Skip to content

Commit

Permalink
Add bcrypt encryption option to Vend::UserDB
Browse files Browse the repository at this point in the history 
* Full bcrypt support
  + Requires modules Digest::Bcrypt and Crypt::Random.
  + Enabled with "bcrypt" key in catalog UserDB setting.
    - Ex: UserDB  default  bcrypt  1
  + Pads out passwords to 72-character limit of bcrypt to
    increase difficulty of brute-forcing weak passwords.
    - Optional "pepper" (highly recommended) to make padding
      pattern unique per catalog.
  + Defaults to cost of 13.

* Storage follows general guidelines of modular crypt format
  (MCF), both weaning it from the length-based cipher
  identification, but also allowing it to identify a "pre digest"
  against the password (discussed below).
  + Example storage structure:
    $2y$14$F4PQQ6QTuRFo0FBAYP1rhQIqJSTg7iHSS619fmiAOhvk5b5Ui8o6o

* Uses a "more complex than usual" approach to manage the
  identifier than the standard MCF. This complexity is used to
  specify which algorithm "pre digested" the raw password. They
  are as follows:

  + $2y$ - standard, default identifier. Means bcrypt processed
    the raw password directly.

  + $2s$ - s => SHA1. Indicates bcrypt process first runs the raw
    password through the SHA1 algorithm before encrypting. If you
    update passwords originally stored as SHA1 as a background
    process, the resulting bcrypt structures should all have this
    identifier.
    - Example storage structure:
      $2s$14$F4PQQ6QTuRFo0FBAYP1rhQIqJSTg7iHSS619fmiAOhvk5b5Ui8o6o

  + $2m$ - m => MD5. Same as $2s$ but for passwords that are
    originally stored MD5.
    - Example storage structure:
      $2m$14$iJ7kMcGiNXRvBTRBIHVrmw1Rfq224SXd0QzSsKOupop4nZTVhEotA

  + $2n$..$ - n => md5_salted encryption algorithm. '..' are the 2
    salt characters in the original stored password, made available
    so that the "pre digest" step can accurately reproduce the
    salted MD5 structure before bcrypting and comparing.
    - Example storage structure:
      $2n$jQ$14$MZjidwOjuROki9TXdJofsgp2ne2Vrm6JJtLcF+0f51mE1ncee0XZk

  + $2c$..$ - c => crypt(). Same as md5_salted, but with crypt()
    instead.
    - Example storage structure:
      $2c$m4$14$QeCj3irfIJOWoWKHUtNpUQVxwXl8Sl4zRo79d7BRPQpDTSlaCTJv0

  The "pre digested" feature allows a site developer to create
  a background process for updating an existing user table with
  bcrypted passwords even if the table is already encrypted by
  one of the previously supported ciphers. Thus, in a matter of
  minutes to weeks (depending on the size of your user table and
  chosen bcrypt cost) your passwords can be fully upgraded to
  bcrypt without having to wait on the organic process "promote"
  allows, or having to know any of your users' original
  passwords.

* New routine construct_bcrypt() in Vend::UserDB. Takes a
  single hash ref argument with keys "password", "type"
  (optional), and "profile" (optional). Returns a
  properly-formatted bcrypt structure suitable for being stored
  in the password field of the user table of interest.

  Anticipated usage scenario would be for a developer with an
  already encrypted user table (sha1, md5, md5_salted, or crypt)
  to create an Interchange job that slurps in all the encrypted
  passwords, passes them along with the type of encryption that
  created them (described below), and gets in return the
  appropriate bcrypt structure reflecting that original
  encryption type to write back to the user table's password
  field.

  + If "type" is left off, assumes code is encrypting against
    the raw password. Returns structure with identifier $2y$.
    Otherwise, "type" is any of the supported Interchange
    encryption options:

    - sha1 (identifier returned is $2s$)
    - md5 (identifier returned is $2m$)
    - md5_salted (identifier returned is $2n$..$)
    - crypt (identifier returned is $2c$..$)

  + If "profile" is left off, uses "default" profile, which
    is typically the definition for the userdb table. Common
    other profile is "ui", which defines the access table for
    the admin.

  Whatever profile is being used, it must have been set to use
  bcrypt before executing code that calls construct_bcrypt().
  If it's set to anything other than bcrypt, the routine dies
  with an error.

