RaspberryBASIC.org Forum

[John]

I posted an updated ScriptBasic version on Raspbery BASIC that supports a database with encrypted (MD5) passwords.

[AIR]

It just needs to store username, randomly generated hash and encrypted password for user.

The encrypted password is supposed to be created using the randomly generated hash to 'salt' the password generation AND the resulting check, with the hash being retrieved along with the encrypted password from the DB in order to perform the verification.

The Scriptbasic version is missing this....

AIR.

[John]

I've already gone after extra points with the DB addition.

Isn't MD5 encryption enough for a login GUI example?

[AIR]

You're not salting the md5 with a hash, and you're not generating and storing the hash or retrieving the hash to perform the verification.

The hash has to be unique for each account too.

AIR.

[John]

I'm not storing the Password. I'm storing a 16 byte MD5 hash of it. Login will be successful if the user entered MD5 hashed password matches the MD5 version of it in the database. A 1/2 mil solar power converter I wrote BACnet interface for used MD5 as it's API encryption method to control it externally.

I added duplicate UserID checking / error reporting and fixed the MD5 HEX string to be a fixed 32 byte length.

Happy New Year!

[jalih]

You're not salting the md5 with a hash, and you're not generating and storing the hash or retrieving the hash to perform the verification.

The hash has to be unique for each account too.

I currently generate 32 byte random buffer from the cryptographically strong random source and convert it to hex string for the salt. Key for user chosen password is generated with PBKDF2 algorithm using previously randomly generated salt and 10000 iterations as parameters. Username, key and salt is then stored into database.

[John]

The method I'm using is how this forum software encrypts passwords. I don't use salt but known to use sugar from time to time. 

[John]

It seems I have everything I need to enhance the Nim IUP version to match what I did in ScriptBasic.

Hope to have something soon,

I was hoping someone would  take a shot at upgrading the Python initial example to bring it to current challenge specs.

[John]

I really miss UltraEdit on the RPi.

Here is the Nim login.nim example on my Laptop Ubuntu 64. My guess is Unity is a slightly different desktop than what is installed with a standard Ubuntu desktop install.

[John]

I updated the Nim submission to match the ScriptBasic latest version.

I surely learned a few things about Nim along the way. 

Q. How do you convert a cstring for a function that requires a Nim string?

That one took some digging. 

[AIR]

Updated C submission.

The libc 'crypt' function is configured to use a SHA-512 hashed password, which was generated using the default 5000 hash iterations.

Full source with arm64 binary, required png grahpic, sqlite3 database, and sql dump attached.

EDIT:  the password for both the 'guest' and 'admin' accounts is...'password'.

