Use XXTEA for permanent login

git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@1287 7c3ca157-0c34-0410-bff1-cbf682f78f5c

diff --git a/adminer/include/auth.inc.php b/adminer/include/auth.inc.php
index c3e04f022d7a860906c423b9be7f2b6d202871ba..0e8b923c50d3266448c9d63b2be6cf1077e08b9f 100644 (file)
--- a/adminer/include/auth.inc.php
+++ b/adminer/include/auth.inc.php
@@ -7,7 +7,7 @@ if (isset($_POST["server"])) {
                cookie("adminer_permanent",
                        base64_encode($_POST["server"])
                        . ":" . base64_encode($_POST["username"])
-                       . ":" . base64_encode(cipher_password($_POST["password"], pack("H*", sha1(str_pad($_POST["username"], 1) . $adminer->permanentLogin())))) // str_pad - to hide original key
+                       . ":" . base64_encode(encrypt_string($_POST["password"], $adminer->permanentLogin()))
                );
        }
        if (count($_POST) == 3 + ($_POST["permanent"] ? 1 : 0)) { // 3 - server, username, password
@@ -40,36 +40,13 @@ if (isset($_POST["server"])) {
        if (!strlen($_GET["server"]) || $server == $_GET["server"]) {
                session_regenerate_id(); // defense against session fixation
                $_SESSION["usernames"][$server] = $username;
-               $_SESSION["passwords"][$server] = decipher_password($cipher, pack("H*", sha1(str_pad($username, 1) . $adminer->permanentLogin())));
+               $_SESSION["passwords"][$server] = decrypt_string($cipher, $adminer->permanentLogin());
                if (!$_POST && $server != $_GET["server"]) {
                        redirect(preg_replace('~^([^?]*).*~', '\\1', ME) . '?server=' . urlencode($server));
                }
        }
 }
 
-/** Cipher password
-* @param string plain-text password
-* @param string binary key, should be longer than $password
-* @return string binary cipher
-*/
-function cipher_password($password, $key) {
-       $password2 = strlen($password) . ":" . str_pad($password, 17);
-       $repeat = ceil(strlen($password2) / strlen($key));
-       return $password2 ^ str_repeat($key, $repeat);
-}
-
-/** Decipher password
-* @param string binary cipher
-* @param string binary key
-* @return string plain-text password
-*/
-function decipher_password($cipher, $key) {
-       $repeat = ceil(strlen($cipher) / strlen($key));
-       $password2 = $cipher ^ str_repeat($key, $repeat);
-       list($length, $password) = explode(":", $password2, 2);
-       return substr($password, 0, $length);
-}
-
 function auth_error($exception = null) {
        global $connection, $adminer;
        $session_name = session_name();

diff --git a/adminer/include/bootstrap.inc.php b/adminer/include/bootstrap.inc.php
index 8c152a6d43b57522864d35eee7f99d79578aecfb..61c109aee6d58e70f8e3e7c9e4eab7e68d08de23 100644 (file)
--- a/adminer/include/bootstrap.inc.php
+++ b/adminer/include/bootstrap.inc.php
@@ -85,6 +85,7 @@ include "./include/adminer.inc.php";
 include "../adminer/include/design.inc.php";
 include "../adminer/include/pdo.inc.php";
 include "../adminer/include/mysql.inc.php";
+include "../adminer/include/xxtea.inc.php";
 include "../adminer/include/auth.inc.php";
 include "./include/connect.inc.php";
 include "./include/editing.inc.php";

diff --git a/adminer/include/functions.inc.php b/adminer/include/functions.inc.php
index 279abd3776074e1087ac6eb64ba640d27fa511b6..4425d484c49c8a876593da238dbf353478f024b3 100644 (file)
--- a/adminer/include/functions.inc.php
+++ b/adminer/include/functions.inc.php
@@ -201,7 +201,7 @@ function where_link($i, $column, $value) {
 * @return bool
 */
 function cookie($name, $value) {
-       $params = array($name, $value, time() + 2592000, preg_replace('~\\?.*~', '', ME), "", (bool) $_SERVER["HTTPS"]); // 2592000 = 30 * 24 * 60 * 60
+       $params = array($name, $value, time() + 2592000, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"]), "", (bool) $_SERVER["HTTPS"]); // 2592000 = 30 * 24 * 60 * 60
        if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
                $params[] = true; // HttpOnly
        }

