS -std=c++14"
LDFLAGS="$LDFLAGS $(PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig:$PKG_CONFIG_PATH" pkg-config --libs openssl)"
sed -i "" -e "s/^\(CC.*&&\).*$/\1 $CC/" src/Makefile # workaround for Qt & ccache: https://bugreports.qt.io/browse/QTBUG-31034 sed -i "" -e "s/^\(CC.*&&\).*$/\1 $CC/" src/Makefile # workaround for Qt & ccache: https://bugreports.qt.io/browse/QTBUG-31034
sed -i "" -e "s/^\(CXX.*&&\).*$/\1 $CXX/" src/Makefile sed -i "" -e "s/^\(CXX.*&&\).*$/\1 $CXX/" src/Makefile
sed -i "" -e 's/^\(CXXFLAGS.*\)$/\1 -Wno-unused-local-typedefs -Wno-inconsistent-missing-override/' src/Makefile sed -i "" -e 's/^\(CXXFLAGS.*\)$/\1 -Wno-unused-local-typedefs -Wno-inconsistent-missing-override/' src/Makefile

1
CMakeLists.txt
View File

@ -32,6 +32,7 @@ include(FeatureSummary)
# version requirements # version requirements
set(requiredBoostVersion 1.35) set(requiredBoostVersion 1.35)
set(requiredQtVersion 5.5.1) set(requiredQtVersion 5.5.1)
set(requiredOpensslVersion 1.0)
if(WIN32) if(WIN32)
include(winconf) include(winconf)

101
configure vendored
View File

@ -601,6 +601,8 @@ EXPAND_BINDIR
EXPAND_PREFIX EXPAND_PREFIX
zlib_LIBS zlib_LIBS
zlib_CFLAGS zlib_CFLAGS
openssl_LIBS
openssl_CFLAGS
libtorrent_LIBS libtorrent_LIBS
libtorrent_CFLAGS libtorrent_CFLAGS
BOOST_SYSTEM_LIB BOOST_SYSTEM_LIB
@ -745,6 +747,8 @@ Qt5Svg_CFLAGS
Qt5Svg_LIBS Qt5Svg_LIBS
libtorrent_CFLAGS libtorrent_CFLAGS
libtorrent_LIBS libtorrent_LIBS
openssl_CFLAGS
openssl_LIBS
zlib_CFLAGS zlib_CFLAGS
zlib_LIBS' zlib_LIBS'
@ -1433,6 +1437,10 @@ Some influential environment variables:
C compiler flags for libtorrent, overriding pkg-config C compiler flags for libtorrent, overriding pkg-config
libtorrent_LIBS libtorrent_LIBS
linker flags for libtorrent, overriding pkg-config linker flags for libtorrent, overriding pkg-config
openssl_CFLAGS
C compiler flags for openssl, overriding pkg-config
openssl_LIBS
linker flags for openssl, overriding pkg-config
zlib_CFLAGS C compiler flags for zlib, overriding pkg-config zlib_CFLAGS C compiler flags for zlib, overriding pkg-config
zlib_LIBS linker flags for zlib, overriding pkg-config zlib_LIBS linker flags for zlib, overriding pkg-config
@ -5391,6 +5399,99 @@ $as_echo "yes" >&6; }
fi fi
pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl" >&5
$as_echo_n "checking for openssl... " >&6; }
if test -n "$openssl_CFLAGS"; then
pkg_cv_openssl_CFLAGS="$openssl_CFLAGS"
elif test -n "$PKG_CONFIG"; then
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl >= 1.0\""; } >&5
($PKG_CONFIG --exists --print-errors "openssl >= 1.0") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_openssl_CFLAGS=`$PKG_CONFIG --cflags "openssl >= 1.0" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
else
pkg_failed=untried
fi
if test -n "$openssl_LIBS"; then
pkg_cv_openssl_LIBS="$openssl_LIBS"
elif test -n "$PKG_CONFIG"; then
if test -n "$PKG_CONFIG" && \
{ { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"openssl >= 1.0\""; } >&5
($PKG_CONFIG --exists --print-errors "openssl >= 1.0") 2>&5
ac_status=$?
$as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }; then
pkg_cv_openssl_LIBS=`$PKG_CONFIG --libs "openssl >= 1.0" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes
else
pkg_failed=yes
fi
else
pkg_failed=untried
fi
if test $pkg_failed = yes; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
_pkg_short_errors_supported=yes
else
_pkg_short_errors_supported=no
fi
if test $_pkg_short_errors_supported = yes; then
openssl_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "openssl >= 1.0" 2>&1`
else
openssl_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "openssl >= 1.0" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$openssl_PKG_ERRORS" >&5
as_fn_error $? "Package requirements (openssl >= 1.0) were not met:
$openssl_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables openssl_CFLAGS
and openssl_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details." "$LINENO" 5
elif test $pkg_failed = untried; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
Alternatively, you may set the environment variables openssl_CFLAGS
and openssl_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
To get pkg-config, see <http://pkg-config.freedesktop.org/>.
See \`config.log' for more details" "$LINENO" 5; }
else
openssl_CFLAGS=$pkg_cv_openssl_CFLAGS
openssl_LIBS=$pkg_cv_openssl_LIBS
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
$as_echo "yes" >&6; }
CXXFLAGS="$openssl_CFLAGS $CXXFLAGS"
LIBS="$openssl_LIBS $LIBS"
fi
pkg_failed=no pkg_failed=no
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for zlib" >&5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for zlib" >&5
$as_echo_n "checking for zlib... " >&6; } $as_echo_n "checking for zlib... " >&6; }

