2019-05-03 23:40:35 +08:00
|
|
|
#include "zm.h"
|
2019-08-28 22:33:18 +08:00
|
|
|
#include "zm_crypt.h"
|
2019-05-09 04:45:28 +08:00
|
|
|
#include "BCrypt.hpp"
|
2020-03-06 01:29:27 +08:00
|
|
|
#if HAVE_LIBJWT
|
|
|
|
#include <jwt.h>
|
|
|
|
#else
|
|
|
|
#include "jwt_cpp.h"
|
|
|
|
#endif
|
2019-05-03 23:40:35 +08:00
|
|
|
#include <algorithm>
|
2020-03-06 01:29:27 +08:00
|
|
|
#if HAVE_LIBCRYPTO
|
2019-05-09 07:17:31 +08:00
|
|
|
#include <openssl/sha.h>
|
2020-03-06 01:29:27 +08:00
|
|
|
#elif HAVE_GNUTLS_GNUTLS_H
|
|
|
|
#include <gnutls/gnutls.h>
|
|
|
|
#include <gnutls/crypto.h>
|
|
|
|
#endif
|
2019-06-24 23:28:32 +08:00
|
|
|
#include <string.h>
|
2019-05-03 23:40:35 +08:00
|
|
|
|
2019-05-09 04:45:28 +08:00
|
|
|
// returns username if valid, "" if not
|
2020-03-06 01:29:27 +08:00
|
|
|
#if HAVE_LIBJWT
|
|
|
|
std::pair <std::string, unsigned int> verifyToken(std::string jwt_token_str, std::string key) {
|
|
|
|
std::string username = "";
|
|
|
|
unsigned int token_issued_at = 0;
|
|
|
|
int err = 0;
|
|
|
|
jwt_t *jwt = nullptr;
|
|
|
|
|
|
|
|
err = jwt_new(&jwt);
|
|
|
|
if( err ) {
|
|
|
|
Error("Unable to Allocate JWT object");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
err = jwt_set_alg(jwt, JWT_ALG_HS256, (const unsigned char*)key.c_str(), key.length());
|
|
|
|
if( err ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("Error setting Algorithm for JWT decode");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
err = jwt_decode(&jwt, jwt_token_str.c_str(), nullptr, 0);
|
|
|
|
if( err ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("Could not decode JWT");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
const char *c_type = jwt_get_grant(jwt, (const char*)"type");
|
|
|
|
if ( !c_type ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("Missing token type. This should not happen");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
} else if ( std::string(c_type) != "access" ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("Only access tokens are allowed. Please do not use refresh tokens");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
const char *c_username = jwt_get_grant(jwt, (const char*)"user");
|
|
|
|
if( !c_username ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("User not found in claim");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
username = std::string(c_username);
|
|
|
|
Debug(1, "Got %s as user claim from token", username.c_str());
|
|
|
|
|
|
|
|
token_issued_at = (unsigned int)jwt_get_grant_int(jwt, "iat");
|
|
|
|
if ( errno == ENOENT ) {
|
|
|
|
jwt_free(jwt);
|
|
|
|
Error("IAT not found in claim. This should not happen");
|
|
|
|
return std::make_pair("", 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
Debug(1, "Got IAT token=%u", token_issued_at);
|
|
|
|
jwt_free(jwt);
|
|
|
|
return std::make_pair(username, token_issued_at);
|
|
|
|
}
|
|
|
|
#else // HAVE_LIBJWT
|
2019-05-12 01:39:40 +08:00
|
|
|
std::pair <std::string, unsigned int> verifyToken(std::string jwt_token_str, std::string key) {
|
2019-05-09 04:45:28 +08:00
|
|
|
std::string username = "";
|
2019-05-12 17:03:16 +08:00
|
|
|
unsigned int token_issued_at = 0;
|
2019-05-09 04:45:28 +08:00
|
|
|
try {
|
|
|
|
// is it decodable?
|
|
|
|
auto decoded = jwt::decode(jwt_token_str);
|
|
|
|
auto verifier = jwt::verify()
|
|
|
|
.allow_algorithm(jwt::algorithm::hs256{ key })
|
|
|
|
.with_issuer("ZoneMinder");
|
|
|
|
|
|
|
|
// signature verified?
