Commit f4e33b4a authored by IKEDA Soji's avatar IKEDA Soji

[change] RC4 encrypted password in user_table will no longer be supported.

Administrators upgrading from earlier versions have to run upgrade_sympa_password.pl to decrypt and rehash older passwords.
parent a7596fa7
......@@ -9,8 +9,8 @@
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2017, 2018 The Sympa Community. See the AUTHORS.md file at the
# top-level directory of this distribution and at
# Copyright 2017, 2018, 2019 The Sympa Community. See the AUTHORS.md file at
# the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
......@@ -29,14 +29,16 @@
use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';
use strict;
use warnings;
use Digest::MD5;
use Getopt::Long;
use MIME::Base64 qw();
use Time::HiRes qw(gettimeofday tv_interval);
BEGIN { eval 'use Crypt::CipherSaber'; }
use Conf;
use Sympa::DatabaseManager;
use Sympa::Tools::Password;
use Sympa::User;
use Digest::MD5;
use Getopt::Long;
use Time::HiRes qw(gettimeofday tv_interval);
my $usage =
"Usage: $0 [--dry_run|n] [--debug|d] [--verbose|v] [--config file] [--cache file] [--nosavecache] [--noupdateuser] [--limit|l]\n";
......@@ -77,8 +79,6 @@ if ($dry_run) {
$savecache = $updateuser = 0;
}
die "Crypt::CipherSaber not installed ; cannot crypt passwords"
unless $Crypt::CipherSaber::VERSION;
die 'Error in configuration'
unless Conf::load($config, 'no_db');
......@@ -104,8 +104,17 @@ $dry_run && print "dry_run: database will *not* be updated.\n";
my $sdm = Sympa::DatabaseManager->instance
or die 'Can\'t connect to database';
my $sth;
# Check if RC4 decryption required.
$sth = $sdm->do_prepared_query(
q{SELECT COUNT(*) FROM user_table WHERE password_user LIKE 'crypt.%'});
my ($encrypted) = $sth->fetchrow_array;
if ($encrypted and not $Crypt::CipherSaber::VERSION) {
die "Password seems encrypted while Crypt::CipherSaber is not installed!\n";
}
my $sth = $sdm->do_query(q{SELECT email_user, password_user from user_table});
$sth = $sdm->do_query(q{SELECT email_user, password_user from user_table});
unless ($sth) {
die 'Unable to prepare SQL statement';
}
......@@ -139,10 +148,11 @@ while (my $user = $sth->fetchrow_hashref('NAME_lc')) {
next;
}
if ($user->{'password_user'} =~ /^crypt.(.*)$/) {
$clear_password = Sympa::Tools::Password::decrypt_password(
$user->{'password_user'});
} else { ## Old style cleartext passwords
if ($user->{'password_user'} =~ /\Acrypt[.](.*)\z/) {
# Old style RC4 encrypted password.
$clear_password = _decrypt_rc4_password($user->{'password_user'});
} else {
# Old style cleartext password.
$clear_password = $user->{'password_user'};
}
......@@ -253,6 +263,20 @@ if ($total->{'prehashes'}) {
exit 0;
my $rc4;
# decrypt RC4 encrypted password.
# Old name: Sympa::Tools::Password::decrypt_password().
sub _decrypt_rc4_password {
my $inpasswd = shift;
return $inpasswd unless $inpasswd =~ /\Acrypt[.](.*)\z/;
$inpasswd = $1;
$rc4 = Crypt::CipherSaber->new($Conf::Conf{'cookie'}) unless $rc4;
return $rc4->decrypt(MIME::Base64::decode($inpasswd));
}
#
# Here we use MD5 as a quick way to make sure that a precalculated hash
# is still valid.
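Review bot: The pattern `/\Acrypt[.](.*)\z/` used in the fetch loop's `if` and again in `_decrypt_rc4_password` cannot match a stored value that ends in a newline, because `.` excludes newlines and `\z` anchors at the very end of the string, whereas the old `/^crypt.(.*)$/` tolerated one since `$` also matches before a trailing newline, and the removed `crypt_password` built its value with `MIME::Base64::encode`, which appends a line ending by default. If any `crypt.` rows retained that newline they are counted by the `LIKE 'crypt.%'` query but then fall into the "Old style cleartext password" branch, and the ciphertext is rehashed as if it were the password. Adding `/s` to both patterns, `/\Acrypt[.](.*)\z/s`, lets the capture include the newline, which `MIME::Base64::decode` ignores. Separately, `my ($encrypted) = $sth->fetchrow_array;` runs before any check that `do_prepared_query` returned a handle, unlike the `unless ($sth)` guard on the following query; `die 'Unable to prepare SQL statement' unless $sth;` before the fetch would match that style. The `while` loop enclosing the first pattern starts outside the hunk.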
......
......@@ -64,7 +64,6 @@ use Sympa::Ticket;
use Sympa::Tools::Data;
use Sympa::Tools::Domains;
use Sympa::Tools::File;
use Sympa::Tools::Password;
use Sympa::Tools::SMIME;
use Sympa::Tools::Text;
use Sympa::User;
......@@ -3878,14 +3877,6 @@ sub add_list_member {
$new_user->{'custom_attribute'}
);
# Crypt password if it was not crypted.
unless (
Sympa::Tools::Data::smart_eq($new_user->{'password'}, qr/^crypt/))
{
$new_user->{'password'} = Sympa::Tools::Password::crypt_password(
$new_user->{'password'});
}
## Either is_included or is_subscribed must be set
## default is is_subscriber for backward compatibility reason
unless ($new_user->{'included'}) {
......
......@@ -8,6 +8,9 @@
# Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
# 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
# Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
# Copyright 2019 The Sympa Community. See the AUTHORS.md file at
# the top-level directory of this distribution and at
# <https://github.com/sympa-community/sympa.git>.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -27,15 +30,10 @@ package Sympa::Tools::Password;
use strict;
use warnings;
use Digest::MD5;
use MIME::Base64 qw();
BEGIN { eval 'use Crypt::CipherSaber'; }
BEGIN { eval 'use Data::Password'; }
use Conf;
use Sympa::Language;
use Sympa::Log;
my $log = Sympa::Log->instance;
sub tmp_passwd {
my $email = shift;
......@@ -47,46 +45,14 @@ sub tmp_passwd {
'init' . substr(Digest::MD5::md5_hex(join '/', $cookie, $email), -8));
}
# global var to store a CipherSaber object
my $cipher;
# create a cipher
sub ciphersaber_installed {
return $cipher if defined $cipher;
if ($Crypt::CipherSaber::VERSION) {
$cipher = Crypt::CipherSaber->new($Conf::Conf{'cookie'});
} else {
$cipher = '';
}
return $cipher;
}
# No longer used, Use _decrypt_rc4_password() in upgrade_sympa_password.pl.
#sub ciphersaber_installed;
## encrypt a password
sub crypt_password {
my $inpasswd = shift;
# No longer used.
#sub crypt_password;
ciphersaber_installed();
return $inpasswd unless $cipher;
return ("crypt." . MIME::Base64::encode($cipher->encrypt($inpasswd)));
}
## decrypt a password
sub decrypt_password {
my $inpasswd = shift;
$log->syslog('debug2', '(%s)', $inpasswd);
return $inpasswd unless ($inpasswd =~ /^crypt\.(.*)$/);
$inpasswd = $1;
ciphersaber_installed();
unless ($cipher) {
$log->syslog('info',
'Password seems crypted while CipherSaber is not installed !');
return $inpasswd;
}
return ($cipher->decrypt(MIME::Base64::decode($inpasswd)));
}
# Moved: Use _decrypt_rc4_password() in upgrade_sympa_password.pl.
#sub decrypt_password;
# Old name: Sympa::Session::get_random().
sub get_random {
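Review bot: Dropping `my $log = Sympa::Log->instance;` together with `use Sympa::Log;` from the preamble leaves any remaining `$log->syslog(...)` call in this module referring to an undeclared variable; under `use strict` that fails at compile time, so the rest of the file (outside the hunk) should be confirmed to no longer use `$log`. The three commented-out stubs `#sub ciphersaber_installed;`, `#sub crypt_password;` and `#sub decrypt_password;` read as code that may come back; a single comment in their place, stating that RC4 password encryption was removed and that decryption now lives in `_decrypt_rc4_password()` in upgrade_sympa_password.pl, says the same without leaving dead code. Perl resolves `Sympa::Tools::Password::decrypt_password` only when the call is reached, so a caller the commit missed surfaces as an "Undefined subroutine" error at runtime rather than at load.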
......
......@@ -39,7 +39,6 @@ use Sympa::DatabaseManager;
use Sympa::Language;
use Sympa::Log;
use Sympa::Tools::Data;
use Sympa::Tools::Password;
use Sympa::Tools::Text;
my $log = Sympa::Log->instance;
......@@ -535,13 +534,7 @@ sub get_global_user {
$sth = pop @sth_stack;
if (defined $user) {
## decrypt password
if ($user->{'password'}) {
$user->{'password'} =
Sympa::Tools::Password::decrypt_password($user->{'password'});
}
## Canonicalize lang if possible
# Canonicalize lang if possible.
if ($user->{'lang'}) {
$user->{'lang'} = Sympa::Language::canonic_lang($user->{'lang'})
|| $user->{'lang'};
......