authorDavid Sommerseth <dazo@users.sourceforge.net>2009-03-22 00:30:28 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2009-03-22 00:30:28 +0100
commit2d01e7ab1312d28207b9ae63f1e35b6e9f8e560c (patch)
treee816d5ec29b83ccafcacb33dbcbc98e85ee3a916 /database/sqlite
parent4327f9c0ee5f863b4e1552125338230f03768284 (diff)
Rewrote database driver (SQLite) to use eurephia_pwd_crypt(...)
Follow up from commit 062a3c92343a5fa371f8637f8bca88aacca14cc4
Diffstat (limited to 'database/sqlite')
-rw-r--r--database/sqlite/administration.c34
-rw-r--r--database/sqlite/edb-sqlite.c26
2 files changed, 40 insertions, 20 deletions
diff --git a/database/sqlite/administration.c b/database/sqlite/administration.c
index 4b174d9..c8e5a7e 100644
--- a/database/sqlite/administration.c
+++ b/database/sqlite/administration.c
@@ -74,9 +74,9 @@ void xmlReplaceChars(xmlChar *str, char s, char r) {
// Authenticate admin user against user database
int eDBadminAuth(eurephiaCTX *ctx, const char *req_access, const char *uname, const char *pwd) {
dbresult *res = NULL;
- char *crpwd = NULL;
+ char *crpwd = NULL, *dbpwd = NULL;
char *activated = NULL, *deactivated = NULL, *blid = NULL;
- int uid = -1, pwok = 0, access = 0;
+ int uid = -1, access = 0;
char interface;
DEBUG(ctx, 20, "Function call: eDBadminAuth(ctx, '%s, '%s', 'xxxxxxxx')", req_access, uname);
@@ -103,17 +103,13 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *req_access, const char *uname, co
//
// Authenticate user and password
//
- crpwd = passwdhash(pwdSHA512, NULL, pwd);
- assert(crpwd != NULL);
res = sqlite_query(ctx,
"SELECT activated, deactivated, bl.blid, "
- " (password = '%q') AS pwok, uid "
+ " password, uid "
" FROM openvpn_users ou"
" LEFT JOIN openvpn_blacklist bl USING (username)"
" WHERE ou.username = '%q'",
- crpwd, uname);
- memset(crpwd, 0, strlen_nullsafe(crpwd));
- free_nullsafe(crpwd);
+ uname);
if( res == NULL ) {
eurephia_log(ctx, LOG_FATAL, 0, "Could not authenticate user against the database");
@@ -124,9 +120,8 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *req_access, const char *uname, co
activated = sqlite_get_value(res, 0, 0);
deactivated = sqlite_get_value(res, 0, 1);
blid = sqlite_get_value(res, 0, 2);
- pwok = atoi_nullsafe(sqlite_get_value(res, 0, 3));
+ dbpwd = sqlite_get_value(res, 0, 3);
uid = atoi_nullsafe(sqlite_get_value(res, 0, 4));
- sqlite_free_results(res);
if( blid != NULL ) {
eurephia_log(ctx, LOG_WARNING, 0,
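Review bot: Dropping `sqlite_free_results(res);` right after the `uid = atoi_nullsafe(...)` line means `res` now stays alive until the `sqlite_free_results(res);` added at the end of the password block in the last hunk, so every early return in between has to release it itself; the password-failure returns in that hunk do, but the blacklist branch that starts at `if( blid != NULL ) {` continues outside this hunk and I cannot see whether its return was updated, so it is worth checking for a leaked result set. The reason for the change is that `dbpwd` now aliases storage owned by `res`, which deserves a comment at the `dbpwd = sqlite_get_value(res, 0, 3);` line, e.g. `// dbpwd points into res; res must stay allocated until the password has been verified`. eDBadminAuth continues on both sides of this hunk.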
@@ -147,11 +142,26 @@ int eDBadminAuth(eurephiaCTX *ctx, const char *req_access, const char *uname, co
return 0;
}
- if( pwok != 1 ) {
- eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed,");
+ if( dbpwd == NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed. DB error.");
sqlite_free_results(res);
return 0;
+ } else {
+ int pwdok = 0;
+ // Verify the password
+ crpwd = eurephia_pwd_crypt(ctx, pwd, dbpwd);
+ assert(crpwd != NULL);
+ pwdok = (strcmp(crpwd, dbpwd) == 0 ? 1 : 0);
+ memset(crpwd, 0, strlen_nullsafe(crpwd));
+ memset(dbpwd, 0, strlen_nullsafe(dbpwd));
+ free_nullsafe(crpwd);
+ if( pwdok == 0 ) {
+ eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed.");
+ sqlite_free_results(res);
+ return 0;
+ }
}
+ sqlite_free_results(res);
// Check if access level is granted
// (SQLite do not handle advanced joins so well, so we need to
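Review bot: The check `pwdok = (strcmp(crpwd, dbpwd) == 0 ? 1 : 0);` compares the freshly computed hash with the stored one using strcmp, which stops at the first differing byte, so the time the comparison takes depends on how long a matching prefix the supplied password produced; a comparison whose duration depends only on the lengths closes that side channel. The `assert(crpwd != NULL);` just above it is also the only NULL guard, and in a build compiled with NDEBUG a failed eurephia_pwd_crypt() would reach strcmp with a NULL pointer, so an explicit failure branch belongs there regardless of the assert. Both points apply equally to the edb-sqlite.c hunk around `crpwd = eurephia_pwd_crypt(ctx, passwd, dbpwd);`. eDBadminAuth starts before this hunk and continues after it.
```c
// Compare two NUL-terminated hash strings in time that depends only on
// their lengths, never on where they first differ.
static int pwhash_equal(const char *a, const char *b)
{
	size_t la = strlen(a), lb = strlen(b);
	unsigned char diff = (unsigned char)(la != lb);
	for (size_t i = 0; i < la && i < lb; i++) {
		diff |= (unsigned char)(a[i] ^ b[i]);
	}
	return diff == 0;
}

		/* … unchanged: "DB error" branch … */
		crpwd = eurephia_pwd_crypt(ctx, pwd, dbpwd);
		if( crpwd == NULL ) {
			eurephia_log(ctx, LOG_WARNING, 0, "Authentication failed. Password hashing failed.");
			memset(dbpwd, 0, strlen_nullsafe(dbpwd));
			sqlite_free_results(res);
			return 0;
		}
		pwdok = pwhash_equal(crpwd, dbpwd);
		/* … unchanged: scrubbing of crpwd/dbpwd and the pwdok == 0 branch … */
```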
diff --git a/database/sqlite/edb-sqlite.c b/database/sqlite/edb-sqlite.c
index ef05536..7a03871 100644
--- a/database/sqlite/edb-sqlite.c
+++ b/database/sqlite/edb-sqlite.c
@@ -229,18 +229,16 @@ int eDBauth_TLS(eurephiaCTX *ctx, const char *org, const char *cname, const char
int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const char *passwd)
{
dbresult *res = NULL;
- char *crpwd = NULL, *activated = NULL, *deactivated = NULL, *blid_uname = NULL, *blid_cert;
+ char *crpwd = NULL, *activated = NULL, *deactivated = NULL, *blid_uname = NULL, *blid_cert = NULL;
+ char *dbpwd = NULL;
int uicid = 0, uid = 0, pwdok = 0;
DEBUG(ctx, 20, "Function call: eDBauth_user(ctx, %i, '%s','xxxxxxxx')", certid, username);
// Generate SHA512 hash of password, used for password auth
- crpwd = passwdhash(pwdSHA512, NULL, passwd);
-
res = sqlite_query(ctx,
- "SELECT uicid, ou.uid, activated, deactivated, bl1.blid, bl2.blid, "
- " (password = '%s') AS pwdok"
+ "SELECT uicid, ou.uid, activated, deactivated, bl1.blid, bl2.blid, password "
" FROM openvpn_users ou"
" JOIN openvpn_usercerts uc USING(uid) "
" LEFT JOIN openvpn_blacklist bl1 ON( ou.username = bl1.username) "
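Review bot: The comment `// Generate SHA512 hash of password, used for password auth` now sits above a query that hashes nothing: the `passwdhash(...)` call it described was removed in this hunk and the stored hash is instead selected as the `password` column, so the comment is stale and should be rewritten, e.g. `// Fetch the stored password hash; it is verified against passwd further down with eurephia_pwd_crypt()`. eDBauth_user begins at the top of this hunk and continues past it.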
@@ -248,7 +246,7 @@ int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const
" FROM openvpn_certificates "
" JOIN openvpn_blacklist USING(digest)) bl2 ON(uc.certid = bl2.certid)"
" WHERE uc.certid = '%i' AND ou.username = '%q'",
- crpwd, certid, username);
+ certid, username);
memset(crpwd, 0, strlen_nullsafe(crpwd));
free_nullsafe(crpwd);
if( res == NULL ) {
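Review bot: The lines `memset(crpwd, 0, strlen_nullsafe(crpwd));` and `free_nullsafe(crpwd);` following the query appear to be dead now: as far as the visible lines show, `crpwd` is still the NULL it was initialised to when they run, since the `passwdhash` assignment that used to fill it was removed in the previous hunk, so they scrub nothing while suggesting to a reader that a hash is being wiped here. They should be deleted, leaving the scrubbing to the `else` block that actually calls eurephia_pwd_crypt(). The enclosing function continues outside this hunk.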
@@ -263,7 +261,20 @@ int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const
deactivated = sqlite_get_value(res, 0, 3);
blid_uname = sqlite_get_value(res, 0, 4);
blid_cert = sqlite_get_value(res, 0, 5);
- pwdok = atoi_nullsafe(sqlite_get_value(res, 0, 6));
+ dbpwd = sqlite_get_value(res, 0, 6);
+
+ if( dbpwd == NULL ) {
+ eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s'. DB error.",
+ username);
+ pwdok = 0;
+ } else {
+ crpwd = eurephia_pwd_crypt(ctx, passwd, dbpwd);
+ assert(crpwd != NULL);
+ pwdok = (strcmp(crpwd, dbpwd) == 0 ? 1 : 0);
+ memset(crpwd, 0, strlen_nullsafe(crpwd));
+ memset(dbpwd, 0, strlen_nullsafe(dbpwd));
+ free_nullsafe(crpwd);
+ }
if( blid_uname != NULL ) {
eurephia_log(ctx, LOG_WARNING, 0, "User account is BLACKLISTED (uid: %i, %s)",
@@ -287,7 +298,6 @@ int eDBauth_user(eurephiaCTX *ctx, const int certid, const char *username, const
eurephia_log(ctx, LOG_WARNING, 0,"Authentication failed for user '%s'. Wrong password.",
username);
uicid = -1;
-
} else {
dbresult *upd = NULL;