Don't use bcrypt on Windows

ThomasTJdev · ThomasTJdev · commit 4539fd810d05 · 2020-04-29T07:45:47.000+02:00
diff --git a/nmqtt.nim b/nmqtt.nim
@@ -712,9 +712,16 @@ proc onConnect(ctx: MqttCtx, pkt: Pkt) {.async.} =
     # Check password and username
     if mqttbroker.passwords.len() > 0:
       let pass = mqttbroker.passwords.getOrDefault(ctx.username)
-      if pass == "" or pass[0..59] != makePassword(ctx.password, pass[60..pass.len-1], pass[0..59]):
-        await denyConnect(ctx, ConnRefBadUserPwd)
-        return
+      when defined(Windows):
+        ## TODO: Windows is using MD5 for storing the password, which is not
+        ##       safe in any way.
+        if pass == "" or pass[0..31] != makePassword(ctx.password, pass[32..pass.len-1], ""):
+          await denyConnect(ctx, ConnRefBadUserPwd)
+          return
+      else:
+        if pass == "" or pass[0..59] != makePassword(ctx.password, pass[60..pass.len-1], pass[0..59]):
+          await denyConnect(ctx, ConnRefBadUserPwd)
+          return
 
     # 3.1.2.2 Protocol Level
     if ctx.proto != "MQTT":
diff --git a/nmqtt.nimble b/nmqtt.nimble
@@ -11,8 +11,10 @@ skipDirs      = @["tests", "nmqtt"]
 
 # Dependencies
 requires "nim >= 1.0.6"
-requires "bcrypt >= 0.2.1"
 requires "cligen >= 0.9.45"
+when not defined(Windows):
+  requires "bcrypt >= 0.2.1"
+
 
 from strutils import format
 
diff --git a/nmqtt/nmqtt_password.nim b/nmqtt/nmqtt_password.nim
@@ -57,6 +57,9 @@ proc nmqttPassword(adduser=false, batch=false, deluser=false, args: seq[string])
   ## Main handler
   echo "Running nmqtt_password v" & nmqttVersion
 
+  when defined(Windows):
+    echo "\nWARNING: On Windows passwords will only be hashed with MD5.\n"
+
   if args.len() == 0:
     echo "Error, missing parameters. Run again with --help."
     quit()
diff --git a/nmqtt/utils/passwords.nim b/nmqtt/utils/passwords.nim
@@ -1,17 +1,19 @@
-import md5, bcrypt, random
+import md5, random
+
+when not defined(Windows):
+  import bcrypt
 
 
 var urandom: File
 let useUrandom = urandom.open("/dev/urandom")
 
 
-template makeSessionKey*(): string =
-  ## Creates a random key to be used to authorize a session.
-  bcrypt.hash(makeSalt(), genSalt(8))
-
 template makePassword*(password, salt: string, comparingTo = ""): string =
   ## Creates an MD5 hash by combining password and salt.
-  bcrypt.hash(getMD5(salt & getMD5(password)), if comparingTo != "": comparingTo else: genSalt(8))
+  when defined(Windows):
+    getMD5(salt & getMD5(password))
+  else:
+    bcrypt.hash(getMD5(salt & getMD5(password)), if comparingTo != "": comparingTo else: genSalt(8))
 
 proc makeSalt*(): string =
   ## Generate random salt. Uses cryptographically secure /dev/urandom
