[svn r18942] Implementing sha1 as a possibility to encrypt user passwords see SVN#3798

17 years ago · 9286d1c6ea
parent a7aa50f814
commit 9286d1c6ea
17 changed files with 143 additions and 44 deletions
--- a/main/admin/session_import.php
+++ b/main/admin/session_import.php
@ -1,4 +1,4 @@
-<?php // $Id: session_import.php 18675 2009-02-25 05:37:35Z yannoo $
+<?php // $Id: session_import.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /* For licensing terms, see /dokeos_license.txt */
 /**
 ==============================================================================
@ -95,7 +95,7 @@ if ($_POST['formSent']) {
 								username = '".Database::escape_string($username)."',
 								lastname = '".Database::escape_string($lastname)."',
 								firstname = '".Database::escape_string($firstname)."',
-								password = '".($userPasswordCrypted==true ? md5($password) : $password)."',
+								password = '".(api_get_encrypted_password($password))."',
 								email = '".Database::escape_string($email)."',
 								official_code = '".Database::escape_string($official_code)."',
 								phone = '".Database::escape_string($phone)."',
@ -141,7 +141,7 @@ if ($_POST['formSent']) {
 						$sql = "UPDATE $tbl_user SET
 									lastname = '".Database::escape_string($lastname)."',
 									firstname = '".Database::escape_string($firstname)."',
-									".(empty($password) ? "" : "password = '".($userPasswordCrypted==true ? md5($password) : $password)."',")."
+									".(empty($password) ? "" : "password = '".(api_get_encrypted_password($password))."',")."
 									email = '".Database::escape_string($email)."',
 									official_code = '".Database::escape_string($official_code)."',
 									phone = '".Database::escape_string($phone)."',
--- a/main/admin/user_export.php
+++ b/main/admin/user_export.php
@ -1,5 +1,5 @@
 <?php
-// $Id: user_export.php 18595 2009-02-19 21:17:17Z juliomontoya $
+// $Id: user_export.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -83,15 +83,17 @@ $form->setDefaults(array('file_type'=>'csv'));
 if ($form->validate())
 {
 	global $userPasswordCrypted;
+	
 	$export = $form->exportValues();
 	$file_type = $export['file_type'];
-	$course_code = $export['course_code'];
+	$course_code = $export['course_code'];	
+	$userPasswordCrypted =
 	$sql = "SELECT  u.user_id 	AS UserId,
 					u.lastname 	AS LastName,
 					u.firstname 	AS FirstName,
 					u.email 		AS Email,
 					u.username	AS UserName,
-					".(($userPasswordCrypted)?" ":"u.password AS Password, ")."
+					".(($userPasswordCrypted!='none')?" ":"u.password AS Password, ")."
 					u.auth_source	AS AuthSource,
 					u.status		AS Status,
 					u.official_code	AS OfficialCode,
@ -120,7 +122,7 @@ if ($form->validate())
 	$extra_fields = Usermanager::get_extra_fields(0, 0, 5, 'ASC',false);
 	if ($export['addcsvheader']=='1' AND $export['file_type']=='csv')
 	{
-		if($userPasswordCrypted) {
+		if($userPasswordCrypted!='none') {
 			$data[] = array('UserId', 'LastName', 'FirstName', 'Email', 'UserName', 'AuthSource', 'Status', 'OfficialCode', 'Phone');
 		} else {
 			$data[] = array('UserId', 'LastName', 'FirstName', 'Email', 'UserName','Password',  'AuthSource', 'Status', 'OfficialCode', 'Phone');	
--- a/main/auth/lostPassword.php
+++ b/main/auth/lostPassword.php
@ -1,6 +1,6 @@
 <?php

