Convert cleartext passwords to hashes with salt

h2/src/main/org/h2/server/web/WebApp.java

@@ -406,9 +406,9 @@ public class WebApp {
             boolean ssl = Utils.parseBoolean((String) attributes.get("ssl"), false, false);
             prop.setProperty("webSSL", String.valueOf(ssl));
             server.setSSL(ssl);
-            String adminPassword = server.getAdminPassword();
-            if (adminPassword != null && !adminPassword.isEmpty()) {
-                prop.setProperty("adminPassword", adminPassword);
+            byte[] adminPassword = server.getAdminPassword();
+            if (adminPassword != null) {
+                prop.setProperty("adminPassword", StringUtils.convertBytesToHex(adminPassword));
             }
             server.saveProperties(prop);
         } catch (Exception e) {

h2/src/main/org/h2/server/web/WebServer.java

@@ -16,6 +16,7 @@ import java.sql.Connection;
 import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -28,6 +29,7 @@ import java.util.Set;
 import org.h2.engine.Constants;
 import org.h2.engine.SysProperties;
 import org.h2.message.DbException;
+import org.h2.security.SHA256;
 import org.h2.server.Service;
 import org.h2.server.ShutdownHandler;
 import org.h2.store.fs.FileUtils;
@@ -154,7 +156,7 @@ public class WebServer implements Service {
     private final Set<WebThread> running =
             Collections.synchronizedSet(new HashSet<WebThread>());
     private boolean ssl;
-    private String adminPassword;
+    private byte[] adminPassword;
     private final HashMap<String, ConnectionInfo> connInfoMap = new HashMap<>();
 
     private long lastTimeoutCheck;
@@ -279,7 +281,7 @@ public class WebServer implements Service {
                 "webSSL", false);
         allowOthers = SortedProperties.getBooleanProperty(prop,
                 "webAllowOthers", false);
-        adminPassword = SortedProperties.getStringProperty(prop, "adminPassword", null);
+        setAdminPassword(SortedProperties.getStringProperty(prop, "adminPassword", null));
         commandHistoryString = prop.getProperty(COMMAND_HISTORY);
         for (int i = 0; args != null && i < args.length; i++) {
             String a = args[i];
@@ -299,7 +301,7 @@ public class WebServer implements Service {
             } else if (Tool.isOption(a, "-ifNotExists")) {
                 ifExists = false;
             } else if (Tool.isOption(a, "-adminPassword")) {
-                adminPassword = args[++i];
+                setAdminPassword(args[++i]);
             } else if (Tool.isOption(a, "-properties")) {
                 // already set
                 i++;
@@ -683,8 +685,8 @@ public class WebServer implements Service {
                         Boolean.toString(SortedProperties.getBooleanProperty(old, "webAllowOthers", allowOthers)));
                 prop.setProperty("webSSL",
                         Boolean.toString(SortedProperties.getBooleanProperty(old, "webSSL", ssl)));
-                if (adminPassword != null && !adminPassword.isEmpty()) {
-                    prop.setProperty("adminPassword", adminPassword);
+                if (adminPassword != null) {
+                    prop.setProperty("adminPassword", StringUtils.convertBytesToHex(adminPassword));
                 }
                 if (commandHistoryString != null) {
                     prop.setProperty(COMMAND_HISTORY, commandHistoryString);
@@ -855,15 +857,36 @@ public class WebServer implements Service {
         return allowChunked;
     }
 
-    String getAdminPassword() {
+    byte[] getAdminPassword() {
         return adminPassword;
     }
 
+    void setAdminPassword(String password) {
+        if (password == null || password.isEmpty()) {
+            adminPassword = null;
+            return;
+        }
+        if (password.length() == 128) {
+            try {
+                adminPassword = StringUtils.convertHexToBytes(password);
+                return;
+            } catch (Exception ex) {}
+        }
+        byte[] salt = MathUtils.secureRandomBytes(32);
+        byte[] hash = SHA256.getHashWithSalt(password.getBytes(StandardCharsets.UTF_8), salt);
+        byte[] total = Arrays.copyOf(salt, 64);
+        System.arraycopy(hash, 0, total, 32, 32);
+        adminPassword = total;
+    }
+
     boolean checkAdminPassword(String password) {
         if (adminPassword == null) {
             return false;
         }
-        return adminPassword.equals(password);
+        byte[] salt = Arrays.copyOf(adminPassword, 32);
+        byte[] hash = new byte[32];
+        System.arraycopy(adminPassword, 32, hash, 0, 32);
+        return Utils.compareSecure(hash, SHA256.getHashWithSalt(password.getBytes(StandardCharsets.UTF_8), salt));
     }
 
 }