<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="moz-cite-prefix">Regarding config restructuring see OvmsConfig::upgrade().<br class=""></div></div></blockquote><div class=""><br class=""></div>Looks perfect. I hadn’t seen that before. Concerning how this project is now so big that I can’t keep track of it all 🤔<div class=""><br class=""></div><div class="">Regards, Mark.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 12 Mar 2020, at 7:12 PM, Michael Balzer <<a href="mailto:dexter@expeedo.de" class="">dexter@expeedo.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class="">
<div class="moz-cite-prefix">Mark,<br class="">
<br class="">
awesome, I'll have a look and try running the new version at the
weekend.<br class="">
<br class="">
Regarding config restructuring see OvmsConfig::upgrade().<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
Am 11.03.20 um 08:00 schrieb Mark Webb-Johnson:<br class="">
</div>
<blockquote type="cite" cite="mid:1D56D7C3-54B9-4064-BE5E-30D2485ECE28@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><br class="">
</div>
This seems stable to me now. Running well, with no outstanding
issues (at least in the configuration I am running).
<div class=""><br class="">
</div>
<div class="">The code is all committed to github, and
documentation in the usual place:</div>
<div class=""><br class="">
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding:
0px;" class=""><a href="https://docs.openvehicles.com/en/latest/server/index.html" class="" moz-do-not-send="true">https://docs.openvehicles.com/en/latest/server/index.html</a></blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">I’m now going to look at the OVMS module firmware to see if
it is possible to support this scheme 0x31 in a neat way. The
config ’server.v2’ directory is a little messy at the moment
(password stored there, rather than in password/server.v2, so
the whole config section needs to be read-only).</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 6 Mar 2020, at 12:54 PM, Mark Webb-Johnson
<<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">
<div class=""><br class="">
</div>
Wow, that was a lot more complex than I anticipated (in
particular, making vehicleid’s unique per owner, not
globally unique). 3,000 monolithic lines to 4,000
structured lines. Code has been committed to GitHub, and
is running live on <a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a> now.
<div class=""><br class="">
</div>
<div class="">Warning: There may (will) be bugs. If
killed all the obvious ones, but running live is still
showing up some edge cases. I don’t recommend anybody
else runs this in production yet (particularly as
rolling back would be non-trivial, as a result of the
database changes).</div>
<div class=""><br class="">
</div>
<div class="">Major changes include:</div>
<div class=""><br class="">
</div>
<div class="">
<ol class="MailOutline">
<li class="">Complete restructuring, to be plugin
based. This allows optional functionality to be
installed (for example, if you don’t require
drupal integration don’t enable that plugin), as
well as new plugins to be developed. The list of
plugins I am using on my production server are: <span style="caret-color: rgb(0, 0, 0);" class="">VECE,
DbDBI, AuthDrupal, ApiV2, Push, PushAPNS,
PushGCM, PushMAIL, ApiHttp, ApiHttpCore, and
ApiHttpMqapi.<br class="">
<br class="">
</span></li>
<li class=""><font class=""><span style="caret-color: rgb(0, 0, 0);" class="">The
system is designed to be installed and run
from a github clone. Just clone the server
repository, change directory to v3/server,
configure and run appropriately. The
.gitignore file allows changes to be made to
the configuration without affecting the master
github.<br class="">
</span></font><br class="">
</li>
<li class="">Database format upgrades. See
server/ovms_server_v2_to_v2.sql for the schema
changes. If upgrading, you must deploy these
database changes (just ’source’ the script in the
mysql console). The upgrade may take a while (in
particular, the last stage for historical data).<br class="">
<br class="">
</li>
<li class="">The database no longer requires vehicle
IDs to be globally unique. However, there are some
caveats:<br class="">
<br class="">
</li>
<ul class="">
<li class="">The v2 crypto 0x30 scheme only sends
the vehicle ID, not the owner’s username (so if
there are two vehicles in the database with the
same vehicle ID, we don’t know which one is the
correct one). If you use that scheme (as
everything does nowadays), vehicle ID still
needs to be globally unique for you. For this
reason, my Drupal vehicle plugin still checks
and enforces unique IDs. The 0x30 login system
won’t allow you to login to a vehicle who’s ID
has more than one owner. Going forward, as we
move away from 0x30 and ’server password’, this
will become less of an issue.<br class="">
<br class="">
</li>
<li class="">The new v3 crypto 0x31 scheme sends
username as well as vehicle ID, so supports
per-user vehicle IDs.<br class="">
<br class="">
</li>
<li class="">The HTTP API sends username, so
supports per-user vehicle IDs.<br class="">
<br class="">
</li>
<li class="">Perhaps we should move to ‘VIN’ as
vehicle ID?<br class="">
<br class="">
</li>
</ul>
<li class="">The new crypto scheme 0x31 is much
simpler to use, and script. Preferable, IMHO - but
requires SSL/TLS for protection.<br class="">
<br class="">
</li>
<li class="">I’ve added support for API tokens, and
love how they have turned out. I recommend this as
the best approach going forward. Each token
belongs to a particular owner, and has privilege
rights associated with it. Tokens can be created
and revoked by the owner. It is much easier to see
which application (or car) has access to what. For
example, the car module can ask for
username+password, use that to obtain a token,
store it locally and use that for authentication
going forward (with no need to store the server
password at all).<br class="">
<br class="">
</li>
<li class="">Plugin authentication works well.
