Protect password when registering using shared secret

2016-07-05 17:18:19 +01:00 · 2016-07-05 17:18:19 +01:00 · caf33b2d9b
parent ef535178ff
commit caf33b2d9b
2 changed files with 15 additions and 7 deletions
--- a/scripts/register_new_matrix_user
+++ b/scripts/register_new_matrix_user
@ -25,12 +25,17 @@ import urllib2
 import yaml


-def request_registration(user, password, server_location, shared_secret):
+def request_registration(user, password, server_location, shared_secret, admin=False):
    mac = hmac.new(
        key=shared_secret,
-        msg=user,
        digestmod=hashlib.sha1,
-    ).hexdigest()
+    )
+
+    mac.update(user)
+    mac.update(password)
+    mac.update("admin" if admin else "notadmin")
+
+    mac = mac.hexdigest()

    data = {
        "user": user,
--- a/synapse/rest/client/v1/register.py
+++ b/synapse/rest/client/v1/register.py
@ -324,6 +324,8 @@ class RegisterRestServlet(ClientV1RestServlet):
            raise SynapseError(400, "Shared secret registration is not enabled")

        user = register_json["user"].encode("utf-8")
+        password = register_json["password"].encode("utf-8")
+        admin = register_json.get("admin", None)

        # str() because otherwise hmac complains that 'unicode' does not
        # have the buffer interface
@ -331,11 +333,12 @@ class RegisterRestServlet(ClientV1RestServlet):

        want_mac = hmac.new(
            key=self.hs.config.registration_shared_secret,
-            msg=user,
            digestmod=sha1,
-        ).hexdigest()
-
-        password = register_json["password"].encode("utf-8")
+        )
+        want_mac.update(user)
+        want_mac.update(password)
+        want_mac.update("admin" if admin else "notadmin")
+        want_mac = want_mac.hexdigest()

        if compare_digest(want_mac, got_mac):
            handler = self.handlers.registration_handler