TheLanc3/rustdesk
1
0
Fork 0
mirror of https://github.com/rustdesk/rustdesk.git synced 2026-06-25 17:54:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

refact(password): encrypt (#15073)

Browse Source 
* refact(password): encrypt

Signed-off-by: fufesou <linlong1266@gmail.com>

* refact(password): simplify preset password

Signed-off-by: fufesou <linlong1266@gmail.com>

* update hbb_common

Signed-off-by: fufesou <linlong1266@gmail.com>

* refact(password): clear password, do not clear salt

* refact(password): update hbb_common

Signed-off-by: fufesou <linlong1266@gmail.com>

* refact(password): merge import

Signed-off-by: fufesou <linlong1266@gmail.com>

---------

Signed-off-by: fufesou <linlong1266@gmail.com>
This commit is contained in:
fufesou
2026-05-26 11:11:25 +08:00
committed by GitHub
parent 0af6b7ede9
commit 1f26e452fc
5 changed files with 33 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
src/server/connection.rs
View File

@@ -30,8 +30,11 @@ use cidr_utils::cidr::IpCidr;
#[cfg(target_os = "android")]
use hbb_common::protobuf::EnumOrUnknown;
use hbb_common::{
config::decode_permanent_password_h1_from_storage,
config::{self, keys, Config, TrustedDevice},
config::{
self, decode_permanent_password_h1_from_storage, decode_preset_password_h1_from_storage,
keys, local_permanent_password_storage_is_usable_for_auth,
preset_permanent_password_storage_is_usable_for_auth, Config, TrustedDevice,
},
fs::{self, can_enable_overwrite_detection, JobType},
futures::{SinkExt, StreamExt},
get_time, get_version_number,
@@ -412,8 +415,9 @@ impl Connection {
let _raii_id = raii::ConnectionID::new(id);
let _raii_control_permissions_id =
raii::ControlPermissionsID::new(id, &control_permissions);
let salt = Config::get_effective_permanent_password_salt();
let hash = Hash {
salt: Config::get_salt(),
salt,
challenge: Config::get_auto_password(6),
..Default::default()
};
@@ -2109,6 +2113,16 @@ impl Connection {
self.validate_password_plain(storage)
}
fn validate_preset_password_storage(&self, storage: &str, salt: &str) -> bool {
if salt.is_empty() {
return self.validate_password_plain(storage);
}
let Some(h1) = decode_preset_password_h1_from_storage(storage) else {
return false;
};
self.verify_h1(&h1[..])
}
// This is coarse brute-force protection for the current temporary password value.
// We only care whether the active temporary password itself was presented correctly,
// not whether later authorization steps succeed. A successful temporary-password
@@ -2180,23 +2194,22 @@ impl Connection {
log::info!("Permanent password accepted via logon-screen fallback");
}
};
// Since hashed storage uses a prefix-based encoding, a hard plaintext that
// happens to look like hashed storage could be mis-detected. Validate local storage
// and hard/preset plaintext via separate paths to avoid that ambiguity.
let (local_storage, _) = Config::get_local_permanent_password_storage_and_salt();
// Strictly check storage usability before auth so malformed encrypted/hash storage
// cannot fall back to being accepted as legacy plaintext.
let (local_storage, local_salt) =
Config::get_local_permanent_password_storage_and_salt();
if !local_storage.is_empty() {
if self.validate_password_storage(&local_storage) {
if local_permanent_password_storage_is_usable_for_auth(&local_storage, &local_salt)
&& self.validate_password_storage(&local_storage)
{
print_fallback();
return true;
}
} else {
let hard = config::HARD_SETTINGS
.read()
.unwrap()
.get("password")
.cloned()
.unwrap_or_default();
if !hard.is_empty() && self.validate_password_plain(&hard) {
let (hard, salt) = Config::get_preset_password_storage_and_salt();
if preset_permanent_password_storage_is_usable_for_auth(&hard, &salt)
&& self.validate_preset_password_storage(&hard, &salt)
{
print_fallback();
return true;
}