|
|
|
|
verifier.verify(decoded);
|
2019-05-03 23:40:35 +08:00
|
|
|
|
2019-05-09 04:45:28 +08:00
|
|
|
// make sure it has fields we need
|
2019-08-28 22:33:18 +08:00
|
|
|
if ( decoded.has_payload_claim("type") ) {
|
2019-05-09 04:45:28 +08:00
|
|
|
std::string type = decoded.get_payload_claim("type").as_string();
|
2019-08-28 22:33:18 +08:00
|
|
|
if ( type != "access" ) {
|
|
|
|
Error("Only access tokens are allowed. Please do not use refresh tokens");
|
|
|
|
return std::make_pair("", 0);
|
2019-05-09 04:45:28 +08:00
|
|
|
}
|
2019-08-28 22:33:18 +08:00
|
|
|
} else {
|
2019-05-09 04:45:28 +08:00
|
|
|
// something is wrong. All ZM tokens have type
|
2019-08-28 22:33:18 +08:00
|
|
|
Error("Missing token type. This should not happen");
|
2019-05-12 01:39:40 +08:00
|
|
|
return std::make_pair("",0);
|
2019-05-09 04:45:28 +08:00
|
|
|
}
|
2019-08-28 22:33:18 +08:00
|
|
|
if ( decoded.has_payload_claim("user") ) {
|
2019-05-09 04:45:28 +08:00
|
|
|
username = decoded.get_payload_claim("user").as_string();
|
2019-08-28 22:33:18 +08:00
|
|
|
Debug(1, "Got %s as user claim from token", username.c_str());
|
|
|
|
} else {
|
|
|
|
Error("User not found in claim");
|
|
|
|
return std::make_pair("", 0);
|
2019-05-12 01:39:40 +08:00
|
|
|
}
|
|
|
|
|
2019-08-28 22:33:18 +08:00
|
|
|
if ( decoded.has_payload_claim("iat") ) {
|
2019-05-12 17:03:16 +08:00
|
|
|
token_issued_at = (unsigned int) (decoded.get_payload_claim("iat").as_int());
|
2019-08-28 22:33:18 +08:00
|
|
|
Debug(1, "Got IAT token=%u", token_issued_at);
|
|
|
|
} else {
|
|
|
|
Error("IAT not found in claim. This should not happen");
|
|
|
|
return std::make_pair("", 0);
|
2019-05-09 04:45:28 +08:00
|
|
|
}
|
|
|
|
} // try
|
2019-08-28 22:33:18 +08:00
|
|
|
catch ( const std::exception &e ) {
|
2019-05-09 04:45:28 +08:00
|
|
|
Error("Unable to verify token: %s", e.what());
|
2019-08-28 22:33:18 +08:00
|
|
|
return std::make_pair("", 0);
|
2019-05-09 04:45:28 +08:00
|
|
|
}
|
|
|
|
catch (...) {
|
2019-08-28 22:33:18 +08:00
|
|
|
Error("unknown exception");
|
|
|
|
return std::make_pair("", 0);
|
2019-05-09 04:45:28 +08:00
|
|
|
}
|
2019-08-28 22:33:18 +08:00
|
|
|
return std::make_pair(username, token_issued_at);
|
2019-05-03 23:40:35 +08:00
|
|
|
}
|
2020-03-06 01:29:27 +08:00
|
|
|
#endif // HAVE_LIBJWT
|
2019-05-03 23:40:35 +08:00
|
|
|
|
2019-05-04 00:01:13 +08:00
|
|
|
bool verifyPassword(const char *username, const char *input_password, const char *db_password_hash) {
|
2019-05-03 23:40:35 +08:00
|
|
|
bool password_correct = false;
|
2019-06-19 22:31:53 +08:00
|
|
|
if ( strlen(db_password_hash) < 4 ) {
|
2019-05-03 23:40:35 +08:00
|
|
|
// actually, shoud be more, but this is min. for next code
|
2019-06-19 22:31:53 +08:00
|
|
|
Error("DB Password is too short or invalid to check");
|
2019-05-03 23:40:35 +08:00
|
|
|
return false;
|
|
|
|
}
|
2019-06-19 22:31:53 +08:00
|
|
|
if ( db_password_hash[0] == '*' ) {
|
2019-05-03 23:40:35 +08:00
|
|
|
// MYSQL PASSWORD
|
2019-06-19 22:31:53 +08:00
|
|
|
Debug(1, "%s is using an MD5 encoded password", username);
|
2019-05-05 03:20:31 +08:00
|
|
|
|
2020-03-06 01:29:27 +08:00
|
|
