zoneminder/src/zm_crypt.cpp

#include "zm.h"
#include "zm_crypt.h"
#include "BCrypt.hpp"
#include "jwt.h"
#include <algorithm>
#include <openssl/sha.h>
#include <string.h>

// returns username if valid, "" if not
std::pair <std::string, unsigned int> verifyToken(std::string jwt_token_str, std::string key) {
  std::string username = "";
  unsigned int token_issued_at = 0;
  try {
    // is it decodable?
    auto decoded = jwt::decode(jwt_token_str);
    auto verifier = jwt::verify()
                        .allow_algorithm(jwt::algorithm::hs256{ key })
                        .with_issuer("ZoneMinder");
  
    // signature verified?
    verifier.verify(decoded);

    // make sure it has fields we need
    if ( decoded.has_payload_claim("type") ) {
      std::string type = decoded.get_payload_claim("type").as_string();
      if ( type != "access" ) {
        Error("Only access tokens are allowed. Please do not use refresh tokens");
        return std::make_pair("", 0);
      }
    } else {
      // something is wrong. All ZM tokens have type
      Error("Missing token type. This should not happen");
      return std::make_pair("",0);
    }
    if ( decoded.has_payload_claim("user") ) {
      username  = decoded.get_payload_claim("user").as_string();
      Debug(1, "Got %s as user claim from token", username.c_str());
    } else {
      Error("User not found in claim");
      return std::make_pair("", 0);
    }

    if ( decoded.has_payload_claim("iat") ) {
      token_issued_at = (unsigned int) (decoded.get_payload_claim("iat").as_int());
      Debug(1, "Got IAT token=%u", token_issued_at);
    } else {
      Error("IAT not found in claim. This should not happen");
      return std::make_pair("", 0);
    }
  } // try
  catch ( const std::exception &e ) {
      Error("Unable to verify token: %s", e.what());
      return std::make_pair("", 0);
  }
  catch (...) {
     Error("unknown exception");
     return std::make_pair("", 0);
  }
  return std::make_pair(username, token_issued_at);
}

bool verifyPassword(const char *username, const char *input_password, const char *db_password_hash) {
  bool password_correct = false;
  if ( strlen(db_password_hash) < 4 ) {
    // actually, shoud be more, but this is min. for next code
    Error("DB Password is too short or invalid to check");
    return false;
  }
  if ( db_password_hash[0] == '*' ) {
    // MYSQL PASSWORD
    Debug(1, "%s is using an MD5 encoded password", username);
    
    SHA_CTX ctx1, ctx2;
    unsigned char digest_interim[SHA_DIGEST_LENGTH];
    unsigned char digest_final[SHA_DIGEST_LENGTH];

    //get first iteration
    SHA1_Init(&ctx1);
    SHA1_Update(&ctx1, input_password, strlen(input_password));
    SHA1_Final(digest_interim, &ctx1);

    //2nd iteration
    SHA1_Init(&ctx2);
    SHA1_Update(&ctx2, digest_interim,SHA_DIGEST_LENGTH);
    SHA1_Final (digest_final, &ctx2);

    char final_hash[SHA_DIGEST_LENGTH * 2 +2];
    final_hash[0] = '*';
    //convert to hex
    for ( int i = 0; i < SHA_DIGEST_LENGTH; i++ )
      sprintf(&final_hash[i*2]+1, "%02X", (unsigned int)digest_final[i]);
    final_hash[SHA_DIGEST_LENGTH *2 + 1] = 0;

    Debug(1, "Computed password_hash:%s, stored password_hash:%s", final_hash, db_password_hash);
    password_correct = (strcmp(db_password_hash, final_hash)==0);
  } else if (
      (db_password_hash[0] == '$')
      &&
      (db_password_hash[1] == '2')
      &&
      (db_password_hash[3] == '$')
      ) {
    // BCRYPT 
    Debug(1, "%s is using a bcrypt encoded password", username);
    BCrypt bcrypt;
    std::string input_hash = bcrypt.generateHash(std::string(input_password));
    password_correct = bcrypt.validatePassword(std::string(input_password), std::string(db_password_hash));
  } else if ( strncmp(db_password_hash, "-ZM-",4) == 0 ) {
    Error("Authentication failed - migration of password not complete. Please log into web console for this user and retry this operation");
    return false;
  } else {
    Warning("%s is using a plain text (not recommended) or scheme not understood", username);
    password_correct = (strcmp(input_password, db_password_hash) == 0);
  } 
  
