Encrypt transition

freeciv-proxy/freeciv-proxy.py

@@ -159,17 +159,38 @@ def get_game_auth_method(self, cursor):
             return "password"
 
     def check_user_password(self, cursor, username, password):
-        query = ("select secure_hashed_password, activated from auth where lower(username)=lower(%(usr)s)")
-        cursor.execute(query, {'usr': username, 'pwd': password})
+        # Encryption method transition period code. Clear out first query and
+        # compat_encrypt use after the transition period.
+        query = ("select digest_pw from auth where lower(username) = lower(%(usr)s)")
+        cursor.execute(query, {'usr': username})
+        result = cursor.fetchall()
+        if len(result) == 0:
+            return True
+        compat_encrypt = not result[0][0]
+        if compat_encrypt:
+            query = ("select secure_hashed_password, CAST(ENCRYPT(%(pwd)s, secure_hashed_password) AS CHAR), activated, id from auth where lower(username)=lower(%(usr)s)")
+            cursor.execute(query, {'usr': username, 'pwd': password})
+        else:
+            query = ("select secure_hashed_password, activated from auth where lower(username)=lower(%(usr)s)")
+            cursor.execute(query, {'usr': username})
         result = cursor.fetchall()
 
         if len(result) == 0:
             # Unreserved user, no password needed
             return True
 
-        for secure_shashed_password, active in result:
-            if (active == 0): return False
-            if secure_shashed_password == hashlib.sha256(password.encode('utf-8')).hexdigest(): return True
+        if compat_encrypt:
+            for db_pass, encrypted_pass, active, uid in result:
+                if (active == 0): return False
+                if db_pass == encrypted_pass:
+                    new_hash = hashlib.sha256(password.encode('utf-8')).hexdigest()
+                    query = ("update auth set secure_hashed_password = %(pwd)s, digest_pw = TRUE where id = %(uid)s;")
+                    cursor.execute(query, {'pwd': new_hash, 'uid': uid})
+                    return True
+        else:
+            for secure_shashed_password, active in result:
+                if (active == 0): return False
+                if secure_shashed_password == hashlib.sha256(password.encode('utf-8')).hexdigest(): return True
 
         return False
 

freeciv-web/src/main/java/org/freeciv/persistence/DbManager.java

@@ -22,7 +22,7 @@ public static String getQueryCountServersByHost() {
 	}
 
 	public static String getQuerySaltHash() {
-		return " SELECT secure_hashed_password FROM auth " //
+		return " SELECT secure_hashed_password,digest_pw FROM auth " //
 				+ " WHERE LOWER(username) = LOWER(?) AND activated = '1' " //
 				+ " LIMIT 1 ";
 	}
@@ -148,8 +148,8 @@ public static StringBuilder getQueryUpdateServers(boolean serverExists, List<Str
 	}
 
 	public static String getQueryInsertAuthPlayer() {
-		return "INSERT INTO auth (username, email, secure_hashed_password, activated, ip) " //
-				+ "VALUES (?, ?, ?, ?, ?)";
+		return "INSERT INTO auth (username, email, secure_hashed_password, activated, ip, digest_pw) " //
+				+ "VALUES (?, ?, ?, ?, ?, TRUE)";
 	}
 
     public static String getQueryInsertCheater() {

freeciv-web/src/main/java/org/freeciv/servlet/LoginUser.java

@@ -17,6 +17,8 @@
  *******************************************************************************/
 package org.freeciv.servlet;
 
+import org.apache.commons.codec.digest.Crypt;
+
 import java.io.*;
 import javax.servlet.*;
 import javax.servlet.http.*;
@@ -76,13 +78,24 @@ public void doPost(HttpServletRequest request, HttpServletResponse response)
 				response.getOutputStream().print("Failed");
 			} else {
 				String hashedPasswordFromDB = rs1.getString(1);
-				if (hashedPasswordFromDB != null &&
-						hashedPasswordFromDB.equals(DigestUtils.sha256Hex(secure_password))) {
+                                Boolean compat_encrypt = !rs1.getBoolean(2);
+                                if (compat_encrypt) {
+                                    if (hashedPasswordFromDB != null &&
+                                        hashedPasswordFromDB.equals(Crypt.crypt(secure_password, hashedPasswordFromDB))) {
+                                        // Login OK!
+					response.getOutputStream().print("OK");
+                                    } else {
+					response.getOutputStream().print("Failed");
+                                    }
+                                } else {
+                                    if (hashedPasswordFromDB != null &&
+                                        hashedPasswordFromDB.equals(DigestUtils.sha256Hex(secure_password))) {
 					// Login OK!
 					response.getOutputStream().print("OK");
-				} else {
+                                    } else {
 					response.getOutputStream().print("Failed");
-				}
+                                    }
+                                }
 			}
 
 

freeciv-web/src/main/resources/db/migration/V1_15__encrypt_mode.sql

@@ -0,0 +1,2 @@
+alter table auth add column `digest_pw` BOOLEAN;
+update auth set digest_pw = FALSE;