# HG changeset patch # User Dan # Date 1231048540 18000 # Node ID eb8b23f117446332eb6c79989efc59ae0326d85f # Parent 9cdfe82c56cdc025a889934f8aa6923cb00cba45 Two big commits in one day I know, but redid password storage to use HMAC-SHA1. Consolidated much AES processing to three core methods in session that should handle everything automagically. Installation works; upgrades should. Rebranded as 1.1.6. diff -r 9cdfe82c56cd -r eb8b23f11744 README --- a/README Sat Jan 03 18:11:18 2009 -0500 +++ b/README Sun Jan 04 00:55:40 2009 -0500 @@ -1,5 +1,5 @@ Enano CMS -Version 1.1.5 +Version 1.1.6 ----------------------------- Thanks for downloading Enano! If you're looking for an installation guide, @@ -9,7 +9,7 @@ ----------------------------- Enano CMS -Copyright (C) 2006-2008 Dan Fuhry. All rights except those explicitly granted +Copyright (C) 2006-2009 Dan Fuhry. All rights except those explicitly granted by the included license agreement reserved. PHILOSOPHY diff -r 9cdfe82c56cd -r eb8b23f11744 ajax.php --- a/ajax.php Sat Jan 03 18:11:18 2009 -0500 +++ b/ajax.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 cron.php --- a/cron.php Sat Jan 03 18:11:18 2009 -0500 +++ b/cron.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/cache.php --- a/includes/cache.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/cache.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/captcha.php --- a/includes/captcha.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/captcha.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * captcha.php - visual confirmation system used during registration * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/captcha/engine_default.php --- a/includes/captcha/engine_default.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/captcha/engine_default.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * captcha.php - visual confirmation system used during registration * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/captcha/engine_failsafe.php --- a/includes/captcha/engine_failsafe.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/captcha/engine_failsafe.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * captcha.php - visual confirmation system used during registration * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/captcha/engine_potpourri.php --- a/includes/captcha/engine_potpourri.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/captcha/engine_potpourri.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * captcha.php - visual confirmation system used during registration * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/clientside/jscompress.php --- a/includes/clientside/jscompress.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/clientside/jscompress.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * jsres.php - the Enano client-side runtime, a.k.a. AJAX on steroids * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/clientside/jsres.php --- a/includes/clientside/jsres.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/clientside/jsres.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * jsres.php - the Enano client-side runtime, a.k.a. AJAX on steroids * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/clientside/tinymce/tiny_mce_gzip.php --- a/includes/clientside/tinymce/tiny_mce_gzip.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/clientside/tinymce/tiny_mce_gzip.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * tiny_mce_gzip.php - TinyMCE gzip and caching script, stock from MoxieCode with one modification * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/comment.php --- a/includes/comment.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/comment.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/common.php --- a/includes/common.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/common.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -44,7 +44,7 @@ // be the expected output of enano_version(), which will always be in the // format of 1.0.2, 1.0.2a1, 1.0.2b1, 1.0.2RC1 // You'll want to change this for custom distributions. -$version = '1.1.5'; +$version = '1.1.6'; /** * Returns a floating-point number with the current UNIX timestamp in microseconds. Defined very early because we gotta call it @@ -147,6 +147,7 @@ require_once(ENANO_ROOT.'/includes/pageprocess.php'); require_once(ENANO_ROOT.'/includes/namespaces/default.php'); require_once(ENANO_ROOT.'/includes/tagcloud.php'); +require_once(ENANO_ROOT.'/includes/hmac.php'); strip_magic_quotes_gpc(); diff -r 9cdfe82c56cd -r eb8b23f11744 includes/common_cli.php --- a/includes/common_cli.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/common_cli.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/constants.php --- a/includes/constants.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/constants.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * constants.php - important defines used Enano-wide * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/dbal.php --- a/includes/dbal.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/dbal.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/diff.php --- a/includes/diff.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/diff.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/diffiehellman.php --- a/includes/diffiehellman.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/diffiehellman.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * diffiehellman.php - Diffie Hellman key exchange and supporting functions * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/email.php --- a/includes/email.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/email.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/functions.php --- a/includes/functions.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/functions.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -1259,6 +1259,7 @@ '1.1.3' => 'Caoineag alpha 3', '1.1.4' => 'Caoineag alpha 4', '1.1.5' => 'Caoineag alpha 5', + '1.1.6' => 'Caoineag beta 1' ); $version = enano_version(); if ( isset($names[$version]) ) diff -r 9cdfe82c56cd -r eb8b23f11744 includes/graphs.php --- a/includes/graphs.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/graphs.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/hmac.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/includes/hmac.php Sun Jan 04 00:55:40 2009 -0500 @@ -0,0 +1,89 @@ + diff -r 9cdfe82c56cd -r eb8b23f11744 includes/http.php --- a/includes/http.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/http.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * class_http.php - Pure PHP HTTP client library * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/js-compressor.php --- a/includes/js-compressor.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/js-compressor.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Javascript compression library - used to compact the client-side Javascript code (all 72KB of it!) to save some bandwidth * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/lang.php --- a/includes/lang.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/lang.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/math.php --- a/includes/math.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/math.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * diffiehellman.php - Diffie Hellman key exchange and supporting functions * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/admin.php --- a/includes/namespaces/admin.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/admin.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/api.php --- a/includes/namespaces/api.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/api.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/default.php --- a/includes/namespaces/default.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/default.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/file.php --- a/includes/namespaces/file.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/file.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/special.php --- a/includes/namespaces/special.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/special.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/template.php --- a/includes/namespaces/template.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/template.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/namespaces/user.php --- a/includes/namespaces/user.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/namespaces/user.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/output.php --- a/includes/output.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/output.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * output.php - Controls output format, messages of death, that kind of stuff * Copyright (C) 2006-2008 Dan Fuhry * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/pageprocess.php --- a/includes/pageprocess.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/pageprocess.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * pageprocess.php - intelligent retrieval of pages * Copyright (C) 2006-2008 Dan Fuhry * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/pageutils.php --- a/includes/pageutils.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/pageutils.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * pageutils.php - a class that handles raw page manipulations, used mostly by AJAX requests or their old-fashioned form-based counterparts * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/paths.php --- a/includes/paths.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/paths.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /** * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * paths.php - The part of Enano that actually manages content. Everything related to page handling and namespaces is in here. * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/plugins.php --- a/includes/plugins.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/plugins.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/render.php --- a/includes/render.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/render.