# HG changeset patch
# User Dan
# Date 1214860949 14400
# Node ID 2529833a77314fd907965840df86d4539164b794
# Parent 03a60844c7c5d1c6a4eb28ba4804931162831065
Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
diff -r 03a60844c7c5 -r 2529833a7731 includes/clientside/static/enano-lib-basic.js
--- a/includes/clientside/static/enano-lib-basic.js Mon Jun 30 17:20:02 2008 -0400
+++ b/includes/clientside/static/enano-lib-basic.js Mon Jun 30 17:22:29 2008 -0400
@@ -450,6 +450,7 @@
 ajaxStartLogin: 'login.js',
 ajaxStartAdminLogin: 'login.js',
 ajaxLoginNavTo: 'login.js',
+ ajaxLogonToElev: 'login.js',
 ajaxAdminPage: 'login.js',
 mb_logout: 'login.js',
 selectButtonMajor: 'toolbar.js',
diff -r 03a60844c7c5 -r 2529833a7731 includes/sessions.php
--- a/includes/sessions.php Mon Jun 30 17:20:02 2008 -0400
+++ b/includes/sessions.php Mon Jun 30 17:22:29 2008 -0400
@@ -136,11 +136,12 @@
 var $unread_pms = 0;
 /**
- * AES key used to encrypt passwords and session key info - irreversibly destroyed when disallow_password_grab() is called
+ * AES key used to encrypt passwords and session key info.
 * @var string
+ * @access private
 */
- var $private_key;
+ protected $private_key;
 /**
 * Regex that defines a valid username, minus the ^ and $, these are added later
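Review bot: The new docblock tag `@access private` contradicts the declaration directly below it, which is `protected`, so any subclass of the session class can still read `$private_key` while the documentation claims it cannot; either change the tag to ` * @access protected` or make the property actually `private`. The sentence this commit drops from the description said the key is irreversibly destroyed when disallow_password_grab() is called — if that is still true it is worth keeping in the docblock, since callers of the new wrapper methods need to know the key may already be gone when they run. I cannot see disallow_password_grab() in this patch, so confirm whether it still zeroes the key before deciding which wording is right.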
@@ -2407,6 +2408,32 @@
 return 'success';
 }
+ /**
+ * Encrypts a string using the site's private key.
+ * @param string
+ * @param int Return type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
+ * @return string
+ */
+
+ function pk_encrypt($string, $return_type = ENC_HEX)
+ {
+ $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
+ return $aes->encrypt($string, $this->private_key, $return_type);
+ }
+
+ /**
+ * Encrypts a string using the site's private key.
+ * @param string
+ * @param int Input type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
+ * @return string
+ */
+
+ function pk_decrypt($string, $input_type = ENC_HEX)
+ {
+ $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
+ return $aes->decrypt($string, $this->private_key, $input_type);
+ }
+
 #
 # USER RANKS
 #
diff -r 03a60844c7c5 -r 2529833a7731 plugins/SpecialUserFuncs.php
--- a/plugins/SpecialUserFuncs.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/SpecialUserFuncs.php Mon Jun 30 17:22:29 2008 -0400
@@ -1597,7 +1597,7 @@
 return false;
 }
 }
- $encpass = $aes->encrypt($data, $session->private_key, ENC_HEX);
+ $encpass = $session->pk_encrypt($data, ENC_HEX);
 $q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $encpass . '\',temp_password=\'\',temp_password_time=0 WHERE user_id='.$user_id.';');
 if($q)
diff -r 03a60844c7c5 -r 2529833a7731 plugins/SpecialUserPrefs.php
--- a/plugins/SpecialUserPrefs.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/SpecialUserPrefs.php Mon Jun 30 17:22:29 2008 -0400
@@ -211,7 +211,7 @@
 $db->_die();
 $row = $db->fetchrow();
 $db->free_result();
- $old_pass = $aes->decrypt($row['password'], $session->private_key, ENC_HEX);
+ $old_pass = $session->pk_decrypt($row['password'], ENC_HEX);
 $new_email = $_POST['newemail'];
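Review bot: `pk_decrypt` is declared without a visibility keyword, so it is public, and it returns plaintext for anything encrypted under the site key; making `$private_key` protected therefore does not reduce exposure — any code that can reach `$session` can still recover every stored password with `$session->pk_decrypt($row['password'])`, it just cannot read the key bytes directly. If the goal is to limit who can decrypt, either make `pk_decrypt` protected or have it honour the condition that disallow_password_grab() (named in the docblock line this commit removes) was meant to enforce; that method is not in the patch, so confirm whether it still destroys the key and what these wrappers do with an empty `$this->private_key` afterwards, since neither one checks for it. Separately, `pk_decrypt`'s docblock is a copy of `pk_encrypt`'s and says "Encrypts a string"; it should read ` * Decrypts a string using the site's private key.`, and both methods should be written `public function pk_encrypt(...)` / `public function pk_decrypt(...)` to match the explicit `protected` this commit introduces on the property.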
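Review bot: The new call decrypts the stored password column into `$old_pass` as plaintext, which shows user passwords are kept reversibly encrypted under a single site-wide key rather than hashed; the refactor preserves that property, so anyone holding the database and the key (or simply a `$session` object) recovers every password. The enclosing function starts and ends outside this hunk, so I cannot see what `$old_pass` is used for; if it only serves to verify the user's current password before the email change, a salted one-way hash checked with a constant-time comparison would remove any need to decrypt here. At minimum the plaintext should be discarded with `unset($old_pass);` immediately after the comparison rather than left live in a function that goes on to handle `$_POST` data.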
@@ -257,7 +257,7 @@
 // Encrypt new password
 if ( empty($errors) )
 {
- $newpass_enc = $aes->encrypt($newpass, $session->private_key, ENC_HEX);
+ $newpass_enc = $session->pk_encrypt($newpass, ENC_HEX);
 // Perform the swap
 $q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $newpass_enc . '\' WHERE user_id=' . $session->user_id . ';');
 if ( !$q )
diff -r 03a60844c7c5 -r 2529833a7731 plugins/admin/UserManager.php
--- a/plugins/admin/UserManager.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/admin/UserManager.php Mon Jun 30 17:22:29 2008 -0400
@@ -147,7 +147,7 @@
 $to_update_users['username'] = $username;
 if ( $password )
 {
- $password = $session->pk_encrypt($password, ENC_HEX);
+ $password = $session->pk_encrypt($password, ENC_HEX);
 $to_update_users['password'] = $password;
 }
 $to_update_users['email'] = $email;
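Review bot: The new line in UserManager.php reuses `$password` for the ciphertext, so after it runs the variable no longer holds the value that `if ( $password )` tested, and any later reference in the function (which continues past this hunk) silently gets hex ciphertext under the plaintext's name; writing the result straight into the array avoids the shadowing: `$to_update_users['password'] = $session->pk_encrypt($password, ENC_HEX);`. The truthiness test is pre-existing, but note it skips the update for a password of `'0'`; `$password !== ''` is the precise check if an empty string is the only "no change" sentinel.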