You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@couchdb.apache.org by ja...@apache.org on 2010/01/12 20:29:24 UTC

svn commit: r898477 - in /couchdb/trunk: src/couchdb/couch_httpd_auth.erl src/couchdb/couch_util.erl src/erlang-oauth/oauth_hmac_sha1.erl src/erlang-oauth/oauth_plaintext.erl test/etap/040-util.t

Author: jasondavies
Date: Tue Jan 12 19:29:23 2010
New Revision: 898477

URL: http://svn.apache.org/viewvc?rev=898477&view=rev
Log:
Add utility for verifying hashes.

Modified:
    couchdb/trunk/src/couchdb/couch_httpd_auth.erl
    couchdb/trunk/src/couchdb/couch_util.erl
    couchdb/trunk/src/erlang-oauth/oauth_hmac_sha1.erl
    couchdb/trunk/src/erlang-oauth/oauth_plaintext.erl
    couchdb/trunk/test/etap/040-util.t

Modified: couchdb/trunk/src/couchdb/couch_httpd_auth.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_httpd_auth.erl?rev=898477&r1=898476&r2=898477&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_httpd_auth.erl (original)
+++ couchdb/trunk/src/couchdb/couch_httpd_auth.erl Tue Jan 12 19:29:23 2010
@@ -71,8 +71,9 @@
             UserProps ->
                 UserSalt = proplists:get_value(<<"salt">>, UserProps, <<>>),
                 PasswordHash = hash_password(?l2b(Pass), UserSalt),
-                case proplists:get_value(<<"password_sha">>, UserProps, nil) of
-                    ExpectedHash when ExpectedHash == PasswordHash ->                        
+                ExpectedHash = proplists:get_value(<<"password_sha">>, UserProps, nil),
+                case couch_util:verify(ExpectedHash, PasswordHash) of
+                    true ->
                         Req#httpd{user_ctx=#user_ctx{
                             name=?l2b(User),
                             roles=proplists:get_value(<<"roles">>, UserProps, []),
@@ -268,15 +269,19 @@
                 Timeout = to_int(couch_config:get("couch_httpd_auth", "timeout", 600)),
                 ?LOG_DEBUG("timeout ~p", [Timeout]),
                 case (catch erlang:list_to_integer(TimeStr, 16)) of
-                    TimeStamp when CurrentTime < TimeStamp + Timeout
-                    andalso ExpectedHash == Hash ->
-                        TimeLeft = TimeStamp + Timeout - CurrentTime,
-                        ?LOG_DEBUG("Successful cookie auth as: ~p", [User]),
-                        Req#httpd{user_ctx=#user_ctx{
-                            name=?l2b(User),
-                            roles=proplists:get_value(<<"roles">>, UserProps, []),
-                            user_doc=proplists:get_value(<<"user_doc">>, UserProps, null)
-                        }, auth={FullSecret, TimeLeft < Timeout*0.9}};
+                    TimeStamp when CurrentTime < TimeStamp + Timeout ->
+                        case couch_util:verify(ExpectedHash, Hash) of
+                            true ->
+                                TimeLeft = TimeStamp + Timeout - CurrentTime,
+                                ?LOG_DEBUG("Successful cookie auth as: ~p", [User]),
+                                Req#httpd{user_ctx=#user_ctx{
+                                    name=?l2b(User),
+                                    roles=proplists:get_value(<<"roles">>, UserProps, []),
+                                    user_doc=proplists:get_value(<<"user_doc">>, UserProps, null)
+                                }, auth={FullSecret, TimeLeft < Timeout*0.9}};
+                            _Else ->
+                                Req
+                        end;
                     _Else ->
                         Req
                 end
@@ -344,8 +349,9 @@
     end,
     UserSalt = proplists:get_value(<<"salt">>, User, <<>>),
     PasswordHash = hash_password(Password, UserSalt),
-    case proplists:get_value(<<"password_sha">>, User, nil) of
-        ExpectedHash when ExpectedHash == PasswordHash ->
+    ExpectedHash = proplists:get_value(<<"password_sha">>, User, nil),
+    case couch_util:verify(ExpectedHash, PasswordHash) of
+        true ->
             % setup the session cookie
             Secret = ?l2b(ensure_cookie_auth_secret()),
             {NowMS, NowS, _} = erlang:now(),

Modified: couchdb/trunk/src/couchdb/couch_util.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/couchdb/couch_util.erl?rev=898477&r1=898476&r2=898477&view=diff
==============================================================================
--- couchdb/trunk/src/couchdb/couch_util.erl (original)
+++ couchdb/trunk/src/couchdb/couch_util.erl Tue Jan 12 19:29:23 2010
@@ -21,6 +21,7 @@
 -export([file_read_size/1, get_nested_json_value/2, json_user_ctx/1]).
 -export([to_binary/1, to_integer/1, to_list/1, url_encode/1]).
 -export([json_encode/1, json_decode/1]).
+-export([verify/2]).
 