|
#ifndef SHA_DIGEST_LENGTH
|
|
|
|
#define SHA_DIGEST_LENGTH 20
|
|
|
|
#endif
|
|
|
|
|
2019-05-04 23:52:53 +08:00
|
|
|
unsigned char digest_interim[SHA_DIGEST_LENGTH];
|
|
|
|
unsigned char digest_final[SHA_DIGEST_LENGTH];
|
2020-03-06 01:29:27 +08:00
|
|
|
|
|
|
|
#if HAVE_LIBCRYPTO
|
|
|
|
SHA_CTX ctx1, ctx2;
|
|
|
|
|
2019-05-05 03:20:31 +08:00
|
|
|
//get first iteration
|
|
|
|
SHA1_Init(&ctx1);
|
|
|
|
SHA1_Update(&ctx1, input_password, strlen(input_password));
|
|
|
|
SHA1_Final(digest_interim, &ctx1);
|
|
|
|
|
|
|
|
//2nd iteration
|
|
|
|
SHA1_Init(&ctx2);
|
|
|
|
SHA1_Update(&ctx2, digest_interim,SHA_DIGEST_LENGTH);
|
2019-05-05 03:27:00 +08:00
|
|
|
SHA1_Final (digest_final, &ctx2);
|
2020-03-06 01:29:27 +08:00
|
|
|
#elif HAVE_GNUTLS_GNUTLS_H
|
|
|
|
//get first iteration
|
|
|
|
gnutls_hash_fast(GNUTLS_DIG_SHA1, input_password, strlen(input_password), digest_interim);
|
|
|
|
//2nd iteration
|
|
|
|
gnutls_hash_fast(GNUTLS_DIG_SHA1, digest_interim, SHA_DIGEST_LENGTH, digest_final);
|
|
|
|
#else
|
|
|
|
Error("Authentication Error. ZoneMinder not built with GnuTLS or Openssl");
|
|
|
|
return false;
|
|
|
|
#endif
|
2019-05-05 03:20:31 +08:00
|
|
|
|
2019-05-04 23:52:53 +08:00
|
|
|
char final_hash[SHA_DIGEST_LENGTH * 2 +2];
|
2019-06-19 22:31:53 +08:00
|
|
|
final_hash[0] = '*';
|
2019-05-05 03:20:31 +08:00
|
|
|
//convert to hex
|
2019-06-19 22:31:53 +08:00
|
|
|
for ( int i = 0; i < SHA_DIGEST_LENGTH; i++ )
|
|
|
|
sprintf(&final_hash[i*2]+1, "%02X", (unsigned int)digest_final[i]);
|
|
|
|
final_hash[SHA_DIGEST_LENGTH *2 + 1] = 0;
|
2019-05-04 23:52:53 +08:00
|
|
|
|
2019-06-19 22:31:53 +08:00
|
|
|
Debug(1, "Computed password_hash:%s, stored password_hash:%s", final_hash, db_password_hash);
|
2019-05-04 23:52:53 +08:00
|
|
|
password_correct = (strcmp(db_password_hash, final_hash)==0);
|
2019-06-19 22:31:53 +08:00
|
|
|
} else if (
|
|
|
|
(db_password_hash[0] == '$')
|
|
|
|
&&
|
2019-08-28 22:33:18 +08:00
|
|
|
(db_password_hash[1] == '2')
|
2019-06-19 22:31:53 +08:00
|
|
|
&&
|
|
|
|
(db_password_hash[3] == '$')
|
|
|
|
) {
|
2019-05-03 23:40:35 +08:00
|
|
|
// BCRYPT
|
2019-06-19 22:31:53 +08:00
|
|
|
Debug(1, "%s is using a bcrypt encoded password", username);
|
2019-05-03 23:40:35 +08:00
|
|
|
BCrypt bcrypt;
|
|
|
|
std::string input_hash = bcrypt.generateHash(std::string(input_password));
|
|
|
|
password_correct = bcrypt.validatePassword(std::string(input_password), std::string(db_password_hash));
|
2019-06-24 23:35:36 +08:00
|
|
|
} else if ( strncmp(db_password_hash, "-ZM-",4) == 0 ) {
|
|
|
|
Error("Authentication failed - migration of password not complete. Please log into web console for this user and retry this operation");
|
|
|
|
return false;
|
2019-06-19 22:31:53 +08:00
|
|
|
} else {
|
2019-06-24 23:35:36 +08:00
|
|
|
Warning("%s is using a plain text (not recommended) or scheme not understood", username);
|
2019-05-03 23:40:35 +08:00
|
|
|
password_correct = (strcmp(input_password, db_password_hash) == 0);
|
2019-06-24 23:28:32 +08:00
|
|
|
}
|
|
|
|
|
2019-05-03 23:40:35 +08:00
|
|
|
return password_correct;
|
2019-06-19 22:31:53 +08:00
|
|
|
}
|