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * render.php - handles fetching pages and parsing them into HTML * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/rijndael.php --- a/includes/rijndael.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/rijndael.php Sun Jan 04 00:55:40 2009 -0500 @@ -1658,25 +1658,30 @@ * @return string a BINARY key */ - function randkey($len = 32) + static function randkey($len = 32) + { + if ( @file_exists('/dev/urandom') && @is_readable('/dev/urandom') ) + { + // Let's use something a little more secure + $ur = @fopen('/dev/urandom', 'r'); + if ( !$ur ) + return self::randkey_safe($len); + $ukey = @fread($ur, $len); + fclose($ur); + if ( strlen($ukey) != $len ) + return self::randkey_safe($len); + return $ukey; + } + return self::randkey_safe($len); + } + + static function randkey_safe($len = 32) { $key = ''; for($i=0;$i<$len;$i++) { $key .= chr(mt_rand(0, 255)); } - if ( @file_exists('/dev/urandom') && @is_readable('/dev/urandom') ) - { - // Let's use something a little more secure - $ur = @fopen('/dev/urandom', 'r'); - if ( !$ur ) - return $key; - $ukey = @fread($ur, $len); - fclose($ur); - if ( strlen($ukey) != $len ) - return $key; - return $ukey; - } return $key; } diff -r 9cdfe82c56cd -r eb8b23f11744 includes/search.php --- a/includes/search.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/search.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * search.php - algorithm used to search pages * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/sessions.php --- a/includes/sessions.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/sessions.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * sessions.php - everything related to security and user management * @@ -501,7 +501,7 @@ } else { - $key = strrev($_REQUEST['auth']); + $key = $_REQUEST['auth']; if ( !empty($key) && ( strlen($key) / 2 ) % 4 == 0 ) { $super = $this->validate_session($key); @@ -645,7 +645,14 @@ { global $db, $session, $paths, $template, $plugins; // Common objects - $pass_hashed = ( $already_md5ed ) ? $password : md5($password); + if ( $already_md5ed ) + { + // No longer supported + return array( + 'mode' => 'error', + 'error' => '$already_md5ed is no longer supported (set this parameter to false and make sure the password you send to $session->login_without_crypto() is not hashed)' + ); + } // Replace underscores with spaces in username // (Added in 1.0.2) @@ -654,7 +661,7 @@ // Perhaps we're upgrading Enano? if($this->compat) { - return $this->login_compat($username, $pass_hashed, $level); + return $this->login_compat($username, md5($password), $level); } if ( !defined('IN_ENANO_INSTALL') ) @@ -710,7 +717,13 @@ $success = false; // Retrieve the real password from the database - $this->sql('SELECT password,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix.'users WHERE ' . ENANO_SQLFUNC_LOWERCASE . '(username)=\''.$this->prepare_text(strtolower($username)).'\';'); + $username_db = $db->escape(strtolower($username)); + if ( !$db->sql_query('SELECT password,password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n" + . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';") ) + { + $this->sql('SELECT password,\'\' AS password_salt,old_encryption,user_id,user_level,temp_password,temp_password_time FROM '.table_prefix."users\n" + . " WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '$username_db';"); + } if($db->numrows() < 1) { // This wasn't logged in <1.0.2, dunno how it slipped through @@ -747,8 +760,8 @@ if((intval($row['temp_password_time']) + 3600*24) > time() ) { - $temp_pass = $aes->decrypt( $row['temp_password'], $this->private_key, ENC_HEX ); - if( md5($temp_pass) == $pass_hashed ) + $temp_pass = hmac_sha1($password, $row['password_salt']); + if( $temp_pass === $row['temp_password'] ) { $code = $plugins->setHook('login_password_reset'); foreach ( $code as $cmd ) @@ -759,31 +772,41 @@ return array( 'success' => false, 'error' => 'valid_reset', - 'redirect_url' => makeUrlComplete('Special', 'PasswordReset/stage2/' . $row['user_id'] . '/' . $row['temp_password']) + 'redirect_url' => makeUrlComplete('Special', 'PasswordReset/stage2/' . $row['user_id'] . '/' . $this->pk_encrypt($password)) ); } } - if($row['old_encryption'] == 1) + if ( $row['old_encryption'] == 1 ) { // The user's password is stored using the obsolete and insecure MD5 algorithm - we'll update the field with the new password - if($pass_hashed == $row['password'] && !$already_md5ed) + if(md5($password) === $row['password']) { - $pass_stashed = $aes->encrypt($password, $this->private_key, ENC_HEX); - $this->sql('UPDATE '.table_prefix.'users SET password=\''.$pass_stashed.'\',old_encryption=0 WHERE user_id='.$row['user_id'].';'); + $hmac_secret = AESCrypt::randkey(20); + $password_hmac = hmac_sha1($password, $hmac_secret); + $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};"); $success = true; } - elseif($pass_hashed == $row['password'] && $already_md5ed) + } + else if ( $row['old_encryption'] == 2 ) + { + // Our password field uses the 1.0RC1-1.1.5 encryption format + $real_pass = $aes->decrypt($row['password'], $this->private_key); + if($password === $real_pass) { - // We don't have the real password so don't bother with encrypting it, just call it success and get out of here + $success = true; + $hmac_secret = AESCrypt::randkey(20); + $password_hmac = hmac_sha1($password, $hmac_secret); + $this->sql('UPDATE '.table_prefix."users SET password = '$password_hmac', password_salt = '$hmac_secret', old_encryption = 0 WHERE user_id={$row['user_id']};"); $success = true; } } else { - // Our password field is up-to-date with the >=1.0RC1 encryption standards, so decrypt the password in the table and see if we have a match - $real_pass = $aes->decrypt($row['password'], $this->private_key); - if($pass_hashed == md5($real_pass)) + // Password uses HMAC-SHA1 + $user_challenge = hmac_sha1($password, $row['password_salt']); + $password_hmac =& $row['password']; + if ( $user_challenge === $password_hmac ) { $success = true; } @@ -795,7 +818,7 @@ 'success' => false, 'error' => 'too_big_for_britches' ); - $sess = $this->register_session(intval($row['user_id']), $username, $real_pass, $level, $remember); + $sess = $this->register_session($row['user_id'], $username, $password_hmac, $level, $remember); if($sess) { if($level > USER_LEVEL_MEMBER) @@ -886,37 +909,34 @@ * Basically the session key is a hex-encoded cookie (encrypted with the site's private key) that says "u=[username];p=[sha1 of password];s=[unique key id]" * @param int $user_id * @param string $username - * @param string $password + * @param string $password_hmac The HMAC of the user's password, right from the database * @param int $level The level of access to grant, defaults to USER_LEVEL_MEMBER * @param bool $remember Whether the session should be long-term (true) or not (false). Defaults to short-term. * @return bool */ - function register_session($user_id, $username, $password, $level = USER_LEVEL_MEMBER, $remember = false) + function register_session($user_id, $username, $password_hmac, $level = USER_LEVEL_MEMBER, $remember = false) { global $db, $session, $paths, $template, $plugins; // Common objects // Random key identifier - $salt = md5(microtime() . mt_rand()); + $salt = ''; + for ( $i = 0; $i < 32; $i++ ) + { + $salt .= chr(mt_rand(32, 127)); + } - // SHA1 hash of password, stored in the key - $passha1 = sha1($password); - - // Unencrypted session key - $session_key = "u=$username;p=$passha1;s=$salt"; + // Session key + $session_key = hmac_sha1($password_hmac, $salt); // Type of key $key_type = ( $level > USER_LEVEL_MEMBER ) ? SK_ELEV : ( $remember ? SK_LONG : SK_SHORT ); - // Encrypt the key - $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - $session_key = $aes->encrypt($session_key, $this->private_key, ENC_HEX); - // If we're registering an elevated-privilege key, it needs to be on GET if($level > USER_LEVEL_MEMBER) { // Reverse it - cosmetic only ;-) - $hexkey = strrev($session_key); + $hexkey = $session_key; $this->sid_super = $hexkey; $_GET['auth'] = $hexkey; } @@ -943,10 +963,10 @@ die('Somehow an SQL injection attempt crawled into our session registrar! (2)'); // All done! - $query = $db->sql_query('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time, key_type) VALUES(\''.$keyhash.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.', ' . $key_type . ');'); + $query = $db->sql_query('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time, key_type) VALUES(\''.$keyhash.'\', \''.$db->escape($salt).'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.', ' . $key_type . ');'); if ( !$query && defined('IN_ENANO_UPGRADE') ) // we're trying to upgrade so the key_type column is probably missing - try it again without specifying the key type - $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$keyhash.'\', \''.$salt.'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');'); + $this->sql('INSERT INTO '.table_prefix.'session_keys(session_key, salt, user_id, auth_level, source_ip, time) VALUES(\''.$keyhash.'\', \''.$db->escape($salt).'\', '.$user_id.', '.$level.', \''.$ip.'\', '.$time.');'); return true; } @@ -1025,9 +1045,33 @@ { global $db, $session, $paths, $template, $plugins; // Common objects profiler_log("SessionManager: checking session: " . sha1($key)); + + if ( strlen($key) > 48 ) + { + return $this->validate_aes_session($key); + } + + profiler_log("SessionManager: checking session: " . $key); + + return $this->validate_session_shared($key, ''); + } + + /** + * Validates an old-format AES session key. DO NOT USE THIS. Will return false if called outside of an upgrade. + * @param string Session key + * @return array + */ + + protected function validate_aes_session($key) + { + global $db, $session, $paths, $template, $plugins; // Common objects + + // No valid use except during upgrades + if ( !preg_match('/^upg-/', enano_version()) || !defined('IN_ENANO_UPGRADE') ) + return false; + $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); $decrypted_key = $aes->decrypt($key, $this->private_key, ENC_HEX); - if ( !$decrypted_key ) { // die_semicritical('AES encryption error', '