-// $Id: lostPassword.php 17747 2009-01-15 21:03:02Z cfasanando $
+// $Id: lostPassword.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -84,7 +84,7 @@ else
 			{
 				$user[] = $data;
 			}
-			if ($userPasswordCrypted)
+			if ($userPasswordCrypted!='none')
 			{
 				$msg = handle_encrypted_password($user);
 			}
--- a/main/auth/lost_password.lib.php
+++ b/main/auth/lost_password.lib.php
@ -1,5 +1,5 @@
 <?php
-// $Id: lost_password.lib.php 18376 2009-02-09 20:25:27Z juliomontoya $
+// $Id: lost_password.lib.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -184,10 +184,11 @@ function reset_password($secret, $id)
 	{
 		$user[0]["password"] = api_generate_password();
 		$crypted = $user[0]["password"];
-		if( $userPasswordCrypted)
+		$crypted = api_get_encrypted_password($crypted);
+		/*if( $userPasswordCrypted)
 		{
 			$crypted = md5($crypted);
-		}
+		}*/
 		api_sql_query("UPDATE ".$tbl_user." SET password='$crypted' WHERE user_id=$id");
 		return send_password_to_user($user, $your_password_has_been_reset);
 	}
--- a/main/auth/profile.php
+++ b/main/auth/profile.php
@ -1,4 +1,4 @@
-<?php // $Id: profile.php 18900 2009-03-09 21:51:41Z iflorespaz $
+<?php // $Id: profile.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /* For licensing terms, see /dokeos_license.txt */
 /**
 ==============================================================================
@ -663,14 +663,8 @@ if (!empty($_SESSION['production_uploaded']))

 	if (isset($password))
 	{
-		if ($userPasswordCrypted)
-		{
-			$sql .= " password = MD5('".Database::escape_string($password)."')";
-		}
-		else
-		{
-			$sql .= " password = '".Database::escape_string($password)."'";
-		}
+		$password = api_get_encrypted_password($password);
+		$sql .= " password = '".Database::escape_string($password)."'";  		
 	}
 	else // remove trailing , from the query we have so far
 	{
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@ -3038,7 +3038,8 @@ function api_get_current_access_url_id()
 * @author Julio Montoya <gugli100@gmail.com>
 * @return int user id  
 */
-function api_get_access_url_from_user($user_id) {
+function api_get_access_url_from_user($user_id) 
+{
 	$table_url_rel_user	= Database :: get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
 	$table_url	= Database :: get_main_table(TABLE_MAIN_ACCESS_URL);		
 	$sql = "SELECT access_url_id FROM $table_url_rel_user url_rel_user INNER JOIN $table_url u 
@ -3160,3 +3161,25 @@ function api_is_xml_http_request() {
 		return false;
 	}
 }
+/**
+ * This function gets the hash in md5 or sha1 (it depends in the platform config) of a given password
+ * @param  string password
+ * @return string password with the applied hash 
+ * */
+function api_get_encrypted_password($password) 
+{
+	global $userPasswordCrypted;
+	switch ($userPasswordCrypted){
+		case 'md5':
+		return md5($password);
+		break;
+		case 'sha1':
+		return sha1($password);
+		break;
+		case 'none':
+		return $password;
+		break;
+		default:
+		return md5($password); 
+	}
+}
--- a/main/inc/lib/usermanager.lib.php
+++ b/main/inc/lib/usermanager.lib.php
@ -1,4 +1,4 @@
-<?php // $Id: usermanager.lib.php 18875 2009-03-09 16:13:34Z juliomontoya $
+<?php // $Id: usermanager.lib.php 18942 2009-03-10 23:42:21Z juliomontoya $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@ -95,7 +95,8 @@ class UserManager
 		if (! UserManager::is_username_available($loginName))
 			return api_set_failure('login-pass already taken');
 		//$password = "PLACEHOLDER";
-		$password = ($userPasswordCrypted ? md5($password) : $password);
+		$password = api_get_encrypted_password($password); 
+		//$password = ($userPasswordCrypted ? md5($password) : $password);
 		$sql = "INSERT INTO $table_user
 					                SET lastname = '".Database::escape_string(trim($lastName))."',
 					                firstname = '".Database::escape_string(trim($firstName))."',
@ -301,7 +302,8 @@ class UserManager
 				username='".Database::escape_string($username)."',";
 		if(!is_null($password))
 		{
-			$password = $userPasswordCrypted ? md5($password) : $password;
+			//$password = $userPasswordCrypted ? md5($password) : $password;			
+			$password = api_get_encrypted_password($password);  
 			$sql .= " password='".Database::escape_string($password)."',";
 		}
 		if(!is_null($auth_source))
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@ -223,9 +223,10 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
                // determine if the password needs to be encrypted before checking
                // $userPasswordCrypted is set in an external configuration file

-                if ($userPasswordCrypted) {
+                /*if ($userPasswordCrypted) {
                	$password = md5($password);
-                }               
+                } */
+                $password = api_get_encrypted_password($password);                
                
