From 290c436046327d9f04b7d12b5fda19f4dc14f574 Mon Sep 17 00:00:00 2001 From: Denis Date: Mon, 5 Apr 2010 09:41:30 -0400 Subject: Support for storing salted passwords To upgrade existing databases: ALTER TABLE Users ADD Salt CHAR(32) NOT NULL DEFAULT ''; Signed-off-by: Loui Chang --- web/lib/acctfuncs.inc | 58 +++++++++++++++++++++++++++++++++------------------ web/lib/aur.inc | 31 +++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 20 deletions(-) (limited to 'web/lib') diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index 91b6249..9c172bb 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -265,17 +265,14 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { if ($TYPE == "new") { # no errors, go ahead and create the unprivileged user - - # md5hash the password - $P = md5($P); - $q = "INSERT INTO Users (AccountTypeID, Suspended, Username, Email, "; - $q.= "Passwd, RealName, LangPreference, IRCNick, NewPkgNotify) "; - $q.= "VALUES (1, 0, '".mysql_real_escape_string($U)."'"; - $q.= ", '".mysql_real_escape_string($E)."'"; - $q.= ", '".mysql_real_escape_string($P)."'"; - $q.= ", '".mysql_real_escape_string($R)."'"; - $q.= ", '".mysql_real_escape_string($L)."'"; - $q.= ", '".mysql_real_escape_string($I)."'"; + $salt = generate_salt(); + $P = salted_hash($P, $salt); + $escaped = array_map(mysql_real_escape_string, + array($U, $E, $P, $salt, $R, $L, $I)); + $q = "INSERT INTO Users (" . + "AccountTypeID, Suspended, Username, Email, Passwd, Salt" . + ", RealName, LangPreference, IRCNick, NewPkgNotify) " . + "VALUES (1, 0, '" . implode("', '", $escaped) . "'"; if ($N) { $q.= ", 1)"; } else { @@ -298,7 +295,6 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } else { # no errors, go ahead and modify the user account - # md5 hash the password $q = "UPDATE Users SET "; $q.= "Username = '".mysql_real_escape_string($U)."'"; if ($T) { @@ -311,7 +307,9 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", } $q.= ", Email = '".mysql_real_escape_string($E)."'"; if ($P) { - $q.= ", Passwd = '".mysql_real_escape_string(md5($P))."'"; + $salt = generate_salt(); + $hash = salted_hash($P, $salt); + $q .= ", Passwd = '$hash', Salt = '$salt'"; } $q.= ", RealName = '".mysql_real_escape_string($R)."'"; $q.= ", LangPreference = '".mysql_real_escape_string($L)."'"; @@ -738,14 +736,34 @@ function valid_passwd( $userID, $passwd ) { if ( strlen($passwd) > 0 ) { $dbh = db_connect(); - $q = "SELECT ID FROM Users". - " WHERE ID = '$userID'" . - " AND Passwd = '" . md5($passwd) . "'"; - $result = mysql_fetch_row(db_query($q, $dbh)); - if ($result[0]) { - # Is it the right password? - return true; + # get salt for this user + $salt = get_salt($userID); + if ($salt) { + # use salt + $passwd_q = "SELECT ID FROM Users" . + " WHERE ID = '$userID' AND Passwd = '" . + salted_hash($passwd, $salt) . "'"; + $passwd_result = mysql_fetch_row(db_query($passwd_q, $dbh)); + if ($passwd_result[0]) { + return true; + } + } else { + # check without salt + $nosalt_q = "SELECT ID FROM Users". + " WHERE ID = '$userID'" . + " AND Passwd = '" . md5($passwd) . "'"; + $nosalt_result = mysql_fetch_row(db_query($nosalt_q, $dbh)); + if ($nosalt_result[0]) { + # password correct, but salt it first + if (!save_salt($userID, $passwd)) { + trigger_error("Unable to salt user's password;" . + " ID $userID", E_USER_WARNING); + return false; + } + + return true; + } } } return false; diff --git a/web/lib/aur.inc b/web/lib/aur.inc index e0521ab..8ccce89 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc @@ -455,3 +455,34 @@ function mkurl($append) { return substr($out, 5); } + +function get_salt($user_id) +{ + $dbh = db_connect(); + $salt_q = "SELECT Salt FROM Users WHERE ID = '$user_id'"; + $salt_result = mysql_fetch_row(db_query($salt_q, $dbh)); + return $salt_result[0]; +} + +function save_salt($user_id, $passwd) +{ + $dbh = db_connect(); + $salt = generate_salt(); + $hash = salted_hash($passwd, $salt); + $salting_q = "UPDATE Users SET Salt = '$salt'" . + ", Passwd = '$hash' WHERE ID = '$user_id'"; + return db_query($salting_q, $dbh); +} + +function generate_salt() +{ + return md5(uniqid(rand(), true)); +} + +function salted_hash($passwd, $salt) +{ + if (strlen($salt) != 32) { + trigger_error('Salt does not look like an md5 hash', E_USER_WARNING); + } + return md5($salt . $passwd); +} -- cgit v1.2.3-70-g09d2