diff --git a/DreamTown/cgi-bin/auth/5555/create b/DreamTown/cgi-bin/auth/5555/create
index f83d9b3..9538818 100644
--- a/DreamTown/cgi-bin/auth/5555/create
+++ b/DreamTown/cgi-bin/auth/5555/create
@@ -23,12 +23,7 @@ jsonData = json.loads(post)
 result = {"status":SUCCESS}
-def xor(data, key):
- l = len(key)
- return bytearray((
- (data[i] ^ key[i % l]) for i in range(0,len(data))
- ))
-
+
 def CheckUserExists(username):
 c = db.cursor()
 cur = c.execute('SELECT COUNT(1) from users WHERE Name=?',(username,))
@@ -63,16 +58,8 @@ def TryCreate():
 #Generate password hash
 Salt = binascii.hexlify(os.urandom(64)).decode('utf8')
- m = hashlib.sha512()
- m.update(password.encode('utf-8'))
- PasswordHash = m.digest()
-
- m = hashlib.sha512()
- m.update(securityAnswer.encode('utf-8'))
- AnswerHash = m.digest()
-
- PassHashSalted = binascii.hexlify(xor(bytearray(PasswordHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
- AnswerHashSalted = binascii.hexlify(xor(bytearray(AnswerHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
+ PassHashSalted = pass_salt_algo(password,Salt);
+ AnswerHashSalted = pass_salt_algo(securityAnswer,Salt);
 c = db.cursor()
 c.execute('UPDATE users SET LastSession=NULL WHERE LastSession=?',(authToken,))
diff --git a/DreamTown/cgi-bin/auth/5555/login b/DreamTown/cgi-bin/auth/5555/login
index 0482f5c..fcc15d2 100644
--- a/DreamTown/cgi-bin/auth/5555/login
+++ b/DreamTown/cgi-bin/auth/5555/login
@@ -21,12 +21,6 @@ jsonData = json.loads(post)
 result = {"status":SUCCESS}
-def xor(data, key):
- l = len(key)
- return bytearray((
- (data[i] ^ key[i % l]) for i in range(0,len(data))
- ))
-
 def TryLogin():
 username = jsonData['name'].lower()
 password = jsonData['password']
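Review bot: The two added assignments in TryCreate end with trailing semicolons (`PassHashSalted = pass_salt_algo(password,Salt);`), which are noise in Python and inconsistent with the rest of the diff; write them as `PassHashSalted = pass_salt_algo(password, Salt)` and `AnswerHashSalted = pass_salt_algo(securityAnswer, Salt)`. No import for `pass_salt_algo` is added in this file, so presumably `create` already pulls dreamtown_config in with a star import outside this hunk; worth confirming, since a missing name here would only surface as a NameError at request time. Both values are also derived under the same `Salt`, so a user whose security answer equals their password stores two identical hashes; a second `os.urandom` salt for the answer would avoid that. TryCreate starts before and ends after this hunk.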
@@ -43,14 +37,14 @@ def TryLogin():
 return 0
 #Check Password
 cur = c.execute('SELECT PassHash,Salt from users WHERE Name= ?',(username,))
- rows = cur.fetchone()
- m = hashlib.sha512()
- m.update(password.encode('utf-8'))
- InputHash = m.digest()
+ rows = cur.fetchone()
+ PassHash = rows[0]
 Salt = rows[1]
- SaltedHash = binascii.hexlify(xor(bytearray(InputHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
+
+ SaltedHash = pass_salt_algo(password,Salt)
+
 if SaltedHash != PassHash:
 result['status'] = INVALID_PASSWORD
 return 0
diff --git a/DreamTown/cgi-bin/auth/5555/retrievePassword b/DreamTown/cgi-bin/auth/5555/retrievePassword
index f6f3d8e..f123a5d 100644
--- a/DreamTown/cgi-bin/auth/5555/retrievePassword
+++ b/DreamTown/cgi-bin/auth/5555/retrievePassword
@@ -21,12 +21,6 @@ post = sys.stdin.read(content_len)
 jsonData = json.loads(post)
 result = {"status":SUCCESS}
-def xor(data, key):
- l = len(key)
- return bytearray((
- (data[i] ^ key[i % l]) for i in range(0,len(data))
- ))
-
 def TryRetrive():
 username = jsonData['name'].lower()
@@ -50,15 +44,10 @@ def TryRetrive():
 cur = c.execute('SELECT Salt from users WHERE Name=?',(username,))
 rows = cur.fetchone()
 Salt = rows[0]
+
+ InputHash = pass_salt_algo(answer, Salt)
-
- m = hashlib.sha512()
- m.update(answer.encode('utf-8'))
- InputHash = m.digest()
- SaltedHash = binascii.hexlify(xor(bytearray(InputHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
-
-
- if SaltedHash != AnswerHash:
+ if InputHash != AnswerHash:
 result['status'] = INVALID_PASSWORD
 return 0
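Review bot: `if SaltedHash != PassHash:` compares the computed and stored hex digests with ordinary string inequality, which stops at the first differing character, so the comparison time leaks how long a matching prefix was; use `if not hmac.compare_digest(SaltedHash, PassHash):` with `import hmac` added at the top of the file, outside this hunk. The same applies to the new `if InputHash != AnswerHash:` line in the retrievePassword hunk below. The re-indented `rows = cur.fetchone()` still feeds `rows[0]` without a None check; the `return 0` at the top of the hunk presumably follows an existence check that guarantees a row, but that check is not visible here. TryLogin continues outside the hunk.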
@@ -68,12 +57,9 @@ def TryRetrive():
 if len(answer) < 9:
 newPass += str(random.randint(0,999))
- m = hashlib.sha512()
- m.update(newPass.encode('utf-8'))
- InputHash = m.digest()
- SaltedHash = binascii.hexlify(xor(bytearray(InputHash),bytearray(binascii.unhexlify(Salt)))).decode('utf-8')
-
- c.execute('UPDATE users SET PassHash=? WHERE Name=?',(SaltedHash,username))
+ NewPassHash = pass_salt_algo(newPass, Salt)
+
+ c.execute('UPDATE users SET PassHash=? WHERE Name=?',(NewPassHash,username))
 c.execute('UPDATE users SET LastSession=NULL WHERE Name=?',(username,))
 result['password'] = newPass
diff --git a/DreamTown/cgi-bin/dreamtown_config.py b/DreamTown/cgi-bin/dreamtown_config.py
index b0098a5..209be49 100644
--- a/DreamTown/cgi-bin/dreamtown_config.py
+++ b/DreamTown/cgi-bin/dreamtown_config.py
@@ -1,7 +1,11 @@
+# Add /friends/cgi-bin to $PYTHONPATH in /etc/enviroment and as a SetVar for your VirtualHost in apache2
+
 import sqlite3
+import binascii
+import hashlib
 #MAKE SURE THE DB IS *OUTSIDE* THE PUBLIC_HTML!!!
-SQLLITE_DB_PATH = "/home/silica/DreamTown.db"
+SQLLITE_DB_PATH = "/home/web/DreamTown.db"
 SUCCESS = 1
 USER_DOES_NOT_EXIST = 2
@@ -12,6 +16,28 @@ ANSWER_INCORRECT = 5
 db = sqlite3.connect(SQLLITE_DB_PATH)
+
+def xor(data, key):
+ l = len(key)
+ return bytearray((
+ (data[i] ^ key[i % l]) for i in range(0,len(data))
+ ))
+
+
+def pass_salt_algo(passwd, Salt):
+ m = hashlib.sha512()
+ m.update(passwd.encode('utf-8'))
+ passHash = m.digest()
+
+ salt = bytearray(binascii.unhexlify(Salt))
+ saltedHash = xor(passHash,salt);
+
+ m = hashlib.sha512()
+ m.update(saltedHash)
+ outHash = m.digest();
+
+ return binascii.hexlify(outHash).decode("utf-8")
+
 c = db.cursor()
 try:
 c.execute("""
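Review bot: `NewPassHash = pass_salt_algo(newPass, Salt)` hashes the reset password under the salt already stored for the user instead of drawing a fresh one, so the reset also keeps the salt that the security-answer hash uses; generating a new salt here, as `create` does with `os.urandom(64)`, and writing it in the same `UPDATE users SET PassHash=?` statement would be the usual practice. The reset value is padded from `random.randint(0,999)` in the context line above, and `random` is not a cryptographic generator; `secrets.randbelow(1000)` is the stdlib choice for anything that becomes a credential (with `import secrets` at the top of the file). TryRetrive starts before this hunk, so how `newPass` is initialised is not visible here.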
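Review bot: The new header comment points at `/friends/cgi-bin` while every file in this diff lives under `DreamTown/cgi-bin`, and it misspells "environment"; if the path is a leftover from another project, `# Add DreamTown/cgi-bin to $PYTHONPATH in /etc/environment and as a SetEnv for your VirtualHost in apache2` would match the tree (the Apache directive that sets a per-host environment variable is `SetEnv`, as far as I know `SetVar` is not one). The two added imports are placed after `import sqlite3`; sorting the three alphabetically keeps the block tidy. `SQLLITE_DB_PATH` remains a hard-coded home directory, so every deployment edits this file; that is pre-existing, but a one-line comment saying the path must be outside the web root already exists and could mention that too.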
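Review bot: `pass_salt_algo` is a hand-rolled construction — SHA-512 of the password, XORed with the salt, then SHA-512 again — with no iteration count, so it costs an attacker no more per guess than plain SHA-512 and gives none of the assurances of a purpose-built password KDF; the standard library already ships one, `hashlib.pbkdf2_hmac('sha512', passwd.encode('utf-8'), salt, iterations)`, which would also make `xor` dead code. Switching changes every stored `PassHash`, so rows hashed with the current scheme would need re-hashing on next login or a migration, and that should be called out in a docstring because the function is now the single definition all three CGI scripts share. Two of the new lines carry trailing semicolons (`saltedHash = xor(passHash,salt);`, `outHash = m.digest();`), which should go either way. If the construction is kept for now, the `xor` helper cycles `key[i % l]`, so it silently tolerates a salt shorter than the 64-byte digest; that only lines up because `create` builds `Salt` from `os.urandom(64)`, and a comment stating that assumption would protect the next change.
```python
# … unchanged: xor(data, key) …

PBKDF2_ITERATIONS = 600_000  # constructed starting value; tune to the host's latency budget


def pass_salt_algo(passwd, Salt):
    """Return the hex digest stored in PassHash for *passwd* under hex-encoded *Salt*.

    Uses PBKDF2-HMAC-SHA512 in place of the sha512/xor/sha512 construction;
    rows hashed with the old construction no longer verify and must be re-hashed.
    """
    salt = binascii.unhexlify(Salt)
    derived = hashlib.pbkdf2_hmac('sha512', passwd.encode('utf-8'), salt, PBKDF2_ITERATIONS)
    return binascii.hexlify(derived).decode("utf-8")
```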