diff --git a/src/httprpc.cpp b/src/httprpc.cpp index 6d2dffaf7a1..afdb6784aef 100644 --- a/src/httprpc.cpp +++ b/src/httprpc.cpp @@ -69,8 +69,6 @@ private: }; -/* Pre-base64-encoded authentication token */ -static std::string strRPCUserColonPass; /* Stored RPC timer interface (for unregistration) */ static std::unique_ptr httpRPCTimerInterface; /* List of -rpcauth values */ @@ -101,31 +99,21 @@ static void JSONErrorReply(HTTPRequest* req, UniValue objError, const JSONRPCReq //This function checks username and password against -rpcauth //entries from config file. -static bool multiUserAuthorized(std::string strUserPass) +static bool CheckUserAuthorized(std::string_view user, std::string_view pass) { - if (strUserPass.find(':') == std::string::npos) { - return false; - } - std::string strUser = strUserPass.substr(0, strUserPass.find(':')); - std::string strPass = strUserPass.substr(strUserPass.find(':') + 1); - - for (const auto& vFields : g_rpcauth) { - std::string strName = vFields[0]; - if (!TimingResistantEqual(strName, strUser)) { + for (const auto& fields : g_rpcauth) { + if (!TimingResistantEqual(std::string_view(fields[0]), user)) { continue; } - std::string strSalt = vFields[1]; - std::string strHash = vFields[2]; + const std::string& salt = fields[1]; + const std::string& hash = fields[2]; - static const unsigned int KEY_SIZE = 32; - unsigned char out[KEY_SIZE]; + std::array out; + CHMAC_SHA256(UCharCast(salt.data()), salt.size()).Write(UCharCast(pass.data()), pass.size()).Finalize(out.data()); + std::string hash_from_pass = HexStr(out); - CHMAC_SHA256(reinterpret_cast(strSalt.data()), strSalt.size()).Write(reinterpret_cast(strPass.data()), strPass.size()).Finalize(out); - std::vector hexvec(out, out+KEY_SIZE); - std::string strHashFromPass = HexStr(hexvec); - - if (TimingResistantEqual(strHashFromPass, strHash)) { + if (TimingResistantEqual(hash_from_pass, hash)) { return true; } } @@ -142,15 +130,14 @@ static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUserna if (!userpass_data) return false; strUserPass.assign(userpass_data->begin(), userpass_data->end()); - if (strUserPass.find(':') != std::string::npos) - strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':')); - - // Check if authorized under single-user field. - // (strRPCUserColonPass is empty when -norpccookiefile is specified). - if (!strRPCUserColonPass.empty() && TimingResistantEqual(strUserPass, strRPCUserColonPass)) { - return true; + size_t colon_pos = strUserPass.find(':'); + if (colon_pos == std::string::npos) { + return false; // Invalid basic auth. } - return multiUserAuthorized(strUserPass); + std::string user = strUserPass.substr(0, colon_pos); + std::string pass = strUserPass.substr(colon_pos + 1); + strAuthUsernameOut = user; + return CheckUserAuthorized(user, pass); } static bool HTTPReq_JSONRPC(const std::any& context, HTTPRequest* req) @@ -291,6 +278,9 @@ static bool HTTPReq_JSONRPC(const std::any& context, HTTPRequest* req) static bool InitRPCAuthentication() { + std::string user; + std::string pass; + if (gArgs.GetArg("-rpcpassword", "") == "") { std::optional cookie_perms{std::nullopt}; @@ -304,18 +294,36 @@ static bool InitRPCAuthentication() cookie_perms = *perm_opt; } - assert(strRPCUserColonPass.empty()); // Only support initializing once - if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) { + switch (GenerateAuthCookie(cookie_perms, user, pass)) { + case GenerateAuthCookieResult::ERR: return false; - } - if (strRPCUserColonPass.empty()) { + case GenerateAuthCookieResult::DISABLED: LogInfo("RPC authentication cookie file generation is disabled."); - } else { + break; + case GenerateAuthCookieResult::OK: LogInfo("Using random cookie authentication."); + break; } } else { - LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n"); - strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", ""); + LogInfo("Using rpcuser/rpcpassword authentication."); + LogWarning("The use of rpcuser/rpcpassword is less secure, because credentials are configured in plain text. It is recommended that locally-run instances switch to cookie-based auth, or otherwise to use hashed rpcauth credentials. See share/rpcauth in the source directory for more information."); + user = gArgs.GetArg("-rpcuser", ""); + pass = gArgs.GetArg("-rpcpassword", ""); + } + + // If there is a plaintext credential, hash it with