Changeset 33228 in vbox

Timestamp:

Oct 19, 2010 1:12:31 PM (14 years ago)

Author:

vboxsync

Message:

VBoxAuthSimple now requires SHA-256 hashes, no more cleartext passwords

Location:

trunk

Files:

• doc/manual/en_US/user_Frontends.xml (modified) (2 diffs)
• include/iprt/sha.h (modified) (2 diffs)
• src/VBox/Frontends/VBoxManage/VBoxInternalManage.cpp (modified) (5 diffs)
• src/VBox/Frontends/VBoxManage/VBoxManage.h (modified) (1 diff)
• src/VBox/HostServices/auth/simple/VBoxAuthSimple.cpp (modified) (4 diffs)

trunk/doc/manual/en_US/user_Frontends.xml

@@ -391 +391 @@
             Last but not least, you have to configure users and passwords. Here is an example
             for the user "john" with the password "secret":
-            <computeroutput>VBoxManage setextradata "VM name" "VBoxAuthSimple/users/john" "secret"</computeroutput>
-            To specify an empty password, use the special reserved value
-            <computeroutput>[NULL]</computeroutput>.
+            <computeroutput>VBoxManage internalcommands passwordhash "secret"</computeroutput>
+            This will give you the hash value "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"
+            which you set using
+            <computeroutput>VBoxManage setextradata "VM name" "VBoxAuthSimple/users/john"
+            "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b"</computeroutput>.
             </para>
           </listitem>
@@ -409 +411 @@
         default "external authentication module with any other module. For this,
         VirtualBox provides a well-defined interface that allows you to write your
-        own authentication module; see <xref
-        linkend="vbox-authenticate-sdk" /> for details.</para>
+        own authentication module; see <xref linkend="vbox-authenticate-sdk" />
+        for details.</para>
     </sect2>
 

trunk/include/iprt/sha.h

@@ -39 +39 @@
 #define RTSHA1_HASH_SIZE    20
 /** The length of a SHA-1 digest string. The terminator is not included. */
-#define RTSHA1_DIGEST_LEN  (40)
+#define RTSHA1_STRING_LEN  (40)
 
 /**
@@ -142 +142 @@
 #define RTSHA256_HASH_SIZE      32
 /** The length of a SHA-256 digest string. The terminator is not included. */
-#define RTSHA256_DIGEST_LEN     64
+#define RTSHA256_STRING_LEN     64
 
 /**

trunk/src/VBox/Frontends/VBoxManage/VBoxInternalManage.cpp

@@ -43 +43 @@
 #include <iprt/string.h>
 #include <iprt/uuid.h>
-
+#include <iprt/sha.h>
 
 #include "VBoxManage.h"
@@ -137 +137 @@
         "Commands:\n"
         "\n"
-        "%s%s%s%s%s%s%s%s%s%s%s%s"
+        "%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
         "WARNING: This is a development tool and shall only be used to analyse\n"
         "         problems. It is completely unsupported and will change in\n"
@@ -238 +238 @@
           "       Controls debug logging.\n"
           "\n"
-        : ""
+        : "",
+        (u64Cmd & USAGE_PASSWORDHASH)
+        ? "  passwordhash <passsword>\n"
+          "       Generates a password hash.\n"
+          "\n"
+        :
+          ""
         );
 }
@@ -2007 +2013 @@
 
 /**
+ * Generate a SHA-256 password hash
+ */
+int CmdGeneratePasswordHash(int argc, char **argv, ComPtr<IVirtualBox> aVirtualBox, ComPtr<ISession> aSession)
+{
+    /* one parameter, the password to hash */
+    if (argc != 1)
+        return errorSyntax(USAGE_PASSWORDHASH, "password to hash required");
+
+    uint8_t abDigest[RTSHA256_HASH_SIZE];
+    RTSha256(argv[0], strlen(argv[0]), abDigest);
+    char pszDigest[RTSHA256_STRING_LEN + 1];
+    RTSha256ToString(abDigest, pszDigest, sizeof(pszDigest));
+    RTPrintf("Password hash: %s\n", pszDigest);
+    
+    return 0;
+}
+
+/**
  * Wrapper for handling internal commands
  */
@@ -2045 +2069 @@
     if (!strcmp(pszCmd, "debuglog"))
         return CmdDebugLog(a->argc - 1, &a->argv[1], a->virtualBox, a->session);
+    if (!strcmp(pszCmd, "passwordhash"))
+        return CmdGeneratePasswordHash(a->argc - 1, &a->argv[1], a->virtualBox, a->session);
 
     /* default: */

trunk/src/VBox/Frontends/VBoxManage/VBoxManage.h

@@ -97 +97 @@
 #define USAGE_DEBUGLOG              RT_BIT_64(52)
 #define USAGE_SETHDPARENTUUID       RT_BIT_64(53)
+#define USAGE_PASSWORDHASH          RT_BIT_64(54)
 #define USAGE_ALL                   (~(uint64_t)0)
 /** @} */

trunk/src/VBox/HostServices/auth/simple/VBoxAuthSimple.cpp

@@ -24 +24 @@
 #include <iprt/cdefs.h>
 #include <iprt/uuid.h>
+#include <iprt/sha.h>
 
 #include <VBox/VRDPAuth.h>
@@ -85 +86 @@
         user = (char*)szUser;
 
-    dprintf("VRDPAuth: uuid: %s, user: %s, szPassword: %s\n", uuid, user, szPassword);
-
-#if 0
-    /* this is crude stuff, but let's keep it there as a sample */
-    if (getenv("VBOX_VRDP_AUTH_USER") && getenv("VBOX_VRDP_AUTH_PASSWORD"))
-    {
-
-        if (   !strcmp(getenv("VBOX_VRDP_AUTH_USER"), user)
-            && !strcmp(getenv("VBOX_VRDP_AUTH_PASSWORD"), szPassword))
-        {
-            result = VRDPAuthAccessGranted;
-        }
-    }
-#endif
+    dprintf("VBoxAuth: uuid: %s, user: %s, szPassword: %s\n", uuid, user, szPassword);
 
     ComPtr<IVirtualBox> virtualBox;
@@ -106 +94 @@
     if (SUCCEEDED(rc))
     {
-        Bstr key = BstrFmt("VRDPAuthSimple/users/%s", user);
+        Bstr key = BstrFmt("VBoxAuthSimple/users/%s", user);
         Bstr password;
 
@@ -120 +108 @@
             virtualBox->GetExtraData(key.raw(), password.asOutParam());
 
-        /* we compare the password or check for special NULL marker */
-        if (   (!password.isEmpty() && (password == szPassword))
-            || ((password == "[NULL]") && (!szPassword || (*szPassword == '\0'))))
+        if (!password.isEmpty())
         {
-            result = VRDPAuthAccessGranted;
+            /* calculate hash */
+            uint8_t abDigest[RTSHA256_HASH_SIZE];
+            RTSha256(szPassword, strlen(szPassword), abDigest);
+            char pszDigest[RTSHA256_STRING_LEN + 1];
+            RTSha256ToString(abDigest, pszDigest, sizeof(pszDigest));
+                        
+            if (password == pszDigest)
+                result = VRDPAuthAccessGranted;
         }
     }