credentials_8cpp_source.html

 /*
 Copyright (C) 2017-2018 by the Battle for Wesnoth Project https://www.wesnoth.org/

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY.

 See the COPYING file for more details.
 */

 #include "credentials.hpp"

 #include "preferences/general.hpp"
 #include "serialization/unicode.hpp"
 #include "filesystem.hpp"
 #include "log.hpp"
 #include "serialization/string_utils.hpp"

 #include <boost/algorithm/string.hpp>

 #include <algorithm>
 #include <memory>

 #ifndef __APPLE__
 #include <openssl/rc4.h>
 #else
 #include <CommonCrypto/CommonCryptor.h>
 #endif

 #ifdef _WIN32
 #include <boost/range/iterator_range.hpp>
 #include <windows.h>
 #endif

 static lg::log_domain log_config("config");
 #define ERR_CFG LOG_STREAM(err , log_config)

 class secure_buffer : public std::vector<unsigned char>
 {
 public:
     template<typename... T> secure_buffer(T&&... args)
         : vector<unsigned char>(std::forward<T>(args)...)
     {}
     ~secure_buffer()
     {
         std::fill(begin(), end(), '\0');
     }
 };

 struct login_info
 {
     std::string username, server;
     secure_buffer key;
     login_info(const std::string& username, const std::string& server, const secure_buffer& key)
         : username(username), server(server), key(key)
     {}
     login_info(const std::string& username, const std::string& server)
         : username(username), server(server), key()
     {}
     std::size_t size() const
     {
         return 3 + username.size() + server.size() + key.size();
     }
 };

 static std::vector<login_info> credentials;

 // Separate password entries with formfeed
 static const unsigned char CREDENTIAL_SEPARATOR = '\f';

 static secure_buffer encrypt(const secure_buffer& text, const secure_buffer& key);
 static secure_buffer decrypt(const secure_buffer& text, const secure_buffer& key);
 static secure_buffer build_key(const std::string& server, const std::string& login);
 static secure_buffer escape(const secure_buffer& text);
 static secure_buffer unescape(const secure_buffer& text);

 static std::string get_system_username()
 {
     std::string res;
 #ifdef _WIN32
     wchar_t buffer[300];
     DWORD size = 300;
     if(GetUserNameW(buffer, &size)) {
         //size includes a terminating null character.
         assert(size > 0);
         res = unicode_cast<std::string>(boost::iterator_range<wchar_t*>(buffer, buffer + size - 1));
     }
 #else
     if(char* const login = getenv("USER")) {
         res = login;
     }
 #endif
     return res;
 }

 static void clear_credentials()
 {
     // Zero them before clearing.
     // Probably overly paranoid, but doesn't hurt?
     for(auto& cred : credentials) {
         std::fill(cred.username.begin(), cred.username.end(), '\0');
         std::fill(cred.server.begin(), cred.server.end(), '\0');
     }
     credentials.clear();
 }

 static const std::string EMPTY_LOGIN = "@@";

 namespace preferences
 {
     std::string login()
     {
         std::string name = preferences::get("login", EMPTY_LOGIN);
         if(name == EMPTY_LOGIN) {
             name = get_system_username();
         } else if(name.size() > 2 && name.front() == '@' && name.back() == '@') {
             name = name.substr(1, name.size() - 2);
         } else {
             ERR_CFG << "malformed user credentials (did you manually edit the preferences file?)" << std::endl;
         }
         if(name.empty()) {
             return "player";
         }
         return name;
     }

     void set_login(const std::string& login)
     {
         auto login_clean = login;
         boost::trim(login_clean);

         preferences::set("login", '@' + login_clean + '@');
     }

     bool remember_password()
     {
         return preferences::get("remember_password", false);
     }

     void set_remember_password(bool remember)
     {
         preferences::set("remember_password", remember);

         if(remember) {
             load_credentials();
         } else {
             clear_credentials();
         }
     }

     std::string password(const std::string& server, const std::string& login)
     {
         auto login_clean = login;
         boost::trim(login_clean);

