forked from svrjs/svrjs
Added scrypt support for HTTP authentication
This commit is contained in:
parent
d93511e97b
commit
47a793b958
4 changed files with 158 additions and 71 deletions
|
@ -3,7 +3,7 @@
|
|||
"port": 80,
|
||||
"pubport": 80,
|
||||
"page404": "404.html",
|
||||
"timestamp": 1692113030263,
|
||||
"timestamp": 1692387275306,
|
||||
"blacklist": [],
|
||||
"nonStandardCodes": [],
|
||||
"enableCompression": true,
|
||||
|
|
32
svr.js
Normal file → Executable file
32
svr.js
Normal file → Executable file
|
@ -314,6 +314,7 @@ var bruteForceDb = {};
|
|||
|
||||
// PBKDF2 cache
|
||||
var pbkdf2Cache = [];
|
||||
var scryptCache = [];
|
||||
var pbkdf2CacheIntervalId = -1;
|
||||
|
||||
// SVR.JS worker spawn-related
|
||||
|
@ -4458,7 +4459,29 @@ if (!cluster.isPrimary) {
|
|||
}
|
||||
}
|
||||
var hashedPassword = sha256(password + list[_i].salt);
|
||||
if(list[_i].pbkdf2) {
|
||||
if(list[_i].scrypt) {
|
||||
if(!crypto.scrypt) {
|
||||
callServerError(500, undefined, new Error("SVR.JS doesn't support scrypt-hashed passwords on Node.JS versions without scrypt hash support."));
|
||||
return;
|
||||
} else {
|
||||
var cacheEntry = scryptCache.find(function(entry) {
|
||||
return (entry.password == hashedPassword && entry.salt == list[_i].salt)
|
||||
});
|
||||
if(cacheEntry) {
|
||||
cb(cacheEntry.hash);
|
||||
} else {
|
||||
crypto.scrypt(password, list[_i].salt, 64, function(err, derivedKey) {
|
||||
if(err) {
|
||||
callServerError(500, undefined, err);
|
||||
} else {
|
||||
var key = derivedKey.toString("hex");
|
||||
scryptCache.push({hash: key, password: hashedPassword, salt: list[_i].salt, addDate: new Date()});
|
||||
cb(key);
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
} else if(list[_i].pbkdf2) {
|
||||
if(crypto.__disabled__ !== undefined) {
|
||||
callServerError(500, undefined, new Error("SVR.JS doesn't support PBKDF2-hashed passwords on Node.JS versions without crypto support."));
|
||||
return;
|
||||
|
@ -4834,9 +4857,11 @@ function start(init) {
|
|||
if (process.isBun) {
|
||||
serverconsole.locwarnmessage("Bun support is experimental. Some features of SVR.JS, SVR.JS mods and SVR.JS server-side JavaScript may not work as expected.");
|
||||
if(users.some(function(entry) {return entry.pbkdf2;})) serverconsole.locwarnmessage("PBKDF2 password hashing function in Bun blocks the event loop, which may result in denial of service.");
|
||||
if(users.some(function(entry) {return entry.scrypt;})) serverconsole.locwarnmessage("scrypt password hashing function in Bun blocks the event loop, which may result in denial of service.");
|
||||
}
|
||||
if (cluster.isPrimary === undefined) serverconsole.locwarnmessage("You're running SVR.JS on single thread. Reliability may suffer, as the server is stopped after crash.");
|
||||
if (crypto.__disabled__ !== undefined) serverconsole.locwarnmessage("Your Node.JS version doesn't have crypto support! The 'crypto' module is essential for providing cryptographic functionality in Node.js. Without crypto support, certain security features may be unavailable, and some functionality may not work as expected. It's recommended to use a Node.JS version that includes crypto support to ensure the security and proper functioning of your server.");
|
||||
if (crypto.__disabled__ !== undefined) serverconsole.locwarnmessage("Your Node.JS version doesn't have crypto support! The 'crypto' module is essential for providing cryptographic functionality in Node.JS. Without crypto support, certain security features may be unavailable, and some functionality may not work as expected. It's recommended to use a Node.JS version that includes crypto support to ensure the security and proper functioning of your server.");
