api/qgsauthcrypto_8cpp_source.html

/***************************************************************************

    qgsauthcrypto.cpp

    ---------------------

    begin                : October 5, 2014

    copyright            : (C) 2014 by Boundless Spatial, Inc. USA

    author               : Larry Shaffer

    email                : lshaffer at boundlessgeo dot com

 ***************************************************************************

 *                                                                         *

 *   This program is free software; you can redistribute it and/or modify  *

 *   it under the terms of the GNU General Public License as published by  *

 *   the Free Software Foundation; either version 2 of the License, or     *

 *   (at your option) any later version.                                   *

 *                                                                         *

 ***************************************************************************/


#include "qgsauthcrypto.h"


#include <QObject>

#include <QtCrypto>


// defines culled from MeePasswords (GPL2)

// https://github.com/ruedigergad/meepasswords/blob/master/entrystorage.h

#define CIPHER_SIGNATURE "aes256-cbc-pkcs7"

#define CIPHER_TYPE "aes256"

#define CIPHER_MODE QCA::Cipher::CBC

#define CIPHER_PADDING QCA::Cipher::PKCS7

#define CIPHER_IV_LENGTH 32

#define CIPHER_PROVIDER "qca-ossl"

#define PASSWORD_HASH_ALGORITHM "sha256"

#define KEY_GEN_ITERATIONS 10000

#define KEY_GEN_LENGTH 16

#define KEY_GEN_IV_LENGTH 16


bool QgsAuthCrypto::isDisabled()

{

  if ( !QCA::isSupported( CIPHER_SIGNATURE, CIPHER_PROVIDER ) )

  {

    qDebug( "Authentication system DISABLED: QCA's qca-ossl (OpenSSL) plugin is missing" );

    return true;

  }

  return false;

}


const QString QgsAuthCrypto::encrypt( const QString &pass, const QString &cipheriv, const QString &text )

{

  if ( QgsAuthCrypto::isDisabled() )

    return QString();


  return encryptdecrypt( pass, cipheriv, text, true );

}


const QString QgsAuthCrypto::decrypt( const QString &pass, const QString &cipheriv, const QString &text )

{

  if ( QgsAuthCrypto::isDisabled() )

    return QString();


  return encryptdecrypt( pass, cipheriv, text, false );

}


static QCA::SymmetricKey passwordKey_( const QString &pass, const QCA::InitializationVector &salt )

{

  const QCA::SecureArray passarray( QByteArray( pass.toUtf8().constData() ) );

  const QCA::SecureArray passhash( QCA::Hash( PASSWORD_HASH_ALGORITHM ).hash( passarray ) );

  return QCA::PBKDF2().makeKey( passhash, salt, KEY_GEN_LENGTH, KEY_GEN_ITERATIONS );

}


void QgsAuthCrypto::passwordKeyHash( const QString &pass, QString *salt, QString *hash, QString *cipheriv )

{

  if ( QgsAuthCrypto::isDisabled() )

    return;


  const QCA::InitializationVector saltiv = QCA::InitializationVector( KEY_GEN_IV_LENGTH );

  const QCA::SymmetricKey key = passwordKey_( pass, saltiv );


  if ( !key.isEmpty() )

  {

    *salt = QCA::arrayToHex( saltiv.toByteArray() );

    qDebug( "salt hex: %s", qPrintable( *salt ) );


    *hash = QCA::arrayToHex( key.toByteArray() );

    qDebug( "hash hex: %s", qPrintable( *hash ) );


    if ( cipheriv )

    {

      *cipheriv = QCA::arrayToHex( QCA::InitializationVector( CIPHER_IV_LENGTH ).toByteArray() );

      qDebug( "cipheriv hex: %s", qPrintable( *cipheriv ) );

    }

  }

}


bool QgsAuthCrypto::verifyPasswordKeyHash( const QString &pass,

    const QString &salt,

    const QString &hash,

    QString *hashderived )

{

  if ( QgsAuthCrypto::isDisabled() )

    return false;


  const QCA::InitializationVector saltiv( QCA::hexToArray( salt ) );

  const QString derived( QCA::arrayToHex( passwordKey_( pass, saltiv ).toByteArray() ) );


  if ( hashderived )

  {

    *hashderived = derived;

  }


  return hash == derived;