7
configure.ac
View File

@ -195,6 +195,11 @@ PKG_CHECK_MODULES(libtorrent,
[CXXFLAGS="$libtorrent_CFLAGS $CXXFLAGS" [CXXFLAGS="$libtorrent_CFLAGS $CXXFLAGS"
LIBS="$libtorrent_LIBS $LIBS"]) LIBS="$libtorrent_LIBS $LIBS"])
PKG_CHECK_MODULES(openssl,
[openssl >= 1.0],
[CXXFLAGS="$openssl_CFLAGS $CXXFLAGS"
LIBS="$openssl_LIBS $LIBS"])
PKG_CHECK_MODULES(zlib, PKG_CHECK_MODULES(zlib,
[zlib >= 1.2.5.2], [zlib >= 1.2.5.2],
[CXXFLAGS="$zlib_CFLAGS $CXXFLAGS" [CXXFLAGS="$zlib_CFLAGS $CXXFLAGS"
@ -207,7 +212,7 @@ AC_COMPILE_IFELSE([DETECT_CPP11_PROGRAM()],
QBT_CXX11_FOUND="yes"], QBT_CXX11_FOUND="yes"],
[AC_MSG_RESULT([no]) [AC_MSG_RESULT([no])
QBT_CXX11_FOUND="no"]) QBT_CXX11_FOUND="no"])
# In case of no, check if the compiler can support at least C++11 # In case of no, check if the compiler can support at least C++11
# and if yes, enable it leaving a warning to the user # and if yes, enable it leaving a warning to the user
AS_IF([test "x$QBT_CXX11_FOUND" = "xno"], AS_IF([test "x$QBT_CXX11_FOUND" = "xno"],

1
src/CMakeLists.txt
View File

@ -16,6 +16,7 @@ include(QbtTargetSources)
find_package(Boost ${requiredBoostVersion} REQUIRED) find_package(Boost ${requiredBoostVersion} REQUIRED)
find_package(LibtorrentRasterbar REQUIRED) find_package(LibtorrentRasterbar REQUIRED)
find_package(OpenSSL ${requiredOpensslVersion} REQUIRED)
if (Boost_VERSION VERSION_LESS 106000) if (Boost_VERSION VERSION_LESS 106000)
add_definitions(-DBOOST_NO_CXX11_RVALUE_REFERENCES) add_definitions(-DBOOST_NO_CXX11_RVALUE_REFERENCES)

10
src/app/application.cpp
View File

@ -522,12 +522,12 @@ int Application::exec(const QStringList &params)
// Display some information to the user // Display some information to the user
const QString mesg = QString("\n******** %1 ********\n").arg(tr("Information")) const QString mesg = QString("\n******** %1 ********\n").arg(tr("Information"))
+ tr("To control qBittorrent, access the Web UI at %1") + tr("To control qBittorrent, access the Web UI at %1")
.arg(QString("http://localhost:") + QString::number(pref->getWebUiPort())) + '\n' .arg(QString("http://localhost:") + QString::number(pref->getWebUiPort())) + '\n';
+ tr("The Web UI administrator user name is: %1").arg(pref->getWebUiUsername()) + '\n';
printf("%s", qUtf8Printable(mesg)); printf("%s", qUtf8Printable(mesg));
qDebug() << "Password:" << pref->getWebUiPassword();
if (pref->getWebUiPassword() == "f6fdffe48c908deb0f4c3bd36c032e72") { if (pref->getWebUIPassword() == "ARQ77eY1NUZaQsuDHbIMCA==:0WMRkYTUWVT9wVvdDtHAjU9b3b7uB8NR1Gur2hmQCvCDpm39Q+PsJRJPaCU51dEiz+dTzh8qbPsL8WkFljQYFQ==") {
const QString warning = tr("The Web UI administrator password is still the default one: %1").arg("adminadmin") + '\n' const QString warning = tr("The Web UI administrator username is: %1").arg(pref->getWebUiUsername()) + '\n'
+ tr("The Web UI administrator password is still the default one: %1").arg("adminadmin") + '\n'
+ tr("This is a security risk, please consider changing your password from program preferences.") + '\n'; + tr("This is a security risk, please consider changing your password from program preferences.") + '\n';
printf("%s", qUtf8Printable(warning)); printf("%s", qUtf8Printable(warning));
} }