Something went wrong during the AES decryption process.

'.print_r($decrypted_key, true).'
'); @@ -1042,24 +1086,59 @@ } $keyhash = md5($key); $salt = $db->escape($keydata[3]); - profiler_log("SessionManager: checking session: " . sha1($key) . ": decrypted session key to $decrypted_key"); + + return $this->validate_session_shared($keyhash, $salt, true); + } + + /** + * Shared portion of session validation. Do not try to call this. + * @return array + * @access private + */ + + protected function validate_session_shared($key, $salt, $loose_call = false) + { + global $db, $session, $paths, $template, $plugins; // Common objects + // using a normal call to $db->sql_query to avoid failing on errors here - $query = $db->sql_query('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,' . "\n" - . ' u.reg_time,u.account_active,u.activation_key,u.user_lang,u.user_title,k.source_ip,k.time,k.auth_level,k.key_type,COUNT(p.message_id) AS num_pms,' . "\n" - . ' u.user_timezone, u.user_dst, x.* FROM '.table_prefix.'session_keys AS k' . "\n" - . ' LEFT JOIN '.table_prefix.'users AS u' . "\n" - . ' ON ( u.user_id=k.user_id )' . "\n" - . ' LEFT JOIN '.table_prefix.'users_extra AS x' . "\n" - . ' ON ( u.user_id=x.user_id OR x.user_id IS NULL )' . "\n" - . ' LEFT JOIN '.table_prefix.'privmsgs AS p' . "\n" - . ' ON ( p.message_to=u.username AND p.message_read=0 )' . "\n" - . ' WHERE k.session_key=\''.$keyhash.'\'' . "\n" - . ' AND k.salt=\''.$salt.'\'' . "\n" - . ' GROUP BY u.user_id,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,u.user_lang,u.user_timezone,u.user_title,u.user_dst,k.source_ip,k.time,k.auth_level,k.key_type,x.user_id, x.user_aim, x.user_yahoo, x.user_msn, x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public, x.disable_js_fx;'); + $columns_select = "u.user_id AS uid, u.username, u.password, u.password_salt, u.email, u.real_name, u.user_level, u.theme,\n" + . " u.style,u.signature, u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_title, k.salt, k.source_ip,\n" + . " k.time, k.auth_level, k.key_type, COUNT(p.message_id) AS num_pms, u.user_timezone, u.user_dst, x.*"; + + $columns_groupby = "u.user_id, u.username, u.password, u.email, u.real_name, u.user_level, u.theme, u.style, u.signature,\n" + . " u.reg_time, u.account_active, u.activation_key, u.user_lang, u.user_timezone, u.user_title, u.user_dst,\n" + . " k.salt, k.source_ip, k.time, k.auth_level, k.key_type, x.user_id, x.user_aim, x.user_yahoo, x.user_msn,\n" + . " x.user_xmpp, x.user_homepage, x.user_location, x.user_job, x.user_hobbies, x.email_public,\n" + . " x.disable_js_fx"; + + $joins = " LEFT JOIN " . table_prefix . "users AS u\n" + . " ON ( u.user_id=k.user_id )\n" + . " LEFT JOIN " . table_prefix . "users_extra AS x\n" + . " ON ( u.user_id=x.user_id OR x.user_id IS NULL )\n" + . " LEFT JOIN " . table_prefix . "privmsgs AS p\n" + . " ON ( p.message_to=u.username AND p.message_read=0 )\n"; + if ( !$loose_call ) + { + $key_md5 = md5($key); + $query = $db->sql_query("SELECT $columns_select\n" + . "FROM " . table_prefix . "session_keys AS k\n" + . $joins + . " WHERE k.session_key='$key_md5'\n" + . " GROUP BY $columns_groupby;"); + } + else + { + $query = $db->sql_query("SELECT $columns_select\n" + . "FROM " . table_prefix . "session_keys AS k\n" + . $joins + . " WHERE k.session_key='$key'\n" + . " AND k.salt='$salt'\n" + . " GROUP BY $columns_groupby;"); + } if ( !$query && ( defined('IN_ENANO_INSTALL') or defined('IN_ENANO_UPGRADE') ) ) { - $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone, \'0;0;0;0;60\' AS user_dst, ' . SK_SHORT . ' AS key_type FROM '.table_prefix.'session_keys AS k + $query = $this->sql('SELECT u.user_id AS uid,u.username,u.password,\'\' AS password_salt,u.email,u.real_name,u.user_level,u.theme,u.style,u.signature,u.reg_time,u.account_active,u.activation_key,k.source_ip,k.time,k.auth_level,COUNT(p.message_id) AS num_pms, 1440 AS user_timezone, \'0;0;0;0;60\' AS user_dst, ' . SK_SHORT . ' AS key_type FROM '.table_prefix.'session_keys AS k LEFT JOIN '.table_prefix.'users AS u ON ( u.user_id=k.user_id ) LEFT JOIN '.table_prefix.'privmsgs AS p @@ -1078,7 +1157,8 @@ return false; } $row = $db->fetchrow(); - profiler_log("SessionManager: checking session: " . sha1($key) . ": selected and fetched results"); + profiler_log("SessionManager: session check: selected and fetched results"); + $row['user_id'] =& $row['uid']; $ip = $_SERVER['REMOTE_ADDR']; if($row['auth_level'] > $row['user_level']) @@ -1103,15 +1183,21 @@ return false; } - // Do the password validation - $real_pass = $aes->decrypt($row['password'], $this->private_key, ENC_HEX); - - //die('
'.print_r($keydata, true).'
'); - if(sha1($real_pass) != $keydata[2]) + // $loose_call is turned on only from validate_aes_session + if ( !$loose_call ) { - // Failed password check - // echo '(debug) $session->validate_session: encrypted password is wrong
Real password: '.$real_pass.'
Real hash: '.sha1($real_pass).'
User hash: '.$keydata[2]; - return false; + $correct_key = hexdecode(hmac_sha1($row['password'], $row['salt'])); + $user_key = hexdecode($key); + if ( $correct_key !== $user_key || !is_string($user_key) ) + { + return false; + } + } + else + { + // if this is a "loose call", this only works once (during the final upgrade stage). Destroy the contents of session_keys. + if ( $row['auth_level'] == USER_LEVEL_ADMIN ) + $this->sql('DELETE FROM ' . table_prefix . "session_keys;"); } // timestamp check @@ -1156,7 +1242,7 @@ // If this is an elevated-access or short-term session key, update the time if( $row['key_type'] == SK_ELEV || $row['key_type'] == SK_SHORT ) { - $this->sql('UPDATE '.table_prefix.'session_keys SET time='.time().' WHERE session_key=\''.$keyhash.'\';'); + $this->sql('UPDATE '.table_prefix.'session_keys SET time='.time().' WHERE session_key=\''.md5($key).'\';'); } $user_extra = array(); @@ -1169,7 +1255,7 @@ $this->user_extra = $user_extra; // Leave the rest to PHP's automatic garbage collector ;-) - $row['password'] = md5($real_pass); + $row['password'] = ''; $row['user_timezone'] = intval($row['user_timezone']) - 1440; profiler_log("SessionManager: finished session check"); @@ -1256,12 +1342,8 @@ { return 'success'; } - // See if we can get rid of the cached decrypted session key - $key_bin = hex2bin(strrev($this->sid_super)); - $key_hash = sha1($key_bin . '::' . $this->private_key); - aes_decrypt_cache_destroy($key_hash); // Destroy elevated privileges - $keyhash = md5(strrev($this->sid_super)); + $keyhash = md5($this->sid_super); $this->sql('DELETE FROM '.table_prefix.'session_keys WHERE session_key=\''.$keyhash.'\' AND user_id=\'' . $this->user_id . '\';'); $this->sid_super = false; $this->auth_level = USER_LEVEL_MEMBER; @@ -1996,8 +2078,18 @@ function register_temp_password($user_id, $password) { - $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - $temp_pass = $aes->encrypt($password, $this->private_key, ENC_HEX); + global $db; + if ( !is_int($user_id) ) + return false; + + $this->sql('SELECT password_salt FROM ' . table_prefix . "users WHERE user_id = $user_id;"); + if ( $db->numrows() < 1 ) + return false; + + list($salt) = $db->fetchrow_num(); + $db->free_result(); + + $temp_pass = hmac_sha1($password, $salt); $this->sql('UPDATE '.table_prefix.'users SET temp_password=\'' . $temp_pass . '\',temp_password_time='.time().' WHERE user_id='.intval($user_id).';'); } @@ -2285,6 +2377,27 @@ } /** + * Sets a user's password. + * @param int|string User ID or username + * @param string New password + */ + + function set_password($user, $password) + { + // Generate new password and salt + $hmac_secret = hexencode(AESCrypt::randkey(20), '', ''); + $password_hmac = hmac_sha1($password, $hmac_secret); + + // Figure out how we want to specify the user + $uidcol = is_int($user) ? "user_id = $user" : ENANO_SQLFUNC_LOWERCASE . "(username) = '" . strtolower($this->prepare_text($user)) . "'"; + + // Perform update + $this->sql('UPDATE ' . table_prefix . "users SET old_encryption = 0, password = '$password_hmac', password_salt = '$hmac_secret' WHERE $uidcol;"); + + return true; + } + + /** * Encrypts a string using the site's private key. * @param string * @param int Return type - one of ENC_BINARY, ENC_HEX, ENC_BASE64 @@ -3389,7 +3502,7 @@ } /** - * Generates some Javascript that calls the AES encryption library. + * Generates some Javascript that calls the AES encryption library. Put this after your . * @param string The name of the form * @param string The name of the password field * @param string The name of the field that switches encryption on or off @@ -3402,15 +3515,16 @@ * @return string */ - function aes_javascript($form_name, $pw_field, $use_crypt, $crypt_key, $crypt_data, $challenge, $dh_supported = false, $dh_pubkey = false, $dh_client_pubkey = false) + function aes_javascript($form_name, $pw_field, $use_crypt = 'use_crypt', $crypt_key = 'crypt_key', $crypt_data = 'crypt_data', $challenge = 'challenge_data', $dh_supported = 'dh_supported', $dh_pubkey = 'dh_public_key', $dh_client_pubkey = 'dh_client_public_key') { $code = ' '; @@ -3514,6 +3646,125 @@ } /** + * Generates the HTML form elements required for an encrypted logon experience. + * @return string + */ + + function generate_aes_form() + { + $return = ''; + $return .