}


QString QgsAuthCrypto::encryptdecrypt( const QString &passstr,

                                       const QString &cipheriv,

                                       const QString &textstr,

                                       bool encrypt )

{

  QString outtxt = QString();

  if ( QgsAuthCrypto::isDisabled() )

    return outtxt;


  const QCA::InitializationVector iv( QCA::hexToArray( cipheriv ) );


  const QCA::SymmetricKey key( QCA::SecureArray( QByteArray( passstr.toUtf8().constData() ) ) );


  if ( encrypt )

  {

    QCA::Cipher cipher = QCA::Cipher( CIPHER_TYPE, CIPHER_MODE, CIPHER_PADDING,

                                      QCA::Encode, key, iv,

                                      CIPHER_PROVIDER );


    const QCA::SecureArray securedata( textstr.toUtf8() );

    const QCA::SecureArray encrypteddata( cipher.process( securedata ) );

    if ( !cipher.ok() )

    {

      qDebug( "Encryption failed!" );

      return outtxt;

    }

    outtxt = QCA::arrayToHex( encrypteddata.toByteArray() );

    // qDebug( "Encrypted hex: %s", qPrintable( outtxt ) );

  }

  else

  {

    QCA::Cipher cipher = QCA::Cipher( CIPHER_TYPE, CIPHER_MODE, CIPHER_PADDING,

                                      QCA::Decode, key, iv,

                                      CIPHER_PROVIDER );


    const QCA::SecureArray ciphertext( QCA::hexToArray( textstr ) );

    const QCA::SecureArray decrypteddata( cipher.process( ciphertext ) );

    if ( !cipher.ok() )

    {

      qDebug( "Decryption failed!" );

      return outtxt;

    }


    outtxt = QString( decrypteddata.toByteArray() );

    // qDebug( "Decrypted text %s", qPrintable( outtxt ) ); // DO NOT LEAVE THIS LINE UNCOMMENTED

  }


  return outtxt;

}

QgsAuthCrypto::passwordKeyHash
static void passwordKeyHash(const QString &pass, QString *salt, QString *hash, QString *cipheriv=nullptr)
Generate SHA256 hash for master password, with iterations and salt.
Definition: qgsauthcrypto.cpp:68

QgsAuthCrypto::encrypt
static const QString encrypt(const QString &pass, const QString &cipheriv, const QString &text)
Encrypt data using master password.
Definition: qgsauthcrypto.cpp:45

QgsAuthCrypto::verifyPasswordKeyHash
static bool verifyPasswordKeyHash(const QString &pass, const QString &salt, const QString &hash, QString *hashderived=nullptr)
Verify existing master password hash to a re-generated one.
Definition: qgsauthcrypto.cpp:92

QgsAuthCrypto::decrypt
static const QString decrypt(const QString &pass, const QString &cipheriv, const QString &text)
Decrypt data using master password.
Definition: qgsauthcrypto.cpp:53

QgsAuthCrypto::isDisabled
static bool isDisabled()
Whether QCA has the qca-ossl plugin, which a base run-time requirement.
Definition: qgsauthcrypto.cpp:35

KEY_GEN_IV_LENGTH
#define KEY_GEN_IV_LENGTH
Definition: qgsauthcrypto.cpp:33

PASSWORD_HASH_ALGORITHM
#define PASSWORD_HASH_ALGORITHM
Definition: qgsauthcrypto.cpp:30

CIPHER_IV_LENGTH
#define CIPHER_IV_LENGTH
Definition: qgsauthcrypto.cpp:28

KEY_GEN_ITERATIONS
#define KEY_GEN_ITERATIONS
Definition: qgsauthcrypto.cpp:31

CIPHER_PADDING
#define CIPHER_PADDING
Definition: qgsauthcrypto.cpp:27

CIPHER_MODE
#define CIPHER_MODE
Definition: qgsauthcrypto.cpp:26

CIPHER_PROVIDER
#define CIPHER_PROVIDER
Definition: qgsauthcrypto.cpp:29

CIPHER_TYPE
#define CIPHER_TYPE
Definition: qgsauthcrypto.cpp:25

KEY_GEN_LENGTH
#define KEY_GEN_LENGTH
Definition: qgsauthcrypto.cpp:32

CIPHER_SIGNATURE
#define CIPHER_SIGNATURE
Definition: qgsauthcrypto.cpp:24

qgsauthcrypto.h