Extend with new mechanisms as required. The
‘Authenticate’ plugin callback is merely passed
username+password and returns the permissions
granted.<br class="">
<br class="">
</li>
<li class="">Push notifications are nicely modular
and extendable. Already supports APNS, GCM, and
MAIL.<br class="">
<br class="">
</li>
<li class="">I’ve called it v3, because this
architecture will be able to cooperate with MQTT
(for things like HTTP API, authentication,
historical data, push notifications, etc).</li>
</ol>
</div>
<div class="">
<div class="">
<div class=""><br class="">
</div>
<div class="">Still todo:</div>
<div class=""><br class="">
</div>
<div class="">
<ul class="MailOutline">
<li class="">An option for automatic vehicle
registration (easy).<br class="">
<br class="">
</li>
<li class="">Improvements to the token
allocation API (in particular to retrieve
existing tokens for specific application usage
such as car modules).<br class="">
<br class="">
</li>
<li class="">A few miscellaneous functions not
often used.<br class="">
<br class="">
</li>
<li class="">Documentation. I’ve documented the
API changes (both v2 protocol for 0x31, and
HTTP API extensions for authentication options
and api tokens), but still to document
installation and configuration instructions
for the server itself.<br class="">
<br class="">
</li>
<li class="">Administrator access. Still
deciding the best way to handle this. Perhaps
’administrative api tokens’.<br class="">
<br class="">
</li>
<li class="">Permissions and Rights. The core is
there, but need to extend to everything and
document what rights are used for what. This
is only relevant for api tokens anyway (as the
other two authentication methods grant ‘*’
rights anyway).</li>
</ul>
</div>
<div class=""><br class="">
</div>
<div class="">Final warning: Please don’t deploy
this in productions systems yet. Changes are
massive.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.</div>
<div class=""><br class="">
</div>
<blockquote type="cite" class="">
<div class="">On 28 Feb 2020, at 3:47 PM, Mark
Webb-Johnson <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class="">
<div class=""><br class="">
</div>
The new framework is running now on my
development bench, and seems good. It was a
major re-structuring, so I’ve upped the
version to 3.0 (particularly as this is going
to end up connecting to MQTT for HTTP API,
database logging, push notifications,
authentication, etc). I should finish my
testing this weekend, then bring it up on <a href="http://api.openvehicles.com/" class="" moz-do-not-send="true">api.openvehicles.com</a>.
Others should migrate to it with care.