  + Example usage: if my "ui" profile is configured with
    "crypt" (as it is by default), I have crypt() passwords in
    the access table:

    UserDB  ui  crypt 1

    I first change and promote to bcrypt by replacing the above
    with:

    UserDB  ui  promote 1
    UserDB  ui  bcrypt  1
    UserDB  ui  bcrypt_pepper {some reasonably long random string}

    Then, rather than wait for every user to eventually log
    in, I run all my crypt passwords through construct_bcrypt().
    If I have, for example, a password of cWNLm21WqgOKU:

    my $bcrypt_password = Vend::UserDB::construct_bcrypt(
        {
            password => 'cWNLm21WqgOKU',
            type => 'crypt',
            profile => 'ui',
        }
    )

    and $bcrypt_password now holds something like:
    $2c$cW$14$QeCj3irfIJOWoWKHUtNpUQVxwXl8Sl4zRo79d7BRPQpDTSlaCTJv0

    which can directly overwrite cWNLm21WqgOKU in the password
    field.

* "promote" flag has been expanded to recognize intra-bcrypt
  config changes between the cost of a stored password and the
  current cost being used for encryption. E.g., if the current
  cost setting for bcrypt is 14, but the storage structure
  indicates $2y$13$..., promote catches that and updates the
  password in the database to the calculated structure for cost
  14.
  • Loading branch information
@msjohns1
msjohns1 committed Jun 19, 2014
1 parent 8a9a01e commit 3cd3b37
Showing 1 changed file with 204 additions and 8 deletions.
212 changes: 204 additions & 8 deletions lib/Vend/UserDB.pm
View file
Expand Up @@ -24,6 +24,7 @@ use vars qw!
@S_FIELDS @B_FIELDS @P_FIELDS @I_FIELDS
%S_to_B %B_to_S
$USERNAME_GOOD_CHARS
$Has_Bcrypt
!;

use Vend::Data;
Expand All @@ -32,6 +33,27 @@ use Vend::Safe;
use strict;
no warnings qw(uninitialized numeric);

{
local $@;
eval {
require Digest::Bcrypt;
require Crypt::Random;
};
unless ($@) {
$Has_Bcrypt = 1;
}
}

use constant BCOST => 13;

# Map between bcrypt identifier letter and "pre-digested" encryption type
my %cipher_map = qw/
s sha1
m md5
n md5_salted
c default
/;

my $ready = new Vend::Safe;

# The object encryption methods take three arguments: object, password, and
Expand All @@ -44,6 +66,7 @@ my %enc_subs = (
md5 => \&enc_md5,
md5_salted => \&enc_md5_salted,
sha1 => \&enc_sha1,
bcrypt => \&enc_bcrypt,
);

sub enc_default {
Expand Down Expand Up @@ -95,16 +118,185 @@ sub enc_sha1 {
return Vend::Util::sha1_hex(shift);
}

sub enc_bcrypt {
my $obj = shift;
unless ($Has_Bcrypt) {
$obj->log_either('Bcrypt passwords unavailable. Are Digest::Bcrypt and Crypt::Random installed?');
return;
}
my ($password, $salt) = @_;
my $store = bmarshal($salt);
my $opt = $obj->{OPTIONS} || {};

my $bcrypt = Digest::Bcrypt->new;

my $salt =
$store->{salt}
||
Crypt::Random::makerandom_octet(
Length => 16, # bcrypt requirement
Strength => 0, # /dev/urandom instead of /dev/random
)
;
my $cost = bcost($opt, $store);

$bcrypt->cost($cost);
$bcrypt->salt($salt);
$bcrypt->add($obj->brpad($password, $opt, $store->{cipher}));

return bserialize($bcrypt, $store->{cipher});
}

sub bcost {
my $opt = shift;
my $store = shift || {};
return $store->{cost} || $opt->{cost} || BCOST;
}

sub brpad {
my $obj = shift;
my ($data, $opt, $cipher) = @_;

# If passwords are already stored SHA1, MD5, or crypt(),
# and there is no desire to allow promote to organically
# update them, the existing encrypted passwords can be
# bcrypted wholesale and future submission by users will
# "pre-digest" to the original encrypted structure
# for comparison against the bcrypt hashes.
#
# This is indicated by the structure of the cipher:
# * $2c$XX$ - original crypt() password with XX salt
# * $2m$ - plain MD5 digest on password
# * $2n$XX$ - salted MD5 digest on password
# * $2s$ - plain SHA1 digest on password

