Timestamp:
May 24, 2006 5:35:19 AM (18 years ago)
Author:
scdev
Message:

Q - Improved hashing algorithms in Auth_SQL, added more sc- css selectors, misc bug fixes

File:
1 edited

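--- a/trunk/lib/Auth_SQL.inc.php
+++ b/trunk/lib/Auth_SQL.inc.php
@@ -4,12 +4,12 @@
  *
  * @author  Quinn Comendant <quinn@strangecode.com>
- * @version 2.0
+ * @version 2.1
  */
 
 // Available encryption types for class Auth_SQL.
-define('AUTH_ENCRYPT_MD5', 'md5');
-define('AUTH_ENCRYPT_CRYPT', 'crypt');
-define('AUTH_ENCRYPT_SHA1', 'sha1');
-define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');
+define('AUTH_ENCRYPT_MD5', 1);
+define('AUTH_ENCRYPT_CRYPT', 2);
+define('AUTH_ENCRYPT_SHA1', 3);
+define('AUTH_ENCRYPT_PLAINTEXT', 4);
 
 require_once dirname(__FILE__) . '/Email.inc.php';
@@ -41,5 +41,5 @@
 
         // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
-        'encryption_type' => AUTH_ENCRYPT_MD5,
+        'encryption_type' => AUTH_ENCRYPT_SHA1,
 
         // The URL to the login script.
@@ -47,9 +47,9 @@
 
         // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
-        // This applies to admins and users. In seconds. 21600 seconds = 6 hours.
+        // In seconds. 21600 seconds = 6 hours.
         'login_timeout' => 21600,
 
         // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
-        // This applies to admins and users. In seconds. 3600 seconds = 1 hour.
+        // In seconds. 3600 seconds = 1 hour.
         'idle_timeout' => 3600,
 
@@ -300,12 +300,27 @@
         $this->initDB();
 
-        // Query DB for user matching credentials.
-        // FIXME: Cannot compare crypt style passwords this way.
-        $qid = DB::query("
-            SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
-            FROM " . $this->_params['db_table'] . "
-            WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
-            AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
-        ");
+        switch ($this->_params['encryption_type']) {
+        case AUTH_ENCRYPT_CRYPT :
+            // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2)))
+            ");
+            break;
+        case AUTH_ENCRYPT_PLAINTEXT :
+        case AUTH_ENCRYPT_MD5 :
+        case AUTH_ENCRYPT_SHA1 :
+        default :
+            // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword().
+            $qid = DB::query("
+                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+                FROM " . $this->_params['db_table'] . "
+                WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
+                AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
+            ");
+            break;
+        }
 
         // Return user data if found.
@@ -665,5 +680,4 @@
     function generatePassword($pattern='CvccvCdd')
     {
-        mt_srand((double) microtime() * 10000000);
         $str = '';
         for ($i=0; $i<strlen($pattern); $i++) {
@@ -682,5 +696,5 @@
      *
      */
-    function encryptPassword($password)
+    function encryptPassword($password, $salt=null)
     {
         switch ($this->_params['encryption_type']) {
@@ -690,14 +704,15 @@
 
         case AUTH_ENCRYPT_CRYPT :
-            return crypt($password);
+            // If comparing plaintext password with a hash, provide first two chars of the hash as the salt.
+            return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password);
             break;
 
         case AUTH_ENCRYPT_SHA1 :
-            return sha1($password);
+            return sha1(App::getParam('signing_key') . sha1($password));
             break;
 
         case AUTH_ENCRYPT_MD5 :
         default :
-            return md5($password);
+            return md5(App::getParam('signing_key') . md5($password));
             break;
         }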
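Review bot: The new AUTH_ENCRYPT_CRYPT query in the login hunk (new lines 302-311) has an unbalanced parenthesis, `ENCRYPT('...', LEFT(userpass, 2)))`, so that branch is a SQL syntax error and every crypt-mode login will fail rather than match; the line should read `AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2))`. The enclosing login method starts before this hunk, so its error handling for a failed DB::query() is not visible here. Separately, the encryptPassword() hunk changes the SHA1 and MD5 derivations to `sha1(signing_key . sha1($password))` / `md5(signing_key . md5($password))` and the defaults hunk switches `encryption_type` from MD5 to SHA1, so digests already stored in userpass under the old formula will no longer verify, and nothing in the commit migrates or rehashes them; a comment such as `// NOTE: changing encryption_type or signing_key invalidates all existing stored password hashes` on the 'encryption_type' parameter, plus a documented re-hash-on-login path, would make that explicit. The crypt branch's `substr($salt, 0, 2)` presumably assumes traditional two-character DES salts; if the DB holds other crypt formats (e.g. `$1$` MD5-crypt) the salt will be truncated, which is worth confirming against the stored data.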