2
src/base/CMakeLists.txt
View File

@ -54,6 +54,7 @@ utils/fs.h
utils/gzip.h utils/gzip.h
utils/misc.h utils/misc.h
utils/net.h utils/net.h
utils/password.h
utils/random.h utils/random.h
utils/string.h utils/string.h
utils/version.h utils/version.h
@ -123,6 +124,7 @@ utils/fs.cpp
utils/gzip.cpp utils/gzip.cpp
utils/misc.cpp utils/misc.cpp
utils/net.cpp utils/net.cpp
utils/password.cpp
utils/random.cpp utils/random.cpp
utils/string.cpp utils/string.cpp
asyncfilestorage.cpp asyncfilestorage.cpp

2
src/base/base.pri
View File

@ -69,6 +69,7 @@ HEADERS += \
$$PWD/utils/gzip.h \ $$PWD/utils/gzip.h \
$$PWD/utils/misc.h \ $$PWD/utils/misc.h \
$$PWD/utils/net.h \ $$PWD/utils/net.h \
$$PWD/utils/password.h \
$$PWD/utils/random.h \ $$PWD/utils/random.h \
$$PWD/utils/string.h \ $$PWD/utils/string.h \
$$PWD/utils/version.h $$PWD/utils/version.h
@ -133,5 +134,6 @@ SOURCES += \
$$PWD/utils/gzip.cpp \ $$PWD/utils/gzip.cpp \
$$PWD/utils/misc.cpp \ $$PWD/utils/misc.cpp \
$$PWD/utils/net.cpp \ $$PWD/utils/net.cpp \
$$PWD/utils/password.cpp \
$$PWD/utils/random.cpp \ $$PWD/utils/random.cpp \
$$PWD/utils/string.cpp $$PWD/utils/string.cpp

41
src/base/preferences.cpp
View File

@ -29,7 +29,6 @@
#include "preferences.h" #include "preferences.h"
#include <QCryptographicHash>
#include <QDir> #include <QDir>
#include <QLocale> #include <QLocale>
#include <QMutableListIterator> #include <QMutableListIterator>
@ -583,28 +582,16 @@ void Preferences::setWebUiUsername(const QString &username)
setValue("Preferences/WebUI/Username", username); setValue("Preferences/WebUI/Username", username);
} }
QString Preferences::getWebUiPassword() const QByteArray Preferences::getWebUIPassword() const
{ {
QString passHa1 = value("Preferences/WebUI/Password_ha1").toString(); // default: adminadmin
if (passHa1.isEmpty()) { const QByteArray defaultValue = "ARQ77eY1NUZaQsuDHbIMCA==:0WMRkYTUWVT9wVvdDtHAjU9b3b7uB8NR1Gur2hmQCvCDpm39Q+PsJRJPaCU51dEiz+dTzh8qbPsL8WkFljQYFQ==";
QCryptographicHash md5(QCryptographicHash::Md5); return value("Preferences/WebUI/Password_PBKDF2", defaultValue).toByteArray();
md5.addData("adminadmin");
passHa1 = md5.result().toHex();
}
return passHa1;
} }
void Preferences::setWebUiPassword(const QString &newPassword) void Preferences::setWebUIPassword(const QByteArray &password)
{ {
// Do not overwrite current password with its hash setValue("Preferences/WebUI/Password_PBKDF2", password);
if (newPassword == getWebUiPassword())
return;
// Encode to md5 and save
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(newPassword.toLocal8Bit());
setValue("Preferences/WebUI/Password_ha1", md5.result().toHex());
} }
bool Preferences::isWebUiClickjackingProtectionEnabled() const bool Preferences::isWebUiClickjackingProtectionEnabled() const
@ -738,22 +725,14 @@ void Preferences::setDynDNSPassword(const QString &password)
} }
// Advanced settings // Advanced settings
void Preferences::clearUILockPassword() QByteArray Preferences::getUILockPassword() const
{ {
setValue("Locking/password", QString()); return value("Locking/password_PBKDF2").toByteArray();
} }
QString Preferences::getUILockPasswordMD5() const void Preferences::setUILockPassword(const QByteArray &password)
{ {
return value("Locking/password").toString(); setValue("Locking/password_PBKDF2", password);
}
void Preferences::setUILockPassword(const QString &clearPassword)
{
QCryptographicHash md5(QCryptographicHash::Md5);
md5.addData(clearPassword.toLocal8Bit());
QString md5Password = md5.result().toHex();
setValue("Locking/password", md5Password);
} }
bool Preferences::isUILocked() const bool Preferences::isUILocked() const

