From rnew...@apache.org
Subject [06/10] couch commit: updated refs/heads/import-master-tmp to 247a772
Date Wed, 23 Apr 2014 10:25:42 GMT
Merge branch '2221-bug-validate-auth-params'


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/bba073d1
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/bba073d1
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/bba073d1

Branch: refs/heads/import-master-tmp
Commit: bba073d13a4dcaed706c9198749e647bd9f6cdb8
Parents: bcb1c7d
Author: Robert Newson <rnewson@apache.org>
Authored: Wed Apr 9 21:45:10 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Wed Apr 23 11:21:18 2014 +0100

----------------------------------------------------------------------
 couch_httpd_auth.erl | 17 +++++++++++++++++
 couch_passwords.erl  | 15 +++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/bba073d1/couch_httpd_auth.erl
----------------------------------------------------------------------
diff --git a/couch_httpd_auth.erl b/couch_httpd_auth.erl
index 08841fb..6888f06 100644
--- a/couch_httpd_auth.erl
+++ b/couch_httpd_auth.erl
@@ -368,11 +368,28 @@ authenticate(Pass, UserProps) ->
             couch_util:get_value(<<"password_sha">>, UserProps, nil)};
         <<"pbkdf2">> ->
             Iterations = couch_util:get_value(<<"iterations">>, UserProps, 10000),
+            verify_iterations(Iterations),
             {couch_passwords:pbkdf2(Pass, UserSalt, Iterations),
              couch_util:get_value(<<"derived_key">>, UserProps, nil)}
     end,
     couch_passwords:verify(PasswordHash, ExpectedHash).
 
+verify_iterations(Iterations) when is_integer(Iterations) ->
+    Min = list_to_integer(couch_config:get("couch_httpd_auth", "min_iterations", "1")),
+    Max = list_to_integer(couch_config:get("couch_httpd_auth", "max_iterations", "1000000000")),
+    case Iterations < Min of
+        true ->
+            throw({forbidden, <<"Iteration count is too low for this server">>});
+        false ->
+            ok
+    end,
+    case Iterations > Max of
+        true ->
+            throw({forbidden, <<"Iteration count is too high for this server">>});
+        false ->
+            ok
+    end.
+
 auth_name(String) when is_list(String) ->
     [_,_,_,_,_,Name|_] = re:split(String, "[\\W_]", [{return, list}]),
     ?l2b(Name).
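Review bot: The fallback ceiling in `verify_iterations/1`, `"1000000000"`, is too high to bound anything in practice: a stored `iterations` value near that figure still sends the `pbkdf2` call on the next line of `authenticate/2` into a very long computation for each login attempt, and the fallback floor of `"1"` accepts a single-round derivation. Unless the shipped configuration sets tighter values (not visible here), I would choose defaults closer to the server's own `iterations` setting, for example `couch_config:get("couch_httpd_auth", "max_iterations", "100000")`, with the exact figure left to the maintainers. The function also has only an `is_integer/1` clause, so a user document carrying a string or float in `iterations` fails with `function_clause` instead of the `forbidden` reply; a second clause `verify_iterations(_) -> throw({forbidden, <<"Iteration count must be an integer">>}).` would keep the response uniform. `authenticate/2` begins above the hunk.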

http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/bba073d1/couch_passwords.erl
----------------------------------------------------------------------
diff --git a/couch_passwords.erl b/couch_passwords.erl
index d9e6836..bbf6d9a 100644
--- a/couch_passwords.erl
+++ b/couch_passwords.erl
@@ -22,12 +22,12 @@
 
 %% legacy scheme, not used for new passwords.
 -spec simple(binary(), binary()) -> binary().
-simple(Password, Salt) ->
+simple(Password, Salt) when is_binary(Password), is_binary(Salt) ->
     ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
 
 %% CouchDB utility functions
 -spec hash_admin_password(binary()) -> binary().
-hash_admin_password(ClearPassword) ->
+hash_admin_password(ClearPassword) when is_binary(ClearPassword) ->
     Iterations = couch_config:get("couch_httpd_auth", "iterations", "10000"),
     Salt = couch_uuids:random(),
     DerivedKey = couch_passwords:pbkdf2(couch_util:to_binary(ClearPassword),
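Review bot: The new `is_binary(ClearPassword)` guard on `hash_admin_password/1` turns the `couch_util:to_binary(ClearPassword)` call on the last visible line into a no-op, and it changes what callers see: a list password that the conversion presumably handled before now fails with `function_clause`. If every caller already passes a binary, drop the conversion and pass `ClearPassword` directly; if not, either relax the guard or convert at the call sites first. The body of `hash_admin_password/1` continues below the hunk, so how `Iterations` (read here as a string) reaches `pbkdf2` is not visible.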
@@ -50,7 +50,10 @@ get_unhashed_admins() ->
 
 %% Current scheme, much stronger.
 -spec pbkdf2(binary(), binary(), integer()) -> binary().
-pbkdf2(Password, Salt, Iterations) ->
+pbkdf2(Password, Salt, Iterations) when is_binary(Password),
+                                        is_binary(Salt),
+                                        is_integer(Iterations),
+                                        Iterations > 0 ->
     {ok, Result} = pbkdf2(Password, Salt, Iterations, ?SHA1_OUTPUT_LENGTH),
     Result.
 
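Review bot: The `-spec` for `pbkdf2/3` still declares the iteration count as `integer()` although the new guard rejects zero and negative values; `-spec pbkdf2(binary(), binary(), pos_integer()) -> binary().` would let Dialyzer flag such callers before they hit `function_clause` at run time. The clause also places no upper limit on `Iterations`, so a short comment above it, such as `%% No cap on Iterations here; callers handling stored or user-supplied values must range-check first.`, would record that the range check added in `couch_httpd_auth.erl` does not cover other callers.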
@@ -59,7 +62,11 @@ pbkdf2(Password, Salt, Iterations) ->
 pbkdf2(_Password, _Salt, _Iterations, DerivedLength)
     when DerivedLength > ?MAX_DERIVED_KEY_LENGTH ->
     {error, derived_key_too_long};
-pbkdf2(Password, Salt, Iterations, DerivedLength) ->
+pbkdf2(Password, Salt, Iterations, DerivedLength) when is_binary(Password),
+                                                       is_binary(Salt),
+                                                       is_integer(Iterations),
+                                                       Iterations > 0,
+                                                       is_integer(DerivedLength) ->
     L = ceiling(DerivedLength / ?SHA1_OUTPUT_LENGTH),
     <<Bin:DerivedLength/binary,_/binary>> =
         iolist_to_binary(pbkdf2(Password, Salt, Iterations, L, 1, [])),
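Review bot: `DerivedLength` gets only `is_integer/1` in the new guard on `pbkdf2/4`, whereas `Iterations` must also be positive; a negative length passes the guard and is likely to fail later, at the `<<Bin:DerivedLength/binary,_/binary>>` match or in the helper, with a less obvious error, so add `DerivedLength > 0` (or `>= 0` if a zero-length key is meant to be allowed). Separately, the first clause tests `DerivedLength > ?MAX_DERIVED_KEY_LENGTH` with no type guard, and in Erlang's term order every non-number compares greater than any number, so a binary or atom there returns `{error, derived_key_too_long}` instead of crashing like the other bad arguments; `when is_integer(DerivedLength), DerivedLength > ?MAX_DERIVED_KEY_LENGTH ->` would make the two clauses consistent. The body of the second clause continues below the hunk.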

