couchdb-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rnew...@apache.org
Subject [05/11] couch commit: updated refs/heads/master to 7ab7995
Date Wed, 21 May 2014 16:53:20 GMT
Verify that auth-related properties are well-formed

Passing unexpected values to auth fields can result in server
issues. Notably, setting "iterations" to a string will cause an
infinite loop as the comparison 'when Iteration > Iterations' will
never evaluate to true.

The latest validate_doc_update prevents user docs with this problem
and administrators can deploy that check themselves (and only
administrators can edit design documents).

A server administrator can also insist on lower and upper bounds for
iteration count to reject weakly protected passwords and
resource-hungry passwords respectively.

COUCHDB-2221


Project: http://git-wip-us.apache.org/repos/asf/couchdb-couch/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-couch/commit/67389ff1
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-couch/tree/67389ff1
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-couch/diff/67389ff1

Branch: refs/heads/master
Commit: 67389ff1e2cb8aa227674aa586d4e99f5c9931aa
Parents: 0aa1ed6
Author: Robert Newson <rnewson@apache.org>
Authored: Sun Apr 6 18:31:15 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Wed May 21 15:00:46 2014 +0100

----------------------------------------------------------------------
 src/couch_httpd_auth.erl | 17 +++++++++++++++++
 src/couch_passwords.erl  | 15 +++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/67389ff1/src/couch_httpd_auth.erl
----------------------------------------------------------------------
diff --git a/src/couch_httpd_auth.erl b/src/couch_httpd_auth.erl
index e10ac25..43d647d 100644
--- a/src/couch_httpd_auth.erl
+++ b/src/couch_httpd_auth.erl
@@ -368,11 +368,28 @@ authenticate(Pass, UserProps) ->
             couch_util:get_value(<<"password_sha">>, UserProps, nil)};
         <<"pbkdf2">> ->
             Iterations = couch_util:get_value(<<"iterations">>, UserProps, 10000),
+            verify_iterations(Iterations),
             {couch_passwords:pbkdf2(Pass, UserSalt, Iterations),
              couch_util:get_value(<<"derived_key">>, UserProps, nil)}
     end,
     couch_passwords:verify(PasswordHash, ExpectedHash).
 
+verify_iterations(Iterations) when is_integer(Iterations) ->
+    Min = list_to_integer(config:get("couch_httpd_auth", "min_iterations", "1")),
+    Max = list_to_integer(config:get("couch_httpd_auth", "max_iterations", "1000000000")),
+    case Iterations < Min of
+        true ->
+            throw({forbidden, <<"Iteration count is too low for this server">>});
+        false ->
+            ok
+    end,
+    case Iterations > Max of
+        true ->
+            throw({forbidden, <<"Iteration count is too high for this server">>});
+        false ->
+            ok
+    end.
+
 auth_name(String) when is_list(String) ->
     [_,_,_,_,_,Name|_] = re:split(String, "[\\W_]", [{return, list}]),
     ?l2b(Name).

http://git-wip-us.apache.org/repos/asf/couchdb-couch/blob/67389ff1/src/couch_passwords.erl
----------------------------------------------------------------------
diff --git a/src/couch_passwords.erl b/src/couch_passwords.erl
index d0f36cc..f038031 100644
--- a/src/couch_passwords.erl
+++ b/src/couch_passwords.erl
@@ -22,12 +22,12 @@
 
 %% legacy scheme, not used for new passwords.
 -spec simple(binary(), binary()) -> binary().
-simple(Password, Salt) ->
+simple(Password, Salt) when is_binary(Password), is_binary(Salt) ->
     ?l2b(couch_util:to_hex(crypto:sha(<<Password/binary, Salt/binary>>))).
 
 %% CouchDB utility functions
 -spec hash_admin_password(binary()) -> binary().
-hash_admin_password(ClearPassword) ->
+hash_admin_password(ClearPassword) when is_binary(ClearPassword) ->
     Iterations = config:get("couch_httpd_auth", "iterations", "10000"),
     Salt = couch_uuids:random(),
     DerivedKey = couch_passwords:pbkdf2(couch_util:to_binary(ClearPassword),
@@ -50,7 +50,10 @@ get_unhashed_admins() ->
 
 %% Current scheme, much stronger.
 -spec pbkdf2(binary(), binary(), integer()) -> binary().
-pbkdf2(Password, Salt, Iterations) ->
+pbkdf2(Password, Salt, Iterations) when is_binary(Password),
+                                        is_binary(Salt),
+                                        is_integer(Iterations),
+                                        Iterations > 0 ->
     {ok, Result} = pbkdf2(Password, Salt, Iterations, ?SHA1_OUTPUT_LENGTH),
     Result.
 
@@ -59,7 +62,11 @@ pbkdf2(Password, Salt, Iterations) ->
 pbkdf2(_Password, _Salt, _Iterations, DerivedLength)
     when DerivedLength > ?MAX_DERIVED_KEY_LENGTH ->
     {error, derived_key_too_long};
-pbkdf2(Password, Salt, Iterations, DerivedLength) ->
+pbkdf2(Password, Salt, Iterations, DerivedLength) when is_binary(Password),
+                                                       is_binary(Salt),
+                                                       is_integer(Iterations),
+                                                       Iterations > 0,
+                                                       is_integer(DerivedLength) ->
     L = ceiling(DerivedLength / ?SHA1_OUTPUT_LENGTH),
     <<Bin:DerivedLength/binary,_/binary>> =
         iolist_to_binary(pbkdf2(Password, Salt, Iterations, L, 1, [])),


Mime
View raw message