<div class=""><br class="">
</div>
<div class="">Regarding the authentication, I
have almost finished implementing:</div>
<div class=""><br class="">
</div>
<div class="">
<ul class="MailOutline">
<li class="">An Auth Token facility (with
authtokens stored against an associated
owner ID).</li>
<ul class="">
<li class="">The HTTP API (using
username+password authentication) can
be used to issue new tokens, as well
as enquire on the tokens already
issued.</li>
<li class="">The HTTP API can be used to
enumerate registered vehicles, and
otherwise maintain them.</li>
<li class="">The drupal website
extension will be extended to also
allow viewing and maintenance of
tokens.</li>
<li class="">An authentication token is:</li>
<ul class="">
<li class="">Owner ID (so zero or more
tokens belong to this owner)</li>
<li class="">Token issued by the
server on request (the token itself,
unique, and the primary key)</li>
<li class="">Usage identifier
(identifying the car module, app id,
etc)</li>
<li class="">Usage description (a
textual description of the usage)</li>
<li class="">Permissions (a permission
string identifying what the token
can be used for)</li>
<li class="">Created date+time</li>
<li class="">Updated date+time</li>
</ul>
<li class="">Requests for a new token
are passed the usage identifier and
description as parameters, and
authenticated by username+password.</li>
<ul class="">
<li class="">If a token already exists
for that usage identifier, then the
description is simply updated (along
with updated date+time) and the
token returned.</li>
<li class="">If no token exists, a
random one is created and returned
(along with usage identifier,
description, created and updated
date+times).<br class="">
<br class="">
</li>
</ul>
</ul>
<li class="">An extension to MQTT
authentication API to allow
authentication either by
username+password, or
username+authtoken.<br class="">
<br class="">
</li>
<li class="">An extension to the HTTP API
to allow authentication by
username+token, in addition to the
existing username+password.<br class="">
<br class="">
</li>
<li class="">An extension to the V2 API to
allow authentication by
username+password or username+authtoken,
in addition to the existing
vehicled+serverpassword (crypto scheme
0x31).<br class="">
<br class="">
</li>
<li class="">An extension to the V2 API to
allow for optional automatic
registration of new vehicles (a
successful login with a non-existent
vehicle ID will simply create it with a
random server password).<br class="">
<br class="">
</li>
<li class="">Removed the restriction that
vehicle ID should be unique on the
server (now just unique for each user).<br class="">
<br class="">
</li>
<li class="">The preferred approach for a
new app/car connection will then be:</li>
<ul class="">
<li class="">The user is interactively
asked to select a server and provide
his username+password</li>
<li class="">A usage identifier and
description is generated
programatically</li>
<li class="">The HTTP API is used to
obtain a token (or recall the token if
previously registered)</li>
<li class="">The username, usage
identifier, and token are stored
persistently</li>
<li class="">The username, token, and
vehicle ID is used to login using v2
or v3 protocols<br class="">
<br class="">
</li>
</ul>
<li class="">So, three complementary
authentication mechanisms are provided:</li>
<ul class="">
<li class="">The v2
vehicleid+serverpassword mechanism
(with full permissions to access that
particular vehicle)</li>
<li class="">Username+Password mechanism
(with full permission to maintain
tokens, access all vehicles, and do
everything)</li>
<li class="">Username+Token mechanism
(with permissions specified on the
token)</li>
</ul>
</ul>
<div class=""><br class="">
</div>
<div class="">Comments welcome, and we can
refine the above if necessary, but it is
at least a starting point. I am trying to
maintain as much flexibility as possible,
but at the same time make things easier
for the user. I’ve had four support
requests so far this week for people
messing up either the server they are
using (app api.openvehicles, car
dexters-web), the vehicle ID, or confusion
between all the passwords.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark.<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 23 Feb 2020, at 8:54
PM, Mark Webb-Johnson <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space;
line-break: after-white-space;" class="">
<div dir="auto" style="word-wrap:
break-word; -webkit-nbsp-mode:
space; line-break:
after-white-space;" class="">This
is turning into a bigger job
than I imagined. "Give a mouse a
cookie", and all that.
<div class=""><br class="">
</div>
<div class="">The ovms_server.pl
has gotten horrendous over the
years. Almost 3,000 monolithic
lines of code, 4 server
listeners, three different
types of server, push
notifications, database
synchronisation, etc. I tried
turning on ‘use strict’ and it
showed up a bunch of bugs and
errors.</div>
<div class=""><br class="">
</div>
<div class="">So, I am
refactoring it to a plugin
architecture. That should make
it more maintainable, and also
provide a foundation for it to
work better with the v3 MQTT.
I suggest people hold off from
making any changes to the
server code in the next few
days.</div>
<div class=""><br class="">
</div>
<div class="">Regards, Mark<br class="">
<div class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 21 Feb
2020, at 9:48 PM, Mark
Webb-Johnson <<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8" class="">
<div dir="auto" class="">
<div dir="ltr" class="">Ok. I
will rework a
modular approach.
Should be able to
get this done over
the weekend.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">Yes,
strict and warn
would help.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">Mark</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">P.S.