= ''; + $return .= ''; + $return .= ''; + + require_once(ENANO_ROOT . '/includes/math.php'); + require_once(ENANO_ROOT . '/includes/diffiehellman.php'); + + global $dh_supported, $_math; + if ( $dh_supported ) + { + $dh_key_priv = dh_gen_private(); + $dh_key_pub = dh_gen_public($dh_key_priv); + $dh_key_priv = $_math->str($dh_key_priv); + $dh_key_pub = $_math->str($dh_key_pub); + // store the keys in the DB + $this->sql('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );"); + + $return .= " + + "; + } + else + { + $return .= ""; + } + return $return; + } + + /** + * If you used all the same form fields as the normal login interface, this will take care of DiffieHellman for you and return the key. + * @param string Password field name (defaults to "password") + * @return string + */ + + function get_aes_post($fieldname = 'password') + { + global $db, $session, $paths, $template, $plugins; // Common objects + + $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); + if ( $_POST['use_crypt'] == 'yes' ) + { + $crypt_key = $this->fetch_public_key($_POST['crypt_key']); + if ( !$crypt_key ) + { + throw new Exception($lang->get('user_err_key_not_found')); + } + $crypt_key = hexdecode($crypt_key); + $data = $aes->decrypt($_POST['crypt_data'], $crypt_key, ENC_HEX); + } + else if ( $_POST['use_crypt'] == 'yes_dh' ) + { + require_once(ENANO_ROOT . '/includes/math.php'); + require_once(ENANO_ROOT . '/includes/diffiehellman.php'); + + global $dh_supported, $_math; + + if ( !$dh_supported ) + { + throw new Exception('Server does not support DiffieHellman, denying request'); + } + + // Fetch private key + $dh_public = $_POST['dh_public_key']; + if ( !preg_match('/^[0-9]+$/', $dh_public) ) + { + throw new Exception('ERR_DH_KEY_NOT_INTEGER'); + } + $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$dh_public';"); + if ( !$q ) + $db->die_json(); + + if ( $db->numrows() < 1 ) + { + throw new Exception('ERR_DH_KEY_NOT_FOUND'); + } + + list($dh_private, $dh_key_id) = $db->fetchrow_num(); + $db->free_result(); + + // We have the private key, now delete the key pair, we no longer need it + $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE key_id = $dh_key_id;"); + if ( !$q ) + $db->die_json(); + + // Generate the shared secret + $dh_secret = dh_gen_shared_secret($dh_private, $_POST['dh_client_public_key']); + $dh_secret = $_math->str($dh_secret); + + // Did we get all our math right? + $dh_secret_check = sha1($dh_secret); + $dh_hash = $_POST['crypt_key']; + if ( $dh_secret_check !== $dh_hash ) + { + throw new Exception('ERR_DH_HASH_NO_MATCH'); + } + + // All good! Generate the AES key + $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 )); + + // decrypt user info + $aes_key = hexdecode($aes_key); + $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); + $data = $aes->decrypt($_POST['crypt_data'], $aes_key, ENC_HEX); + } + else + { + $data = $_POST[$fieldname]; + } + return $data; + } + + /** * Backend code for the JSON login interface. Basically a frontend to the session API that takes all parameters in one huge array. * @param array LoginAPI request * @return array LoginAPI response @@ -3736,7 +3987,7 @@ // If we're logging in with a temp password, attach to the login_password_reset hook to send our JSON response // A bit hackish since it just dies with the response :-( - $plugins->attachHook('login_password_reset', '$this->process_login_request(array(\'mode\' => \'respond_password_reset\', \'user_id\' => $row[\'user_id\'], \'temp_password\' => $row[\'temp_password\']));'); + $plugins->attachHook('login_password_reset', '$this->process_login_request(array(\'mode\' => \'respond_password_reset\', \'user_id\' => $row[\'user_id\'], \'temp_password\' => $this->pk_encrypt($password)));'); // attempt the login // function login_without_crypto($username, $password, $already_md5ed = false, $level = USER_LEVEL_MEMBER, $captcha_hash = false, $captcha_code = false) diff -r 9cdfe82c56cd -r eb8b23f11744 includes/sql_parse.php --- a/includes/sql_parse.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/sql_parse.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * sql_parse.php - SQL query splitter and templater diff -r 9cdfe82c56cd -r eb8b23f11744 includes/stats.php --- a/includes/stats.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/stats.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * stats.php - handles statistics for pages (disablable in the admin CP) * diff -r 9cdfe82c56cd -r eb8b23f11744 includes/tagcloud.php --- a/includes/tagcloud.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/tagcloud.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/template.php --- a/includes/template.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/template.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/wikiengine/Tables.php --- a/includes/wikiengine/Tables.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/wikiengine/Tables.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 includes/wikiformat.php --- a/includes/wikiformat.php Sat Jan 03 18:11:18 2009 -0500 +++ b/includes/wikiformat.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 index.php --- a/index.php Sat Jan 03 18:11:18 2009 -0500 +++ b/index.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/common.php --- a/install/includes/common.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/common.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * common.php - Installer common functions @@ -16,8 +16,8 @@ // Our version number. This needs to be changed for any custom releases. $installer_version = array( - 'version' => '1.1.5', - 'type' => 'alpha' + 'version' => '1.1.6', + 'type' => 'beta' // If type is set to "rc", "beta", or "alpha", optionally another version number can be issued with the key 'sub': // 'sub' => '3' will produce Enano 1.1.1a3 / Enano 1.1.1 alpha 3 ); @@ -105,6 +105,7 @@ require_once(ENANO_ROOT . '/includes/json.php'); require_once(ENANO_ROOT . '/includes/constants.php'); require_once(ENANO_ROOT . '/includes/rijndael.php'); +require_once(ENANO_ROOT . '/includes/hmac.php'); // If we have at least PHP 5, load json2 if ( version_compare(PHP_VERSION, '5.0.0', '>=') ) diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/libenanoinstall.php --- a/install/includes/libenanoinstall.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/libenanoinstall.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * libenanoinstall.php - Installation payload backend diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/payload.php --- a/install/includes/payload.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/payload.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * payload.php - Installer payload (the installation logic) @@ -96,11 +96,12 @@ return $sql_parser->parse(); $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); + $hmac_secret = hexencode(AESCrypt::randkey(20), '', ''); $site_key = stg_make_private_key(); $site_key = hexdecode($site_key); $admin_pass_clean = stg_password_decode(); - $admin_pass = $aes->encrypt($admin_pass_clean, $site_key, ENC_HEX); + $admin_pass = hmac_sha1($admin_pass_clean, $hmac_secret); unset($admin_pass_clean); // Security @@ -137,6 +138,7 @@ 'VERSION' => $installer_version['version'], 'ADMIN_USER' => $db->escape($_POST['username']), 'ADMIN_PASS' => $admin_pass, + 'ADMIN_PASS_SALT' => $hmac_secret, 'ADMIN_EMAIL' => $db->escape($_POST['email']), 'REAL_NAME' => '', // This has always been stubbed. 'ADMIN_EMBED_PHP' => strval(AUTH_DISALLOW), diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/confirm.php --- a/install/includes/stages/confirm.