         if(!remember_password()) {
             if(!credentials.empty() && credentials[0].username == login_clean && credentials[0].server == server) {
                 auto temp = decrypt(credentials[0].key, build_key(server, login_clean));
                 return std::string(temp.begin(), temp.end());
             } else {
                 return "";
             }
         }
         auto cred = std::find_if(credentials.begin(), credentials.end(), [&](const login_info& cred) {
             return cred.server == server && cred.username == login_clean;
         });
         if(cred == credentials.end()) {
             return "";
         }
         auto temp = decrypt(cred->key, build_key(server, login_clean));
         return std::string(temp.begin(), temp.end());
     }

     void set_password(const std::string& server, const std::string& login, const std::string& key)
     {
         auto login_clean = login;
         boost::trim(login_clean);

         secure_buffer temp(key.begin(), key.end());
         if(!remember_password()) {
             clear_credentials();
             credentials.emplace_back(login_clean, server, encrypt(temp, build_key(server, login_clean)));
             return;
         }
         auto cred = std::find_if(credentials.begin(), credentials.end(), [&](const login_info& cred) {
             return cred.server == server && cred.username == login_clean;
         });
         if(cred == credentials.end()) {
             // This is equivalent to emplace_back, but also returns the iterator to the new element
             cred = credentials.emplace(credentials.end(), login_clean, server);
         }
         cred->key = encrypt(temp, build_key(server, login_clean));
     }

     void load_credentials()
     {
         if(!remember_password()) {
             return;
         }
         clear_credentials();
         std::string cred_file = filesystem::get_credentials_file();
         if(!filesystem::file_exists(cred_file)) {
             return;
         }
         filesystem::scoped_istream stream = filesystem::istream_file(cred_file, false);
         // Credentials file is a binary blob, so use streambuf iterator
         secure_buffer data((std::istreambuf_iterator<char>(*stream)), (std::istreambuf_iterator<char>()));
         data = decrypt(data, build_key("global", get_system_username()));
         if(data.empty() || data[0] != CREDENTIAL_SEPARATOR) {
             ERR_CFG << "Invalid data in credentials file\n";
             return;
         }
         for(const std::string& elem : utils::split(std::string(data.begin(), data.end()), CREDENTIAL_SEPARATOR, utils::REMOVE_EMPTY)) {
             std::size_t at = elem.find_last_of('@');
             std::size_t eq = elem.find_first_of('=', at + 1);
             if(at != std::string::npos && eq != std::string::npos) {
                 secure_buffer key(elem.begin() + eq + 1, elem.end());
                 credentials.emplace_back(elem.substr(0, at), elem.substr(at + 1, eq - at - 1), unescape(key));
             }
         }
     }

     void save_credentials()
     {
         if(!remember_password()) {
             filesystem::delete_file(filesystem::get_credentials_file());
             return;
         }
         secure_buffer credentials_data(1, CREDENTIAL_SEPARATOR);
         std::size_t offset = 1;
         for(const auto& cred : credentials) {
             credentials_data.resize(credentials_data.size() + cred.size(), CREDENTIAL_SEPARATOR);
             std::copy(cred.username.begin(), cred.username.end(), credentials_data.begin() + offset);
             offset += cred.username.size();
             credentials_data[offset++] = '@';
             std::copy(cred.server.begin(), cred.server.end(), credentials_data.begin() + offset);
             offset += cred.server.size();
             credentials_data[offset++] = '=';
             secure_buffer key_escaped = escape(cred.key);
             // Escaping may increase the length, so resize again if so
             credentials_data.resize(credentials_data.size() + key_escaped.size() - cred.key.size());
             std::copy(key_escaped.begin(), key_escaped.end(), credentials_data.begin() + offset);
             offset += key_escaped.size() + 1;
         }
         try {
             filesystem::scoped_ostream credentials_file = filesystem::ostream_file(filesystem::get_credentials_file());
             secure_buffer encrypted = encrypt(credentials_data, build_key("global", get_system_username()));
             credentials_file->write(reinterpret_cast<const char*>(encrypted.data()), encrypted.size());
         } catch(const filesystem::io_exception&) {
             ERR_CFG << "error writing to credentials file '" << filesystem::get_credentials_file() << "'" << std::endl;
         }
     }
 }

