Merge pull request #1252 from demianalonso/password-salt

Implemented password hashing with salt

7 files changed, 294 insertions, 17 deletions

diff --git a/.gitignore b/.gitignore
index ce0c89d44..342b2965d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,5 @@ nbactions.xml
 .settings
 .idea
 web/.idea
+.idea
+traccar.iml
diff --git a/debug.xml b/debug.xml
index 799f6aa92..01bb66d60 100644
--- a/debug.xml
+++ b/debug.xml
@@ -43,7 +43,7 @@
         id INT PRIMARY KEY AUTO_INCREMENT,
         name VARCHAR(1024) NOT NULL,
         email VARCHAR(256) NOT NULL UNIQUE,
-        password VARCHAR(1024) NOT NULL,
+        hashedPassword VARCHAR(1024) NOT NULL,
         salt VARCHAR(1024) DEFAULT '' NOT NULL,
         readonly BOOLEAN DEFAULT false NOT NULL,
         admin BOOLEAN DEFAULT false NOT NULL,
@@ -133,7 +133,7 @@
     <entry key='database.loginUser'>
         SELECT * 
         FROM user 
-        WHERE email = :email AND password = :password;
+        WHERE email = :email;
     </entry>
 
     <entry key='database.selectUsersAll'>
@@ -141,8 +141,8 @@
     </entry>
 
     <entry key='database.insertUser'>
-        INSERT INTO user (name, email, password, admin) 
-        VALUES (:name, :email, :password, :admin);
+        INSERT INTO user (name, email, hashedPassword, salt, admin)
+        VALUES (:name, :email, :hashedPassword, :salt, :admin);
     </entry>
         
     <entry key='database.updateUser'>
@@ -154,7 +154,7 @@
     </entry>
 
     <entry key='database.updateUserPassword'>
-        UPDATE user SET password = :password WHERE id = :id;
+        UPDATE user SET hashedPassword = :hashedPassword, salt = :salt WHERE id = :id;
     </entry>
     
     <entry key='database.deleteUser'>
diff --git a/src/org/traccar/database/DataManager.java b/src/org/traccar/database/DataManager.java
index ef9e2a31a..1aae7da4e 100644
--- a/src/org/traccar/database/DataManager.java
+++ b/src/org/traccar/database/DataManager.java
@@ -166,8 +166,8 @@ public class DataManager {
         User admin = new User();
         admin.setName("admin");
         admin.setEmail("admin");
-        admin.setPassword("admin");
         admin.setAdmin(true);
+        admin.setPassword("admin");
         admin.setId(QueryBuilder.create(dataSource, properties.getProperty("database.insertUser"))
                 .setObject(admin)
                 .executeUpdate());
@@ -221,10 +221,10 @@ public class DataManager {
     }
 
     public User login(String email, String password) throws SQLException {
-        return QueryBuilder.create(dataSource, properties.getProperty("database.loginUser"))
+        User user = QueryBuilder.create(dataSource, properties.getProperty("database.loginUser"))
                 .setString("email", email)
-                .setBytes("password", Hashing.sha256(password))
                 .executeQuerySingle(new User());
+        return user != null && user.isPasswordValid(password) ? user : null;
     }
 
     public Collection<User> getUsers() throws SQLException {
@@ -243,8 +243,7 @@ public class DataManager {
         QueryBuilder.create(dataSource, properties.getProperty("database.updateUser"))
                 .setObject(user)
                 .executeUpdate();
-        
-        if(user.getPassword() != null) {
+        if(user.getHashedPassword() != null) {
             QueryBuilder.create(dataSource, properties.getProperty("database.updateUserPassword"))
                 .setObject(user)
                 .executeUpdate();
@@ -252,7 +251,7 @@ public class DataManager {
         