9
src/base/preferences.h
View File

@ -193,8 +193,8 @@ public:
void setWebUiAuthSubnetWhitelist(QStringList subnets); void setWebUiAuthSubnetWhitelist(QStringList subnets);
QString getWebUiUsername() const; QString getWebUiUsername() const;
void setWebUiUsername(const QString &username); void setWebUiUsername(const QString &username);
QString getWebUiPassword() const; QByteArray getWebUIPassword() const;
void setWebUiPassword(const QString &newPassword); void setWebUIPassword(const QByteArray &password);
// WebUI security // WebUI security
bool isWebUiClickjackingProtectionEnabled() const; bool isWebUiClickjackingProtectionEnabled() const;
@ -229,9 +229,8 @@ public:
void setDynDNSPassword(const QString &password); void setDynDNSPassword(const QString &password);
// Advanced settings // Advanced settings
void setUILockPassword(const QString &clearPassword); QByteArray getUILockPassword() const;
void clearUILockPassword(); void setUILockPassword(const QByteArray &password);
QString getUILockPasswordMD5() const;
bool isUILocked() const; bool isUILocked() const;
void setUILocked(bool locked); void setUILocked(bool locked);
bool isAutoRunEnabled() const; bool isAutoRunEnabled() const;

120
src/base/utils/password.cpp Normal file
View File

@ -0,0 +1,120 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#include "password.h"
#include <array>
#include <openssl/evp.h>
#include <QByteArray>
#include <QList>
#include <QString>
#include "bytearray.h"
#include "random.h"
#include "string.h"
namespace Utils
{
namespace Password
{
namespace PBKDF2
{
const int hashIterations = 100000;
const auto hashMethod = EVP_sha512();
}
}
}
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::Password::slowEquals(const QByteArray &a, const QByteArray &b)
{
const int lengthA = a.length();
const int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
QByteArray Utils::Password::PBKDF2::generate(const QString &password)
{
return generate(password.toUtf8());
}
QByteArray Utils::Password::PBKDF2::generate(const QByteArray &password)
{
const std::array<uint32_t, 4> salt {{Random::rand(), Random::rand()
, Random::rand(), Random::rand()}};
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.data()), (sizeof(salt[0]) * salt.size())
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return {};
const QByteArray saltView = QByteArray::fromRawData(
reinterpret_cast<const char *>(salt.data()), (sizeof(salt[0]) * salt.size()));
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return (saltView.toBase64() + ':' + outBufView.toBase64());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QString &password)
{
return verify(secret, password.toUtf8());
}
bool Utils::Password::PBKDF2::verify(const QByteArray &secret, const QByteArray &password)
{
const QList<QByteArray> list = ByteArray::splitToViews(secret, ":", QString::SkipEmptyParts);
if (list.size() != 2)
return false;
const QByteArray salt = QByteArray::fromBase64(list[0]);
const QByteArray key = QByteArray::fromBase64(list[1]);
std::array<unsigned char, 64> outBuf {};
const int hmacResult = PKCS5_PBKDF2_HMAC(password.constData(), password.size()
, reinterpret_cast<const unsigned char *>(salt.constData()), salt.size()
, hashIterations, hashMethod
, outBuf.size(), outBuf.data());
if (hmacResult != 1)
return false;
const QByteArray outBufView = QByteArray::fromRawData(
reinterpret_cast<const char *>(outBuf.data()), outBuf.size());
return slowEquals(key, outBufView);
}

51
src/base/utils/password.h Normal file
View File

@ -0,0 +1,51 @@
/*
* Bittorrent Client using Qt and libtorrent.
* Copyright (C) 2018 Mike Tzou (Chocobo1)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* In addition, as a special exception, the copyright holders give permission to
* link this program with the OpenSSL project's "OpenSSL" library (or with
* modified versions of it that use the same license as the "OpenSSL" library),
* and distribute the linked executables. You must obey the GNU General Public
* License in all respects for all of the code used other than "OpenSSL". If you
* modify file(s), you may extend this exception to your version of the file(s),
* but you are not obligated to do so. If you do not wish to do so, delete this
* exception statement from your version.
*/
#pragma once
class QByteArray;
class QString;
namespace Utils
{
namespace Password
{
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
namespace PBKDF2
{
QByteArray generate(const QString &password);
QByteArray generate(const QByteArray &password);
bool verify(const QByteArray &secret, const QString &password);
bool verify(const QByteArray &secret, const QByteArray &password);
}
}
}