 // TODO: Key-stretching (bcrypt was recommended)
 secure_buffer build_key(const std::string& server, const std::string& login)
 {
     std::string sysname = get_system_username();
     secure_buffer result(std::max<std::size_t>(server.size() + login.size() + sysname.size(), 32));
     unsigned char i = 0;
     std::generate(result.begin(), result.end(), [&i]() {return 'x' ^ i++;});
     std::copy(login.begin(), login.end(), result.begin());
     std::copy(sysname.begin(), sysname.end(), result.begin() + login.size());
     std::copy(server.begin(), server.end(), result.begin() + login.size() + sysname.size());
     return result;
 }

 static secure_buffer rc4_crypt(const secure_buffer& text, const secure_buffer& key)
 {
     secure_buffer result(text.size(), '\0');
 #ifndef __APPLE__
     RC4_KEY cipher_key;
     RC4_set_key(&cipher_key, key.size(), key.data());
     const std::size_t block_size = key.size();
     const std::size_t blocks = text.size() / block_size;
     const std::size_t extra = text.size() % block_size;
     for(std::size_t i = 0; i < blocks * block_size; i += block_size) {
         RC4(&cipher_key, block_size, text.data() + i, result.data() + i);
     }
     if(extra) {
         std::size_t i = blocks * block_size;
         RC4(&cipher_key, extra, text.data() + i, result.data() + i);
     }
 #else
     size_t outWritten = 0;
     CCCryptorStatus ccStatus = CCCrypt(kCCDecrypt,
         kCCAlgorithmRC4,
         kCCOptionPKCS7Padding,
         key.data(),
         key.size(),
         nullptr,
         text.data(),
         text.size(),
         result.data(),
         result.size(),
         &outWritten);

     assert(ccStatus == kCCSuccess);
     assert(outWritten == text.size());
 #endif
     return result;
 }

 secure_buffer encrypt(const secure_buffer& text, const secure_buffer& key)
 {
     return rc4_crypt(text, key);
 }

 secure_buffer decrypt(const secure_buffer& text, const secure_buffer& key)
 {
     auto buf = rc4_crypt(text, key);
     while(!buf.empty() && buf.back() == 0) {
         buf.pop_back();
     }
     return buf;
 }

 secure_buffer unescape(const secure_buffer& text)
 {
     secure_buffer unescaped;
     unescaped.reserve(text.size());
     bool escaping = false;
     for(char c : text) {
         if(escaping) {
             if(c == '\xa') {
                 unescaped.push_back('\xc');
             } else if(c == '.') {
                 unescaped.push_back('@');
             } else {
                 unescaped.push_back(c);
             }
             escaping = false;
         } else if(c == '\x1') {
             escaping = true;
         } else {
             unescaped.push_back(c);
         }
     }
     assert(!escaping);
     return unescaped;
 }

 secure_buffer escape(const secure_buffer& text)
 {
     secure_buffer escaped;
     escaped.reserve(text.size());
     for(char c : text) {
         if(c == '\x1') {
             escaped.push_back('\x1');
             escaped.push_back('\x1');
         } else if(c == '\xc') {
             escaped.push_back('\x1');
             escaped.push_back('\xa');
         } else if(c == '@') {
             escaped.push_back('\x1');
             escaped.push_back('.');
         } else {
             escaped.push_back(c);
         }
     }
     return escaped;
 }
login_info::key
secure_buffer key
Definition: credentials.cpp:56

login_info::login_info
login_info(const std::string &username, const std::string &server)
Definition: credentials.cpp:60

rc4_crypt
static secure_buffer rc4_crypt(const secure_buffer &text, const secure_buffer &key)
Definition: credentials.cpp:271

preferences::remember_password
bool remember_password()
Definition: credentials.cpp:138

filesystem::delete_file
bool delete_file(const std::string &filename)
Definition: filesystem.cpp:986

encrypt
static secure_buffer encrypt(const secure_buffer &text, const secure_buffer &key)
Definition: credentials.cpp:307

preferences::set_remember_password
void set_remember_password(bool remember)
Definition: credentials.cpp:143

filesystem::file_exists
static bool file_exists(const bfs::path &fpath)
Definition: filesystem.cpp:262

unicode_cast
ucs4_convert_impl::enableif< TD, typename TS::value_type >::type unicode_cast(const TS &source)
Definition: unicode_cast.hpp:57

lg::log_domain
Definition: log.hpp:104

filesystem::istream_file
filesystem::scoped_istream istream_file(const std::string &fname, bool treat_failure_as_error)
Definition: filesystem.cpp:1005

unescape
static secure_buffer unescape(const secure_buffer &text)
Definition: credentials.cpp:321

std
STL namespace.