                // check the user's password
                if ($password == $uData['password'] AND (trim($login) == $uData['username'])) {
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@ -137,8 +137,8 @@ $phpMyAdminPath              							= '';
 $_configuration['verbose_backup']						= false;
 // security word for password recovery
 $_configuration['security_key']      					= '{SECURITY_KEY}';
-// Settings for new and future features
-$userPasswordCrypted          							= ENCRYPT_PASSWORD;
+// Hash function method 
+$userPasswordCrypted          							= '{ENCRYPT_PASSWORD}';
 // You may have to restart your web server if you change this
 $storeSessionInDb             							= false;
 // Session lifetime
--- a/main/install/index.php
+++ b/main/install/index.php
@ -269,7 +269,7 @@ if(!isset($_GET['running']))
 	$allowSelfRegProf=1;
 	$enableTrackingForm=1;
 	$singleDbForm=0;
-	$encryptPassForm=1;
+	$encryptPassForm='md5';
 	$session_lifetime=360000;
 }
 else
@ -336,6 +336,12 @@ elseif (!empty($_POST['step5']))
 }


+// Managing the $encryptPassForm 
+if ($encryptPassForm=='1' ) {
+	$encryptPassForm = 'md5'; 
+} elseif ($encryptPassForm=='0') {	  	
+	$encryptPassForm = 'none';
+}

 ?>
 <!DOCTYPE html
@ -504,6 +510,13 @@ elseif($_POST['step4'])
 		{   //for version 1.6
 			$urlForm = get_config_param('rootWeb');
 			$encryptPassForm = get_config_param('userPasswordCrypted');
+			// Managing the $encryptPassForm 
+			if ($encryptPassForm=='1' ) {
+				$encryptPassForm = 'md5'; 
+			} elseif ($encryptPassForm=='0') {	  	
+				$encryptPassForm = 'none';
+			}
+			
 			$allowSelfReg = get_config_param('allowSelfReg');
 			$allowSelfRegProf = get_config_param('allowSelfRegProf');
 		}
@ -511,6 +524,13 @@ elseif($_POST['step4'])
 		{   //for version 1.8
 			$urlForm = $_configuration['root_web'];
 			$encryptPassForm = get_config_param('userPasswordCrypted');
+			// Managing the $encryptPassForm 
+			if ($encryptPassForm=='1' ) {
+				$encryptPassForm = 'md5'; 
+			} elseif ($encryptPassForm=='0') {	  	
+				$encryptPassForm = 'none';
+			}
+			
 			$allowSelfReg = false;
 			$tmp = get_config_param_from_db($dbHostForm,$dbUsernameForm,$dbPassForm,$db_name,'allow_registration');
 			if(!empty($tmp)) $allowSelfReg = $tmp;
@ -570,7 +590,9 @@ elseif($_POST['step5'])
 	<?php echo get_lang('SingleDb').' : '.($singleDbForm?$langOne:$langSeveral); ?><br /><br />

 	<?php echo get_lang('AllowSelfReg').' : '.($allowSelfReg?$langYes:$langNo); ?><br />
-	<?php echo get_lang('EncryptUserPass').' : '.($encryptPassForm?$langYes:$langNo); ?><br /><br/>
+	<?php echo get_lang('EncryptMethodUserPass').' : ';
+  	echo $encryptPassForm;
+	?><br /><br/>

 	<?php echo get_lang('AdminEmail').' : '.$emailForm; ?><br />
 	<?php echo get_lang('AdminLastName').' : '.$adminLastName; ?><br />
@ -618,6 +640,13 @@ elseif($_POST['step6'])
 		$_configuration['main_database'] = $dbNameForm;
 		//$urlAppendPath = get_config_param('urlAppend');
        error_log('Starting migration process from '.$my_old_version.' ('.time().')',0);
+        
+    	if ($userPasswordCrypted=='1' ) {
+			$userPasswordCrypted = 'md5'; 
+		} elseif ($userPasswordCrypted=='0') {	  	
+			$userPasswordCrypted = 'none'; 
+		} 
+			
 		switch($my_old_version)
 		{
 			case '1.6':
@ -686,4 +715,4 @@ else
 	&nbsp;
 </div>
 </body>
-</html>
+</html>
--- a/main/install/install_db.inc.php
+++ b/main/install/install_db.inc.php
@ -77,6 +77,18 @@ if($urlForm[strlen($urlForm)-1] != '/')
 	$urlForm=$urlForm.'/';
 }