         Context.getPermissionsManager().refresh();
     }
-    
+
     public void removeUser(User user) throws SQLException {
         QueryBuilder.create(dataSource, properties.getProperty("database.deleteUser"))
                 .setObject(user)
diff --git a/src/org/traccar/helper/IgnoreOnSerialization.java b/src/org/traccar/helper/IgnoreOnSerialization.java
new file mode 100644
index 000000000..22ec7ced8
--- /dev/null
+++ b/src/org/traccar/helper/IgnoreOnSerialization.java
@@ -0,0 +1,12 @@
+package org.traccar.helper;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.METHOD;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(value = {METHOD})
+public @interface IgnoreOnSerialization {
+}
diff --git a/src/org/traccar/helper/PasswordHash.java b/src/org/traccar/helper/PasswordHash.java
new file mode 100644
index 000000000..98ded0988
--- /dev/null
+++ b/src/org/traccar/helper/PasswordHash.java
@@ -0,0 +1,231 @@
+package org.traccar.helper;
+
+/* 
+ * Password Hashing With PBKDF2 (http://crackstation.net/hashing-security.htm).
+ * Copyright (c) 2013, Taylor Hornby
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice, 
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation 
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+import java.security.SecureRandom;
+
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.SecretKeyFactory;
+
+import java.math.BigInteger;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+
+/*
+ * PBKDF2 salted password hashing.
+ * Author: havoc AT defuse.ca
+ * www: http://crackstation.net/hashing-security.htm
+ */
+public class PasswordHash {
+    public static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
+
+    // The following constants may be changed without breaking existing hashes.
+    public static final int SALT_BYTE_SIZE = 24;
+    public static final int HASH_BYTE_SIZE = 24;
+    public static final int PBKDF2_ITERATIONS = 1000;
+
+    public static final int ITERATION_INDEX = 0;
+    public static final int SALT_INDEX = 1;
+    public static final int PBKDF2_INDEX = 2;
+
+    public static class HashingResult {
+
+        public final Integer iterations;
+        public final String hash;
+        public final String salt;
+
+        public HashingResult(Integer iterations, String hash, String salt) {
+            this.hash = hash;
+            this.salt = salt;
+            this.iterations = iterations;
+        }
+    }
+
+    /**
+     * Returns a salted PBKDF2 hash of the password.
+     * 
+     * @param password
+     *            the password to hash
+     * @return a salted PBKDF2 hash of the password
+     */
+    public static HashingResult createHash(String password) {
+        return createHash(password.toCharArray());
+    }
+
+    /**
+     * Returns a salted PBKDF2 hash of the password.
+     * 
+     * @param password
+     *            the password to hash
+     * @return a salted PBKDF2 hash of the password
+     */
+    public static HashingResult createHash(char[] password) {
+        // Generate a random salt
+        SecureRandom random = new SecureRandom();
+        byte[] salt = new byte[SALT_BYTE_SIZE];
+        random.nextBytes(salt);
+
+        // Hash the password
+        byte[] hash = pbkdf2(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE);
+
+        return new HashingResult(PBKDF2_ITERATIONS, toHex(hash), toHex(salt));
+    }
+
+    /**
+     * Validates a password using a hash.
+     * 
+     * @param password
+     *            the password to check
+     * @param correctHash
+     *            the hash of the valid password
+     * @return true if the password is correct, false if not
+     */
+    public static boolean validatePassword(String password, String correctHash)
+            throws NoSuchAlgorithmException, InvalidKeySpecException {
+        return validatePassword(password.toCharArray(), correctHash);
+    }
+
+    /**
+     * Validates a password using a hash.
+     * 
+     * @param password
+     *            the password to check
+     * @param correctHash
+     *            the hash of the valid password
+     * @return true if the password is correct, false if not
+     */
+    public static boolean validatePassword(char[] password, String correctHash)
+            throws NoSuchAlgorithmException, InvalidKeySpecException {
+        // Decode the hash into its parameters
+        String[] params = correctHash.split(":");
+        int iterations = Integer.parseInt(params[ITERATION_INDEX]);
+        return validatePassword(password, iterations, params[SALT_INDEX], params[PBKDF2_INDEX]);
+    }
+
+    public static boolean validatePassword(char[] password, int iterations,
+            String saltHex, String hashHex) {
+        byte[] salt = fromHex(saltHex);
+        byte[] hash = fromHex(hashHex);
+        // Compute the hash of the provided password, using the same salt,
+        // iteration count, and hash length
+        byte[] testHash = pbkdf2(password, salt, iterations, hash.length);
+        // Compare the hashes in constant time. The password is correct if
+        // both hashes match.
+        return slowEquals(hash, testHash);
+    }
+
+    
+    
+    
+    public static boolean slowEquals(String hash1, String hash2) {
+        return slowEquals(fromHex(hash1), fromHex(hash2));
+    }
+
+    /**
+     * Compares two byte arrays in length-constant time. This comparison method
+     * is used so that password hashes cannot be extracted from an on-line
+     * system using a timing attack and then attacked off-line.
+     * 
+     * @param a
+     *            the first byte array
+     * @param b
+     *            the second byte array
+     * @return true if both byte arrays are the same, false if not
+     */
+    private static boolean slowEquals(byte[] a, byte[] b) {
+        int diff = a.length ^ b.length;
+        for (int i = 0; i < a.length && i < b.length; i++)
+            diff |= a[i] ^ b[i];
+        return diff == 0;
+    }
+
+    /**
+     * Computes the PBKDF2 hash of a password.
+     * 
+     * @param password
+     *            the password to hash.
+     * @param salt
+     *            the salt
+     * @param iterations
+     *            the iteration count (slowness factor)
+     * @param bytes
+     *            the length of the hash to compute in bytes
+     * @return the PBDKF2 hash of the password
+     */
+    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations,
+            int bytes) {
+        try {
+            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations,
+                    bytes * 8);
+            SecretKeyFactory skf = SecretKeyFactory
+                    .getInstance(PBKDF2_ALGORITHM);
+            return skf.generateSecret(spec).getEncoded();
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        } catch (InvalidKeySpecException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * Converts a string of hexadecimal characters into a byte array.
+     * 
+     * @param hex
+     *            the hex string
+     * @return the hex string decoded into a byte array
+     */
+    private static byte[] fromHex(String hex) {
+        byte[] binary = new byte[hex.length() / 2];
+        for (int i = 0; i < binary.length; i++) {
+            binary[i] = (byte) Integer.parseInt(
+                    hex.substring(2 * i, 2 * i + 2), 16);
+        }
+        return binary;
+    }
+
+    /**
+     * Converts a byte array into a hexadecimal string.
+     * 
+     * @param array
+     *            the byte array to convert
+     * @return a length*2 character string encoding the byte array
+     */
+    private static String toHex(byte[] array) {
+        BigInteger bi = new BigInteger(1, array);
+        String hex = bi.toString(16);
+        int paddingLength = (array.length * 2) - hex.length();
+        if (paddingLength > 0)
+            return String.format("%0" + paddingLength + "d", 0) + hex;
+        else
+            return hex;
+    }
+
+    
+
+}
\ No newline at end of file
diff --git a/src/org/traccar/http/JsonConverter.java b/src/org/traccar/http/JsonConverter.java
index 6cdba5492..f18470d9d 100644
--- a/src/org/traccar/http/JsonConverter.java
+++ b/src/org/traccar/http/JsonConverter.java
@@ -30,6 +30,8 @@ import javax.json.JsonArrayBuilder;
 import javax.json.JsonObject;
 import javax.json.JsonObjectBuilder;
 import javax.json.JsonValue;
+
+import org.traccar.helper.IgnoreOnSerialization;
 import org.traccar.model.Factory;
 