15
src/base/utils/string.cpp
View File

@ -31,7 +31,6 @@
#include <cmath> #include <cmath>
#include <QByteArray>
#include <QCollator> #include <QCollator>
#include <QLocale> #include <QLocale>
#include <QRegExp> #include <QRegExp>
@ -164,20 +163,6 @@ QString Utils::String::fromDouble(double n, int precision)
return QLocale::system().toString(std::floor(n * prec) / prec, 'f', precision); return QLocale::system().toString(std::floor(n * prec) / prec, 'f', precision);
} }
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool Utils::String::slowEquals(const QByteArray &a, const QByteArray &b)
{
int lengthA = a.length();
int lengthB = b.length();
int diff = lengthA ^ lengthB;
for (int i = 0; (i < lengthA) && (i < lengthB); ++i)
diff |= a[i] ^ b[i];
return (diff == 0);
}
// This is marked as internal in QRegExp.cpp, but is exported. The alternative would be to // This is marked as internal in QRegExp.cpp, but is exported. The alternative would be to
// copy the code from QRegExp::wc2rx(). // copy the code from QRegExp::wc2rx().
QString qt_regexp_toCanonical(const QString &pattern, QRegExp::PatternSyntax patternSyntax); QString qt_regexp_toCanonical(const QString &pattern, QRegExp::PatternSyntax patternSyntax);

7
src/base/utils/string.h
View File

@ -30,10 +30,9 @@
#ifndef UTILS_STRING_H #ifndef UTILS_STRING_H
#define UTILS_STRING_H #define UTILS_STRING_H
#include <QLatin1String>
#include <QString> #include <QString>
class QByteArray;
class QLatin1String;
class TriStateBool; class TriStateBool;
namespace Utils namespace Utils
@ -42,10 +41,6 @@ namespace Utils
{ {
QString fromDouble(double n, int precision); QString fromDouble(double n, int precision);
// Implements constant-time comparison to protect against timing attacks
// Taken from https://crackstation.net/hashing-security.htm
bool slowEquals(const QByteArray &a, const QByteArray &b);
int naturalCompare(const QString &left, const QString &right, const Qt::CaseSensitivity caseSensitivity); int naturalCompare(const QString &left, const QString &right, const Qt::CaseSensitivity caseSensitivity);
template <Qt::CaseSensitivity caseSensitivity> template <Qt::CaseSensitivity caseSensitivity>
bool naturalLessThan(const QString &left, const QString &right) bool naturalLessThan(const QString &left, const QString &right)

73
src/gui/mainwindow.cpp
View File

@ -30,7 +30,6 @@
#include <QClipboard> #include <QClipboard>
#include <QCloseEvent> #include <QCloseEvent>
#include <QCryptographicHash>
#include <QDebug> #include <QDebug>
#include <QDesktopServices> #include <QDesktopServices>
#include <QFileDialog> #include <QFileDialog>
@ -69,6 +68,7 @@
#include "base/utils/foreignapps.h" #include "base/utils/foreignapps.h"
#include "base/utils/fs.h" #include "base/utils/fs.h"
#include "base/utils/misc.h" #include "base/utils/misc.h"
#include "base/utils/password.h"
#include "aboutdialog.h" #include "aboutdialog.h"
#include "addnewtorrentdialog.h" #include "addnewtorrentdialog.h"
#include "application.h" #include "application.h"
@ -631,45 +631,41 @@ void MainWindow::toolbarFollowSystem()
Preferences::instance()->setToolbarTextPosition(Qt::ToolButtonFollowStyle); Preferences::instance()->setToolbarTextPosition(Qt::ToolButtonFollowStyle);
} }
void MainWindow::defineUILockPassword() bool MainWindow::defineUILockPassword()
{ {
QString oldPassMd5 = Preferences::instance()->getUILockPasswordMD5();
if (oldPassMd5.isNull())
oldPassMd5 = "";
bool ok = false; bool ok = false;
QString newClearPassword = AutoExpandableDialog::getText(this, tr("UI lock password"), tr("Please type the UI lock password:"), QLineEdit::Password, oldPassMd5, &ok); const QString newPassword = AutoExpandableDialog::getText(this, tr("UI lock password")