Explains why
nobody used the
http api on my
server :-)</div>
<div dir="ltr" class=""><br class="">
<blockquote type="cite" class="">On 21
Feb 2020, at
9:35 PM, Michael
Balzer <<a href="mailto:dexter@expeedo.de" class="" moz-do-not-send="true">dexter@expeedo.de</a>>
wrote:<br class="">
<br class="">
</blockquote>
</div>
<blockquote type="cite" class="">
<div dir="ltr" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Thanks Mark,<br class="">
<br class="">
I must have been
blind… but perl
also never fails
to amaze me in
terms of
"compiles fine,
but won't run"
-- $ph isn't
defined anywhere
else. Maybe
"strict" mode
would have told
me about that.<br class="">
<br class="">
And I didn't
think about meta
data in the
hash. You're
right, we need
to pass both
values to the
function. And I
need to rework
my password
hashing…<br class="">
<br class="">
A modular
solution seems
to be best, easy
to add custom
implementations
and to provide
some standard
modules.<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">Am
21.02.20 um
12:15 schrieb
Mark
Webb-Johnson:<br class="">
</div>
<blockquote type="cite" cite="mid:F4FAF182-04FF-4255-AAB6-6D7C1F9F565B@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><br class="">
</div>
An alternative
would be to
implement a
server
authentication
module, and to
‘require’ that
into the
system at
startup:
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class=""><br class="">
require
$config->val('db',’pw_module’,’auth_none.pl’);</blockquote>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class=""><br class="">
</blockquote>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">…</blockquote>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class=""><br class="">
</blockquote>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">If
(&auth_password_check($passwordhash,
$password))</blockquote>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class=""> ...</blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">Provide
a
‘auto_none.pl’:</div>
<div class=""><br class="">
</div>
</div>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">
<div class="">
<div class="">#!/usr/bin/perl</div>
</div>
<div class=""><br class="">
</div>
<div class="">sub
auth_password_check</div>
<div class="">
{</div>
<div class="">
my
($hash,$password)
= @_;</div>
<div class=""><br class="">
</div>
<div class="">
return 0;</div>
<div class="">
}</div>
</blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">Then
a
‘auth_drupal7.pl’,
‘auth_sha1.pl’, etc.</div>
<div class=""><br class="">
</div>
<div class="">This
could also be
done in a perl
modular
fashion by
having the
module
provided as an
object (using
‘use …’).
Probably
cleaner than
the old-style
require.</div>
<div class=""><br class="">
</div>
<div class="">That
is much more
extendable and
standardised.
In particular,
there is also
code that
syncs Drupal
users to
ovms_owners
(svr_tim) and
if we have a
separate
module that
drupal-dependant
code could be
removed from
ovms_server.pl.</div>
<div class=""><br class="">
</div>
<div class="">Is
that a better
solution?</div>
<div class=""><br class="">
</div>
<div class="">Regards,
Mark.</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On
21 Feb 2020,
at 11:37 AM,
Mark
Webb-Johnson
<<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div style="word-wrap:
break-word;
-webkit-nbsp-mode:
space;
line-break:
after-white-space;" class="">Michael,
<div class=""><br class="">
</div>
<div class="">Just
before your
commit, the
server code
was:</div>
<div class=""><br class="">
</div>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">
<div class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">my
$passwordhash
=
$row->{'pass'};</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">if
(&drupal_password_check($passwordhash,
$password))</span></font></div>
</div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">…</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">sub
drupal_password_check</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> {</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
($ph,$password) = @_;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$iter_log2 =
index($itoa64,substr($ph,3,1));</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$iter_count =
1 <<
$iter_log2;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$phash =
substr($ph,0,12);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$salt =
substr($ph,4,8);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$hash =
sha512($salt.$password);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> do</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> {</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
$hash =
sha512($hash.$password);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
$iter_count--;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> }
while
($iter_count
> 0);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$encoded =
substr($phash
.
&drupal_password_base64_encode($hash,length($hash)),0,55);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
return
($encoded eq
$ph);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> }</span></font></div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">Your
change was:</div>
<div class=""><br class="">
</div>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">
<div class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">#
User password
encoding
function:</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">my
$pw_encode
=
$config->val('db','pw_encode','drupal_password($password)’);</span></font></div>
</div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">…</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">my
$passwordhash
=
$row->{'pass'};</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">my
$encoded =
eval
$pw_encode;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">if
($encoded eq
$passwordhash)</span></font></div>
</div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">…</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">sub
drupal_password</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> {</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
($password) =
@_;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$iter_log2 =
index($itoa64,substr($ph,3,1));</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$iter_count =
1 <<
$iter_log2;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$phash =
substr($ph,0,12);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$salt =
substr($ph,4,8);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$hash =
sha512($salt.$password);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> do</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> {</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
$hash =
sha512($hash.$password);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
$iter_count--;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> }
while
($iter_count
> 0);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> my
$encoded =
substr($phash
.