 public class JsonConverter {
@@ -88,6 +90,9 @@ public class JsonConverter {
         Method[] methods = object.getClass().getMethods();
         
         for (Method method : methods) {
+            if(method.isAnnotationPresent(IgnoreOnSerialization.class)) {
+                continue;
+            }
             if (method.getName().startsWith("get") && method.getParameterTypes().length == 0) {
                 String name = Introspector.decapitalize(method.getName().substring(3));
                 try {
diff --git a/src/org/traccar/model/User.java b/src/org/traccar/model/User.java
index 410bc4d74..f7c55c0d6 100644
--- a/src/org/traccar/model/User.java
+++ b/src/org/traccar/model/User.java
@@ -15,7 +15,9 @@
  */
 package org.traccar.model;
 
-import org.traccar.helper.Hashing;
+import org.traccar.helper.IgnoreOnSerialization;
+import org.traccar.helper.PasswordHash;
+import org.traccar.helper.PasswordHash.HashingResult;
 
 public class User implements Factory {
 
@@ -35,11 +37,18 @@ public class User implements Factory {
     private String email;
     public String getEmail() { return email; }
     public void setEmail(String email) { this.email = email; }
-    
-    private byte[] password;
-    public byte[] getPassword() { return password; }
-    public void setPassword(String password) { this.password = Hashing.sha256(password); }
-    
+
+    private String hashedPassword;
+    @IgnoreOnSerialization
+    public String getHashedPassword() { return hashedPassword; }
+    public void setHashedPassword(String hashedPassword) {
+        this.hashedPassword = hashedPassword;
+    }
+
+    private String salt;
+    @IgnoreOnSerialization
+    public String getSalt() { return salt; }
+    public void setSalt(String salt) { this.salt = salt; }
     private boolean readonly;
     
     private boolean admin;
@@ -59,4 +68,23 @@ public class User implements Factory {
     private double longitude;
     
     private int zoom;
+
+    private String password;
+    public String getPassword() { return password; }
+    public void setPassword(String password) {
+        this.password = password;
+        if(this.password != null && !this.password.trim().equals("")) {
+            this.hashPassword(password);
+        }
+    }
+
+    public boolean isPasswordValid(String inputPassword) {
+        return PasswordHash.validatePassword(inputPassword.toCharArray(), PasswordHash.PBKDF2_ITERATIONS, this.salt, this.hashedPassword);
+    }
+    
+    public void hashPassword(String password) {
+        HashingResult hashingResult = PasswordHash.createHash(password);
+        this.hashedPassword = hashingResult.hash;
+        this.salt = hashingResult.salt;
+    }
 }