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/confirm.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * confirm.php - Installer installation summary/confirmation stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/database.php --- a/install/includes/stages/database.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/database.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * database.php - Installer database driver selection stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/database_mysql.php --- a/install/includes/stages/database_mysql.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/database_mysql.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * database_mysql.php - Installer database info page, MySQL diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/database_post.php --- a/install/includes/stages/database_post.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/database_post.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * database_post.php - Database installation, stage 1 diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/database_postgresql.php --- a/install/includes/stages/database_postgresql.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/database_postgresql.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * database_postgresql.php - Installer database info page, PostgreSQL diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/finish.php --- a/install/includes/stages/finish.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/finish.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * finish.php - Installer finalization stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/install.php --- a/install/includes/stages/install.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/install.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * install.php - Installer payload stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/license.php --- a/install/includes/stages/license.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/license.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * license.php - Installer license-agreement stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/login.php --- a/install/includes/stages/login.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/login.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * login.php - Installer login information stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/sysreqs.php --- a/install/includes/stages/sysreqs.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/sysreqs.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * sysreqs.php - Installer system-requirements page diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/stages/website.php --- a/install/includes/stages/website.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/stages/website.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * website.php - Installer website-settings stage diff -r 9cdfe82c56cd -r eb8b23f11744 install/includes/ui.php --- a/install/includes/ui.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/includes/ui.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * ui.php - User interface for installations and upgrades diff -r 9cdfe82c56cd -r eb8b23f11744 install/index.php --- a/install/index.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/index.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * welcome.php - Portal to upgrade, readme, and install pages diff -r 9cdfe82c56cd -r eb8b23f11744 install/install.php --- a/install/install.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/install.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * install.php - Main installation interface diff -r 9cdfe82c56cd -r eb8b23f11744 install/readme.php --- a/install/readme.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/readme.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * install.php - Main installation interface diff -r 9cdfe82c56cd -r eb8b23f11744 install/schemas/mysql_stage2.sql --- a/install/schemas/mysql_stage2.sql Sat Jan 03 18:11:18 2009 -0500 +++ b/install/schemas/mysql_stage2.sql Sun Jan 04 00:55:40 2009 -0500 @@ -93,7 +93,8 @@ CREATE TABLE {{TABLE_PREFIX}}users( user_id mediumint(8) NOT NULL auto_increment, username text, - password varchar(255), + password varchar(40), + password_salt varchar(40) NOT NULL DEFAULT '', email text, real_name text, user_level tinyint(1) NOT NULL DEFAULT 2, @@ -373,9 +374,9 @@ ('oxygen', 'Oxygen', 1, 'bleu.css', 1), ('stpatty', 'St. Patty', 2, 'shamrock.css', 1); -INSERT INTO {{TABLE_PREFIX}}users(user_id, username, password, email, real_name, user_level, theme, style, signature, reg_time, account_active, user_registration_ip) VALUES - (1, 'Anonymous', 'invalid-pass-hash', 'anonspam@enanocms.org', 'None', 1, 'oxygen', 'bleu', '', 0, 0, '{{IP_ADDRESS}}'), - (2, '{{ADMIN_USER}}', '{{ADMIN_PASS}}', '{{ADMIN_EMAIL}}', '{{REAL_NAME}}', 9, 'oxygen', 'bleu', '', UNIX_TIMESTAMP(), 1, '{{IP_ADDRESS}}'); +INSERT INTO {{TABLE_PREFIX}}users(user_id, username, password, password_salt, email, real_name, user_level, theme, style, signature, reg_time, account_active, user_registration_ip) VALUES + (1, 'Anonymous', 'invalid-pass-hash', '', 'anonspam@enanocms.org', 'None', 1, 'oxygen', 'bleu', '', 0, 0, '{{IP_ADDRESS}}'), + (2, '{{ADMIN_USER}}', '{{ADMIN_PASS}}', '{{ADMIN_PASS_SALT}}', '{{ADMIN_EMAIL}}', '{{REAL_NAME}}', 9, 'oxygen', 'bleu', '', UNIX_TIMESTAMP(), 1, '{{IP_ADDRESS}}'); INSERT INTO {{TABLE_PREFIX}}users_extra(user_id) VALUES (2); diff -r 9cdfe82c56cd -r eb8b23f11744 install/schemas/postgresql_stage2.sql --- a/install/schemas/postgresql_stage2.sql Sat Jan 03 18:11:18 2009 -0500 +++ b/install/schemas/postgresql_stage2.sql Sun Jan 04 00:55:40 2009 -0500 @@ -94,6 +94,7 @@ user_id SERIAL, username text, password varchar(255), + password_salt varchar(40) NOT NULL DEFAULT '', email text, real_name text, user_level smallint NOT NULL DEFAULT 2, @@ -390,9 +391,9 @@ ('oxygen', 'Oxygen', 1, 'bleu.css', 1), ('stpatty', 'St. Patty', 2, 'shamrock.css', 1); -INSERT INTO {{TABLE_PREFIX}}users(user_id, username, password, email, real_name, user_level, theme, style, signature, reg_time, account_active, user_registration_ip, user_lang, user_has_avatar, avatar_type) VALUES - (1, 'Anonymous', 'invalid-pass-hash', 'anonspam@enanocms.org', 'None', 1, 'oxygen', 'bleu', '', 0, 0, '', 0, 0, 'png'), - (2, '{{ADMIN_USER}}', '{{ADMIN_PASS}}', '{{ADMIN_EMAIL}}', '{{REAL_NAME}}', 9, 'oxygen', 'bleu', '', {{UNIX_TIME}}, 1, '{{IP_ADDRESS}}', 0, 0, 'png'); +INSERT INTO {{TABLE_PREFIX}}users(user_id, username, password, password_salt, email, real_name, user_level, theme, style, signature, reg_time, account_active, user_registration_ip, user_lang, user_has_avatar, avatar_type) VALUES + (1, 'Anonymous', 'invalid-pass-hash', '', 'anonspam@enanocms.org', 'None', 1, 'oxygen', 'bleu', '', 0, 0, '', 0, 0, 'png'), + (2, '{{ADMIN_USER}}', '{{ADMIN_PASS}}', '{{ADMIN_PASS_SALT}}', '{{ADMIN_EMAIL}}', '{{REAL_NAME}}', 9, 'oxygen', 'bleu', '', {{UNIX_TIME}}, 1, '{{IP_ADDRESS}}', 0, 0, 'png'); INSERT INTO {{TABLE_PREFIX}}users_extra(user_id) VALUES (2); diff -r 9cdfe82c56cd -r eb8b23f11744 install/schemas/upgrade/1.1.5-1.1.6-mysql.sql --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/install/schemas/upgrade/1.1.5-1.1.6-mysql.sql Sun Jan 04 00:55:40 2009 -0500 @@ -0,0 +1,2 @@ +ALTER TABLE users ADD COLUMN password_salt varchar(40) NOT NULL DEFAULT ''; + diff -r 9cdfe82c56cd -r eb8b23f11744 install/schemas/upgrade/1.1.5-1.1.6-postgresql.sql --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/install/schemas/upgrade/1.1.5-1.1.6-postgresql.sql Sun Jan 04 00:55:40 2009 -0500 @@ -0,0 +1,2 @@ +ALTER TABLE users ADD COLUMN password_salt varchar(40) NOT NULL DEFAULT ''; + diff -r 9cdfe82c56cd -r eb8b23f11744 install/schemas/upgrade/1.1.5-1.1.6.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/install/schemas/upgrade/1.1.5-1.1.6.php Sun Jan 04 00:55:40 2009 -0500 @@ -0,0 +1,35 @@ +sql_query('UPDATE ' . table_prefix . "users SET old_encryption = 2 WHERE user_id > 1 AND old_encryption = 0;"); +if ( !$q ) + $db->_die(); + +$q = $db->sql_query('SELECT user_id, password FROM ' . table_prefix . "users WHERE user_id > 1 AND old_encryption = 2;"); +if ( !$q ) + $db->_die(); + +while ( $row = $db->fetchrow($q) ) +{ + $password = $session->pk_decrypt($row['password']); + if ( empty($password) ) + { + global $ui; + echo '