diff --git a/adminer/include/version.inc.php b/adminer/include/version.inc.php
index 12594af9d1cd4e82e703730e1cf69c9a2ff85792..494ea3675699c42d3cf9e792d5590fd8cf72ebd8 100644 (file)
--- a/adminer/include/version.inc.php
+++ b/adminer/include/version.inc.php
@@ -1,2 +1,2 @@
 <?php
-$VERSION = "2.2.2-dev";
+$VERSION = "2.3.0-dev";

diff --git a/adminer/include/xxtea.inc.php b/adminer/include/xxtea.inc.php
new file mode 100644 (file)
index 0000000..25786ab
--- /dev/null
+++ b/adminer/include/xxtea.inc.php
@@ -0,0 +1,96 @@
+<?php
+/** PHP implementation of XXTEA encryption algorithm.
+* @author Ma Bingyao <andot@ujn.edu.cn>
+* @link http://www.coolcode.cn/?action=show&id=128
+*/
+
+function int32($n) {
+       while ($n >= 2147483648) {
+               $n -= 4294967296;
+       }
+       while ($n <= -2147483649) {
+               $n += 4294967296;
+       }
+       return (int) $n;
+}
+
+function long2str($v, $w) {
+       $s = '';
+       foreach ($v as $val) {
+               $s .= pack('V', $val);
+       }
+       if ($w) {
+               return substr($s, 0, end($v));
+       }
+       return $s;
+}
+
+function str2long($s, $w) {
+       $v = array_values(unpack('V*', str_pad($s, 4 * ceil(strlen($s) / 4), "\0")));
+       if ($w) {
+               $v[] = strlen($s);
+       }
+       return $v;
+}
+
+function xxtea_mx($z, $y, $sum, $k) {
+       return int32((($z >> 5 & 0x7FFFFFF) ^ $y << 2) + (($y >> 3 & 0x1FFFFFFF) ^ $z << 4)) ^ int32(($sum ^ $y) + ($k ^ $z));
+}
+
+/** Cipher
+* @param string plain-text password
+* @param array 4 integers
+* @return string binary cipher
+*/
+function encrypt_string($str, $key) {
+       $v = str2long($str, true);
+       $n = count($v) - 1;
+       $z = $v[$n];
+       $y = $v[0];
+       $q = floor(6 + 52 / ($n + 1));
+       $sum = 0;
+       while ($q-- > 0) {
+               $sum = int32($sum + 0x9E3779B9);
+               $e = $sum >> 2 & 3;
+               for ($p=0; $p < $n; $p++) {
+                       $y = $v[$p + 1];
+                       $mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
+                       $z = int32($v[$p] + $mx);
+                       $v[$p] = $z;
+               }
+               $y = $v[0];
+               $mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
+               $z = int32($v[$n] + $mx);
+               $v[$n] = $z;
+       }
+       return long2str($v, false);
+}
+
+/** Decipher
+* @param string binary cipher
+* @param array 4 integers
+* @return string plain-text password
+*/
+function decrypt_string($str, $key) {
+       $v = str2long($str, false);
+       $n = count($v) - 1;
+       $z = $v[$n];
+       $y = $v[0];
+       $q = floor(6 + 52 / ($n + 1));
+       $sum = int32($q * 0x9E3779B9);
+       while ($sum) {
+               $e = $sum >> 2 & 3;
+               for ($p=$n; $p > 0; $p--) {
+                       $z = $v[$p - 1];
+                       $mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
+                       $y = int32($v[$p] - $mx);
+                       $v[$p] = $y;
+               }
+               $z = $v[$n];
+               $mx = xxtea_mx($z, $y, $sum, $key[$p & 3 ^ $e]);
+               $y = int32($v[0] - $mx);
+               $v[0] = $y;
+               $sum = int32($sum - 0x9E3779B9);
+       }
+       return long2str($v, true);
+}

diff --git a/changes.txt b/changes.txt
index ade61147e784b0136f46ef0efac7747e1cc881d6..9949beeb5a60f31b53c024b45a0dfb232e040846 100644 (file)
--- a/changes.txt
+++ b/changes.txt
@@ -1,9 +1,10 @@
-Adminer 2.2.2-dev:
+Adminer 2.3.0-dev:
 Support for permanent login (customization required)
+Show status variables
 Add Delete button to Edit page (regression from 2.0.0)
 Simplify SQL syntax error message
-Print SQL query info if available
-Delete length when changing type
+Show SQL query info if available
+Delete length when changing type in alter table
 
 Adminer 2.2.1 (released 2009-11-26):
 Highlight current links