&drupal_password_base64_encode($hash,length($hash)),0,55);</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">
return
$encoded;</span></font></div>
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class=""> }</span></font></div>
</div>
</blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">You
changed the
parameters
from
($ph,$password)
to just
($password),
but the
drupal_password
function still
needs to use
$ph (the hash)
to extract
meta data to
set the
encoding
parameters.</div>
<div class=""><br class="">
</div>
<div class="">The
problem is
that Drupal
(and others)
has a strong
hashing
function with
multiple
iterations.
The meta data
for that is
stored in the
password hash
itself. The
unix crypt
library does
something
similar (with
the encoding
method and
salt stored as
meta data in
the hash).
Just storing
passwords as
straight
hashes (md5,
sha1, etc) is
fundamentally
not secure, as
it is trivial
to use rainbow
tables to
break the
hashes - so
most modern
systems use
iterations,
salts, or
other
techniques to
limit the
effectiveness
of rainbow
tables and
make brute
force
approaches
computationally
unfeasible.</div>
<div class=""><br class="">
</div>
<div class="">For
many systems,
we can only
encode a
password in
the same way
as a previous
encoding if we
know the meta
data of the
previous
encoding (and
that is stored
in the hash).
Hence we need
the hash as a
parameter, to
extract the
meta data to
be able to
encode the new
password in
the same way.</div>
<div class=""><br class="">
</div>
<div class="">This
won’t just
affect drupal,
but any system
with a
non-trivial
password
hashing
function.</div>
<div class=""><br class="">
</div>
<div class="">So,
pw_encode()
needs both the
old hash as
well as the
plaintext
password to
encode. At
which point, I
think it
becomes easier
to make it
simply
pw_check()
returning a
boolean. It
also seems
easier to me
to do that as
a plugin
function
(pw_check vs
pw_encode) as
it will allow
other
non-trivial
hashing
comparisons if
required. For
example, say
you needed to
check the
password
against an
external
lookup (ldap,
etc).</div>
<div class=""><br class="">
</div>
<div class="">Regards,
Mark.</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On
21 Feb 2020,
at 1:12 AM,
Michael Balzer
<<a href="mailto:dexter@expeedo.de" class="" moz-do-not-send="true">dexter@expeedo.de</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class="">
Mark,<br class="">
<br class="">
I did 1b73a7f8
to split the
"create &
compare
password"
function into
separate
"create" &
"compare"
steps, and
introduced the
"pw_encode"
config hook to
be able to
supply just a
custom
"create"
operation.
That
simplifies the
config (see
example).<br class="">
<br class="">
That change
has been
working since
2016 on my
server. I see
you
reintroduced
the "create
& compare"
function as a
separate
function for
the MQTT auth,
but don't see
why that was
needed. I also
don't see why
the separated
function was
broken on your
server. Can
you please
elaborate? I'd
like to
understand
what was going
wrong.<br class="">
<br class="">
With reverting
to the "create
&
compare", this
breaks the
configuration
of servers not
using Drupal.
Essentially,
the new
"pw_check"
hook does just
the previous
"pw_encode"
and adds the
comparison to
that, so I'd
rather opt for
adding a
default
function here
that simply
reuses the
existing
"pw_encode"
hook.<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
<div class="moz-cite-prefix">Am
20.02.20 um
04:09 schrieb
Mark
Webb-Johnson:<br class="">
</div>
<blockquote type="cite" cite="mid:F48FF6EE-9CB9-4DB5-8106-BE4CD73C5AE3@webb-johnson.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Even stranger.
This
conversation
obviously
triggered
someone to try
it and then
raise a
support ticket
that HTTP API
authentication
didn’t work.
<div class=""><br class="">
</div>
<div class="">It
seems a
change was
made back
in 2016-02-01
23:59:22
(1b73a7f8)
that broke the
pw_encode
function
(drupal_password).