if (ok) { , tr("Please type the UI lock password:"), QLineEdit::Password, {}, &ok);
newClearPassword = newClearPassword.trimmed(); if (!ok)
if (newClearPassword.size() < 3) { return false;
QMessageBox::warning(this, tr("Invalid password"), tr("The password should contain at least 3 characters"));
} if (newPassword.size() < 3) {
else { QMessageBox::warning(this, tr("Invalid password"), tr("The password should contain at least 3 characters"));
if (newClearPassword != oldPassMd5) return false;
Preferences::instance()->setUILockPassword(newClearPassword);
QMessageBox::information(this, tr("Password update"), tr("The UI lock password has been successfully updated"));
}
} }
Preferences::instance()->setUILockPassword(Utils::Password::PBKDF2::generate(newPassword));
return true;
} }
void MainWindow::clearUILockPassword() void MainWindow::clearUILockPassword()
{ {
QMessageBox::StandardButton answer = QMessageBox::question(this, tr("Clear the password"), tr("Are you sure you want to clear the password?"), QMessageBox::Yes | QMessageBox::No, QMessageBox::No); const QMessageBox::StandardButton answer = QMessageBox::question(this, tr("Clear the password")
, tr("Are you sure you want to clear the password?"), (QMessageBox::Yes | QMessageBox::No), QMessageBox::No);
if (answer == QMessageBox::Yes) if (answer == QMessageBox::Yes)
Preferences::instance()->clearUILockPassword(); Preferences::instance()->setUILockPassword({});
} }
void MainWindow::on_actionLock_triggered() void MainWindow::on_actionLock_triggered()
{ {
Preferences *const pref = Preferences::instance(); Preferences *const pref = Preferences::instance();
// Check if there is a password // Check if there is a password
if (pref->getUILockPasswordMD5().isEmpty()) { if (pref->getUILockPassword().isEmpty()) {
// Ask for a password if (!defineUILockPassword())
bool ok = false; return;
QString clearPassword = AutoExpandableDialog::getText(this, tr("UI lock password"), tr("Please type the UI lock password:"), QLineEdit::Password, "", &ok);
if (!ok) return;
pref->setUILockPassword(clearPassword);
} }
// Lock the interface // Lock the interface
m_uiLocked = true; m_uiLocked = true;
pref->setUILocked(true); pref->setUILocked(true);
@ -1049,27 +1045,24 @@ bool MainWindow::unlockUI()
{ {
if (m_unlockDlgShowing) if (m_unlockDlgShowing)
return false; return false;
else
m_unlockDlgShowing = true;
bool ok = false; bool ok = false;
QString clearPassword = AutoExpandableDialog::getText(this, tr("UI lock password"), tr("Please type the UI lock password:"), QLineEdit::Password, "", &ok); const QString password = AutoExpandableDialog::getText(this, tr("UI lock password")
m_unlockDlgShowing = false; , tr("Please type the UI lock password:"), QLineEdit::Password, {}, &ok);
if (!ok) return false; if (!ok) return false;
Preferences *const pref = Preferences::instance(); Preferences *const pref = Preferences::instance();
QString realPassMd5 = pref->getUILockPasswordMD5();
QCryptographicHash md5(QCryptographicHash::Md5); const QByteArray secret = pref->getUILockPassword();
md5.addData(clearPassword.toLocal8Bit()); if (!Utils::Password::PBKDF2::verify(secret, password)) {
QString passwordMd5 = md5.result().toHex(); QMessageBox::warning(this, tr("Invalid password"), tr("The password is invalid"));
if (realPassMd5 == passwordMd5) { return false;
m_uiLocked = false;
pref->setUILocked(false);
m_trayIconMenu->setEnabled(true);
return true;
} }
QMessageBox::warning(this, tr("Invalid password"), tr("The password is invalid"));
return false; m_uiLocked = false;
pref->setUILocked(false);
m_trayIconMenu->setEnabled(true);
return true;
} }
void MainWindow::notifyOfUpdate(QString) void MainWindow::notifyOfUpdate(QString)