1.1.5-1.1.6 migration script: ERROR: bad password returned from $session->pk_decrypt()

'; + $ui->show_footer(); + exit; + } + $hmac_secret = hexencode(AESCrypt::randkey(20), '', ''); + $password = hmac_sha1($password, $hmac_secret); + $e = $db->sql_query('UPDATE ' . table_prefix . "users SET password = '{$password}', password_salt = '{$hmac_secret}', old_encryption = 0 WHERE user_id = {$row['user_id']};"); + if ( !$e ) + $db->_die(); +} + + diff -r 9cdfe82c56cd -r eb8b23f11744 install/upgrade.php --- a/install/upgrade.php Sat Jan 03 18:11:18 2009 -0500 +++ b/install/upgrade.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * Installation package * upgrade.php - Upgrade interface @@ -19,7 +19,7 @@ // The list of versions in THIS AND PREVIOUS branches, in chronological order. $enano_versions = array(); $enano_versions['1.0'] = array('1.0', '1.0.1', '1.0.2b1', '1.0.2', '1.0.3', '1.0.4', '1.0.5'); -$enano_versions['1.1'] = array('1.1.1', '1.1.2', '1.1.3', '1.1.4', '1.1.5'); +$enano_versions['1.1'] = array('1.1.1', '1.1.2', '1.1.3', '1.1.4', '1.1.5', '1.1.6'); // Turn on every imaginable API hack to make common load on older databases define('IN_ENANO_UPGRADE', 1); diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/PrivateMessages.php --- a/plugins/PrivateMessages.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/PrivateMessages.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialAdmin.php --- a/plugins/SpecialAdmin.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialAdmin.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialCSS.php --- a/plugins/SpecialCSS.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialCSS.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialGroups.php --- a/plugins/SpecialGroups.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialGroups.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2007 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialPageFuncs.php --- a/plugins/SpecialPageFuncs.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialPageFuncs.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialRecentChanges.php --- a/plugins/SpecialRecentChanges.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialRecentChanges.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialSearch.php --- a/plugins/SpecialSearch.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialSearch.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialUpdownload.php --- a/plugins/SpecialUpdownload.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialUpdownload.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * SpecialUpdownload.php - handles uploading and downloading of user-uploaded files - possibly the most rigorously security-enforcing script in all of Enano, although sessions.php comes in a close second * diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialUserFuncs.php --- a/plugins/SpecialUserFuncs.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialUserFuncs.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -121,12 +121,6 @@ global $__login_status; global $lang; - require_once( ENANO_ROOT . '/includes/diffiehellman.php' ); - global $dh_supported, $_math; - - $pubkey = $session->rijndael_genkey(); - $challenge = $session->dss_rand(); - $locked_out = false; // are we locked out? $threshold = ( $_ = getConfig('lockout_threshold') ) ? intval($_) : 5; @@ -436,10 +430,6 @@ - - - - str($dh_key_priv); - $dh_key_pub = $_math->str($dh_key_pub); - // store the keys in the DB - $q = $db->sql_query('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );"); - if ( !$q ) - $db->_die(); - - echo " - - "; - } - else - { - echo ""; - } + echo $session->generate_aes_form(); ?> aes_javascript('loginform', 'pass', 'use_crypt', 'crypt_key', 'crypt_data', 'challenge_data', 'dh_supported', 'dh_public_key', 'dh_client_public_key'); + echo $session->aes_javascript('loginform', 'pass'); ?> footer(); @@ -516,93 +483,28 @@ } if ( isset($_GET['act']) && $_GET['act'] == 'ajaxlogin' ) { - echo 'This version of the Enano LoginAPI is deprecated. Please use the action.json method instead.'; + echo 'This version of the Enano LoginAPI is deprecated. Please clear your browser\'s cache and try your login again. Developers, please use the action.json method instead.'; return true; } if(isset($_POST['login'])) { $captcha_hash = ( isset($_POST['captcha_hash']) ) ? $_POST['captcha_hash'] : false; $captcha_code = ( isset($_POST['captcha_code']) ) ? $_POST['captcha_code'] : false; - if ( $_POST['use_crypt'] == 'yes' ) + + try { - $result = $session->login_with_crypto($_POST['username'], $_POST['crypt_data'], $_POST['crypt_key'], $_POST['challenge_data'], intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember'])); + $password = $session->get_aes_post('pass'); } - else if ( $_POST['use_crypt'] == 'yes_dh' ) + catch ( Exception $e ) { - // retrieve and decrypt the password using DiffieHellman - - require_once( ENANO_ROOT . '/includes/diffiehellman.php' ); - global $dh_supported, $_math; - - if ( !$dh_supported ) - { - die_semicritical('DiffieHellman error', 'Server does not support DiffieHellman, denying logon request'); - } - - // Fetch private key - $dh_public = $_POST['dh_public_key']; - if ( !preg_match('/^[0-9]+$/', $dh_public) ) - { - $__login_status = array( - 'success' => false, - 'error' => 'ERR_DH_KEY_NOT_INTEGER', - 'debug' => "public key: $dh_public" - ); - return false; - } - $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$dh_public';"); - if ( !$q ) - $db->die_json(); - - if ( $db->numrows() < 1 ) - { - $__login_status = array( - 'success' => false, - 'error' => 'ERR_DH_KEY_NOT_FOUND', - 'debug' => "public key: $dh_public" - ); - return false; - } - - list($dh_private, $dh_key_id) = $db->fetchrow_num(); - $db->free_result(); - - // We have the private key, now delete the key pair, we no longer need it - $q = $db->sql_query('DELETE FROM ' . table_prefix . "diffiehellman WHERE key_id = $dh_key_id;"); - if ( !$q ) - $db->die_json(); - - // Generate the shared secret - $dh_secret = dh_gen_shared_secret($dh_private, $_POST['dh_client_public_key']); - $dh_secret = $_math->str($dh_secret); - - // Did we get all our math right? - $dh_secret_check = sha1($dh_secret); - $dh_hash = $_POST['crypt_key']; - if ( $dh_secret_check !== $dh_hash ) - { - $__login_status = array( - 'success' => false, - 'error' => 'ERR_DH_HASH_NO_MATCH', - 'debug' => "dh_secret_check = $dh_secret_check\ndh_hash_input = $dh_hash" - ); - return false; - } - - // All good! Generate the AES key - $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 )); - - // decrypt user info - $aes_key = hexdecode($aes_key); - $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - $password = $aes->decrypt($_POST['crypt_data'], $aes_key, ENC_HEX); - - $result = $session->login_without_crypto($_POST['username'], $password, false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember'])); + $__login_status = array( + 'mode' => 'error', + 'error' => $e->getMessage() + ); + return false; } - else - { - $result = $session->login_without_crypto($_POST['username'], $_POST['pass'], false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember'])); - } + + $result = $session->login_without_crypto($_POST['username'], $password, false, intval($_POST['auth_level']), $captcha_hash, $captcha_code, isset($_POST['remember'])); if($result['success']) { @@ -1598,6 +1500,9 @@ $template->header(); if($paths->getParam(0) == 'stage2') { + require_once(ENANO_ROOT . '/includes/math.php'); + require_once(ENANO_ROOT . '/includes/diffiehellman.php'); + $user_id = intval($paths->getParam(1)); $encpass = $paths->getParam(2); if ( $user_id < 2 ) @@ -1613,7 +1518,7 @@ return false; } - $q = $db->sql_query('SELECT username,temp_password_time FROM '.table_prefix.'users WHERE user_id='.$user_id.' AND temp_password=\'' . $encpass . '\';'); + $q = $db->sql_query('SELECT username,temp_password_time,temp_password,password_salt FROM '.table_prefix.'users WHERE user_id='.$user_id.';'); if($db->numrows() < 1) { echo '

