From edc64b8336ab61b9850a3f427d3fe816e9c6c46a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20L?=
Date: Thu, 8 Nov 2018 00:52:26 +0100
Subject: [PATCH] auth: get rid of mbedtls
---
.gitmodules | 3 --
CMakeLists.txt | 13 ++------
deps/mbedtls | 1 -
src/Config.cpp | 85 +++++++++++++++++++++-----------------------
src/Config.h | 5 ---
5 files changed, 38 insertions(+), 69 deletions(-)
delete mode 100644 .gitmodules
delete mode 160000 deps/mbedtls
diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index a85f0ae6..00000000
--- a/.gitmodules
+++ /dev/null
@@ -1,3 +0,0 @@
-[submodule "deps/mbedtls"]
- path = deps/mbedtls
- url = https://github.com/ARMmbed/mbedtls
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 2e694452..50d81520 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -15,9 +15,6 @@ find_package(Qt5Core REQUIRED)
 find_package(Qt5WebSockets REQUIRED)
 find_package(Qt5Widgets REQUIRED)
-add_subdirectory(deps/mbedtls EXCLUDE_FROM_ALL)
-set(ENABLE_PROGRAMS false)
-
 set(obs-websocket_SOURCES
 src/obs-websocket.cpp
 src/WSServer.cpp
@@ -52,22 +49,17 @@ add_library(obs-websocket MODULE
 ${obs-websocket_SOURCES}
 ${obs-websocket_HEADERS})
-add_dependencies(obs-websocket mbedcrypto)
-
 include_directories(
 "${LIBOBS_INCLUDE_DIR}/../UI/obs-frontend-api"
 ${Qt5Core_INCLUDES}
 ${Qt5WebSockets_INCLUDES}
- ${Qt5Widgets_INCLUDES}
- ${mbedcrypto_INCLUDES}
- "${CMAKE_SOURCE_DIR}/deps/mbedtls/include")
+ ${Qt5Widgets_INCLUDES})
 target_link_libraries(obs-websocket
 libobs
 Qt5::Core
 Qt5::WebSockets
- Qt5::Widgets
- mbedcrypto)
+ Qt5::Widgets)
 # --- End of section ---
@@ -165,7 +157,6 @@ endif()
 if(UNIX AND NOT APPLE)
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11")
- target_compile_options(mbedcrypto PRIVATE -fPIC)
 set_target_properties(obs-websocket PROPERTIES PREFIX "")
 target_link_libraries(obs-websocket obs-frontend-api)
diff --git a/deps/mbedtls b/deps/mbedtls
deleted file mode 160000
index 1a6a15c7..00000000
--- a/deps/mbedtls
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 1a6a15c795922f05bd2ea17addf27eddcd256a15
diff --git a/src/Config.cpp b/src/Config.cpp
index e9ba8487..eb819c8c 100644
--- a/src/Config.cpp
+++ b/src/Config.cpp
@@ -16,11 +16,11 @@ You should have received a copy of the GNU General Public License
 along with this program. If not, see
 */
-#include
-#include
 #include
 #include
-#include
+
+#include
+#include
 #define SECTION_NAME "WebsocketAPI"
 #define PARAM_ENABLE "ServerEnabled"
@@ -69,19 +69,15 @@ Config::Config() :
 SECTION_NAME, PARAM_SALT, QT_TO_UTF8(Salt));
 }
- mbedtls_entropy_init(&entropy);
- mbedtls_ctr_drbg_init(&rng);
- mbedtls_ctr_drbg_seed(&rng, mbedtls_entropy_func, &entropy, nullptr, 0);
-
 SessionChallenge = GenerateSalt();
 }
-Config::~Config() {
- mbedtls_ctr_drbg_free(&rng);
- mbedtls_entropy_free(&entropy);
+Config::~Config()
+{
 }
-void Config::Load() {
+void Config::Load()
+{
 config_t* obsConfig = obs_frontend_get_global_config();
 ServerEnabled = config_get_bool(obsConfig, SECTION_NAME, PARAM_ENABLE);
@@ -95,7 +91,8 @@ void Config::Load() {
 Salt = config_get_string(obsConfig, SECTION_NAME, PARAM_SALT);
 }
-void Config::Save() {
+void Config::Save()
+{
 config_t* obsConfig = obs_frontend_get_global_config();
 config_set_bool(obsConfig, SECTION_NAME, PARAM_ENABLE, ServerEnabled);
@@ -113,46 +110,41 @@ void Config::Save() {
 config_save(obsConfig);
 }
-QString Config::GenerateSalt() {
+QString Config::GenerateSalt()
+{
+ auto random = QRandomGenerator::global();
+
 // Generate 32 random chars
- unsigned char* randomChars = (unsigned char*)bzalloc(32);
- mbedtls_ctr_drbg_random(&rng, randomChars, 32);
+ QByteArray randomChars(32, '\0');
+ random->fillRange((quint32*)randomChars.data(), randomChars.size() / 4);
 // Convert the 32 random chars to a base64 string
- char* salt = (char*)bzalloc(64);
- size_t saltBytes;
- mbedtls_base64_encode(
- (unsigned char*)salt, 64, &saltBytes,
- randomChars, 32);
+ QString salt = randomChars.toBase64();
- bfree(randomChars);
 return salt;
 }
-QString Config::GenerateSecret(QString password, QString salt) {
+QString Config::GenerateSecret(QString password, QString salt)
+{
 // Concatenate the password and the salt
 QString passAndSalt = "";
 passAndSalt += password;
 passAndSalt += salt;
- // Generate a SHA256 hash of the password
- unsigned char* challengeHash = (unsigned char*)bzalloc(32);
- mbedtls_sha256(
- (unsigned char*)passAndSalt.toUtf8().constData(), passAndSalt.length(),
- challengeHash, 0);
+ // Generate a SHA256 hash of the password and salt
+ auto challengeHash = QCryptographicHash::hash(
+ passAndSalt.toUtf8(),
+ QCryptographicHash::Algorithm::Sha256
+ );
 // Encode SHA256 hash to Base64
- char* challenge = (char*)bzalloc(64);
- size_t challengeBytes = 0;
- mbedtls_base64_encode(
- (unsigned char*)challenge, 64, &challengeBytes,
- challengeHash, 32);
+ QString challenge = challengeHash.toBase64();
- bfree(challengeHash);
 return challenge;
 }
-void Config::SetPassword(QString password) {
+void Config::SetPassword(QString password)
+{
 QString newSalt = GenerateSalt();
 QString newChallenge = GenerateSecret(password, newSalt);
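Review bot: `auto random = QRandomGenerator::global();` at the top of the new GenerateSalt() swaps the removed entropy-seeded mbedtls CTR-DRBG for Qt's general-purpose generator, which is a securely seeded but deterministic Mersenne Twister rather than an OS cryptographic source, and the bytes it produces become SessionChallenge, the nonce that CheckAuth() hashes with the secret, so they should come from a CSPRNG. `QRandomGenerator::system()` draws from the operating-system random source through the same fillRange() interface, so the fix is the one line `auto random = QRandomGenerator::system();`. QRandomGenerator is a Qt 5.10 addition while the find_package(Qt5Core REQUIRED) calls in CMakeLists.txt still carry no version, so on an older Qt this only fails at compile time; a minimum version on find_package would state the requirement. As a point of style, `(quint32*)randomChars.data()` is a C-style cast where `reinterpret_cast<quint32*>(randomChars.data())` names what is happening.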
@@ -160,37 +152,32 @@ void Config::SetPassword(QString password) {
 this->Secret = newChallenge;
 }
-bool Config::CheckAuth(QString response) {
+bool Config::CheckAuth(QString response)
+{
 // Concatenate auth secret with the challenge sent to the user
 QString challengeAndResponse = "";
 challengeAndResponse += Secret;
 challengeAndResponse += SessionChallenge;
 // Generate a SHA256 hash of challengeAndResponse
- unsigned char* hash = (unsigned char*)bzalloc(32);
- mbedtls_sha256(
- (unsigned char*)challengeAndResponse.toUtf8().constData(),
- challengeAndResponse.length(),
- hash, 0);
+ auto hash = QCryptographicHash::hash(
+ challengeAndResponse.toUtf8(),
+ QCryptographicHash::Algorithm::Sha256
+ );
 // Encode the SHA256 hash to Base64
- char* expectedResponse = (char*)bzalloc(64);
- size_t base64_size = 0;
- mbedtls_base64_encode(
- (unsigned char*)expectedResponse, 64, &base64_size,
- hash, 32);
+ QString expectedResponse = hash.toBase64();
 bool authSuccess = false;
- if (response == QString(expectedResponse)) {
+ if (response == expectedResponse) {
 SessionChallenge = GenerateSalt();
 authSuccess = true;
 }
- bfree(hash);
- bfree(expectedResponse);
 return authSuccess;
 }
-Config* Config::Current() {
+Config* Config::Current()
+{
 return _instance;
 }
diff --git a/src/Config.h b/src/Config.h
index 02f4fb2f..80f3c0cd 100644
--- a/src/Config.h
+++ b/src/Config.h
@@ -21,9 +21,6 @@ with this program. If not, see
 #include
-#include
-#include
-
 class Config {
 public:
 Config();
@@ -53,8 +50,6 @@ class Config {
 private:
 static Config* _instance;
- mbedtls_entropy_context entropy;
- mbedtls_ctr_drbg_context rng;
 };
 #endif // CONFIG_H
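Review bot: `if (response == expectedResponse)` in the new CheckAuth() compares the client-supplied response against the expected Base64 string with QString's ordinary equality, which stops at the first differing character, so the time spent depends on how long a prefix of the secret-derived value the caller matched. The old `response == QString(expectedResponse)` had the same shape, but now that both sides are plain Qt containers this is the natural place to decode the response and compare it to `hash` byte by byte in fixed time, after which the `QString expectedResponse = hash.toBase64();` line is no longer needed. The rewrite below replaces the lines from `bool authSuccess = false;` through the `if`; the rest of CheckAuth() is unchanged.
```cpp
	// … unchanged: challengeAndResponse concatenation and its SHA256 into `hash` …
	bool authSuccess = false;
	const QByteArray given = QByteArray::fromBase64(response.toUtf8());
	// Fixed-time compare: the expected length (32 bytes for SHA256) is public,
	// and the loop visits every byte instead of returning at the first mismatch.
	unsigned char diff = (given.size() == hash.size()) ? 0 : 1;
	for (int i = 0; i < given.size() && i < hash.size(); ++i)
		diff |= static_cast<unsigned char>(given.at(i) ^ hash.at(i));
	if (diff == 0) {
		SessionChallenge = GenerateSalt();
		authSuccess = true;
	}
```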