Index: cram.admin.inc =================================================================== RCS file: cram.admin.inc diff -N cram.admin.inc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ cram.admin.inc 19 Feb 2008 22:18:28 -0000 @@ -0,0 +1,16 @@ + 'radios', + '#title' => t('CRAM Enabled by default'), + '#default_value' => variable_get('cram_default_enabled', 0), + '#options' => array(t('Default to insecure login'), t('Default to CRAM login')), + ); + return system_settings_form($form); +} Index: cram.info =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/cram/cram.info,v retrieving revision 1.2 diff -u -p -r1.2 cram.info --- cram.info 16 Jan 2008 02:21:49 -0000 1.2 +++ cram.info 19 Feb 2008 22:18:28 -0000 @@ -1,4 +1,4 @@ ; $Id: cram.info,v 1.2 2008/01/16 02:21:49 selmanj Exp $ name = CRAM description = "A javascript implementation of CRAM (Challenge-Response Authentication Mechanism)" -version = 5.x-1.x-dev +core = 6.x Index: cram.install =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/cram/cram.install,v retrieving revision 1.2 diff -u -p -r1.2 cram.install --- cram.install 26 Jan 2008 05:03:17 -0000 1.2 +++ cram.install 19 Feb 2008 22:18:28 -0000 @@ -1,20 +1,44 @@ array( + 'nonce' => array( + 'type' => 'varchar', + 'length' => 32, + 'not null' => TRUE, + 'default' => ''), + 'issued' => array( + 'type' => 'int', + 'not null' => TRUE, + 'default' => 0), + 'valid' => array( + 'type' => 'int', + 'not null' => TRUE, + 'default' => 0), + ), + 'primary key' => array('nonce', 'issued'), + ); + return $schema; +} + function cram_install() { - switch($GLOBALS['db_type']) { - case 'mysql': - case 'mysqli': - db_query("CREATE TABLE {cram_nonce} ( - nonce varchar(32) NOT NULL default '', - issued int(11) NOT NULL default '0', - valid int(1) NOT NULL default '0', - PRIMARY KEY (nonce, issued) - ) /*!40100 DEFAULT CHARACTER SET utf8 */;"); - break; - } + drupal_install_schema('cram'); } function cram_uninstall() { - db_query('DROP TABLE {cram_nonce}'); + drupal_uninstall_schema('cram'); +} + +function cram_update_1() { + $ret = array(); + + if (!db_table_exists('cram_nonce')) { + $ret = drupal_install_schema('cram'); + } + + if (db_table_exists('cram_challenge')) { + db_drop_table($ret, 'cram_challenge'); + } } Index: cram.module =================================================================== RCS file: /cvs/drupal-contrib/contributions/modules/cram/cram.module,v retrieving revision 1.7 diff -u -p -r1.7 cram.module --- cram.module 19 Feb 2008 05:46:07 -0000 1.7 +++ cram.module 19 Feb 2008 22:18:28 -0000 @@ -4,70 +4,74 @@ /** * Implementation of hook_menu(). */ -function cram_menu($may_cache) { - $items = array(); - - if ($may_cache) { - $items[] = array('path' => 'admin/settings/cram', - 'title' => t('CRAM settings'), - 'description' => t('Adjust settings for CRAM secure login.'), - 'callback' => 'drupal_get_form', - 'callback arguments' => array('cram_admin_settings'), - 'access' => user_access('administer site configuration'), - 'type' => MENU_NORMAL_ITEM, - ); - } +function cram_menu() { + $items['admin/settings/cram'] = array( + 'title' => 'CRAM settings', + 'description' => 'Adjust settings for CRAM secure login.', + 'page callback' => 'drupal_get_form', + 'page arguments' => array('cram_admin_settings'), + 'access arguments' => array('administer site configuration'), + 'type' => MENU_NORMAL_ITEM, + 'file' => 'cram.admin.inc', + 'file path' => drupal_get_path('module', 'cram'), + ); return $items; } -/** - * Cram settings page in the admin menu. +/** + * Custom version of user_login_authenticate_validate() */ -function cram_admin_settings() { - $form = array(); - $form['cram_default_enabled'] = array( - '#type' => 'radios', - '#title' => t('CRAM Enabled by default'), - '#default_value' => variable_get('cram_default_enabled', 0), - '#options' => array(t('Default to insecure login'), t('Default to CRAM login')), - ); - return system_settings_form($form); +function cram_login_authenticate_validate($form, &$form_state) { + $form_values = $form_state['values']; + $form_values['cram_nonce'] = $form['#post']['cram_nonce']; + cram_authenticate($form_values); } /** - * Implementation