  return password_correct;
}
move to wrapper 2019-05-03 23:40:35 +08:00			`#include "zm.h"`
Fix spacing 2019-08-28 22:33:18 +08:00			`#include "zm_crypt.h"`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`#include "BCrypt.hpp"`
			`#include "jwt.h"`
move to wrapper 2019-05-03 23:40:35 +08:00			`#include <algorithm>`
move sha headers out 2019-05-09 07:17:31 +08:00			`#include <openssl/sha.h>`
Fix zmcrypt message (#2645) * added more clarity on zm_crypt authentication errors * fixed variable name 2019-06-24 23:28:32 +08:00			`#include <string.h>`
move to wrapper 2019-05-03 23:40:35 +08:00
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`// returns username if valid, "" if not`
initial plumbing to introduce token expiry and API bans per user 2019-05-12 01:39:40 +08:00			`std::pair <std::string, unsigned int> verifyToken(std::string jwt_token_str, std::string key) {`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`std::string username = "";`
more fixes 2019-05-12 17:03:16 +08:00			`unsigned int token_issued_at = 0;`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`try {`
			`// is it decodable?`
			`auto decoded = jwt::decode(jwt_token_str);`
			`auto verifier = jwt::verify()`
			`.allow_algorithm(jwt::algorithm::hs256{ key })`
			`.with_issuer("ZoneMinder");`

			`// signature verified?`
			`verifier.verify(decoded);`
move to wrapper 2019-05-03 23:40:35 +08:00
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`// make sure it has fields we need`
Fix spacing 2019-08-28 22:33:18 +08:00			`if ( decoded.has_payload_claim("type") ) {`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`std::string type = decoded.get_payload_claim("type").as_string();`
Fix spacing 2019-08-28 22:33:18 +08:00			`if ( type != "access" ) {`
			`Error("Only access tokens are allowed. Please do not use refresh tokens");`
			`return std::make_pair("", 0);`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`}`
Fix spacing 2019-08-28 22:33:18 +08:00			`} else {`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`// something is wrong. All ZM tokens have type`
Fix spacing 2019-08-28 22:33:18 +08:00			`Error("Missing token type. This should not happen");`
initial plumbing to introduce token expiry and API bans per user 2019-05-12 01:39:40 +08:00			`return std::make_pair("",0);`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`}`
Fix spacing 2019-08-28 22:33:18 +08:00			`if ( decoded.has_payload_claim("user") ) {`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`username = decoded.get_payload_claim("user").as_string();`
Fix spacing 2019-08-28 22:33:18 +08:00			`Debug(1, "Got %s as user claim from token", username.c_str());`
			`} else {`
			`Error("User not found in claim");`
			`return std::make_pair("", 0);`
initial plumbing to introduce token expiry and API bans per user 2019-05-12 01:39:40 +08:00			`}`

Fix spacing 2019-08-28 22:33:18 +08:00			`if ( decoded.has_payload_claim("iat") ) {`
more fixes 2019-05-12 17:03:16 +08:00			`token_issued_at = (unsigned int) (decoded.get_payload_claim("iat").as_int());`
Fix spacing 2019-08-28 22:33:18 +08:00			`Debug(1, "Got IAT token=%u", token_issued_at);`
			`} else {`
			`Error("IAT not found in claim. This should not happen");`
			`return std::make_pair("", 0);`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`}`
			`} // try`
Fix spacing 2019-08-28 22:33:18 +08:00			`catch ( const std::exception &e ) {`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`Error("Unable to verify token: %s", e.what());`
Fix spacing 2019-08-28 22:33:18 +08:00			`return std::make_pair("", 0);`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`}`
			`catch (...) {`
Fix spacing 2019-08-28 22:33:18 +08:00			`Error("unknown exception");`
			`return std::make_pair("", 0);`
move JWT/Bcrypt inside zm_crypt 2019-05-09 04:45:28 +08:00			`}`
Fix spacing 2019-08-28 22:33:18 +08:00			`return std::make_pair(username, token_issued_at);`
move to wrapper 2019-05-03 23:40:35 +08:00			`}`