|
||||
if (crypto.__disabled__ === undefined && !crypto.scrypt) serverconsole.locwarnmessage("Your JavaScript runtime doesn't have native scrypt support. HTTP authentication involving scrypt hashes will not work.");
|
||||
if (process.getuid && process.getuid() == 0) serverconsole.locwarnmessage("You're running SVR.JS as root. It's recommended to run SVR.JS as an non-root user. Running SVR.JS as root may increase the risks of OS command execution vulnerabilities.");
|
||||
if (secure && process.versions && process.versions.openssl && process.versions.openssl.substr(0, 2) == "1.") {
|
||||
if (new Date() > new Date("11 September 2023")) {
|
||||
|
@ -5057,6 +5082,9 @@ function start(init) {
|
|||
pbkdf2Cache = pbkdf2Cache.every(function(entry) {
|
||||
return entry.addDate > (new Date() - 3600000);
|
||||
});
|
||||
scryptCache = scryptCache.every(function(entry) {
|
||||
return entry.addDate > (new Date() - 3600000);
|
||||
});
|
||||
}, 3600000);
|
||||
}
|
||||
if (!cluster.isPrimary && cluster.isPrimary !== undefined) {
|
||||
|
|
191
svrpasswd.js
191
svrpasswd.js
|
@ -7,15 +7,15 @@ try {
|
|||
} catch (ex) {
|
||||
var crypto = {};
|
||||
crypto.__disabled__ = null;
|
||||
crypto.createHash = function(type) {
|
||||
crypto.createHash = function (type) {
|
||||
if (type != "SHA256") throw new Error("Hash type not supported!");
|
||||
return {
|
||||
msg: "",
|
||||
update: function(a) {
|
||||
update: function (a) {
|
||||
this.msg = a;
|
||||
return this;
|
||||
},
|
||||
digest: function(ty) {
|
||||
digest: function (ty) {
|
||||
var chrsz = 8;
|
||||
var hexcase = 0;
|
||||
|
||||
|
@ -163,7 +163,7 @@ try {
|
|||
}
|
||||
|
||||
if (!crypto.randomInt) {
|
||||
crypto.randomInt = function(min, max) {
|
||||
crypto.randomInt = function (min, max) {
|
||||
return Math.round(Math.random() * (max - min)) + min;
|
||||
}
|
||||
}
|
||||
|
@ -196,63 +196,58 @@ function saveConfig() {
|
|||
var args = process.argv;
|
||||
var user = "";
|
||||
var action = "change";
|
||||
var hash = "auto";
|
||||
var forcechange = false;
|
||||
if (process.argv.length <= (process.argv[0].indexOf("node") > -1 || process.argv[0].indexOf("bun") > -1 ? 2 : 1)) args.push("-h");
|
||||
for (var i = (process.argv[0].indexOf("node") > -1 || process.argv[0].indexOf("bun") > -1 ? 2 : 1); i < args.length; i++) {
|
||||
if (args[i] == "-h" || args[i] == "--help" || args[i] == "-?" || args[i] == "/h" || args[i] == "/?") {
|
||||
console.log("SVR.JS user tool usage:");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(0);
|
||||
} else if (args[i] == "-a" || args[i] == "--add") {
|
||||
if (action != "change") {
|
||||
console.log("Multiple actions specified.");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(1);
|
||||
}
|
||||
action = "add";
|
||||
} else if (args[i] == "-d" || args[i] == "--delete") {
|
||||
if (action != "change") {
|
||||
console.log("Multiple actions specified.");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(1);
|
||||
}
|
||||
action = "delete";
|
||||
} else if (args[i] == "--sha256" || args[i] == "--pbkdf2") {
|
||||
if (hash != "auto") {
|
||||
console.log("Multiple hash types specified.");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
} else if (args[i] == "-x") {
|
||||
if (forcechange) {
|
||||
console.log("Multiple -x options specified.");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(1);
|
||||
}
|
||||
hash = (args[i] == "--sha256" ? "sha256" : "pbkdf2");
|
||||
forcechange = true;
|
||||
} else {
|
||||
if (user != "") {
|
||||
console.log("Multiple users specified.");
