[Evolvis-commits] r127: write the php-perl Authen:: Passphrase glue↵ ↵ yuck , exceptions. I *hate* exceptions. ↵

mirabilos at evolvis.org mirabilos at evolvis.org
Mon Jun 8 11:41:04 CEST 2009


Author: mirabilos
Date: 2009-06-08 09:41:03 +0000 (Mon, 08 Jun 2009)
New Revision: 127

Modified:
   branches/php-v5-sid-branch/common/include/User.class.php
   branches/php-v5-sid-branch/common/include/session.php
   branches/php-v5-sid-branch/debian/changelog
Log:
write the php-perl Authen::Passphrase glue

yuck, exceptions. I *hate* exceptions.


Modified: branches/php-v5-sid-branch/common/include/User.class.php
===================================================================
--- branches/php-v5-sid-branch/common/include/User.class.php	2009-06-08 09:37:50 UTC (rev 126)
+++ branches/php-v5-sid-branch/common/include/User.class.php	2009-06-08 09:41:03 UTC (rev 127)
@@ -706,6 +706,10 @@
 	/**
 	 *	getMD5Passwd - the password.
 	 *
+	 *	*WARNING*: This may not return a valid MD5 hash, if the
+	 *	user has not yet successfully authenticated. *DO NOT USE*
+	 *	Use real authentification functions if you want that.
+	 *
 	 *	@return	string	This user's MD5-crypted passwd.
 	 */
 	function getMD5Passwd() {
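Review bot: The added warning says the value may not be a valid MD5 hash but does not say what else it may be, while the `@return` line two lines below still promises "This user's MD5-crypted passwd"; from the session.php change in this same commit, user_pw can now hold a crypt hash or an RFC 2307 `{scheme}` hash until the row is rewritten after a successful login, and the docblock should state that, e.g. `@return string The raw users.user_pw column: an MD5 hex digest, a crypt hash, or an RFC 2307 {scheme} hash. Not suitable for password verification.` The spelling `authentification` should be `authentication`. The body of getMD5Passwd() lies outside the hunk.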

Modified: branches/php-v5-sid-branch/common/include/session.php
===================================================================
--- branches/php-v5-sid-branch/common/include/session.php	2009-06-08 09:37:50 UTC (rev 126)
+++ branches/php-v5-sid-branch/common/include/session.php	2009-06-08 09:41:03 UTC (rev 127)
@@ -156,58 +156,83 @@
 	if (!$res || db_numrows($res) < 1) {
 		// No user whose MD5 passwd matches the MD5 of the provided passwd
 		// Selecting by user_name only
-		$res = db_query("SELECT user_id,status,unix_pw
+		$res = db_query("SELECT user_id,status,user_pw,unix_pw
 					FROM users
 					WHERE user_name='$loginname'");
 		if (!$res || db_numrows($res) < 1) {
 			// No user by that name
 			$feedback=_('Invalid Password Or User Name');
 			return false;
-		} else {
-			// There is a user with the provided user_name, but the MD5 passwds do not match
-			// We'll have to try checking the (crypt) unix_pw
-			$usr = db_fetch_array($res);
+		}
 
-			if (crypt ($passwd, $usr['unix_pw']) != $usr['unix_pw']) {
-				// Even the (crypt) unix_pw does not patch
-				// This one has clearly typed a bad passwd
-				$feedback=_('Invalid Password Or User Name');
-				return false;
+		$usr = db_fetch_array($res);
+
+		// Compare (crypt) unix_pw first, try Authen::Passphrase next
+		$is_valid = false;
+		if (crypt($passwd, $usr['unix_pw']) == $usr['unix_pw']) {
+			$is_valid = true;
+		} else if ($usr['user_pw'] != '') {
+			if ($usr['user_pw'][0] == '{' /* } */) {
+				// RFC2307 hash
+				$pwhash = $usr['user_pw'];
+			} else {
+				// crypt hash
+				$pwhash = "{crypt}" . $usr['user_pw'];
 			}
-			// User exists, (crypt) unix_pw matches
-			// Update the (MD5) user_pw and retry authentication
-			// It should work, except for status errors
-			$res = db_query ("UPDATE users
-				SET user_pw='" . md5($passwd) . "'
-				WHERE user_id='".$usr['user_id']."'");
-			return session_login_valid_dbonly($loginname, $passwd, $allowpending) ;
+
+			try {
+				$perl = new Perl();
+				$perl->eval('use Authen::Passphrase');
+				$perl->pwhash = $pwhash;
+				$perl->pwplain = $passwd;
+				$perl->eval('$ppr = Authen::Passphrase->from_rfc2307($pwhash);');
+				if ($perl->eval('$ppr->match($pwplain)')) {
+					$is_valid = true;
+				}
+			} catch (PerlException $e) {
+				$is_valid = false;
+			}
 		}
+
+		if (!$is_valid) {
+			// There is a user with the provided user_name, but
+			// neither does the MD5 password match, nor can we
+			// authenticate it using the (crypt) unix_pw, nor
+			// is the user_pw a valid crypt or LDAP password hash
+
+			$feedback=_('Invalid Password Or User Name');
+			return false;
+		}
+
+	//=== until here  : $is_valid: is the $passwd valid  ===
+	//=== from here on: $is_valid: is the DB entry valid ===
+
+		$is_valid = false;	// update the DB, always
 	} else {
-		// If we're here, then the user has typed a password matching the (MD5) user_pw
-		// Let's check whether it also matches the (crypt) unix_pw
+		// MD5 password is valid, check the unix (crypt) password
+
 		$usr = db_fetch_array($res);
-/*
-		if (crypt ($passwd, $usr['unix_pw']) != $usr['unix_pw']) {
-			// The (crypt) unix_pw does not match
-			if ($usr['unix_pw'] == '') {
-				// Empty unix_pw, we'll take the MD5 as authoritative
-				// Update the (crypt) unix_pw and retry authentication
-				// It should work, except for status errors
-				$res = db_query ("UPDATE users
-					SET unix_pw='" . account_genunixpw($passwd) . "'
-					WHERE user_id='".$usr['user_id']."'");
-				return session_login_valid_dbonly($loginname, $passwd, $allowpending) ;
-			} else {
-				// Invalidate (MD5) user_pw, refuse authentication
-				$res = db_query ("UPDATE users
-					SET user_pw='OUT OF DATE'
-					WHERE user_id='".$usr['user_id']."'");
-				$feedback=_('Invalid Password Or User Name');
-				return false;
-			}
+
+		if (crypt($passwd, $usr['unix_pw']) == $usr['unix_pw']) {
+			$is_valid = true;
+		} else {
+			$is_valid = false;
 		}
-*/
+	}
 
+	// We have a user and authenticated him/her somehow, meaning that
+	// user_name='$loginname' has the valid plain text '$passwd'.
+	// Update the database with this information if required.
+
+	if (!$is_valid) {
+		// Just update both fields. It doesn’t hurt.
+		$res = db_query("UPDATE users
+		    SET user_pw='" . md5($passwd) . "',
+		    unix_pw='" . account_genunixpw($passwd) . "'
+		    WHERE user_name='$loginname'");
+		//$is_valid = true;
+	}
+
 		// Yay.  The provided password matches both fields in the database.
 		// Let's check the status of this user
 
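Review bot: The new UPDATE at the end of the hunk selects the row by the interpolated login name (`WHERE user_name='$loginname'`) although both branches have already fetched the user's row into `$usr` via `db_fetch_array`, and the statement it replaces keyed the same UPDATE on `$usr['user_id']`; whether `$loginname` is escaped is decided before the hunk starts and cannot be seen here, so keying on the fetched id, `WHERE user_id='" . $usr['user_id'] . "'"`, keeps the login string out of a second SQL statement and stays exact even if user_name is not unique. The `$is_valid = false; // update the DB, always` after the Authen::Passphrase path appears to make this UPDATE overwrite a freshly verified `{scheme}` hash in user_pw with an unsalted `md5($passwd)`, which works against the changelog entry about widening user_pw for larger LDAP hashes; if that downgrade is intended the comment should say so, and the dead `//$is_valid = true;` should be removed. The two `crypt(...) == $usr['unix_pw']` comparisons are loose; `===` (or `hash_equals()` on PHP >= 5.6) avoids PHP's string-to-number coercion rules in a credential check. The enclosing function (apparently session_login_valid_dbonly, judging by the removed recursive call) starts before the hunk and ends after it.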
@@ -241,7 +266,6 @@
 		session_set_new(db_result($res,0,'user_id'));
 
 		return true;
-	}
 }
 
 /**

Modified: branches/php-v5-sid-branch/debian/changelog
===================================================================
--- branches/php-v5-sid-branch/debian/changelog	2009-06-08 09:37:50 UTC (rev 126)
+++ branches/php-v5-sid-branch/debian/changelog	2009-06-08 09:41:03 UTC (rev 127)
@@ -13,8 +13,9 @@
     XXX yet go into upstream Debian; later we may depend on any
   * Change size of users.user_pw field from 32 to 128 to accomodate
     potentially larger LDAP password hashes
+  * Use Authen::Passphrase for matching users.user_pw ≠ MD5 hashes
 
- -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 08 Jun 2009 10:41:12 +0200
+ -- Thorsten Glaser <t.glaser at tarent.de>  Mon, 08 Jun 2009 11:40:21 +0200
 
 gforge (4.7.1-1) experimental; urgency=low
 



