gui+su+base: Store hashed passwords and use those to log in

Unsalted SHA256 passwords are still a long way from being secure, but at least we're not storing plaintext anymore.
2024-12-14 12:48:13 +01:00 · 2024-12-14 12:48:13 +01:00 · 6dcdc43dc2
commit 6dcdc43dc2
parent 00382421b2
3 changed files with 26 additions and 4 deletions
--- a/base/etc/shadow
+++ b/base/etc/shadow
@ -1,3 +1,3 @@
-root:toor:0:0:99999:7:::
+root:ce5ca673d13b36118d54a7cf13aeb0ca012383bf771e713421b4d1fd841f539a:0:0:99999:7:::
 wind:!:0:0:99999:7:::
-selene:moon:0:0:99999:7:::
+selene:9e78b43ea00edcac8299e0cc8df7f6f913078171335f733a21d5d911b6999132:0:0:99999:7:::
--- a/gui/loginui.cpp
+++ b/gui/loginui.cpp
@ -8,6 +8,7 @@
 */

 #include <luna/RefString.h>
+#include <luna/SHA.h>
 #include <os/ArgumentParser.h>
 #include <os/Config.h>
 #include <os/File.h>
@ -33,6 +34,14 @@ enum Stage

 static constexpr ui::Color BACKGROUND_COLOR = ui::Color::from_rgb(89, 89, 89);

+Result<String> hash_password(StringView& view)
+{
+    SHA256 sha;
+    sha.append((const u8*)view.chars(), view.length());
+    auto digest = TRY(sha.digest());
+    return digest.to_string();
+}
+
 Result<int> luna_main(int argc, char** argv)
 {
    os::ArgumentParser parser;
@ -156,7 +165,9 @@ Result<int> luna_main(int argc, char** argv)
                return;
            }

-            if (strcmp(data.chars(), passwd))
+            auto result = hash_password(data).release_value();
+
+            if (strcmp(result.chars(), passwd))
            {
                error.set_text("Incorrect password.");
                input.clear();
--- a/utils/su.cpp
+++ b/utils/su.cpp
@ -1,6 +1,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
+#include <luna/SHA.h>
 #include <os/ArgumentParser.h>
 #include <pwd.h>
 #include <shadow.h>
@ -13,6 +14,14 @@
 static struct termios orig;
 static int fd = -1;

+Result<String> hash_password(const char* pw)
+{
+    SHA256 sha;
+    sha.append((const u8*)pw, strlen(pw));
+    auto digest = TRY(sha.digest());
+    return digest.to_string();
+}
+
 void restore_terminal()
 {
    tcsetattr(fd, TCSANOW, &orig);
@ -176,7 +185,9 @@ Result<int> luna_main(int argc, char** argv)
        char* pass = getpass();
        if (!pass) return 1;

-        if (strcmp(pass, passwd))
+        auto result = hash_password(pass).release_value();
+
+        if (strcmp(result.chars(), passwd))
        {
            fprintf(stderr, "%s: wrong password!\n", argv[0]);
            return 1;