a random salt before storage. + if (!user.empty() || !pass.empty()) { + // Generate a random 16 byte hex salt. + std::array raw_salt; + GetStrongRandBytes(raw_salt); + std::string salt = HexStr(raw_salt); + + // Compute HMAC. + std::array out; + CHMAC_SHA256(UCharCast(salt.data()), salt.size()).Write(UCharCast(pass.data()), pass.size()).Finalize(out.data()); + std::string hash = HexStr(out); + + g_rpcauth.push_back({user, salt, hash}); } if (!gArgs.GetArgs("-rpcauth").empty()) { diff --git a/src/rpc/request.cpp b/src/rpc/request.cpp index 30f4a4f51be..79cab2d8d25 100644 --- a/src/rpc/request.cpp +++ b/src/rpc/request.cpp @@ -97,12 +97,14 @@ static fs::path GetAuthCookieFile(bool temp=false) static bool g_generated_cookie = false; -bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie_perms) +GenerateAuthCookieResult GenerateAuthCookie(const std::optional& cookie_perms, + std::string& user, + std::string& pass) { const size_t COOKIE_SIZE = 32; unsigned char rand_pwd[COOKIE_SIZE]; GetRandBytes(rand_pwd); - std::string cookie = COOKIEAUTH_USER + ":" + HexStr(rand_pwd); + const std::string rand_pwd_hex{HexStr(rand_pwd)}; /** the umask determines what permissions are used to create this file - * these are set to 0077 in common/system.cpp. @@ -110,27 +112,27 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie std::ofstream file; fs::path filepath_tmp = GetAuthCookieFile(true); if (filepath_tmp.empty()) { - return true; // -norpccookiefile + return GenerateAuthCookieResult::DISABLED; // -norpccookiefile } file.open(filepath_tmp); if (!file.is_open()) { LogWarning("Unable to open cookie authentication file %s for writing", fs::PathToString(filepath_tmp)); - return false; + return GenerateAuthCookieResult::ERR; } - file << cookie; + file << COOKIEAUTH_USER << ":" << rand_pwd_hex; file.close(); fs::path filepath = GetAuthCookieFile(false); if (!RenameOver(filepath_tmp, filepath)) { LogWarning("Unable to rename cookie authentication file %s to %s", fs::PathToString(filepath_tmp), fs::PathToString(filepath)); - return false; + return GenerateAuthCookieResult::ERR; } if (cookie_perms) { std::error_code code; fs::permissions(filepath, cookie_perms.value(), fs::perm_options::replace, code); if (code) { LogWarning("Unable to set permissions on cookie authentication file %s", fs::PathToString(filepath)); - return false; + return GenerateAuthCookieResult::ERR; } } @@ -138,9 +140,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie LogInfo("Generated RPC authentication cookie %s\n", fs::PathToString(filepath)); LogInfo("Permissions used for cookie: %s\n", PermsToSymbolicString(fs::status(filepath).permissions())); - if (cookie_out) - *cookie_out = cookie; - return true; + user = COOKIEAUTH_USER; + pass = rand_pwd_hex; + return GenerateAuthCookieResult::OK; } bool GetAuthCookie(std::string *cookie_out) diff --git a/src/rpc/request.h b/src/rpc/request.h index 24887e8691c..2fb234c1973 100644 --- a/src/rpc/request.h +++ b/src/rpc/request.h @@ -23,8 +23,25 @@ UniValue JSONRPCRequestObj(const std::string& strMethod, const UniValue& params, UniValue JSONRPCReplyObj(UniValue result, UniValue error, std::optional id, JSONRPCVersion jsonrpc_version); UniValue JSONRPCError(int code, const std::string& message); -/** Generate a new RPC authentication cookie and write it to disk */ -bool GenerateAuthCookie(std::string* cookie_out, std::optional cookie_perms=std::nullopt); +enum class GenerateAuthCookieResult : uint8_t { + DISABLED, // -norpccookiefile + ERR, + OK, +}; + +/** + * Generate a new RPC authentication cookie and write it to disk + * @param[in] cookie_perms Filesystem permissions to use for the cookie file. + * @param[out] user Generated username, only set if `OK` is returned. + * @param[out] pass Generated password, only set if `OK` is returned. + * @retval GenerateAuthCookieResult::DISABLED Authentication via cookie is disabled. + * @retval GenerateAuthCookieResult::ERROR Error occurred, auth data could not be saved to disk. + * @retval GenerateAuthCookieResult::OK Auth data was generated, saved to disk and in `user` and `pass`. + */ +GenerateAuthCookieResult GenerateAuthCookie(const std::optional& cookie_perms, + std::string& user, + std::string& pass); + /** Read the RPC authentication cookie from disk */ bool GetAuthCookie(std::string *cookie_out); /** Delete RPC authentication cookie from disk */