2
src/gui/mainwindow.h
View File

@ -109,7 +109,7 @@ private slots:
void fullDiskError(BitTorrent::TorrentHandle *const torrent, QString msg) const; void fullDiskError(BitTorrent::TorrentHandle *const torrent, QString msg) const;
void handleDownloadFromUrlFailure(QString, QString) const; void handleDownloadFromUrlFailure(QString, QString) const;
void tabChanged(int newTab); void tabChanged(int newTab);
void defineUILockPassword(); bool defineUILockPassword();
void clearUILockPassword(); void clearUILockPassword();
bool unlockUI(); bool unlockUI();
void notifyOfUpdate(QString); void notifyOfUpdate(QString);

7
src/gui/optionsdialog.cpp
View File

@ -59,6 +59,7 @@
#include "base/torrentfileguard.h" #include "base/torrentfileguard.h"
#include "base/unicodestrings.h" #include "base/unicodestrings.h"
#include "base/utils/fs.h" #include "base/utils/fs.h"
#include "base/utils/password.h"
#include "base/utils/random.h" #include "base/utils/random.h"
#include "addnewtorrentdialog.h" #include "addnewtorrentdialog.h"
#include "advancedsettings.h" #include "advancedsettings.h"
@ -728,7 +729,8 @@ void OptionsDialog::saveOptions()
} }
// Authentication // Authentication
pref->setWebUiUsername(webUiUsername()); pref->setWebUiUsername(webUiUsername());
pref->setWebUiPassword(webUiPassword()); if (!webUiPassword().isEmpty())
pref->setWebUIPassword(Utils::Password::PBKDF2::generate(webUiPassword()));
pref->setWebUiLocalAuthEnabled(!m_ui->checkBypassLocalAuth->isChecked()); pref->setWebUiLocalAuthEnabled(!m_ui->checkBypassLocalAuth->isChecked());
pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked()); pref->setWebUiAuthSubnetWhitelistEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
// Security // Security
@ -1090,7 +1092,6 @@ void OptionsDialog::loadOptions()
setSslCertificate(pref->getWebUiHttpsCertificate()); setSslCertificate(pref->getWebUiHttpsCertificate());
setSslKey(pref->getWebUiHttpsKey()); setSslKey(pref->getWebUiHttpsKey());
m_ui->textWebUiUsername->setText(pref->getWebUiUsername()); m_ui->textWebUiUsername->setText(pref->getWebUiUsername());
m_ui->textWebUiPassword->setText(pref->getWebUiPassword());
m_ui->checkBypassLocalAuth->setChecked(!pref->isWebUiLocalAuthEnabled()); m_ui->checkBypassLocalAuth->setChecked(!pref->isWebUiLocalAuthEnabled());
m_ui->checkBypassAuthSubnetWhitelist->setChecked(pref->isWebUiAuthSubnetWhitelistEnabled()); m_ui->checkBypassAuthSubnetWhitelist->setChecked(pref->isWebUiAuthSubnetWhitelistEnabled());
m_ui->IPSubnetWhitelistButton->setEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked()); m_ui->IPSubnetWhitelistButton->setEnabled(m_ui->checkBypassAuthSubnetWhitelist->isChecked());
@ -1743,7 +1744,7 @@ bool OptionsDialog::webUIAuthenticationOk()
QMessageBox::warning(this, tr("Length Error"), tr("The Web UI username must be at least 3 characters long.")); QMessageBox::warning(this, tr("Length Error"), tr("The Web UI username must be at least 3 characters long."));
return false; return false;
} }
if (webUiPassword().length() < 6) { if (!webUiPassword().isEmpty() && (webUiPassword().length() < 6)) {
QMessageBox::warning(this, tr("Length Error"), tr("The Web UI password must be at least 6 characters long.")); QMessageBox::warning(this, tr("Length Error"), tr("The Web UI password must be at least 6 characters long."));
return false; return false;
} }

9
src/gui/optionsdialog.ui
View File

@ -3074,15 +3074,12 @@ Specify an IPv4 or IPv6 address. You can specify &quot;0.0.0.0&quot; for any IPv
</item> </item>
<item row="3" column="1"> <item row="3" column="1">
<widget class="QLineEdit" name="textWebUiPassword"> <widget class="QLineEdit" name="textWebUiPassword">
<property name="text">
<string/>
</property>
<property name="maxLength">
<number>1000</number>
</property>
<property name="echoMode"> <property name="echoMode">
<enum>QLineEdit::Password</enum> <enum>QLineEdit::Password</enum>
</property> </property>
<property name="placeholderText">
<string>Change current password</string>
</property>
</widget> </widget>
</item> </item>
<item row="4" column="0" colspan="2"> <item row="4" column="0" colspan="2">

4
src/webui/api/appcontroller.cpp
View File

@ -54,6 +54,7 @@
#include "base/scanfoldersmodel.h" #include "base/scanfoldersmodel.h"
#include "base/utils/fs.h" #include "base/utils/fs.h"
#include "base/utils/net.h" #include "base/utils/net.h"
#include "base/utils/password.h"
#include "../webapplication.h" #include "../webapplication.h"
void AppController::webapiVersionAction() void AppController::webapiVersionAction()
@ -198,7 +199,6 @@ void AppController::preferencesAction()
data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate()); data["ssl_cert"] = QString::fromLatin1(pref->getWebUiHttpsCertificate());
// Authentication // Authentication
data["web_ui_username"] = pref->getWebUiUsername(); data["web_ui_username"] = pref->getWebUiUsername();
data["web_ui_password"] = pref->getWebUiPassword();
data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled(); data["bypass_local_auth"] = !pref->isWebUiLocalAuthEnabled();
data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled(); data["bypass_auth_subnet_whitelist_enabled"] = pref->isWebUiAuthSubnetWhitelistEnabled();
QStringList authSubnetWhitelistStringList; QStringList authSubnetWhitelistStringList;
@ -474,7 +474,7 @@ void AppController::setPreferencesAction()
if (m.contains("web_ui_username")) if (m.contains("web_ui_username"))
pref->setWebUiUsername(m["web_ui_username"].toString()); pref->setWebUiUsername(m["web_ui_username"].toString());
if (m.contains("web_ui_password")) if (m.contains("web_ui_password"))
pref->setWebUiPassword(m["web_ui_password"].toString()); pref->setWebUIPassword(Utils::Password::PBKDF2::generate(m["web_ui_password"].toByteArray()));
if (m.contains("bypass_local_auth")) if (m.contains("bypass_local_auth"))
pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool()); pref->setWebUiLocalAuthEnabled(!m["bypass_local_auth"].toBool());
if (m.contains("bypass_auth_subnet_whitelist_enabled")) if (m.contains("bypass_auth_subnet_whitelist_enabled"))