Code: C

1. /* logon2.c
2.  *
3.  * version 1.4
4.  *
5.  * GUI Logon Screen Challenge Submission
6.  * C version, using GTK3
7.  *
8.  * Written by Armando I. Rivera (AIR)
9.  *
10.  * Compile:  gcc logon2.c $(pkg-config --libs --cflags gtk+-3.0 sqlite3) -lcrypt -o logon2
11. */
12.  
13. #define _GNU_SOURCE
14. #include <gtk/gtk.h>
15. #include <stdio.h>
16. #include <crypt.h>
17. #include <sqlite3.h>
18.  
19. GtkWidget *window, *layout, *image, *btnLogin, *chkBox;
20. GtkWidget *lblUser, *lblPass, *txtUser, *txtPass,*err_label;
21.  
22. void chkBox_cb (GtkToggleButton *toggle_button, gpointer data) {
23.       if (gtk_toggle_button_get_active (toggle_button)) {
24.           g_object_set(data,"visibility",TRUE,NULL);
25.       }else{
26.           g_object_set(data,"visibility",FALSE,NULL);
27.       }
28. }
29.  
30. void txtPass_cb( GtkWidget *widget, gpointer data ) {
31.     g_object_set(data,"label","",NULL);
32. }
33.  
34. void txtUser_cb( GtkWidget *widget, gpointer data ) {
35.     gtk_widget_grab_focus(data);
36. }
37.  
38. int checkPassword(gchar *user, gchar *passwd) {
39.     sqlite3_stmt *stmt = NULL;
40.     sqlite3 *db;
41.     gchar *zErrMsg = 0;
42.     int rc;
43.     gchar *sql,*stored_password=0,*stored_salt;
44.     gchar *hashed_password;
45.  
46.     if (g_file_test("auth.db",G_FILE_TEST_EXISTS) == FALSE){
47.       return(1);
48.     }    
49.  
50.     if (rc = sqlite3_open("auth.db", &db)) {
51.        return(2);
52.     }
53.     asprintf(&sql,"select username,password,salt from Users where username is '%s'",user);
54.    
55.     if (rc = sqlite3_prepare_v2(db, sql,-1,&stmt,0) != SQLITE_OK ) {
56.         return(-1);
57.     }
58.  
59.     free(sql);
60.    
61.     if (sqlite3_step(stmt) == SQLITE_ROW) {
62.         stored_password = (gchar*)sqlite3_column_text(stmt,1);
63.         stored_salt = (gchar*)sqlite3_column_text(stmt,2);
64.         hashed_password= crypt(passwd,stored_salt);
65.         return g_strcmp0 (hashed_password, stored_password);
66.     }else{
67.         return(3);
68.     }
69. }
70.  
71. void onClick( GtkWidget *widget, gpointer data ) {
72.     gchar *user_name, *user_password;
73.     int result;
74.     g_object_get(txtUser,"text",&user_name,NULL);
75.     g_object_get(txtPass,"text",&user_password,NULL);
76.    
77.     result = checkPassword(user_name, user_password);
78.  
79.     switch (result) {
80.         case 0:
81.             g_print("User '%s' now logged in!\n",user_name);
82.             gtk_main_quit();
83.             break;
84.         case 1:
85.             gtk_label_set_markup(GTK_LABEL(err_label), "<span color=\"red\" font_desc=\"16.0\">** Database Not Found **</span>");
86.             g_print("'auth.db' database not found\n");
87.             break;
88.         case 2:
89.             gtk_label_set_markup(GTK_LABEL(err_label), "<span color=\"red\" font_desc=\"16.0\">** Database Not Accessible**</span>");
90.             g_print("Unable to read 'auth.db' database\n");
91.             break;
92.         case 3:
93.             gtk_label_set_markup(GTK_LABEL(err_label), "<span color=\"red\" font_desc=\"16.0\">** Unknown User **</span>");
94.             g_print("Unknown User Account for '%s'\n",user_name);
95.             break;
96.         default:
97.             gtk_label_set_markup(GTK_LABEL(err_label), "<span color=\"red\" font_desc=\"16.0\">** Invalid Password **</span>");
98.             g_print("Incorrect password for User '%s'!\n",user_name);
99.     }
100. }
101.  
102. int main( int argc, char *argv[])
103. {
104.  
105.  
106.     gtk_init(&argc, &argv);
107.    
108.     layout = gtk_layout_new(NULL, NULL);
109.  
110.     window = g_object_new(GTK_TYPE_WINDOW,
111.                         "type",GTK_WINDOW_TOPLEVEL,
112.                         "title","Login",
113.                         "default-width",660,
114.                         "default-height",370,
115.                         "resizable",FALSE,
116.                         "window-position",GTK_WIN_POS_CENTER,
117.                         "child",layout,
118.                         "decorated",0,
119.                         NULL);
120.  
121.     image = g_object_new(GTK_TYPE_IMAGE,"file","logon.png",NULL);
122.     g_object_set(layout,"child",image,"margin",10,NULL);
123.    
124.     lblUser = g_object_new(GTK_TYPE_LABEL,"use-markup",TRUE,"label","<span font_desc=\"16.0\">Username:</span>",NULL);
125.     lblPass = g_object_new(GTK_TYPE_LABEL,"use-markup",TRUE,"label","<span font_desc=\"16.0\">Password:</span>",NULL);
126.     err_label = g_object_new(GTK_TYPE_LABEL, "width-request", 270,NULL);
127.  
128.     txtUser = g_object_new(GTK_TYPE_ENTRY,NULL);
129.     txtPass = g_object_new(GTK_TYPE_ENTRY,"visibility",FALSE,NULL);
130.    
131.     chkBox = g_object_new(GTK_TYPE_CHECK_BUTTON,"label","Show Password",NULL);
132.  
133.     btnLogin = g_object_new(GTK_TYPE_BUTTON,"label","Login","width-request",170,NULL);
134.  
135.     gtk_layout_put(GTK_LAYOUT(layout), lblUser, 330, 112-30);
136.     gtk_layout_put(GTK_LAYOUT(layout), lblPass, 330, 162-30);
137.     gtk_layout_put(GTK_LAYOUT(layout), txtUser, 460, 110-30);
138.     gtk_layout_put(GTK_LAYOUT(layout), txtPass, 460, 160-30);
139.     gtk_layout_put(GTK_LAYOUT(layout), chkBox, 460, 210-30);
140.     gtk_layout_put(GTK_LAYOUT(layout), btnLogin, 460, 250-30);
141.     gtk_layout_put(GTK_LAYOUT(layout), err_label, 300, 16);
142.  
143.     g_signal_connect (window, "destroy", G_CALLBACK (gtk_main_quit), NULL);
144.     g_signal_connect (btnLogin, "clicked", G_CALLBACK (onClick), NULL);
145.     g_signal_connect (chkBox, "toggled", G_CALLBACK (chkBox_cb), txtPass);
146.     g_signal_connect (txtPass, "changed", G_CALLBACK (txtPass_cb), err_label);
147.     g_signal_connect (txtPass, "activate", G_CALLBACK (onClick), txtPass);
148.     g_signal_connect (txtUser, "activate", G_CALLBACK (txtUser_cb), txtPass);
149.    
150.     gtk_widget_show_all(window);
151.  
152.     gtk_main();
153.  
154.     return 0;
155. }
156.  
157.  
158.  

AIR.

[John]

Will you be posting this to Raspberry BASIC with some screenshots?

[John]

AIR,

A response from Antonio.

Hi,

  I just committed some of the changes to tecmake.mak in IUP SVN.

Best,

Scuri

BTW, other changes should be set on the user environment. Like:

USE_LUA53=YES
USE_PKGCONFIG=YES
USE_GTK3=YES
LUA51=$(TECTOOLS_HOME)/lua51
LUA_SFX=51

[paulwratt]

I really miss UltraEdit on the RPi.

you can use the SSH, SFTP, FTP options

[John]

Great idea!