Introducing passwordbasedauthentication based on lcrypt and sha512 #484

Merged
merged 12 commits into from
Apr 29, 2021

nichtsfrei
Member

@nichtsfrei nichtsfrei commented Apr 26, 2021

Introducing passwordbasedauthentication to handle upgrade from MD5 to
sha512 within gvmd.

The decision to write new implementation based on lcrypt and sha512
rather than updating authutils is based on the decision to follow phc
compliance as closely as feasible to allow easier versioning and updating
of hashes for password based logins.

To allow easy handling of correct but dated hashes a new state:
RECOMMEND_UPDATE
is introduced for passwords on top of valid/invalid.

Therefore a direct dependency of passwordbasedauthentication.c to
authutils.c is chosen to have easier access to the deprecated
functionality.

To create the hash crypt_r is chosen to have a thread safe hashing
possibility, this comes with the costs of portability since not all
crypt libraries do support that. However libcrypt (used by
debian:testing) as well as UFC crypt (used by buster) do.

Due to the limitation of salt to 16 bytes the newly introduced pepper
usage is limited to 4 bytes. This needs to be respected in using
clients, e.g. gvmd and enforced there.


@nichtsfrei nichtsfrei added backport-to-oldstable This pull request will be backported to the 20.08 branch backport-to-stable This pull request will be backported to the 21.04 branch labels Apr 27, 2021
@nichtsfrei nichtsfrei marked this pull request as draft April 27, 2021 13:40
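The RECOMMEND_UPDATE state from the description above, as an added example that is not code from this pull request or from the project: after the caller has compared the password (with crypt_r or the legacy routine), the parameters carried in the stored string decide between valid and dated. The names `classify`, `parse_sha512_crypt` and `sample`, the `policy_rounds` threshold, and the treatment of every non-`$6$` record as dated are assumptions; the sample digests are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example; only RECOMMEND_UPDATE is from the PR. */
enum pba_state { PBA_INVALID, PBA_VALID, PBA_RECOMMEND_UPDATE };
#define SALT_MAX 16           /* sha512-crypt salt limit cited in the PR */
#define DIGEST_LEN 86         /* encoded length of a SHA-512 crypt digest */
#define DEFAULT_ROUNDS 5000UL /* applies when "rounds=" is absent */
static const char B64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Parse "$6$[rounds=N$]salt$digest"; returns 0 and sets *rounds, or -1. */
static int parse_sha512_crypt(const char *s, unsigned long *rounds) {
  char *end; size_t n;
  if (strncmp(s, "$6$", 3) != 0) return -1;
  s += 3;
  *rounds = DEFAULT_ROUNDS;
  if (strncmp(s, "rounds=", 7) == 0) {
    if (s[7] < '0' || s[7] > '9') return -1;
    *rounds = strtoul(s + 7, &end, 10);
    if (*end != '$') return -1;
    s = end + 1;
  }
  n = strspn(s, B64);  /* salt: 1..16 crypt-alphabet characters */
  if (n == 0 || n > SALT_MAX || s[n] != '$') return -1;
  s += n + 1;
  n = strspn(s, B64);  /* digest must fill the rest of the string */
  return (n == DIGEST_LEN && s[n] == '\0') ? 0 : -1;
}

/* matched: outcome of the caller's crypt_r (or legacy) comparison.
   A correct password stored under a dated scheme or with too few rounds
   is reported as RECOMMEND_UPDATE so the caller can re-hash it. */
enum pba_state classify(const char *stored, int matched, unsigned long policy_rounds) {
  unsigned long rounds;
  if (!matched) return PBA_INVALID;
  if (parse_sha512_crypt(stored, &rounds) != 0) return PBA_RECOMMEND_UPDATE;
  return rounds < policy_rounds ? PBA_RECOMMEND_UPDATE : PBA_VALID;
}

/* Constructed sample: head followed by an 86-character placeholder digest. */
const char *sample(const char *head) {
  static char buf[256];
  snprintf(buf, sizeof buf, "%s%0*d", head, DIGEST_LEN, 0);
  return buf;
}

int main(void) {
  printf("%d\n", classify(sample("$6$rounds=5000$saltsaltsaltsalt$"), 1, 20000));
  return 0;
}
```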
In order to use passwordbasedauthentication.c directly dependable on
authutils.c it should not be installed via CMakeLists.txt for
authutils.h instead it should use passwordbasedauthentication.c
@nichtsfrei nichtsfrei marked this pull request as ready for review April 27, 2021 13:56
@nichtsfrei nichtsfrei marked this pull request as draft April 27, 2021 14:11
@nichtsfrei nichtsfrei marked this pull request as ready for review April 27, 2021 14:19
Since pba_hash does not change the password it is set to const char

Remove .ccls since it is developer specific settings and should not be
within github.

Instead of setting a macro if the internal gensalt_r method or the
external should be used passwordbasedauthentication is guessing based on

ifndef crypt_gensalt_r

if crypt_gensalt_r is defined it is using the external salt function
otherwise it is using its own implementation.

The control of using the internal crypt_gensalt_r or the external by
the used lcrypt library is now defined and set within
util/CMakeLists.txt as EXTERNAL_CRYPT_GENSALT_R macro based on the
version of the crypt module; when higher than 3.1.1 then use external
otherwise internal implementation.
nichtsfrei and others added 2 commits April 29, 2021 14:16
Co-authored-by: Björn Ricks <bjoern.ricks@gmail.com>
Before doing a memcpy verify the length of hash; when shorter than
CRYPT_OUTPUT_SIZE then use strlen otherwise CRYPT_OUTPUT_SIZE

util/CMakeLists.txt check if CRYPT_M_VERSION is DEFINED before
verifying if the version is greater than 3.1.1 to prevent:

Unknown arguments specified

while building.
bjoernricks
bjoernricks previously approved these changes Apr 29, 2021
@nichtsfrei nichtsfrei merged commit a62c406 into greenbone:master Apr 29, 2021
bjoernricks added a commit that referenced this pull request Apr 30, 2021
Introducing passwordbasedauthentication based on lcrypt and sha512 (backport #484)
bjoernricks added a commit that referenced this pull request Apr 30, 2021
Introducing passwordbasedauthentication based on lcrypt and sha512 (backport #484)