|
||||
onsole.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(1);
|
||||
}
|
||||
user = args[i];
|
||||
|
@ -261,25 +256,14 @@ for (var i = (process.argv[0].indexOf("node") > -1 || process.argv[0].indexOf("b
|
|||
|
||||
if (user == "") {
|
||||
console.log("No user specified.");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [--sha256|--pbkdf2] [-a|--add|-d|--delete] <username>");
|
||||
console.log("node svrpasswd.js [-h] [--help] [-?] [/h] [/?] [-x] [-a|--add|-d|--delete] <username>");
|
||||
console.log("-h -? /h /? --help -- Displays help");
|
||||
console.log("-a --add -- Add an user");
|
||||
console.log("-d --delete -- Deletes an user");
|
||||
console.log("--sha256 -- Uses salted SHA256");
|
||||
console.log("--pbkdf2 -- Uses PBKDF2");
|
||||
console.log("-x -- Changes hash algorithm");
|
||||
process.exit(1);
|
||||
}
|
||||
|
||||
if (hash == "auto") {
|
||||
if(crypto.__disabled__ !== "undefined") {
|
||||
hash = "sha256";
|
||||
} else if(process.isBun) {
|
||||
hash = "sha256"; //Prevent PBKDF2 function event loop block in Bun
|
||||
} else {
|
||||
hash = "pbkdf2"; //Secure by default
|
||||
}
|
||||
}
|
||||
|
||||
function getUserIndex(username) {
|
||||
var ind = -1
|
||||
for (var i = 0; i < users.length; i++) {
|
||||
|
@ -314,8 +298,10 @@ function password(callback) {
|
|||
});
|
||||
rl.prompt();
|
||||
process.stdout.writeold = process.stdout.write;
|
||||
process.stdout.write = function(s){process.stdout.writeold(s.replace(/[^\r\n]/g,""));};
|
||||
rl.once('line', (line) => {
|
||||
process.stdout.write = function (s) {
|
||||
process.stdout.writeold(s.replace(/[^\r\n]/g, ""));
|
||||
};
|
||||
rl.once('line', function (line) {
|
||||
process.stdout.write = process.stdout.writeold;
|
||||
var rl = readline.createInterface({
|
||||
input: process.stdin,
|
||||
|
@ -324,17 +310,56 @@ function password(callback) {
|
|||
});
|
||||
rl.prompt();
|
||||
process.stdout.writeold = process.stdout.write;
|
||||
process.stdout.write = function(s){process.stdout.writeold(s.replace(/[^\r\n]/g,""));};
|
||||
rl.on('line', (line2) => {
|
||||
process.stdout.write = function (s) {
|
||||
process.stdout.writeold(s.replace(/[^\r\n]/g, ""));
|
||||
};
|
||||
rl.on('line', function (line2) {
|
||||
process.stdout.write = process.stdout.writeold;
|
||||
rl.close();
|
||||
if (line != line2) callback(false);
|
||||
else callback(line);
|
||||
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
function promptAlgorithms(callback, bypass, pbkdf2, scrypt) {
|
||||
if (bypass) {
|
||||
if (scrypt) {
|
||||
callback("scrypt");
|
||||
} else if(pbkdf2) {
|
||||
callback("pbkdf2");
|
||||
} else {
|
||||
callback("sha256");
|
||||
}
|
||||
return;
|
||||
}
|
||||
var algorithms = {
|
||||
sha256: "Salted SHA256 (1 iteration) - fastest and uses least memory, but less secure",
|
||||
pbkdf2: "PBKDF2 (PBKDF2-HMAC-SHA512, 36250 iterations) - more secure and uses less memory, but slower",
|
||||
scrypt: "scrypt (N=2^14, r=8, p=1) - faster and more secure, but uses more memory"
|
||||
}
|
||||
if (!crypto.scrypt || process.isBun) delete algorithms.scrypt;
|
||||
if (!crypto.pbkdf2 || process.isBun) delete algorithms.pbkdf2;
|
||||
var algorithmNames = Object.keys(algorithms);
|
||||
if (algorithmNames.length < 2) callback(algorithmNames[0]);
|
||||
console.log("Select password hashing algorithm. Available algorithms:");
|
||||
for (var i = 0; i < algorithmNames.length; i++) {
|
||||
console.log(algorithmNames[i] + " - " + algorithms[algorithmNames[i]]);
|
||||
}
|
||||
var rl = readline.createInterface({
|
||||
input: process.stdin,
|
||||
output: process.stdout,
|
||||
