author | pmichaud <pmichaud@524c5546-5005-0410-9a3e-e25e191bd360> | 2005-06-22 16:17:11 +0000 |
---|---|---|
committer | pmichaud <pmichaud@524c5546-5005-0410-9a3e-e25e191bd360> | 2005-06-22 16:17:11 +0000 |
commit | f9c63d7c15c96f520299004374c2cd130c2a74f6 (patch) | |
tree | d4b1987711d78cf8f95add0dda89e4f7ab848ab8 /scripts/authuser.php | |
parent | e33daf7e5d8a5c009bc8f82f3ef4656f6ef467b0 (diff) | |
Added apache-compatible md5 encryption, and sha encryption.
git-svn-id: svn://pmwiki.org/trunk/pmwiki@674 524c5546-5005-0410-9a3e-e25e191bd360
Diffstat (limited to 'scripts/authuser.php')
-rw-r--r-- | scripts/authuser.php | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/scripts/authuser.php b/scripts/authuser.php index 55b0ef57..aac7c4e3 100644 --- a/scripts/authuser.php +++ b/scripts/authuser.php @@ -5,6 +5,10 @@ by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See pmwiki.php for full details. + The APR compatible MD5 encryption algorithm in _crypt() below is + based on code Copyright 2005 by D. Faure and the File::Passwd + PEAR library module by Mike Wallner <mike@php.net>. + This script enables simple authentication based on username and password combinations. At present this script can authenticate from passwords held in arrays or in .htpasswd-formatted files, 
@@ -64,10 +68,51 @@ foreach((array)($AuthUser['htpasswd']) as $f) { while ($x = fgets($fp, 1024)) { $x = rtrim($x); list($i, $c, $r) = explode(':', $x, 3); - if ($i == $id && crypt($pw, $c) == $c) + if ($i == $id && _crypt($pw, $c) == $c) { fclose($fp); AuthenticateUser($id); return; } } fclose($fp); } +# The _crypt function provides support for SHA1 encrypted passwords +# (keyed by '{SHA}') and Apache MD5 encrypted passwords (keyed by +# '$apr1$'); otherwise it just calls PHP's crypt() for the rest. +# The APR MD5 encryption code was contributed by D. Faure. + +function _crypt($plain, $salt=null) { + if (strncmp($salt, '{SHA}', 5) == 0) + return '{SHA}'.base64_encode(pack('H*', sha1($plain))); + if (strncmp($salt, '$apr1$', 6) == 0) { + preg_match('/^\\$apr1\\$([^$]+)/', $salt, $match); + $salt = $match[1]; + $length = strlen($plain); + $context = $plain . '$apr1$' . $salt; + $binary = pack('H32', md5($plain . $salt . $plain)); + for($i = $length; $i > 0; $i -= 16) + $context .= substr($binary, 0, min(16, $i)); + for($i = $length; $i > 0; $i >>= 1) + $context .= ($i & 1) ? chr(0) : $plain{0}; + $binary = pack('H32', md5($context)); + for($i = 0; $i < 1000; $i++) { + $new = ($i & 1) ? $plain : $binary; + if ($i % 3) $new .= $salt; + if ($i % 7) $new .= $plain; + $new .= ($i & 1) ? $binary : $plain; + $binary = pack('H32', md5($new)); + } + $q = ''; + for ($i = 0; $i < 5; $i++) { + $k = $i + 6; + $j = $i + 12; + if ($j == 16) $j = 5; + $q = $binary{$i}.$binary{$k}.$binary{$j} . $q; + } + $q = chr(0).chr(0).$binary{11} . $q; + $q = strtr(strrev(substr(base64_encode($q), 2)), + 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/', + './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'); + return "\$apr1\$$salt\$$q"; + } + return crypt($plain, $salt); +} |
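Review bot: The credential check on the changed `if` line compares both the username and the hash with loose `==`, so PHP compares numeric-looking strings as numbers (an id of `1.0` would match an htpasswd user `1`), and the hash comparison is not constant-time. I would write it as `if ($i === $id && hash_equals((string)$c, (string)_crypt($pw, $c)))`, falling back to `===` on PHP versions that lack `hash_equals()`. In `_crypt()` the `$apr1$` branch reads `$match[1]` without checking the `preg_match()` result, so a malformed stored entry should return a value that cannot match rather than hashing with an undefined salt. The comment above `_crypt()` calls these schemes "encrypted"; it should say that `{SHA}` is unsalted SHA-1 and that both formats are supported only for compatibility with existing .htpasswd files. The enclosing `foreach` starts before the hunk.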