d3020a6321ecaaa8b94bb832d30e677752ed6727 chinhli Tue May 15 17:24:26 2012 -0700 hgLogin.c will not compile with openssl lib. See http://redmine.soe.ucsc.edu/issues/7824#note-6 for more detail. diff --git src/hg/hgLogin/hgLogin.c src/hg/hgLogin/hgLogin.c index fe569bf..bda53bb 100644 --- src/hg/hgLogin/hgLogin.c +++ src/hg/hgLogin/hgLogin.c @@ -4,49 +4,51 @@ #include "hash.h" #include "obscure.h" #include "hgConfig.h" #include "cheapcgi.h" #include "memalloc.h" #include "jksql.h" #include "htmshell.h" #include "cart.h" #include "hPrint.h" #include "hdb.h" #include "hui.h" #include "web.h" #include "ra.h" #include "hgColors.h" #include -#include #include "net.h" #include "wikiLink.h" #include "hgLogin.h" #include "gbMembers.h" #include "versionInfo.h" /* ---- Global variables. ---- */ char msg[4096] = ""; /* The excludeVars are not saved to the cart. */ char *excludeVars[] = { "submit", "Submit", "debug", "fixMembers", "update", "hgLogin_password", "hgLogin_password2", "hgLogin_newPassword1", "hgLogin_newPassword2", NULL }; struct cart *cart; /* This holds cgi and other variables between clicks. */ char *database; /* Name of genome database - hg15, mm3, or the like. */ struct hash *oldCart; /* Old cart hash. */ char *errMsg; /* Error message to show user when form data rejected */ -/* -------- password functions ---- */ +/* -------- password functions depend on optionally installed openssl lib ---- */ +#ifdef USE_SSL +#include + void cryptWikiWay(char *password, char *salt, char* result) /* encrypt password in mediawiki format - ':B:'.$salt.':'. md5($salt.'-'.md5($password ) */ { int i; unsigned char result1[MD5_DIGEST_LENGTH]; unsigned char result2[MD5_DIGEST_LENGTH]; char firstMD5[MD5_DIGEST_LENGTH*2 + 1]; char secondMD5[MD5_DIGEST_LENGTH*2 + 1]; i = MD5_DIGEST_LENGTH; MD5((unsigned char *)password, strlen(password), result1); for(i = 0; i < MD5_DIGEST_LENGTH; i++) printf("%02x", result1[i]); for(i = 0; i < MD5_DIGEST_LENGTH; i++) 
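Review bot: In `cryptWikiWay`, the first loop after the `MD5()` call sends the hex digest of the plain password to stdout through `printf("%02x", result1[i]);`, and in a CGI stdout is normally the HTTP response. It looks like leftover debugging output: `firstMD5` is declared to hold that hex string, and a second loop over the digest starts on the hunk's last line, with its body outside the hunk. Since this commit already rewraps the block in `#ifdef USE_SSL`, I would delete the `printf` loop. If the second loop does not already fill the buffer, replace the call with `sprintf(&firstMD5[i*2], "%02x", result1[i]);`. The `i = MD5_DIGEST_LENGTH;` assignment before the call is a dead store and can go as well.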
@@ -83,30 +85,70 @@ unsigned long seed[2]; char salt[] = "........"; const char *const seedchars = "0123456789ABCDEFGHIJKLMNOPQRST" "UVWXYZabcdefghijklmnopqrstuvwxyz"; int i; /* Generate a (not very) random seed. */ seed[0] = time(NULL); seed[1] = getpid() ^ (seed[0] >> 14 & 0x30000); /* Turn it into printable characters from 'seedchars'. */ for (i = 0; i < 8; i++) salt[i] = seedchars[(seed[i/5] >> (i%5)*6) & 0x3f]; encryptPWD(password, salt, buf, bufsize); } +char *generateTokenMD5(char *token) +/* Generate an unsalted MD5 string from token. */ +{ +unsigned char result[MD5_DIGEST_LENGTH]; +char tokenMD5[MD5_DIGEST_LENGTH*2 + 1]; +int i = MD5_DIGEST_LENGTH; +MD5((unsigned char *) token, strlen(token), result); +// Convert the tokenMD5 value to string +for(i = 0; i < MD5_DIGEST_LENGTH; i++) + { + sprintf(&tokenMD5[i*2], "%02x", result[i]); + } +return cloneString(tokenMD5); +} + +#else // --------- no USE_SSL ==> errAbort with message that openssl is required -------------- + +#define NEED_OPENSSL "kent/src must be recompiled with openssl libs and USE_SSL=1 in order for this to work." + +void encryptPWD(char *password, char *salt, char *buf, int bufsize) +/* This is just a warning that appears in the absence of USE_SSL. Real implementation is above! */ +{ +errAbort(NEED_OPENSSL); +} + +void encryptNewPwd(char *password, char *buf, int bufsize) +/* This is just a warning that appears in the absence of USE_SSL. Real implementation is above! */ +{ +errAbort(NEED_OPENSSL); +} + +char *generateTokenMD5(char *token) +/* This is just a warning that appears in the absence of USE_SSL. Real implementation is above! */ +{ +errAbort(NEED_OPENSSL); +return NULL; // Compiler doesn't know that we never get here. 
+} + +#endif//ndef USE_SSL + void findSalt(char *encPassword, char *salt, int saltSize) /* find the salt part from the password field */ { char tempStr1[45]; char tempStr2[45]; int i; // Skip the ":B:" part for (i = 3; i <= strlen(encPassword); i++) tempStr1[i-3] = encPassword[i]; i = strcspn(tempStr1,":"); safencpy(tempStr2, sizeof(tempStr2), tempStr1, i); safecpy(salt, saltSize,tempStr2); } bool checkPwd(char *password, char *encPassword) 
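Review bot: `generateTokenMD5` hashes the confirmation token, but its caller in the last hunk (`setupNewAccount`) stores the digest in `emailToken` and passes the same `tokenMD5` to `sendActivateMail`, so the digest is itself the bearer value and hashing protects nothing if the table is read. If the intent is that a database reader cannot confirm accounts, the mail should carry `token`, only the digest should be stored, and the check should hash what the user presents. The verification code is not visible here, so this needs confirming against it. At minimum the header comment should state the contract, e.g. `/* Return the MD5 hex digest of token as a cloneString'd string owned by the caller; unsalted, so it identifies the token but does not protect it. */`. Separately, `int i = MD5_DIGEST_LENGTH;` is a dead initialisation because the loop resets `i`.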
@@ -436,40 +478,31 @@ sqlEscapeString(username), sqlEscapeString(encToken)); safef(subject, sizeof(subject),"UCSC Genome Browser account e-mail address confirmation"); safef(msg, sizeof(msg), "Someone, probably you from IP address %s, has requested an account %s with this e-mail address on the UCSC Genome Browser.\nTo confirm that this account really does belong to you on the UCSC Genome Browser, open this link in your browser:\ni\n%s\nIf the account is created, only you will be e-mailed this confirmation.\nIf this is *not* you, do not follow the link. This confirmation code will expire at %s, %s.\n", remoteAddr, username, activateURL, expireTime, expireDate); safecat (msg, sizeof(msg), signature); sendMailOut(email, subject, msg); } void setupNewAccount(struct sqlConnection *conn, char *email, char *username) /* Set up new user account and send activation mail to user */ { char query[256]; char *token = generateRandomPassword(); -int i; -unsigned char result[MD5_DIGEST_LENGTH]; -char tokenMD5[MD5_DIGEST_LENGTH*2 + 1]; -i = MD5_DIGEST_LENGTH; -MD5((unsigned char *) token, strlen(token), result); -// Convert the tokenMD5 value to string -for(i = 0; i < MD5_DIGEST_LENGTH; i++) - { - sprintf(&tokenMD5[i*2], "%02x", result[i]); - } +char *tokenMD5 = generateTokenMD5(token); safef(query,sizeof(query), "update gbMembers set lastUse=NOW(),emailToken='%s', emailTokenExpires=DATE_ADD(NOW(), INTERVAL 7 DAY), accountActivated='N' where userName='%s'", sqlEscapeString(tokenMD5), sqlEscapeString(username) ); sqlUpdate(conn, query); safef(query,sizeof(query), "select TIME(emailTokenExpires) from gbMembers where userName='%s'", username); char *expireTime = sqlQuickString(conn, query); safef(query,sizeof(query), "select DATE(emailTokenExpires) from gbMembers where userName='%s'", username); char *expireDate = sqlQuickString(conn, query); sendActivateMail(email, username, tokenMD5, expireTime, expireDate); return; }
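Review bot: The two `select ... from gbMembers where userName='%s'` queries after the changed line format `username` into the SQL text unescaped, while the `update` just above them wraps the same value in `sqlEscapeString()`. Unless `username` is validated before `setupNewAccount` is called (not visible in this hunk), a name containing a quote alters the statement. Both calls should pass `sqlEscapeString(username)` as the update does. The string returned by `generateTokenMD5` is also never freed in this function, which is tolerable in a short-lived CGI but worth a one-line comment.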