From 41402fc03374ab7a63daa2472b2affb38fc163f0 Mon Sep 17 00:00:00 2001
From: Benny Baumann
Date: Sun, 19 Mar 2017 18:25:21 +0100
Subject: [PATCH] fix: Remove deprecated cryptography no longer needed for backward compat
Change-Id: I313eb549647a374f1740d6b0bea1b6e818dd68ed
---
 src/club/wpia/gigi/util/PasswordHash.java | 34 ++-----------------
 .../wpia/gigi/util/TestPasswordMigration.java | 20 ++++++++---
 2 files changed, 17 insertions(+), 37 deletions(-)
diff --git a/src/club/wpia/gigi/util/PasswordHash.java b/src/club/wpia/gigi/util/PasswordHash.java
index 51dffb70..7d2cb334 100644
--- a/src/club/wpia/gigi/util/PasswordHash.java
+++ b/src/club/wpia/gigi/util/PasswordHash.java
@@ -1,8 +1,5 @@
 package club.wpia.gigi.util;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Properties;
 import com.lambdaworks.crypto.SCryptUtil;
@@ -29,6 +26,7 @@ public class PasswordHash {
 if (password == null || password.isEmpty()) {
 return null;
 }
+
 if (hash.contains("$")) {
 if (SCryptUtil.check(password, hash)) {
 return hash;
@@ -36,36 +34,8 @@ public class PasswordHash {
 return null;
 }
 }
- String newhash = sha1(password);
- boolean match = true;
- if (newhash.length() != hash.length()) {
- match = false;
- }
- for (int i = 0; i < newhash.length(); i++) {
- match &= newhash.charAt(i) == hash.charAt(i);
- }
- if (match) {
- return hash(password);
- } else {
- return null;
- }
- }
- public static String sha1(String password) {
- try {
- MessageDigest md = MessageDigest.getInstance("SHA1");
- byte[] digest = md.digest(password.getBytes("UTF-8"));
- StringBuffer res = new StringBuffer(digest.length * 2);
- for (int i = 0; i < digest.length; i++) {
- res.append(Integer.toHexString((digest[i] & 0xF0) >> 4));
- res.append(Integer.toHexString(digest[i] & 0xF));
- }
- return res.toString();
- } catch (NoSuchAlgorithmException e) {
- throw new Error(e);
- } catch (UnsupportedEncodingException e) {
- throw new Error(e);
- }
+ return null;
 }
 public static String hash(String password) {
diff --git a/tests/club/wpia/gigi/util/TestPasswordMigration.java b/tests/club/wpia/gigi/util/TestPasswordMigration.java
index 17544a0b..1ad8ae8a 100644
--- a/tests/club/wpia/gigi/util/TestPasswordMigration.java
+++ b/tests/club/wpia/gigi/util/TestPasswordMigration.java
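Review bot: The new fall-through `return null;` at the end of verifyHash makes a stored value without `$` fail exactly like a wrong password, and nothing visible in this commit deals with rows that still hold a legacy SHA-1 digest. Those accounts would be locked out with no hint, and the unsalted digests stay in the `users` table, where they remain weakly protected if the table is ever disclosed; a one-off migration that clears them and forces a password reset looks like the missing half of this change. A comment on the final return, e.g. `// legacy unsalted SHA-1 hashes are rejected; affected accounts must reset their password`, would record the intent. verifyHash starts above the hunk, so whether `hash` is null-checked before `hash.contains("$")` cannot be judged from here.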
@@ -12,29 +12,39 @@ import club.wpia.gigi.database.GigiPreparedStatement;
 import club.wpia.gigi.database.GigiResultSet;
 import club.wpia.gigi.testUtils.ManagedTest;
 import club.wpia.gigi.testUtils.RegisteredUser;
-import club.wpia.gigi.util.PasswordHash;
 public class TestPasswordMigration extends ManagedTest {
 @Rule
 public RegisteredUser ru = new RegisteredUser();
+ /**
+ * Gigi used to support plain SHA-1 password hashes, for compatibility with
+ * legacy software. Since there currently is only one accepted hash format,
+ * this test now verifies that plain SHA-1 hashes are no longer accepted nor
+ * migrated to more recent hash formats.
+ *
+ * @see PasswordHash.verifyHash
+ * @see PasswordHash.hash
+ * @throws IOException
+ */
 @Test
- public void testPasswordMigration() throws IOException {
+ public void testNoSHA1PasswordMigration() throws IOException {
 try (GigiPreparedStatement stmt = new GigiPreparedStatement("UPDATE users SET `password`=? WHERE id=?")) {
- stmt.setString(1, PasswordHash.sha1("a"));
+ stmt.setString(1, "86f7e437faa5a7fce15d1ddcb9eaeaea377667b8"); // sha1("a")
 stmt.setInt(2, ru.getUser().getId());
 stmt.execute();
 }
+
 String cookie = login(ru.getUser().getEmail(), "a");
- assertTrue(isLoggedin(cookie));
+ assertFalse(isLoggedin(cookie));
 try (GigiPreparedStatement stmt = new GigiPreparedStatement("SELECT `password` FROM users WHERE id=?")) {
 stmt.setInt(1, ru.getUser().getId());
 GigiResultSet res = stmt.executeQuery();
 assertTrue(res.next());
 String newHash = res.getString(1);
- assertThat(newHash, containsString("$"));
+ assertThat(newHash, not(containsString("$")));
 }
 }
 }
--
2.39.2
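Review bot: The last assertion, `assertThat(newHash, not(containsString("$")))`, only shows that the stored value did not become an scrypt hash; it would also pass if the row had been rewritten to some other value. Comparing against the seeded value, `assertEquals("86f7e437faa5a7fce15d1ddcb9eaeaea377667b8", newHash);` (with its static import), pins "not migrated" exactly. The Javadoc member references should use `#`, i.e. `@see PasswordHash#verifyHash` and `@see PasswordHash#hash(String)`, otherwise the Javadoc tool cannot resolve them. The hunk uses `assertFalse` and `not` but adds no import lines, so it compiles only if static imports above line 12 already cover them, which cannot be seen here.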