Add strong salted password hashing using PBKDF2

2020-07-10 23:25:13 +02:00
parent 96e413c0b4
commit 1f44d03934
4 changed files with 114 additions and 13 deletions


@ -5,7 +5,9 @@ import static envoy.data.User.UserStatus.ONLINE;
import static envoy.event.HandshakeRejection.*;
import java.time.LocalDateTime;
import java.util.*;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.logging.Logger;
import javax.persistence.NoResultException;
@ -19,7 +21,8 @@ import envoy.server.data.PersistenceManager;
import envoy.server.data.User;
import envoy.server.net.ConnectionManager;
import envoy.server.net.ObjectWriteProxy;
import envoy.server.util.VersionUtils;
import envoy.server.util.PasswordUtil;
import envoy.server.util.VersionUtil;
import envoy.util.Bounds;
import envoy.util.EnvoyLog;
@ -47,7 +50,7 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
// Cache this write proxy for user-independant notifications
UserStatusChangeProcessor.setWriteProxy(writeProxy);
if (!VersionUtils.verifyCompatibility(credentials.getClientVersion())) {
if (!VersionUtil.verifyCompatibility(credentials.getClientVersion())) {
logger.info("The client has the wrong version.");
writeProxy.write(socketID, new HandshakeRejection(WRONG_VERSION));
return;
@ -66,7 +69,7 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
return;
}
// Evaluating the correctness of the password hash
if (!Arrays.equals(credentials.getPasswordHash(), user.getPasswordHash())) {
if (!PasswordUtil.validate(credentials.getPassword(), user.getPasswordHash())) {
logger.info(user + " has entered the wrong password.");
writeProxy.write(socketID, new HandshakeRejection(WRONG_PASSWORD_OR_USER));
return;
@ -97,7 +100,7 @@ public final class LoginCredentialProcessor implements ObjectProcessor<LoginCred
user.setName(credentials.getIdentifier());
user.setLastSeen(LocalDateTime.now());
user.setStatus(ONLINE);
user.setPasswordHash(credentials.getPasswordHash());
user.setPasswordHash(PasswordUtil.hash(credentials.getPassword()));
user.setContacts(new HashSet<>());
persistenceManager.addContact(user);
logger.info("Registered new " + user);
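Review bot: The check `PasswordUtil.validate(credentials.getPassword(), user.getPasswordHash())` in the login hunk expects the stored value to be a PBKDF2 hash, but accounts registered before this commit were stored via the removed `user.setPasswordHash(credentials.getPasswordHash())` in the registration hunk, so their stored bytes are presumably in the old client-hash format and will fail validation for every existing user unless a migration or a format check exists outside this diff. The context comment `// Evaluating the correctness of the password hash` above the check is now misleading, because the credential carries the password itself rather than a client-side hash; I would change it to `// The client now sends the password itself; PasswordUtil re-derives the salted PBKDF2 hash and compares it, so an encrypted transport is a precondition of this path.` Whether the connection is encrypted is not visible here, and PasswordUtil's parameters (iteration count, salt length, constant-time compare) are not part of this diff, so they cannot be reviewed from it. The enclosing method starts and ends outside the hunk.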