[change] RC4 encrypted password in user_table will no longer be supported.

Administrators upgrading from earlier versions have to run upgrade_sympa_password.pl to decrypt and rehash older passwords.

[change] RC4 encrypted password in user_table will no longer be supported.
Administrators upgrading from earlier versions have to run upgrade_sympa_password.pl to decrypt and rehash older passwords.
f4e33b4a · IKEDA Soji · a7596fa7 · f4e33b4a · f4e33b4a · f4e33b4a
Commit f4e33b4a authored Feb 23, 2019 by IKEDA Soji
--- a/src/bin/upgrade_sympa_password.pl.in
+++ b/src/bin/upgrade_sympa_password.pl.in
@@ -9,8 +9,8 @@
 # Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 # 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
 # Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
-# Copyright 2017, 2018 The Sympa Community. See the AUTHORS.md file at the
-# top-level directory of this distribution and at
+# Copyright 2017, 2018, 2019 The Sympa Community. See the AUTHORS.md file at
+# the top-level directory of this distribution and at
 # <https://github.com/sympa-community/sympa.git>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -29,14 +29,16 @@
 use lib split(/:/, $ENV{SYMPALIB} || ''), '--modulesdir--';
 use strict;
 use warnings;
+use Digest::MD5;
+use Getopt::Long;
+use MIME::Base64 qw();
+use Time::HiRes qw(gettimeofday tv_interval);
+
+BEGIN { eval 'use Crypt::CipherSaber'; }

 use Conf;
 use Sympa::DatabaseManager;
-use Sympa::Tools::Password;
 use Sympa::User;
-use Digest::MD5;
-use Getopt::Long;
-use Time::HiRes qw(gettimeofday tv_interval);

 my $usage =
    "Usage: $0 [--dry_run|n] [--debug|d] [--verbose|v] [--config file] [--cache file] [--nosavecache] [--noupdateuser] [--limit|l]\n";
@@ -77,8 +79,6 @@ if ($dry_run) {
    $savecache = $updateuser = 0;
 }

-die "Crypt::CipherSaber not installed ; cannot crypt passwords"
-    unless $Crypt::CipherSaber::VERSION;
 die 'Error in configuration'
    unless Conf::load($config, 'no_db');

@@ -104,8 +104,17 @@ $dry_run && print "dry_run: database will *not* be updated.\n";

 my $sdm = Sympa::DatabaseManager->instance
    or die 'Can\'t connect to database';
+my $sth;
+
+# Check if RC4 decryption required.
+$sth = $sdm->do_prepared_query(
+    q{SELECT COUNT(*) FROM user_table WHERE password_user LIKE 'crypt.%'});
+my ($encrypted) = $sth->fetchrow_array;
+if ($encrypted and not $Crypt::CipherSaber::VERSION) {
+    die "Password seems encrypted while Crypt::CipherSaber is not installed!\n";
+}

-my $sth = $sdm->do_query(q{SELECT email_user, password_user from user_table});
+$sth = $sdm->do_query(q{SELECT email_user, password_user from user_table});
 unless ($sth) {
    die 'Unable to prepare SQL statement';
 }
@@ -139,10 +148,11 @@ while (my $user = $sth->fetchrow_hashref('NAME_lc')) {
        next;
    }

-    if ($user->{'password_user'} =~ /^crypt.(.*)$/) {
-        $clear_password = Sympa::Tools::Password::decrypt_password(
-            $user->{'password_user'});
-    } else {    ## Old style cleartext passwords
+    if ($user->{'password_user'} =~ /\Acrypt[.](.*)\z/) {
+        # Old style RC4 encrypted password.
+        $clear_password = _decrypt_rc4_password($user->{'password_user'});
+    } else {
+        # Old style cleartext password.
        $clear_password = $user->{'password_user'};
    }

@@ -253,6 +263,20 @@ if ($total->{'prehashes'}) {

 exit 0;

+my $rc4;
+
+# decrypt RC4 encrypted password.
+# Old name: Sympa::Tools::Password::decrypt_password().
+sub _decrypt_rc4_password {
+    my $inpasswd = shift;
+
+    return $inpasswd unless $inpasswd =~ /\Acrypt[.](.*)\z/;
+    $inpasswd = $1;
+
+    $rc4 = Crypt::CipherSaber->new($Conf::Conf{'cookie'}) unless $rc4;
+    return $rc4->decrypt(MIME::Base64::decode($inpasswd));
+}
+
 #
 # Here we use MD5 as a quick way to make sure that a precalculated hash
 # is still valid.