preferences::set
void set(const std::string &key, bool value)
Definition: general.cpp:160

unicode.hpp

preferences::save_credentials
void save_credentials()
Definition: credentials.cpp:226

log_config
static lg::log_domain log_config("config")

filesystem::ostream_file
filesystem::scoped_ostream ostream_file(const std::string &fname, std::ios_base::openmode mode, bool create_directory)
Definition: filesystem.cpp:1043

login_info::username
std::string username
Definition: credentials.cpp:55

escape
static secure_buffer escape(const secure_buffer &text)
Definition: credentials.cpp:346

schema_validation::at
static std::string at(const std::string &file, int line)
Definition: schema_validator.cpp:33

secure_buffer::secure_buffer
secure_buffer(T &&... args)
Definition: credentials.cpp:44

preferences::get
std::string get(const std::string &key)
Definition: general.cpp:208

login_info
Definition: credentials.cpp:53

utf8::size
std::size_t size(const std::string &str)
Length in characters of a UTF-8 string.
Definition: unicode.cpp:86

clear_credentials
static void clear_credentials()
Definition: credentials.cpp:99

preferences::set_login
void set_login(const std::string &login)
Definition: credentials.cpp:130

secure_buffer
Definition: credentials.cpp:41

filesystem::scoped_istream
std::unique_ptr< std::istream > scoped_istream
Definition: filesystem.hpp:38

preferences::set_password
void set_password(const std::string &server, const std::string &login, const std::string &key)
Definition: credentials.cpp:177

preferences
Modify, read and display user preferences.
Definition: preferences_dialog.hpp:35

credentials.hpp

preferences::login
std::string login()
Definition: credentials.cpp:114

CREDENTIAL_SEPARATOR
static const unsigned char CREDENTIAL_SEPARATOR
Definition: credentials.cpp:72

filesystem::scoped_ostream
std::unique_ptr< std::ostream > scoped_ostream
Definition: filesystem.hpp:39

get_system_username
static std::string get_system_username()
Definition: credentials.cpp:80

i
std::size_t i
Definition: function.cpp:940

decrypt
static secure_buffer decrypt(const secure_buffer &text, const secure_buffer &key)
Definition: credentials.cpp:312

filesystem::io_exception
An exception object used when an IO error occurs.
Definition: filesystem.hpp:47

EMPTY_LOGIN
static const std::string EMPTY_LOGIN
Definition: credentials.cpp:110

preferences::password
std::string password(const std::string &server, const std::string &login)
Definition: credentials.cpp:154

general.hpp

filesystem.hpp
Declarations for File-IO.

string_utils.hpp

credentials
static std::vector< login_info > credentials
Definition: credentials.cpp:69

secure_buffer::~secure_buffer
~secure_buffer()
Definition: credentials.cpp:47

ERR_CFG
#define ERR_CFG
Definition: credentials.cpp:39

utils::split
std::vector< std::string > split(const config_attribute_value &val)
Definition: config_attribute_value.cpp:436

preferences::load_credentials
void load_credentials()
Definition: credentials.cpp:198

filesystem::get_credentials_file
std::string get_credentials_file()
Definition: filesystem_common.cpp:132

utils::REMOVE_EMPTY
Definition: string_utils.hpp:41

log.hpp
Standard logging facilities (interface).

utils::trim
void trim(std::string_view &s)
Definition: string_utils.cpp:62

login_info::size
std::size_t size() const
Definition: credentials.cpp:63

login_info::login_info
login_info(const std::string &username, const std::string &server, const secure_buffer &key)
Definition: credentials.cpp:57

build_key
static secure_buffer build_key(const std::string &server, const std::string &login)
Definition: credentials.cpp:259

c
mock_char c
Definition: test_formula_core.cpp:67