It was also
weird because
we had
drupal_password
and
drupal_password_check
functions,
doing pretty
much the same
thing (one
used by HTTP
API and the
other by MQ
authentication).</div>
<div class=""><br class="">
</div>
<div class="">I
standardised
to use a new
pw_check
(overridable
in the config)
parameter,
which defaults
to:</div>
<div class=""><br class="">
</div>
<blockquote style="margin:
0 0 0 40px;
border: none;
padding: 0px;" class="">
<div class=""><font class="" face="Andale
Mono"><span style="font-style:
normal;
font-size:
14px;" class="">drupal_password_check($passwordhash,$password)</span></font></div>
</blockquote>
<div class="">
<div class=""><br class="">
</div>
<div class="">and
stopped using
the pw_encode
config value.
I also changed
the MQ
authentication
stuff to use
the same
pw_check
parameter (so
both
authentication
uses are now
able to be
changed in the
same config).
If using
something
other than
drupal, just
need to change
the pw_check
parameter in
the config.</div>
<div class=""><br class="">
</div>
<div class="">I
realise that
this may break
other users of
the server,
but it doesn’t
seem a
difficult fix
to make, and
is a much
better
approach.</div>
<div class=""><br class="">
</div>
<div class="">Regards,
Mark</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On
19 Feb 2020,
at 1:53 PM,
Mark
Webb-Johnson
<<a href="mailto:mark@webb-johnson.net" class="" moz-do-not-send="true">mark@webb-johnson.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Strange.
I have zero
using mine.
Must be a EU
thing?<br class="">
<br class="">
I’ll keep it
in mind and
try not to
break
anything.<br class="">
<br class="">
Regards, Mark.<br class="">
<br class="">
<blockquote type="cite" class="">On 18
Feb 2020, at
8:41 PM,
Michael Balzer
<<a href="mailto:dexter@expeedo.de" class="" moz-do-not-send="true">dexter@expeedo.de</a>>
wrote:<br class="">
<br class="">
Mark,<br class="">
<br class="">
grep "main:
http" in the
log: yes, I've
got some users
accessing the
API
frequently.<br class="">
<br class="">
Usage is
mostly
/api/charge
followed by
/api/status
&
/api/historical,
but almost all
calls have
been used
during the
last days.<br class="">
<br class="">
Regards,<br class="">
Michael<br class="">
<br class="">
<br class="">
Am 18.02.20 um
04:28 schrieb
Mark
Webb-Johnson:<br class="">
<blockquote type="cite" class="">Is
anyone here
using the HTTP
API at all?<br class="">
<br class="">
It seems so
tied to the v2
protocol, as
to not be much
use.<br class="">
<br class="">
Regards, Mark.<br class="">
_______________________________________________<br class="">
OvmsDev
mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</blockquote>
<br class="">
<br class="">
-- <br class="">
Michael Balzer
* Helkenberger
Weg 9 *
D-58256
Ennepetal<br class="">
Fon 02333 /
833 5735 *
Handy 0176 /
206 989 26<br class="">
<br class="">
<br class="">
_______________________________________________<br class="">
OvmsDev
mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</blockquote>
<br class="">
_______________________________________________<br class="">
OvmsDev
mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
</div>
_______________________________________________<br class="">
OvmsDev
mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="160">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
<span class="">_______________________________________________</span><br class="">
<span class="">OvmsDev
mailing list</span><br class="">
<span class=""><a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a></span><br class="">
<span class=""><a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a></span><br class="">
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev" class="" moz-do-not-send="true">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
OvmsDev mailing list<br class="">
<a href="mailto:OvmsDev@lists.openvehicles.com" class="" moz-do-not-send="true">OvmsDev@lists.openvehicles.com</a><br class="">
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
OvmsDev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OvmsDev@lists.openvehicles.com">OvmsDev@lists.openvehicles.com</a>
<a class="moz-txt-link-freetext" href="http://lists.openvehicles.com/mailman/listinfo/ovmsdev">http://lists.openvehicles.com/mailman/listinfo/ovmsdev</a>
</pre>
</blockquote>
<br class="">
<br class="">
<pre class="moz-signature" cols="144">--
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
</pre>
</div>
_______________________________________________<br class="">OvmsDev mailing list<br class=""><a href="mailto:OvmsDev@lists.openvehicles.com" class="">OvmsDev@lists.openvehicles.com</a><br class="">http://lists.openvehicles.com/mailman/listinfo/ovmsdev<br class=""></div></blockquote></div><br class=""></div></body></html>