19
src/webui/api/authcontroller.cpp
View File

@ -28,11 +28,9 @@
#include "authcontroller.h" #include "authcontroller.h"
#include <QCryptographicHash>
#include "base/logger.h" #include "base/logger.h"
#include "base/preferences.h" #include "base/preferences.h"
#include "base/utils/string.h" #include "base/utils/password.h"
#include "apierror.h" #include "apierror.h"
#include "isessionmanager.h" #include "isessionmanager.h"
@ -58,17 +56,14 @@ void AuthController::loginAction()
, tr("Your IP address has been banned after too many failed authentication attempts.")); , tr("Your IP address has been banned after too many failed authentication attempts."));
} }
const QString username {Preferences::instance()->getWebUiUsername()}; const Preferences *pref = Preferences::instance();
const QString password {Preferences::instance()->getWebUiPassword()};
QCryptographicHash md5(QCryptographicHash::Md5); const QString username {pref->getWebUiUsername()};
md5.addData(passwordFromWeb.toLocal8Bit()); const QByteArray secret {pref->getWebUIPassword()};
const QString passwordFromWebHashed = md5.result().toHex(); const bool usernameEqual = Utils::Password::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8());
const bool passwordEqual = Utils::Password::PBKDF2::verify(secret, passwordFromWeb);
const bool equalUser = Utils::String::slowEquals(usernameFromWeb.toUtf8(), username.toUtf8()); if (usernameEqual && passwordEqual) {
const bool equalPass = Utils::String::slowEquals(passwordFromWebHashed.toUtf8(), password.toUtf8());
if (equalUser && equalPass) {
m_clientFailedLogins.remove(clientAddr); m_clientFailedLogins.remove(clientAddr);
sessionManager()->sessionStart(); sessionManager()->sessionStart();

10
src/webui/www/private/preferences_content.html
View File

@ -433,7 +433,8 @@
<label for="webui_username_text" class="leftLabelSmall">QBT_TR(Username:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_username_text" /> <label for="webui_username_text" class="leftLabelSmall">QBT_TR(Username:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="text" id="webui_username_text" />
</div> </div>
<div class="formRow"> <div class="formRow">
<label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label><input type="password" id="webui_password_text" /> <label for="webui_password_text" class="leftLabelSmall">QBT_TR(Password:)QBT_TR[CONTEXT=OptionsDialog]</label>
<input type="password" id="webui_password_text" placeholder="QBT_TR(Change current password)QBT_TR[CONTEXT=OptionsDialog]" />
</div> </div>
<div class="formRow"> <div class="formRow">
<input type="checkbox" id="bypass_local_auth_checkbox" /> <input type="checkbox" id="bypass_local_auth_checkbox" />
@ -980,7 +981,6 @@
// Authentication // Authentication
$('webui_username_text').setProperty('value', pref.web_ui_username); $('webui_username_text').setProperty('value', pref.web_ui_username);
$('webui_password_text').setProperty('value', pref.web_ui_password);
$('bypass_local_auth_checkbox').setProperty('checked', pref.bypass_local_auth); $('bypass_local_auth_checkbox').setProperty('checked', pref.bypass_local_auth);
$('bypass_auth_subnet_whitelist_checkbox').setProperty('checked', pref.bypass_auth_subnet_whitelist_enabled); $('bypass_auth_subnet_whitelist_checkbox').setProperty('checked', pref.bypass_auth_subnet_whitelist_enabled);
$('bypass_auth_subnet_whitelist_textarea').setProperty('value', pref.bypass_auth_subnet_whitelist); $('bypass_auth_subnet_whitelist_textarea').setProperty('value', pref.bypass_auth_subnet_whitelist);
@ -1264,12 +1264,14 @@
return; return;
} }
var web_ui_password = $('webui_password_text').getProperty('value'); var web_ui_password = $('webui_password_text').getProperty('value');
if (web_ui_password.length < 6) { if ((0 < web_ui_password.length) && (web_ui_password.length < 6)) {
alert("QBT_TR(The Web UI password must be at least 6 characters long.)QBT_TR[CONTEXT=OptionsDialog]"); alert("QBT_TR(The Web UI password must be at least 6 characters long.)QBT_TR[CONTEXT=OptionsDialog]");
return; return;
} }
settings.set('web_ui_username', web_ui_username); settings.set('web_ui_username', web_ui_username);
settings.set('web_ui_password', web_ui_password); if (web_ui_password.length > 0)
settings.set('web_ui_password', web_ui_password);
settings.set('bypass_local_auth', $('bypass_local_auth_checkbox').getProperty('checked')); settings.set('bypass_local_auth', $('bypass_local_auth_checkbox').getProperty('checked'));
settings.set('bypass_auth_subnet_whitelist_enabled', $('bypass_auth_subnet_whitelist_checkbox').getProperty('checked')); settings.set('bypass_auth_subnet_whitelist_enabled', $('bypass_auth_subnet_whitelist_checkbox').getProperty('checked'));
settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value')); settings.set('bypass_auth_subnet_whitelist', $('bypass_auth_subnet_whitelist_textarea').getProperty('value'));