--- a/src/lib/Sympa/List.pm
+++ b/src/lib/Sympa/List.pm
@@ -64,7 +64,6 @@ use Sympa::Ticket;
 use Sympa::Tools::Data;
 use Sympa::Tools::Domains;
 use Sympa::Tools::File;
-use Sympa::Tools::Password;
 use Sympa::Tools::SMIME;
 use Sympa::Tools::Text;
 use Sympa::User;
@@ -3878,14 +3877,6 @@ sub add_list_member {
            $new_user->{'custom_attribute'}
        );

-        # Crypt password if it was not crypted.
-        unless (
-            Sympa::Tools::Data::smart_eq($new_user->{'password'}, qr/^crypt/))
-        {
-            $new_user->{'password'} = Sympa::Tools::Password::crypt_password(
-                $new_user->{'password'});
-        }
-
        ## Either is_included or is_subscribed must be set
        ## default is is_subscriber for backward compatibility reason
        unless ($new_user->{'included'}) {

--- a/src/lib/Sympa/Tools/Password.pm
+++ b/src/lib/Sympa/Tools/Password.pm
@@ -8,6 +8,9 @@
 # Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 # 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
 # Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
+# Copyright 2019 The Sympa Community. See the AUTHORS.md file at
+# the top-level directory of this distribution and at
+# <https://github.com/sympa-community/sympa.git>.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -27,15 +30,10 @@ package Sympa::Tools::Password;
 use strict;
 use warnings;
 use Digest::MD5;
-use MIME::Base64 qw();
-BEGIN { eval 'use Crypt::CipherSaber'; }
 BEGIN { eval 'use Data::Password'; }

 use Conf;
 use Sympa::Language;
-use Sympa::Log;
-
-my $log = Sympa::Log->instance;

 sub tmp_passwd {
    my $email = shift;
@@ -47,46 +45,14 @@ sub tmp_passwd {
        'init' . substr(Digest::MD5::md5_hex(join '/', $cookie, $email), -8));
 }

-# global var to store a CipherSaber object
-my $cipher;
-
-# create a cipher
-sub ciphersaber_installed {
-    return $cipher if defined $cipher;
-
-    if ($Crypt::CipherSaber::VERSION) {
-        $cipher = Crypt::CipherSaber->new($Conf::Conf{'cookie'});
-    } else {
-        $cipher = '';
-    }
-    return $cipher;
-}
+# No longer used, Use _decrypt_rc4_password() in upgrade_sympa_password.pl.
+#sub ciphersaber_installed;

-## encrypt a password
-sub crypt_password {
-    my $inpasswd = shift;
+# No longer used.
+#sub crypt_password;

-    ciphersaber_installed();
-    return $inpasswd unless $cipher;
-    return ("crypt." . MIME::Base64::encode($cipher->encrypt($inpasswd)));
-}
-
-## decrypt a password
-sub decrypt_password {
-    my $inpasswd = shift;
-    $log->syslog('debug2', '(%s)', $inpasswd);
-
-    return $inpasswd unless ($inpasswd =~ /^crypt\.(.*)$/);
-    $inpasswd = $1;
-
-    ciphersaber_installed();
-    unless ($cipher) {
-        $log->syslog('info',
-            'Password seems crypted while CipherSaber is not installed !');
-        return $inpasswd;
-    }
-    return ($cipher->decrypt(MIME::Base64::decode($inpasswd)));
-}
+# Moved: Use _decrypt_rc4_password() in upgrade_sympa_password.pl.
+#sub decrypt_password;

 # Old name: Sympa::Session::get_random().
 sub get_random {

--- a/src/lib/Sympa/User.pm
+++ b/src/lib/Sympa/User.pm
@@ -39,7 +39,6 @@ use Sympa::DatabaseManager;
 use Sympa::Language;
 use Sympa::Log;
 use Sympa::Tools::Data;
-use Sympa::Tools::Password;
 use Sympa::Tools::Text;

 my $log = Sympa::Log->instance;
@@ -535,13 +534,7 @@ sub get_global_user {
    $sth = pop @sth_stack;

    if (defined $user) {
-        ## decrypt password
-        if ($user->{'password'}) {
-            $user->{'password'} =
-                Sympa::Tools::Password::decrypt_password($user->{'password'});
-        }
-
-        ## Canonicalize lang if possible
+        # Canonicalize lang if possible.
        if ($user->{'lang'}) {
            $user->{'lang'} = Sympa::Language::canonic_lang($user->{'lang'})
                || $user->{'lang'};