prompt: 'Algorithm: '
|
||||
});
|
||||
rl.prompt();
|
||||
rl.on('line', function (line) {
|
||||
rl.close();
|
||||
line = line.trim();
|
||||
if (!algorithms[line]) callback(false);
|
||||
else callback(line);
|
||||
});
|
||||
}
|
||||
|
||||
var userindex = getUserIndex(user);
|
||||
if (action == "add" && userindex != -1) {
|
||||
console.log("User alerady exists.");
|
||||
|
@ -348,37 +373,71 @@ if (action == "delete") {
|
|||
saveConfig();
|
||||
console.log("User deleted successfully");
|
||||
} else if (action == "add") {
|
||||
password(function(password) {
|
||||
if (!password) {
|
||||
console.log("Passwords don't match!");
|
||||
promptAlgorithms(function (algorithm) {
|
||||
if (!algorithm) {
|
||||
console.log("Invalid algorithm!");
|
||||
process.exit(1);
|
||||
} else {
|
||||
var salt = generateSalt();
|
||||
users.push({
|
||||
name: user,
|
||||
pass: (hash == "sha256" ? sha256(password + salt) : crypto.pbkdf2Sync(password, salt, 36250, 64, "sha512")),
|
||||
salt: salt,
|
||||
pbkdf2: (hash == "sha256" ? undefined : true)
|
||||
password(function (password) {
|
||||
if (!password) {
|
||||
console.log("Passwords don't match!");
|
||||
process.exit(1);
|
||||
} else {
|
||||
var salt = generateSalt();
|
||||
var hash = "";
|
||||
if (algorithm == "scrypt") {
|
||||
hash = crypto.scryptSync(password, salt, 64).toString("hex");
|
||||
} else if (algorithm == "pbkdf2") {
|
||||
hash = crypto.pbkdf2Sync(password, salt, 36250, 64, "sha512").toString("hex");
|
||||
} else {
|
||||
hash = sha256(password + salt);
|
||||
}
|
||||
users.push({
|
||||
name: user,
|
||||
pass: hash,
|
||||
salt: salt,
|
||||
pbkdf2: (algorithm == "pbkdf2" ? true : undefined),
|
||||
scrypt: (algorithm == "scrypt" ? true : undefined),
|
||||
__svrpasswd_l2: true
|
||||
});
|
||||
saveConfig();
|
||||
console.log("User added successfully");
|
||||
}
|
||||
});
|
||||
saveConfig();
|
||||
console.log("User added successfully");
|
||||
}
|
||||
});
|
||||
} else {
|
||||
password(function(password) {
|
||||
if (!password) {
|
||||
console.log("Passwords don't match!");
|
||||
promptAlgorithms(function (algorithm) {
|
||||
if (!algorithm) {
|
||||
console.log("Invalid algorithm!");
|
||||
process.exit(1);
|
||||
} else {
|
||||
var salt = generateSalt();
|
||||
users[userindex] = {
|
||||
name: user,
|
||||
pass: (hash == "sha256" ? sha256(password + salt) : crypto.pbkdf2Sync(password, salt, 36250, 64, "sha512")),
|
||||
salt: salt,
|
||||
pbkdf2: (hash == "sha256" ? undefined : true)
|
||||
};
|
||||
saveConfig();
|
||||
console.log("Password changed successfully");
|
||||
password(function (password) {
|
||||
if (!password) {
|
||||
console.log("Passwords don't match!");
|
||||
process.exit(1);
|
||||
} else {
|
||||
var salt = generateSalt();
|
||||
var hash = "";
|
||||
if (algorithm == "scrypt") {
|
||||
hash = crypto.scryptSync(password, salt, 64).toString("hex");
|
||||
} else if (algorithm == "pbkdf2") {
|
||||
hash = crypto.pbkdf2Sync(password, salt, 36250, 64, "sha512").toString("hex");
|
||||
} else {
|
||||
hash = sha256(password + salt);
|
||||
}
|
||||
users[userindex] = {
|
||||
name: user,
|
||||
pass: hash,
|
||||
salt: salt,
|
||||
pbkdf2: (algorithm == "pbkdf2" ? true : undefined),
|
||||
scrypt: (algorithm == "scrypt" ? true : undefined),
|
||||
__svrpasswd_l2: true
|
||||
};
|
||||
saveConfig();
|
||||
console.log("Password changed successfully");
|
||||
}
|
||||
});
|
||||
}
|
||||
});
|
||||
}, (users[userindex].__svrpasswd_l2 && !forcechange), users[userindex].pbkdf2, users[userindex].scrypt);
|
||||
}
|
||||
|
|
|
@ -1 +1 @@
|
|||
2
|
||||
3
|
Reference in a new issue