logs tweak 2019-05-04 00:01:13 +08:00			`bool verifyPassword(const char username, const char input_password, const char *db_password_hash) {`
move to wrapper 2019-05-03 23:40:35 +08:00			`bool password_correct = false;`
spacing google code style 2019-06-19 22:31:53 +08:00			`if ( strlen(db_password_hash) < 4 ) {`
move to wrapper 2019-05-03 23:40:35 +08:00			`// actually, shoud be more, but this is min. for next code`
spacing google code style 2019-06-19 22:31:53 +08:00			`Error("DB Password is too short or invalid to check");`
move to wrapper 2019-05-03 23:40:35 +08:00			`return false;`
			`}`
spacing google code style 2019-06-19 22:31:53 +08:00			`if ( db_password_hash[0] == '*' ) {`
move to wrapper 2019-05-03 23:40:35 +08:00			`// MYSQL PASSWORD`
spacing google code style 2019-06-19 22:31:53 +08:00			`Debug(1, "%s is using an MD5 encoded password", username);`
fixed SHA1 algo 2019-05-05 03:20:31 +08:00
			`SHA_CTX ctx1, ctx2;`
Moved to openSSL SHA1, initial JWT plugin 2019-05-04 23:52:53 +08:00			`unsigned char digest_interim[SHA_DIGEST_LENGTH];`
			`unsigned char digest_final[SHA_DIGEST_LENGTH];`
fixed SHA1 algo 2019-05-05 03:20:31 +08:00
			`//get first iteration`
			`SHA1_Init(&ctx1);`
			`SHA1_Update(&ctx1, input_password, strlen(input_password));`
			`SHA1_Final(digest_interim, &ctx1);`

			`//2nd iteration`
			`SHA1_Init(&ctx2);`
			`SHA1_Update(&ctx2, digest_interim,SHA_DIGEST_LENGTH);`
typo 2019-05-05 03:27:00 +08:00			`SHA1_Final (digest_final, &ctx2);`
fixed SHA1 algo 2019-05-05 03:20:31 +08:00
Moved to openSSL SHA1, initial JWT plugin 2019-05-04 23:52:53 +08:00			`char final_hash[SHA_DIGEST_LENGTH * 2 +2];`
spacing google code style 2019-06-19 22:31:53 +08:00			`final_hash[0] = '*';`
fixed SHA1 algo 2019-05-05 03:20:31 +08:00			`//convert to hex`
spacing google code style 2019-06-19 22:31:53 +08:00			`for ( int i = 0; i < SHA_DIGEST_LENGTH; i++ )`
			`sprintf(&final_hash[i*2]+1, "%02X", (unsigned int)digest_final[i]);`
			`final_hash[SHA_DIGEST_LENGTH *2 + 1] = 0;`
Moved to openSSL SHA1, initial JWT plugin 2019-05-04 23:52:53 +08:00
spacing google code style 2019-06-19 22:31:53 +08:00			`Debug(1, "Computed password_hash:%s, stored password_hash:%s", final_hash, db_password_hash);`
Moved to openSSL SHA1, initial JWT plugin 2019-05-04 23:52:53 +08:00			`password_correct = (strcmp(db_password_hash, final_hash)==0);`
spacing google code style 2019-06-19 22:31:53 +08:00			`} else if (`
			`(db_password_hash[0] == '$')`
			`&&`
Fix spacing 2019-08-28 22:33:18 +08:00			`(db_password_hash[1] == '2')`
spacing google code style 2019-06-19 22:31:53 +08:00			`&&`
			`(db_password_hash[3] == '$')`
			`) {`
move to wrapper 2019-05-03 23:40:35 +08:00			`// BCRYPT`
spacing google code style 2019-06-19 22:31:53 +08:00			`Debug(1, "%s is using a bcrypt encoded password", username);`
move to wrapper 2019-05-03 23:40:35 +08:00			`BCrypt bcrypt;`
			`std::string input_hash = bcrypt.generateHash(std::string(input_password));`
			`password_correct = bcrypt.validatePassword(std::string(input_password), std::string(db_password_hash));`
Merge branch 'master' into storageareas 2019-06-24 23:35:36 +08:00			`} else if ( strncmp(db_password_hash, "-ZM-",4) == 0 ) {`
			`Error("Authentication failed - migration of password not complete. Please log into web console for this user and retry this operation");`
			`return false;`
spacing google code style 2019-06-19 22:31:53 +08:00			`} else {`
Merge branch 'master' into storageareas 2019-06-24 23:35:36 +08:00			`Warning("%s is using a plain text (not recommended) or scheme not understood", username);`
move to wrapper 2019-05-03 23:40:35 +08:00			`password_correct = (strcmp(input_password, db_password_hash) == 0);`
Fix zmcrypt message (#2645) * added more clarity on zm_crypt authentication errors * fixed variable name 2019-06-24 23:28:32 +08:00			`}`

move to wrapper 2019-05-03 23:40:35 +08:00			`return password_correct;`
spacing google code style 2019-06-19 22:31:53 +08:00			`}`