Invalid credentials

'; @@ -1623,6 +1528,16 @@ $row = $db->fetchrow(); $db->free_result(); + $temp_pass = $session->pk_decrypt($encpass); + $temp_hmac = hmac_sha1($temp_pass, $row['password_salt']); + + if ( $temp_hmac !== $row['temp_password'] ) + { + echo '

Invalid credentials

'; + $template->footer(); + return false; + } + if ( ( intval($row['temp_password_time']) + ( 3600 * 24 ) ) < time() ) { echo '

' . $lang->get('userfuncs_passreset_err_pass_expired', array('reset_url' => makeUrlNS('Special', 'PasswordReset'))) . '

'; @@ -1632,48 +1547,29 @@ if ( isset($_POST['do_stage2']) ) { - $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - if($_POST['use_crypt'] == 'yes') - { - $crypt_key = $session->fetch_public_key($_POST['crypt_key']); - if(!$crypt_key) - { - echo $lang->get('user_err_key_not_found'); - $template->footer(); - return false; - } - $crypt_key = hexdecode($crypt_key); - $data = $aes->decrypt($_POST['crypt_data'], $crypt_key, ENC_HEX); - if(strlen($data) < 6) - { - echo $lang->get('userfuncs_passreset_err_too_short'); - $template->footer(); - return false; - } - } - else - { - $data = $_POST['pass']; - $conf = $_POST['pass_confirm']; - if($data != $conf) - { - echo $lang->get('userfuncs_passreset_err_no_match'); - $template->footer(); - return false; - } - if(strlen($data) < 6) - { - echo $lang->get('userfuncs_passreset_err_too_short'); - $template->footer(); - return false; - } - } + $data = $session->get_aes_post('pass'); + if(empty($data)) { echo 'ERROR: Sanity check failed!'; $template->footer(); return false; } + if ( strlen($data) < 6 ) + { + echo '

' . $lang->get('userfuncs_passreset_err_too_short') . '

'; + $template->footer(); + return false; + } + if ( $_POST['use_crypt'] == 'no' ) + { + if ( $_POST['pass'] !== $_POST['pass_confirm'] ) + { + echo '

' . $lang->get('userfuncs_passreset_err_no_match') . '

'; + $template->footer(); + return false; + } + } if ( getConfig('pw_strength_enable') == '1' ) { $min_score = intval(getConfig('pw_strength_minimum')); @@ -1686,8 +1582,10 @@ return false; } } - $encpass = $session->pk_encrypt($data, ENC_HEX); - $q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $encpass . '\',temp_password=\'\',temp_password_time=0 WHERE user_id='.$user_id.';'); + + $session->set_password($user_id, $data); + + $q = $db->sql_query('UPDATE '.table_prefix.'users SET temp_password=\'\',temp_password_time=0 WHERE user_id = '.$user_id.';'); if($q) { @@ -1704,10 +1602,8 @@ } // Password reset form - $pubkey = $session->rijndael_genkey(); - $evt_get_score = ( getConfig('pw_strength_enable') == '1' ) ? 'onkeyup="password_score_field(this);" ' : ''; - $pw_meter = ( getConfig('pw_strength_enable') == '1' ) ? '' . $lang->get('userfuncs_passreset_stage2_lbl_strength') . '
' : ''; + $pw_meter = ( getConfig('pw_strength_enable') == '1' ) ? '' . $lang->get('userfuncs_passreset_stage2_lbl_strength') . '
' : ''; $pw_blurb = ( getConfig('pw_strength_enable') == '1' && intval(getConfig('pw_strength_minimum')) > -10 ) ? '
' . $lang->get('userfuncs_passreset_stage2_blurb_strength') . '' : ''; ?> @@ -1721,86 +1617,23 @@ - - - + + generate_aes_form(); ?> aes_javascript('resetform', 'pass', 'use_crypt', 'crypt_key', 'crypt_data', 'challenge_data', 'dh_supported', 'dh_public_key', 'dh_client_public_key'); $template->footer(); return true; } diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/SpecialUserPrefs.php --- a/plugins/SpecialUserPrefs.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/SpecialUserPrefs.php Sun Jan 04 00:55:40 2009 -0500 @@ -12,7 +12,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute it and/or modify it under the terms of the GNU General Public License @@ -226,13 +226,9 @@ $email_changed = true; } // Obtain password - if ( $_POST['use_crypt'] == 'yes' && !empty($_POST['crypt_data']) ) + if ( !empty($_POST['crypt_data']) || !empty($_POST['newpass']) ) { - $key = $session->fetch_public_key($_POST['crypt_key']); - if ( !$key ) - die('Can\'t lookup key'); - $key = hexdecode($key); - $newpass = $aes->decrypt($_POST['crypt_data'], $key, ENC_HEX); + $newpass = $session->get_aes_post('newpass'); // At this point we know if we _want_ to change the password... // We can't check the password to see if it matches the confirmation @@ -255,14 +251,15 @@ if ( $score_inp < $score_min ) $errors .= '
' . $lang->get('usercp_emailpassword_err_password_too_weak', array('score' => $score_inp)) . '
'; } + if ( $_POST['use_crypt'] == 'no' && $newpass != $_POST['newpass_confirm'] ) + { + $errors .= '
' . $lang->get('usercp_emailpassword_err_password_no_match') . '
'; + } // Encrypt new password if ( empty($errors) ) { - $newpass_enc = $session->pk_encrypt($newpass, ENC_HEX); // Perform the swap - $q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $newpass_enc . '\' WHERE user_id=' . $session->user_id . ';'); - if ( !$q ) - $db->_die(); + $session->set_password($session->username, $newpass); // Log out and back in $username = $session->username; $session->logout(); @@ -282,39 +279,6 @@ } } } - else - { - switch('foo') // allow breaking out of our section...i can't wait until PHP6 (goto support!) - { - case 'foo': - $pass = $_POST['newpass']; - if ( $pass != $_POST['newpass_conf'] ) - { - $errors .= '
' . $lang->get('usercp_emailpassword_err_password_no_match') . '
'; - break; - } - - $session->logout(); - if ( $email_changed ) - { - if ( getConfig('account_activation') == 'user' ) - { - redirect(makeUrl(get_main_page()), $lang->get('usercp_emailpassword_msg_profile_success'), $lang->get('usercp_emailpassword_msg_need_activ_user'), 20); - } - else if ( getConfig('account_activation') == 'admin' ) - { - redirect(makeUrl(get_main_page()), $lang->get('usercp_emailpassword_msg_profile_success'), $lang->get('usercp_emailpassword_msg_need_activ_admin'), 20); - } - } - else - { - $session->login_without_crypto($session->username, $newpass); - redirect(makeUrlNS('Special', 'Preferences'), $lang->get('usercp_emailpassword_msg_pass_success'), $lang->get('usercp_emailpassword_msg_password_changed'), 5); - } - - return; - } - } } $template->tpl_strings['PAGE_NAME'] = $lang->get('usercp_emailpassword_title'); break; @@ -359,8 +323,6 @@ echo '
'; // Password change form - $pubkey = $session->rijndael_genkey(); - echo '
' . $lang->get('usercp_emailpassword_grp_chpasswd') . ' ' . $lang->get('usercp_emailpassword_field_newpass') . '
@@ -368,7 +330,7 @@

