930518209974b5a1bc3b568d345b625d0374ef18 chinhli Fri Apr 13 15:39:10 2012 -0700 Finished password decrypt.
diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c
index 2a26803..616aac9 100644
--- src/hg/hgLogin/hgLogin.c
+++ src/hg/hgLogin/hgLogin.c
@@ -89,58 +89,92 @@ i = MD5_DIGEST_LENGTH; printf("MD5_DIGEST_LENGTH is %d\nLength of secondMD5 is %d\n",i, strlen(secondMD5)); printf("secondMD5 before return is: \n%s\n", secondMD5); strcpy(result, secondMD5); } void encryptPWD(char *password, char *salt, char *buf, int bufsize) /* encrypt a password */ { /* encrypt user's password. */ // safef(buf,bufsize,crypt(password, salt)); char md5Returned[100]; cryptWikiWay(password, salt, md5Returned); -safef(buf,bufsize,md5Returned); +safecat(buf,bufsize,":B:"); +safecat(buf,bufsize,salt); +safecat(buf,bufsize,":"); +safecat(buf,bufsize,md5Returned); + +//safef(buf,bufsize,md5Returned); + printf("After encrypt, buf isL K\n%s\n bufsize is %d\n", buf, bufsize); } void encryptNewPwd(char *password, char *buf, int bufsize) /* encrypt a new password */ /* XXXX TODO: use MD5 in linked SSL */ { unsigned long seed[2]; -char salt[] = "$1$........"; +char salt[] = "........"; const char *const seedchars = -"./0123456789ABCDEFGHIJKLMNOPQRST" +"0123456789ABCDEFGHIJKLMNOPQRST" "UVWXYZabcdefghijklmnopqrstuvwxyz"; int i; /* Generate a (not very) random seed. */ seed[0] = time(NULL); seed[1] = getpid() ^ (seed[0] >> 14 & 0x30000); /* Turn it into printable characters from `seedchars'. 
*/ for (i = 0; i < 8; i++) - salt[3+i] = seedchars[(seed[i/5] >> (i%5)*6) & 0x3f]; + salt[i] = seedchars[(seed[i/5] >> (i%5)*6) & 0x3f]; +printf("salt generated: %s\n", salt); encryptPWD(password, salt, buf, bufsize); } +void findSalt(char *encPassword, char *salt, int saltSize) +{ +printf("encPassword from database is: %s\n",encPassword); +char tempStr1[45]; +char tempStr2[45]; + +int i; +// Skip the ":B:" part +for (i = 3; i <= strlen(encPassword); i++) + tempStr1[i-3] = encPassword[i]; +printf("encPassword is %s\n",encPassword); +printf("Trim out the :B: to become %s\n",tempStr1); +i = strcspn(tempStr1,":"); +printf(" : is at location %d\n", i); +safencpy(tempStr2, sizeof(tempStr2), tempStr1, i); +printf("Trimmed salt is %s\n", tempStr2); +safef(salt, saltSize,tempStr2); +printf("Final salt is %s\n", salt); + +} bool checkPwd(char *password, char *encPassword) /* check an encrypted password */ { -char encPwd[35] = ""; -encryptPWD(password, encPassword, encPwd, sizeof(encPwd)); + +printf("password type in is: %s\n",password); +char salt[14]; +int saltSize; +saltSize = sizeof(salt); +findSalt(encPassword, salt, saltSize); +char encPwd[45] = ""; +// encryptPWD(password, encPassword, encPwd, sizeof(encPwd)); +encryptPWD(password, salt, encPwd, sizeof(encPwd)); if (sameString(encPassword,encPwd)) { return TRUE; } else { return FALSE; } } boolean checkPwdCharClasses(char *password) /* check that password uses at least 2 character classes */ { /* [A-Z] [a-z] [0-9] [!@#$%^&*()] */ 
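Review bot: The seedchars table in encryptNewPwd now holds 62 characters (the leading "./" was dropped) but the index is still masked with `& 0x3f`, so values 62 and 63 read the terminating NUL or one byte past the string literal, yielding a truncated salt or an out-of-bounds read; bound the index by the table length instead, `salt[i] = seedchars[(seed[i/5] >> (i%5)*6) % strlen(seedchars)];`. The printf calls added in checkPwd, findSalt, encryptNewPwd and encryptPWD write the plaintext password, the stored hash and the salt to stdout, which for this CGI appears to be the HTTP response, so they should come out before this is deployed. findSalt copies encPassword into tempStr1[45] with no length check, leaves tempStr1 uninitialized when encPassword is shorter than 3 bytes, and then passes database-derived text as the format argument of safef; use `safef(salt, saltSize, "%s", tempStr2);` and reject an encPassword that does not fit or lacks the ":B:" prefix. Because encryptPWD now builds its result with safecat, buf must arrive as an empty NUL-terminated buffer; a header comment such as `/* buf must be an empty, NUL-terminated buffer; result is appended as ":B:<salt>:<md5>" */` would record that contract for callers. cryptWikiWay begins before this hunk and checkPwdCharClasses continues after it.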
@@ -308,31 +342,31 @@ errMsg = cloneString("Email cannot be blank."); lostPasswordPage(conn); return; } safef(query,sizeof(query), "select password from gbMembers where email='%s'", email); char *password = sqlQuickString(conn, query); if (!password) { freez(&errMsg); errMsg = cloneString("Email not found."); lostPasswordPage(conn); return; } freez(&password); password = generateRandomPassword(); -char encPwd[35] = ""; +char encPwd[45] = ""; encryptNewPwd(password, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "update gbMembers set password='%s' where email='%s'", sqlEscapeString(encPwd), sqlEscapeString(email)); sqlUpdate(conn, query); updatePasswordsFile(conn); safef(cmd,sizeof(cmd), "echo 'Your new password is: %s' | mail -s \"Lost GSID HIV password\" %s" , password, email); int result = system(cmd); if (result == -1) { hPrintf( "<h2>UCSC Genome Browser</h2>" @@ -438,31 +472,31 @@ errMsg = cloneString("New password must be at least 5 characters long."); changePasswordPage(conn); return; } /*************************** if (!checkPwdCharClasses(newPassword)) { freez(&errMsg); errMsg = cloneString( "Password must contain characters from 2 of the following 4 classes: " "[A-Z] [a-z] [0-9] [!@#$%^&*()]."); changePasswordPage(conn); return; } ********************************************/ -char encPwd[35] = ""; +char encPwd[45] = ""; encryptNewPwd(newPassword, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "update gbMembers set password='%s' where email='%s'", sqlEscapeString(encPwd), sqlEscapeString(email)); sqlUpdate(conn, query); hPrintf ( "<h2>UCSC Genome Browser</h2>" "<p align=\"left\">" "</p>" "<h3>Password has been changed.</h3>" "Click <a href=hgLogin?hgLogin.do.signupPage=1>here</a> to return.<br>" ); updatePasswordsFile(conn); 
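Review bot: `char encPwd[45] = ""` is now repeated at four call sites (this hunk, the -438 hunk that follows it, and the -630 and -1002 hunks on the next line), and 45 is exactly the room for ":B:" plus an 8-character salt, ":" and 32 hex digits with a NUL, so any change to the salt length in encryptNewPwd, or a longer salt returned by findSalt, would surface as a runtime safecat failure rather than a compile-time one. Define the size once beside encryptPWD, e.g. `enum { ENC_PWD_SIZE = 45 };`, and declare each buffer as `char encPwd[ENC_PWD_SIZE] = "";`. Separately, the new plaintext password and the unescaped email address are still interpolated into the command string handed to system() a few lines below; that predates this commit, but since the password path is being reworked, spawning the mail program with an explicit argv (or at minimum validating the address against a strict character set) would remove a shell-injection exposure. The enclosing function starts before this hunk and continues after it.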
@@ -630,31 +664,31 @@ } if (password && confirmPW && !sameString(password, confirmPW)) { freez(&errMsg); errMsg = cloneString("Passwords do not match."); signupPage(conn); return; } char *realName = cartUsualString(cart, "hgLogin_realName", ""); if (!realName || sameString(realName,"")) { realName = " "; } -char encPwd[35] = ""; +char encPwd[45] = ""; encryptNewPwd(password, encPwd, sizeof(encPwd)); safef(query,sizeof(query), "insert into gbMembers set " "userName='%s',realName='%s',password='%s',email='%s', " "lastUse=NOW(),activated='N',dateAuthenticated='9999-12-31 23:59:59'", sqlEscapeString(user),sqlEscapeString(realName),sqlEscapeString(encPwd),sqlEscapeString(email)); sqlUpdate(conn, query); hPrintf( "<h2>UCSC Genome Browser</h2>\n" "<p align=\"left\">\n" "</p>\n" "<h3>User %s successfully added.</h3>\n" , user ); @@ -1002,31 +1036,31 @@ for(email=list;email;email=email->next) { uglyf("email=%s<br>\n",email->name); safef(query,sizeof(query),"select password from gbMembers where email='%s'", email->name); char *password = sqlQuickString(conn,query); uglyf("password=%s<br>\n",password); if (password) { if (!startsWith("$1$",password)) / * upgrade has not already been done * / { uglyf("does not start with $1$<br>\n"); - char encPwd[35] = ""; + char encPwd[45] = ""; encryptNewPwd(password, encPwd, sizeof(encPwd)); safef(query,sizeof(query),"update gbMembers set password = '%s' where email='%s'", sqlEscapeString(encPwd), sqlEscapeString(email->name)); uglyf("query: %s<br>\n",query); sqlUpdate(conn,query); } freez(&password); } uglyf("<br>\n"); } slFreeList(&list); } */