+switch ($encryptPassForm) {
+	case 'md5' :
+	$passToStore=md5($passForm);
+	break;
+	case 'sha1' : 
+	$passToStore=sha1($passForm);
+	break;
+	case 'none' :
+	$passToStore=($passForm); 
+	break;
+}
+/*
 if($encryptPassForm)
 {
 	$passToStore=md5($passForm);
@ -84,7 +96,7 @@ if($encryptPassForm)
 else
 {
 	$passToStore=($passForm);
-}
+}*/

 $dbPrefixForm=eregi_replace('[^a-z0-9_-]','',$dbPrefixForm);

@ -204,6 +216,7 @@ $installation_settings['{ADMINEMAIL}'] = $emailForm;
 $installation_settings['{ADMINPHONE}'] = $adminPhoneForm;
 $installation_settings['{PLATFORM_AUTH_SOURCE}'] = PLATFORM_AUTH_SOURCE;
 $installation_settings['{ADMINLANGUAGE}'] = $languageForm;
+$installation_settings['{HASHFUNCTIONMODE}'] = $encryptPassForm;
 load_main_database($installation_settings);

 /**
--- a/main/install/install_functions.inc.php
+++ b/main/install/install_functions.inc.php
@ -1021,7 +1021,7 @@ function display_configuration_settings_form($installType, $urlForm, $languageFo

 	//Second parameter: Dokeos URL
 	echo "<tr>\n";
-	echo '<td>'.get_lang('DokeosURL').' (<font color="#cc0033">'.get_lang('ThisFieldIsRequired')."</font>)&nbsp;&nbsp;</td>\n";
+	echo '<td>'.get_lang('DokeosURL').' (<font color="red">'.get_lang('ThisFieldIsRequired')."</font>)&nbsp;&nbsp;</td>\n";
 	
 	if($installType == 'update') echo '<td>'.htmlentities($urlForm)."</td>\n";
 	else echo '<td><input type="text" size="40" maxlength="100" name="urlForm" value="'.htmlentities($urlForm).'" />'."</td>\n";
@ -1055,9 +1055,10 @@ function display_configuration_settings_form($installType, $urlForm, $languageFo

 	//Parameter 11: institute (short) name
 	display_configuration_parameter($installType, get_lang("InstituteURL"), "institutionUrlForm", $institutionUrlForm);
-
-	?>
-	<tr>
+	
+	/*
+	 //old method
+	  	<tr>
 	  <td><?php echo get_lang("EncryptUserPass"); ?> :</td>

 	  <?php if($installType == 'update'): ?>
@ -1068,8 +1069,29 @@ function display_configuration_settings_form($installType, $urlForm, $languageFo
 		<input class="checkbox" type="radio" name="encryptPassForm" value="0" id="encryptPass0" <?php echo $encryptPassForm?'':'checked="checked" '; ?>/> <label for="encryptPass0"><?php echo get_lang("No"); ?></label>
 	  </td>
 	  <?php endif; ?>
-
 	</tr>
+	
+	 */
+	
+	?>
+	<tr>
+	  <td><?php echo get_lang("EncryptMethodUserPass"); ?> :</td>
+ 
+	  <?php if($installType == 'update'): ?>
+	  <td><input type="hidden" name="encryptPassForm" value="<?php echo $encryptPassForm; ?>" /><?php  echo $encryptPassForm; ?></td>
+	  <?php else: ?>
+	  <td>
+		<input class="checkbox" type="radio" name="encryptPassForm" value="md5" id="encryptPass0" <?php echo $encryptPassForm?'checked="checked" ':''; ?>/> <label for="encryptPass0"><?php echo "md5"; ?></label>
+		<input class="checkbox" type="radio" name="encryptPassForm" value="sha1" id="encryptPass1" <?php echo $encryptPassForm?'':'checked="checked" '; ?>/> <label for="encryptPass1"><?php echo "sha1"; ?></label>
+		<input class="checkbox" type="radio" name="encryptPassForm" value="none" id="encryptPass2" <?php echo $encryptPassForm?'':'checked="checked" '; ?>/> <label for="encryptPass2"><?php echo get_lang("None"); ?></label>
+	  </td>
+	  <?php endif; ?>
+	</tr>
+	
+
+	
+	
+	
 	<tr>
 	  <td><?php echo get_lang("AllowSelfReg"); ?> :</td>

