[aur-dev] FS#17109: AUR passwords are not salted

Loui Chang louipc.ist at gmail.com
Fri Jun 4 18:19:23 EDT 2010 

On Wed 26 May 2010 22:22 +0200, Linas wrote:
> Loui Chang wrote:
> > On Mon 19 Apr 2010 15:39 +0200, Linas wrote:
> >   
> >> Loui Chang wrote:
> >>     
> >> Thanks for your support. Here goes an attempt.
> >> I have mixed my suggestions with Denis idea of changing the hash algorithm
> >> at the same time plus a few bits I found on the way.
> >>
> >> Actions performed by this patch:
> >> salt to be NULL, in which case it is treated as md5 hashed password.
> >> *All entries can be automatically updated by a -to be written- script.
> >> *Removes add salt on login code, per above.
> >> *Salted passwords now use sha512 instead of md5.
> >> *Adds requirement on hash extension (usually bundled as static).
> >> *try_login() only performs one query to verify user login instead of 5.
> >> *generate_salt now uses mt_rand()
> >> *Reject passwords given by GET.
> >>
> > Sorry for the late response.
> > Ideally each of these actions should be a separate patch.
> >
> > That would enable changes that are straightforward to be applied
> > quickly, while the other changes might still need review.
> > The -to be written- script also needs to be included for the change to
> > be complete.
> 
> Ok. I have splitted it on three patches.
> The first patch with the changes to acctfuncs.inc, which speeds up
> try_login,
> affect the lazy salting, and changes the $_REQUEST to $_POST.
> A second patch adding the mt_rand (the one-line change to generate_salt).
> A third patch actually using sha512 (salted_hash function, aur-schema.sql
> and README) with a format that allows the script update to work.
> 
> Should the update script try to perform the alter table itself? If so,
> assuming that it has the Salt field (ie. Kobozev change was applied to
> the db) or not?

No structural changes have been applied to the db since at least the
last code release. I'll apply the second patch. I'll still have to
review the rest of it.

* Messages generally should use i18n __("my message")
* We should keep failed auth ambiguous: "wrong username or passwd"
  instead of "wrong passwd"
* Please use `git format-patch` to generate patches.

Thanks

More information about the aur-dev mailing list