 -include("couch_db.hrl").
 -include_lib("kernel/include/file.hrl").
@@ -423,3 +424,19 @@
         _Type:_Error ->
             throw({invalid_json,V})
     end.
+
+verify([X|RestX], [Y|RestY], Result) ->
+    verify(RestX, RestY, (X bxor Y) bor Result);
+verify([], [], Result) ->
+    Result == 0.
+
+verify(<<X/binary>>, <<Y/binary>>) ->
+    verify(?b2l(X), ?b2l(Y));
+verify(X, Y) when is_list(X) and is_list(Y) ->
+    case length(X) == length(Y) of
+        true ->
+            verify(X, Y, 0);
+        false ->
+            false
+    end;
+verify(_X, _Y) -> false.

Modified: couchdb/trunk/src/erlang-oauth/oauth_hmac_sha1.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/erlang-oauth/oauth_hmac_sha1.erl?rev=898477&r1=898476&r2=898477&view=diff
==============================================================================
--- couchdb/trunk/src/erlang-oauth/oauth_hmac_sha1.erl (original)
+++ couchdb/trunk/src/erlang-oauth/oauth_hmac_sha1.erl Tue Jan 12 19:29:23 2010
@@ -8,4 +8,4 @@
   base64:encode_to_string(crypto:sha_mac(Key, BaseString)).
 
 verify(Signature, BaseString, CS, TS) ->
-  Signature =:= signature(BaseString, CS, TS).
+  couch_util:verify(signature(BaseString, CS, TS), Signature).

Modified: couchdb/trunk/src/erlang-oauth/oauth_plaintext.erl
URL: http://svn.apache.org/viewvc/couchdb/trunk/src/erlang-oauth/oauth_plaintext.erl?rev=898477&r1=898476&r2=898477&view=diff
==============================================================================
--- couchdb/trunk/src/erlang-oauth/oauth_plaintext.erl (original)
+++ couchdb/trunk/src/erlang-oauth/oauth_plaintext.erl Tue Jan 12 19:29:23 2010
@@ -7,4 +7,4 @@
   oauth_uri:calate("&", [CS, TS]).
 
 verify(Signature, CS, TS) ->
-  Signature =:= signature(CS, TS).
+  couch_util:verify(signature(CS, TS), Signature).

Modified: couchdb/trunk/test/etap/040-util.t
URL: http://svn.apache.org/viewvc/couchdb/trunk/test/etap/040-util.t?rev=898477&r1=898476&r2=898477&view=diff
==============================================================================
--- couchdb/trunk/test/etap/040-util.t (original)
+++ couchdb/trunk/test/etap/040-util.t Tue Jan 12 19:29:23 2010
@@ -17,7 +17,7 @@
     test_util:init_code_path(),
     application:start(crypto),
 
-    etap:plan(11),
+    etap:plan(16),
     case (catch test()) of
         ok ->
             etap:end_tests();
@@ -88,4 +88,16 @@
     etap:ok(not couch_util:should_flush(),
         "Checking to flush invokes GC."),
 
+    % verify
+    etap:is(true, couch_util:verify("It4Vooya", "It4Vooya"),
+         "String comparison."),
+    etap:is(false, couch_util:verify("It4VooyaX", "It4Vooya"),
+         "String comparison (unequal lengths)."),
+    etap:is(true, couch_util:verify(<<"ahBase3r">>, <<"ahBase3r">>),
+        "Binary comparison."),
+    etap:is(false, couch_util:verify(<<"ahBase3rX">>, <<"ahBase3r">>),
+        "Binary comparison (unequal lengths)."),
+    etap:is(false, couch_util:verify(nil, <<"ahBase3r">>),
+        "Binary comparison with atom."),
+
     ok.