' . $lang->get('usercp_emailpassword_field_newpass_confirm') . '
- + ' . ( getConfig('pw_strength_enable') == '1' ? '

' . $lang->get('usercp_emailpassword_msg_password_min_score') . '' : '' ) . '

@@ -381,75 +343,24 @@ ' . $lang->get('usercp_emailpassword_field_newemail_confirm') . '
- - -
'; + echo $session->generate_aes_form(); echo '
'; // ENCRYPTION CODE ?> + - - function runEncryption() - { - load_component('crypto'); - var aes_testpassed = aes_self_test(); - - var frm = document.forms.empwform; - if ( frm.newpass.value.length < 1 ) - return true; - - pass1 = frm.newpass.value; - pass2 = frm.newpass_conf.value; - if ( pass1 != pass2 ) - { - alert($lang.get('usercp_emailpassword_err_password_no_match')); - return false; - } - if ( pass1.length < 6 && pass1.length > 0 ) - { - alert($lang.get('usercp_emailpassword_err_password_too_short')); - return false; - } - - if(aes_testpassed) - { - frm.use_crypt.value = 'yes'; - var cryptkey = frm.crypt_key.value; - frm.crypt_key.value = hex_md5(cryptkey); - cryptkey = hexToByteArray(cryptkey); - if(!cryptkey || ( ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ) && cryptkey.length != keySizeInBits / 8 ) - { - frm.submit.disabled = true; - len = ( typeof cryptkey == 'string' || typeof cryptkey == 'object' ) ? '\nLen: '+cryptkey.length : ''; - alert('The key is messed up\nType: '+typeof(cryptkey)+len); - } - pass = frm.newpass.value; - pass = stringToByteArray(pass); - cryptstring = rijndaelEncrypt(pass, cryptkey, 'ECB'); - if(!cryptstring) - { - return false; - } - cryptstring = byteArrayToHex(cryptstring); - frm.crypt_data.value = cryptstring; - frm.newpass.value = ""; - frm.newpass_conf.value = ""; - } - return true; - } - aes_javascript('empwform', 'newpass'); break; case 'Signature': if ( isset($_POST['new_sig']) ) diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/CacheManager.php --- a/plugins/admin/CacheManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/CacheManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/GroupManager.php --- a/plugins/admin/GroupManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/GroupManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/LangManager.php --- a/plugins/admin/LangManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/LangManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/PageEditor.php --- a/plugins/admin/PageEditor.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/PageEditor.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/PageGroups.php --- a/plugins/admin/PageGroups.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/PageGroups.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/PageManager.php --- a/plugins/admin/PageManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/PageManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/PluginManager.php --- a/plugins/admin/PluginManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/PluginManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/SecurityLog.php --- a/plugins/admin/SecurityLog.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/SecurityLog.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/ThemeManager.php --- a/plugins/admin/ThemeManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/ThemeManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/UserManager.php --- a/plugins/admin/UserManager.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/UserManager.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License @@ -76,72 +76,7 @@ $password = false; if ( $_POST['changing_pw'] == 'yes' ) { - $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE); - if ( $_POST['dh_supported'] === 'true' ) - { - $my_public = $_POST['dh_public']; - $remote_public = $_POST['dh_mypublic']; - - // Check the key - if ( !preg_match('/^[0-9]+$/', $my_public) || !preg_match('/^[0-9]+$/', $remote_public) ) - { - $errors[] = $lang->get('user_err_dh_key_not_numeric'); - } - else - { - // We have our own public key - cross reference it with the private key in the database - $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$my_public';"); - if ( !$q ) - $db->_die(); - - if ( $db->numrows() < 1 ) - { - $errors[] = $lang->get('user_err_dh_key_not_found'); - } - else - { - list($my_private, $key_id) = $db->fetchrow_num($q); - $db->free_result(); - // now that we have this key it can be disposed of - $q = $db->sql_query("DELETE FROM " . table_prefix . "diffiehellman WHERE key_id = $key_id;"); - if ( !$q ) - $db->_die(); - // get the shared secret - $dh_secret = dh_gen_shared_secret($my_private, $remote_public); - global $_math; - $dh_secret = $_math->str($dh_secret); - - // make sure we calculated everything right - $secret_check = sha1($dh_secret); - if ( $secret_check !== $_POST['crypt_key'] ) - { - // uh-oh. - $errors[] = $lang->get('user_err_dh_key_not_found'); - } - else - { - $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 )); - $aes_key = hexdecode($aes_key); - $password = $aes->decrypt($_POST['crypt_data'], $aes_key, ENC_HEX); - } - } - } - } - else if ( $_POST['dh_supported'] === 'false' ) - { - $key_hex_md5 = $_POST['crypt_key']; - $key_hex = $session->fetch_public_key($key_hex_md5); - if ( $key_hex ) - { - $key_bin = hexdecode($key_hex); - $data_hex = $_POST['crypt_data']; - $password = $aes->decrypt($data_hex, $key_bin, ENC_HEX); - } - } - else - { - $errors[] = $lang->get('acpum_err_no_aes_key'); - } + $password = $session->get_aes_post('new_password'); } $email = $_POST['email']; @@ -939,13 +874,7 @@ if ( form.changing_pw.value == 'yes' ) { - if ( form.new_password.value != form.new_password_confirm.value ) - { - alert(\$lang.get('user_reg_err_alert_password_nomatch')); - return false; - } - form.new_password_confirm.value = ''; - runEncryption(); + return runEncryption(true); } return true; @@ -1003,13 +932,7 @@ {lang:acpum_msg_same_user_password} {lang:etc_cancel} - - - - - - - + {AES_FORM}
@@ -1346,26 +1269,7 @@ } $form_action = makeUrlNS('Special', 'Administration', 'module=' . $paths->cpage['module'], true); - $aes_javascript = $session->aes_javascript("useredit_$this->uuid", 'new_password', 'use_crypt', 'crypt_key', 'crypt_data', 'challenge_data', 'dh_supported', 'dh_public', 'dh_mypublic'); - - // FIXME should this be in logic rather than presentation code? - if ( $dh_supported ) - { - global $_math; - - $dh_key_priv = dh_gen_private(); - $dh_key_pub = dh_gen_public($dh_key_priv); - $dh_key_priv = $_math->str($dh_key_priv); - $dh_key_pub = $_math->str($dh_key_pub); - // store the keys in the DB for later fetching - $q = $db->sql_query('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );"); - if ( !$q ) - $db->_die(); - } - else - { - $dh_key_pub = ''; - } + $aes_javascript = $session->aes_javascript("useredit_$this->uuid", 'new_password'); // build rank list $q = $db->sql_query('SELECT rank_id, rank_title FROM ' . table_prefix . 'ranks'); @@ -1382,10 +1286,7 @@ 'USERNAME' => $this->username, 'EMAIL' => $this->email, 'USER_ID' => $this->user_id, - 'MD5_CHALLENGE' => $session->dss_rand(), - 'PUBLIC_KEY' => $session->rijndael_genkey(), - 'DH_SUPPORTED' => ( $dh_supported ? 'true' : 'false' ), - 'DH_PUBLIC' => $dh_key_pub, + 'AES_FORM' => $session->generate_aes_form(), 'REAL_NAME' => $this->real_name, 'SIGNATURE_FIELD' => $template->tinymce_textarea('signature', $this->signature, 10, 50), 'USER_TITLE' => $this->user_title, diff -r 9cdfe82c56cd -r eb8b23f11744 plugins/admin/UserRanks.php --- a/plugins/admin/UserRanks.php Sat Jan 03 18:11:18 2009 -0500 +++ b/plugins/admin/UserRanks.php Sun Jan 04 00:55:40 2009 -0500 @@ -2,7 +2,7 @@ /* * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between - * Version 1.1.5 (Caoineag alpha 5) + * Version 1.1.6 (Caoineag beta 1) * Copyright (C) 2006-2008 Dan Fuhry * * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License