of hook_auth(). + * Custom version of user_authenticate() */ -function cram_auth($username, $pass, $server) { - // does the user already exist? we don't want to authenticate non-existant users - $user = user_load(array('name' => $username)); - if ($user === FALSE) { - return FALSE; - } - $nonce_array = explode('.', $_POST['cram_nonce']); - // check to see if we have a valid nonce - $query = "SELECT nonce, issued, valid FROM {cram_nonce} WHERE nonce='%s' AND issued='%d' AND issued > '%d'"; - if (db_num_rows(db_query($query, $nonce_array[0], $nonce_array[1], time()-60)) == 0) { - return FALSE; - } +function cram_authenticate($form_values = array()) { + global $user; + if (!empty($form_values['name']) && !empty($form_values['pass']) && + $account = user_load(array('name' => $form_values['name'], 'status' => 1))) { + $user = $account; + + // Get username and password + $username = $form_values['name']; + $pass = $form_values['pass']; + // Get nonce - for some reason $form_state['values']['cram_nonce'] and + // $form['#post']['cram_nonce'] aren't the same. $form['#post'] is the same + // as $_POST which is what the old code used. + $nonce = $form_values['cram_nonce']; + $nonce_array = explode('.', $form_values['cram_nonce']); + + // check to see if we have a valid nonce + $query = "SELECT nonce, issued, valid FROM {cram_nonce} WHERE nonce='%s' AND issued='%d' AND issued > '%d'"; + if (db_result(db_query($query, $nonce_array[0], $nonce_array[1], time()-60)) == FALSE) { + return FALSE; + } - if ($pass != cram_hmac_md5($user->pass, $_POST['cram_nonce'])) { - return FALSE; - } - // we found a match! immediately expire the nonce - db_query("UPDATE {cram_nonce} SET valid=0 WHERE nonce='%s' AND issued='%d'", $nonce_array[0], $nonce_array[1]); - return TRUE; + if ($pass != cram_hmac_md5($user->pass, $nonce)) { + return FALSE; + } + // we found a match! immediately expire the nonce + db_query("UPDATE {cram_nonce} SET valid=0 WHERE nonce='%s' AND issued='%d'", $nonce_array[0], $nonce_array[1]); + + user_authenticate_finalize($form_state['values']); + return $user; + } } /** * Implementation of hook_form_alter(). */ -function cram_form_alter($form_id, &$form) { +function cram_form_alter(&$form, &$form_state, $form_id) { if ($form_id == 'user_login' || $form_id == 'user_login_block') { if (_cram_enabled()) { $module_path = drupal_get_path('module', 'cram'); // Make sure the md5.js file is available. if (!file_exists("$module_path/md5.js")) { - watchdog('cram', "md5.js was not found in $module_path. See the INSTALL.txt file for details.", WATCHDOG_ERROR); + watchdog('cram', "md5.js was not found in $module_path. See the INSTALL.txt file for details.", array(), WATCHDOG_ERROR); return; } // add our md5 and cram javascript to the page view @@ -78,9 +82,17 @@ function cram_form_alter($form_id, &$for '#type' => 'hidden', '#value' => cram_get_nonce(), ); - $form['#prefix'] = l('Click here to revert to plaintext login.', $_GET['q'], array(), 'cram_enabled=0'); + // Validate using the first and last of user_login_default_validators(), + // but use a custom made login_authenticate_validate function for password + // checking, which actually needs to check a hash. + $form['#validate'] = array( + 'user_login_name_validate', + 'cram_login_authenticate_validate', + 'user_login_final_validate', + ); + $form['#prefix'] = l('Click here to revert to plaintext login.', $_GET['q'], array('query' => 'cram_enabled=0')); } else { - $form['#prefix'] = l('Click here to log in using CRAM secure login.', $_GET['q'], array(), 'cram_enabled=1'); + $form['#prefix'] = l('Click here to log in using CRAM secure login.', $_GET['q'], array('query' => 'cram_enabled=1')); } } } @@ -102,7 +114,7 @@ function _cram_enabled() { */ function cram_get_nonce() { // generate our nonce - $nonce = md5(mt_rand() . getmypid() . $_SERVER['REMOTE_ADDR']); + $nonce = md5(mt_rand() . getmypid() . ip_address()); $issued = time(); db_query("INSERT INTO {cram_nonce} (nonce, issued, valid) VALUES ( '%s', '%d', 1)", $nonce, $issued);