diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/couchdb/couch_httpd_auth.erl | 32 | ||||
-rw-r--r-- | src/couchdb/couch_util.erl | 17 | ||||
-rw-r--r-- | src/erlang-oauth/oauth_hmac_sha1.erl | 2 | ||||
-rw-r--r-- | src/erlang-oauth/oauth_plaintext.erl | 2 |
4 files changed, 38 insertions, 15 deletions
diff --git a/src/couchdb/couch_httpd_auth.erl b/src/couchdb/couch_httpd_auth.erl index a1222df4..5c87f427 100644 --- a/src/couchdb/couch_httpd_auth.erl +++ b/src/couchdb/couch_httpd_auth.erl @@ -71,8 +71,9 @@ default_authentication_handler(Req) -> UserProps -> UserSalt = proplists:get_value(<<"salt">>, UserProps, <<>>), PasswordHash = hash_password(?l2b(Pass), UserSalt), - case proplists:get_value(<<"password_sha">>, UserProps, nil) of - ExpectedHash when ExpectedHash == PasswordHash -> + ExpectedHash = proplists:get_value(<<"password_sha">>, UserProps, nil), + case couch_util:verify(ExpectedHash, PasswordHash) of + true -> Req#httpd{user_ctx=#user_ctx{ name=?l2b(User), roles=proplists:get_value(<<"roles">>, UserProps, []), @@ -268,15 +269,19 @@ cookie_authentication_handler(#httpd{mochi_req=MochiReq}=Req) -> Timeout = to_int(couch_config:get("couch_httpd_auth", "timeout", 600)), ?LOG_DEBUG("timeout ~p", [Timeout]), case (catch erlang:list_to_integer(TimeStr, 16)) of - TimeStamp when CurrentTime < TimeStamp + Timeout - andalso ExpectedHash == Hash -> - TimeLeft = TimeStamp + Timeout - CurrentTime, - ?LOG_DEBUG("Successful cookie auth as: ~p", [User]), - Req#httpd{user_ctx=#user_ctx{ - name=?l2b(User), - roles=proplists:get_value(<<"roles">>, UserProps, []), - user_doc=proplists:get_value(<<"user_doc">>, UserProps, null) - }, auth={FullSecret, TimeLeft < Timeout*0.9}}; + TimeStamp when CurrentTime < TimeStamp + Timeout -> + case couch_util:verify(ExpectedHash, Hash) of + true -> + TimeLeft = TimeStamp + Timeout - CurrentTime, + ?LOG_DEBUG("Successful cookie auth as: ~p", [User]), + Req#httpd{user_ctx=#user_ctx{ + name=?l2b(User), + roles=proplists:get_value(<<"roles">>, UserProps, []), + user_doc=proplists:get_value(<<"user_doc">>, UserProps, null) + }, auth={FullSecret, TimeLeft < Timeout*0.9}}; + _Else -> + Req + end; _Else -> Req end @@ -344,8 +349,9 @@ handle_session_req(#httpd{method='POST', mochi_req=MochiReq}=Req) -> end, UserSalt = proplists:get_value(<<"salt">>, User, <<>>), PasswordHash = hash_password(Password, UserSalt), - case proplists:get_value(<<"password_sha">>, User, nil) of - ExpectedHash when ExpectedHash == PasswordHash -> + ExpectedHash = proplists:get_value(<<"password_sha">>, User, nil), + case couch_util:verify(ExpectedHash, PasswordHash) of + true -> % setup the session cookie Secret = ?l2b(ensure_cookie_auth_secret()), {NowMS, NowS, _} = erlang:now(), diff --git a/src/couchdb/couch_util.erl b/src/couchdb/couch_util.erl index 6edfb781..45d1d336 100644 --- a/src/couchdb/couch_util.erl +++ b/src/couchdb/couch_util.erl @@ -21,6 +21,7 @@ -export([file_read_size/1, get_nested_json_value/2, json_user_ctx/1]). -export([to_binary/1, to_integer/1, to_list/1, url_encode/1]). -export([json_encode/1, json_decode/1]). +-export([verify/2]). -include("couch_db.hrl"). -include_lib("kernel/include/file.hrl"). @@ -423,3 +424,19 @@ json_decode(V) -> _Type:_Error -> throw({invalid_json,V}) end. + +verify([X|RestX], [Y|RestY], Result) -> + verify(RestX, RestY, (X bxor Y) bor Result); +verify([], [], Result) -> + Result == 0. + +verify(<<X/binary>>, <<Y/binary>>) -> + verify(?b2l(X), ?b2l(Y)); +verify(X, Y) when is_list(X) and is_list(Y) -> + case length(X) == length(Y) of + true -> + verify(X, Y, 0); + false -> + false + end; +verify(_X, _Y) -> false. diff --git a/src/erlang-oauth/oauth_hmac_sha1.erl b/src/erlang-oauth/oauth_hmac_sha1.erl index 69064edd..79d59f37 100644 --- a/src/erlang-oauth/oauth_hmac_sha1.erl +++ b/src/erlang-oauth/oauth_hmac_sha1.erl @@ -8,4 +8,4 @@ signature(BaseString, CS, TS) -> base64:encode_to_string(crypto:sha_mac(Key, BaseString)). verify(Signature, BaseString, CS, TS) -> - Signature =:= signature(BaseString, CS, TS). + couch_util:verify(signature(BaseString, CS, TS), Signature). diff --git a/src/erlang-oauth/oauth_plaintext.erl b/src/erlang-oauth/oauth_plaintext.erl index d8085e02..41a1e9b2 100644 --- a/src/erlang-oauth/oauth_plaintext.erl +++ b/src/erlang-oauth/oauth_plaintext.erl @@ -7,4 +7,4 @@ signature(CS, TS) -> oauth_uri:calate("&", [CS, TS]). verify(Signature, CS, TS) -> - Signature =:= signature(CS, TS). + couch_util:verify(signature(CS, TS), Signature). |