Made $session->private_key protected and added pk_{en,de}crypt methods for encrypting and decrypting data using the private key
--- a/includes/clientside/static/enano-lib-basic.js Mon Jun 30 17:20:02 2008 -0400
+++ b/includes/clientside/static/enano-lib-basic.js Mon Jun 30 17:22:29 2008 -0400
@@ -450,6 +450,7 @@
ajaxStartLogin: 'login.js',
ajaxStartAdminLogin: 'login.js',
ajaxLoginNavTo: 'login.js',
+ ajaxLogonToElev: 'login.js',
ajaxAdminPage: 'login.js',
mb_logout: 'login.js',
selectButtonMajor: 'toolbar.js',
--- a/includes/sessions.php Mon Jun 30 17:20:02 2008 -0400
+++ b/includes/sessions.php Mon Jun 30 17:22:29 2008 -0400
@@ -136,11 +136,12 @@
var $unread_pms = 0;
/**
- * AES key used to encrypt passwords and session key info - irreversibly destroyed when disallow_password_grab() is called
+ * AES key used to encrypt passwords and session key info.
* @var string
+ * @access private
*/
- var $private_key;
+ protected $private_key;
/**
* Regex that defines a valid username, minus the ^ and $, these are added later
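Review bot: The new docblock tag `@access private` contradicts the declaration on the line below, which is `protected`, so subclasses of the session class can still read and overwrite the key while the documentation says they cannot; make the tag `@access protected`, or declare the property `private` if that is the intent. The hunk also drops the statement that the key is "irreversibly destroyed when disallow_password_grab() is called" without showing whether that destruction still happens; if it does, keep the sentence, since it is the only documented limit on the key's lifetime. Suggested comment: ` * AES key used to encrypt passwords and session key info; cleared by disallow_password_grab() — confirm that still holds.` The class header and the rest of the property list lie outside the hunk.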
@@ -2407,6 +2408,32 @@
return 'success';
}
+ /**
+ * Encrypts a string using the site's private key.
+ * @param string
+ * @param int Return type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
+ * @return string
+ */
+
+ function pk_encrypt($string, $return_type = ENC_HEX)
+ {
+ $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
+ return $aes->encrypt($string, $this->private_key, $return_type);
+ }
+
+ /**
+ * Encrypts a string using the site's private key.
+ * @param string
+ * @param int Input type - one of ENC_BINARY, ENC_HEX, ENC_BASE64
+ * @return string
+ */
+
+ function pk_decrypt($string, $input_type = ENC_HEX)
+ {
+ $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
+ return $aes->decrypt($string, $this->private_key, $input_type);
+ }
+
#
# USER RANKS
#
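Review bot: `pk_decrypt` is a public method with no caller restriction, so making `$private_key` protected does not actually narrow who can recover stored passwords: any plugin holding the `$session` object can now call `$session->pk_decrypt($row['password'])` and get plaintext, exactly as it could before with the raw key. If the old `disallow_password_grab()` behaviour still exists, these methods should refuse once it has run (`if ( empty($this->private_key) ) return false;` or throw); otherwise the refactor is a no-op security-wise and the commit message overstates it. The docblock on `pk_decrypt` is a copy-paste error — it reads "Encrypts a string using the site's private key" and should be ` * Decrypts a string that was encrypted with the site's private key.`; both methods should also carry an explicit `public function` rather than bare `function`.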
--- a/plugins/SpecialUserFuncs.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/SpecialUserFuncs.php Mon Jun 30 17:22:29 2008 -0400
@@ -1597,7 +1597,7 @@
return false;
}
}
- $encpass = $aes->encrypt($data, $session->private_key, ENC_HEX);
+ $encpass = $session->pk_encrypt($data, ENC_HEX);
$q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $encpass . '\',temp_password=\'\',temp_password_time=0 WHERE user_id='.$user_id.';');
if($q)
--- a/plugins/SpecialUserPrefs.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/SpecialUserPrefs.php Mon Jun 30 17:22:29 2008 -0400
@@ -211,7 +211,7 @@
$db->_die();
$row = $db->fetchrow();
$db->free_result();
- $old_pass = $aes->decrypt($row['password'], $session->private_key, ENC_HEX);
+ $old_pass = $session->pk_decrypt($row['password'], ENC_HEX);
$new_email = $_POST['newemail'];
@@ -257,7 +257,7 @@
// Encrypt new password
if ( empty($errors) )
{
- $newpass_enc = $aes->encrypt($newpass, $session->private_key, ENC_HEX);
+ $newpass_enc = $session->pk_encrypt($newpass, ENC_HEX);
// Perform the swap
$q = $db->sql_query('UPDATE '.table_prefix.'users SET password=\'' . $newpass_enc . '\' WHERE user_id=' . $session->user_id . ';');
if ( !$q )
--- a/plugins/admin/UserManager.php Mon Jun 30 17:20:02 2008 -0400
+++ b/plugins/admin/UserManager.php Mon Jun 30 17:22:29 2008 -0400
@@ -147,7 +147,7 @@
$to_update_users['username'] = $username;
if ( $password )
{
- $password = $aes->encrypt($password, $session->private_key, ENC_HEX);
+ $password = $session->pk_encrypt($password, ENC_HEX);
$to_update_users['password'] = $password;
}
$to_update_users['email'] = $email;