--- a/main/install/install_upgrade.lib.php
+++ b/main/install/install_upgrade.lib.php
@ -97,7 +97,7 @@ function fill_current_settings_table($current_settings_table, $installation_sett
 	$allowSelfReg = $installation_settings['allow_self_registration'];
 	$allowSelfRegProf = $installation_settings['allow_teacher_self_registration'];
 	$adminPhoneForm = $installation_settings['admin_phone_form'];
-
+	
 	$file_path = dirname(__FILE__).'/'.SETTING_CURRENT_DATA_FILENAME;
 	$add_setting_current_sql = "LOAD DATA INFILE '".mysql_real_escape_string($file_path)."' INTO TABLE $current_settings_table FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '\'';";
 	@ mysql_query($add_setting_current_sql);
@ -203,7 +203,8 @@ function write_dokeos_config_file($path)
 	$config['{GARBAGE_DIR}'] = str_replace("\\", '/', $garbageDir);
 	$config['{PLATFORM_LANGUAGE}'] = $languageForm;
 	$config['{SECURITY_KEY}'] = md5(uniqid(rand().time()));
-	$config['ENCRYPT_PASSWORD'] = trueFalse($encryptPassForm);
+	$config['{ENCRYPT_PASSWORD}'] = $encryptPassForm; 
+	
 	$config['SESSION_LIFETIME'] = $session_lifetime;
 	$config['{NEW_VERSION}'] = $new_version;
 	$config['NEW_VERSION_STABLE'] = trueFalse($new_version_stable);
@ -211,6 +212,7 @@ function write_dokeos_config_file($path)
 	{
 		$content = str_replace($key, $value, $content);
 	}
+	
 	$fp = @ fopen($path, 'w');

 	if (!$fp)
--- a/main/install/update-files-1.8.5-1.8.6.inc.php
+++ b/main/install/update-files-1.8.5-1.8.6.inc.php
@ -39,6 +39,10 @@ if (defined('DOKEOS_INSTALL') || defined('DOKEOS_COURSE_UPDATE'))
 			$found_stable = true;
 			$line = '$_configuration[\'dokeos_stable\'] = '.($new_version_stable?'true':'false').';'."\r\n";
 		}
+		elseif(stristr($line,'$userPasswordCrypted'))
+		{			
+			$line = '$userPasswordCrypted 									= \''.($userPasswordCrypted).'\';'."\r\n";
+		}
 		elseif(stristr($line,'?>'))
 		{
 			//ignore the line
--- a/main/install/upgrade.php
+++ b/main/install/upgrade.php
@ -889,7 +889,12 @@ if( isset($values['old_version_path']) && $values['old_version_path'] != '/var/w
 	$defaults['encrypt_password'] = 1;
 	$defaults['organization_name'] = get_config_param('institution["name"]',$path);
 	$defaults['organization_url'] = get_config_param('institution["url"]',$path);
-	$defaults['encrypt_password'] = get_config_param('userPasswordCrypted',$path);
+	if (get_config_param('userPasswordCrypted',$path)==1) {
+		$defaults['encrypt_password'] = 'md5';
+	} elseif (get_config_param('userPasswordCrypted',$path)==0){
+		$defaults['encrypt_password'] = 'none';
+	}	
+	//$defaults['encrypt_password'] = get_config_param('userPasswordCrypted',$path);
 	$defaults['self_reg'] = get_config_param('allowSelfReg',$path);
 }
 else
--- a/main/lang/english/install.inc.php
+++ b/main/lang/english/install.inc.php
@ -113,4 +113,5 @@ $DokeosArtLicense = "The images and media galleries of Dokeos use images from Nu
 $PleasGoBackToStep1 = "Please go back to step 1";
 $OptionalParameters = "Optional parameters";
 $FailedConectionDatabase = "The database connection has failed. This is generally due to the wrong user, the wrong password or the wrong database prefix being set above. Please review these settings and try again.";
+$EncryptMethodUserPass = "Encryption method"; 
 ?>
--- a/main/user/user_add.php
+++ b/main/user/user_add.php
@ -140,9 +140,9 @@ if($register)
 		if ($_cid) $platformStatus = STUDENT;          // course registrartion context...
 		else       $platformStatus = $platformStatus; // admin section of the platform context...

-		if ($userPasswordCrypted) $pw = md5($password_form);
-		else                      $pw = $password_form;
-
+		//if ($userPasswordCrypted) $pw = md5($password_form);		
+		//else                      $pw = $password_form;
+		$pw = api_get_encrypted_password($password_form);
 		$result = api_sql_query("INSERT INTO $tbl_user
 		                       SET lastname       = '$lastname_form',
 		                           firstname    = '$firstname_form',