$data = $obj->pre_digest($data, $cipher);

# Increase difficulty to brute force passwords by right padding out
# to at least 72 character length. Most effective with "pepper" set
# in catalog config.

while (length ($data) < 72) {
my $md5 = Digest::MD5->new;
$md5->add($opt->{bcrypt_pepper})
if $opt->{bcrypt_pepper};
$data .= $md5->add($data)->b64digest;
}
return $data;
}

sub bserialize {
my $bcrypt = shift;
my $cipher = shift || '$2y$';

my $encoded_salt = substr (MIME::Base64::encode_base64($bcrypt->salt,''),0,-2);

return $cipher .
join (
'$',
sprintf ('%02d', $bcrypt->cost),
$encoded_salt . $bcrypt->b64digest,
)
;
}

sub bmarshal {
local $_ = shift;

my $cipher = '';
s/^(\$2(?:[yms]|[nc]\$..)\$)//
and $cipher = $1;

return {} unless $cipher;

my ($cost, $combined) = grep { /\S/ } split /\$/;
my ($encoded_salt, $hash) = $combined =~ /^(.{22})(.*)$/;

return {} if
$cost < 1
||
$cost > 31
||
$encoded_salt =~ m{[^a-z0-9+/]}i
||
($hash || '-') =~ m{[^a-z0-9+/]}i
;

return {
cipher => $cipher,
salt => MIME::Base64::decode_base64("$encoded_salt=="),
cost => $cost,
hash => $hash,
};
}

sub pre_digest {
my $obj = shift;
my $data = shift;
my $cipher = shift || '';
my ($id, $salt) = grep { /\S/ } split /\$/, $cipher;

# Starts with "2" or not bcrypt
$id =~ s/^2//
or return $data;

# Must have routine key defined in %cipher_map
my $key = $cipher_map{$id}
or return $data;

return $enc_subs{$key}->($obj, $data, $salt);
}

sub construct_bcrypt {
my $opt = shift;

my $bstruct =
__PACKAGE__
-> new(profile => $opt->{profile})
-> do_crypt($opt->{password})
;

die sprintf (
q{Encryption type for profile '%s' must be bcrypt},
$opt->{profile} || 'default'
)
unless substr ($bstruct, 0, 4) eq '$2y$';

return $bstruct unless my $type = $opt->{type};

my %type_map = (crypt => 'c', reverse %cipher_map);
my $cipher = $type_map{ $type }
or die "$type is an unrecognized crypt type";

my $salt =
$cipher eq 'n' ? substr ($opt->{password}, -2) :
$cipher eq 'c' ? substr ($opt->{password}, 0, 2)
: ''
;
$salt &&= '$' . $salt;

$bstruct =~ s/y/$cipher$salt/;

return $bstruct;
}

# Maps the length of the encrypted data to the algorithm that
# produces it. This method will have to be re-evaluated if competing
# algorithms are introduced which produce the same-length value.
# produces it, or the identifier of the format from modular
# crypt format (MCF) in the case of bcrypt.
my %enc_id = qw/
13 default
32 md5
35 md5_salted
40 sha1
13 default
32 md5
35 md5_salted
40 sha1
$2 bcrypt
/;

sub determine_cipher {
my $hash = shift;
my ($cipher) = $hash =~ /^(\$\d+)/;
return $cipher || length ($hash);
}

=head1 NAME
UserDB.pm -- Interchange User Database Functions
Expand Down Expand Up @@ -1550,15 +1742,19 @@ sub login {
my ($cur_method) = grep { $self->{OPTIONS}{ $_ } } keys %enc_subs;
$cur_method ||= 'default';

my $stored_by = $enc_id{ length($db_pass) };
my $stored_by = $enc_id{ determine_cipher($db_pass) };

if (
$cur_method ne $stored_by
||
$cur_method eq 'bcrypt'
&&
bcost($self->{OPTIONS}) != bcost($self->{OPTIONS}, bmarshal($db_pass))
and
$db_pass eq $enc_subs{$stored_by}->($self, $pw, $db_pass)
) {

my $newpass = $enc_subs{$cur_method}->($self, $pw, $db_pass);
my $newpass = $enc_subs{$cur_method}->($self, $pw, Vend::Util::random_string(2));
my $db_newpass = eval {
$self->{DB}->set_field(
$self->{USERNAME},
Expand Down

0 comments on commit 3cd3b37

Please sign in to comment.