From d3df8eca869c5ed0ccbbff24734ed0942f1db630 Mon Sep 17 00:00:00 2001 From: david Date: Thu, 4 Oct 2012 14:54:02 +0000 Subject: [PATCH] =?UTF-8?q?Tarea=20#1104=20->=20Guardar=20en=20el=20usuari?= =?UTF-8?q?o=20la=20fecha=20de=20creaci=C3=B3n,=20del=20=C3=BAltimo=20logi?= =?UTF-8?q?n=20y=20del=20borrado=20(baja=20l=C3=B3gica)=20Tarea=20#1099=20?= =?UTF-8?q?->=20Mejorar=20la=20encriptaci=C3=B3n=20de=20las=20contrase?= =?UTF-8?q?=C3=B1as?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: https://192.168.0.254/svn/Proyectos.Incam_PROFIND_Web/trunk@55 3fe1ab16-cfe0-e34b-8c9f-7d8c168d430d --- www/protected/components/Controller.php | 2 +- .../components/IdentificacionUsuario.php | 20 +- www/protected/components/UsuarioWeb.php | 27 +- www/protected/config/main.php | 160 ++++------- www/protected/config/mode_development.php | 5 +- .../controllers/EquipoController.php | 5 +- .../controllers/RegistroUsuarioController.php | 12 +- .../SeguridadUsuarioController.php | 4 +- .../extensions/PasswordHash/PasswordHash.php | 253 ++++++++++++++++++ .../extensions/PasswordHash/c/Makefile | 21 ++ .../extensions/PasswordHash/c/crypt_private.c | 106 ++++++++ .../extensions/PasswordHash/test.php | 72 +++++ .../m121004_100805_tbl_usuarios.php | 14 + .../models/FormularioCambiarPassword.php | 2 +- www/protected/models/Usuario.php | 42 ++- 15 files changed, 587 insertions(+), 158 deletions(-) create mode 100644 www/protected/extensions/PasswordHash/PasswordHash.php create mode 100644 www/protected/extensions/PasswordHash/c/Makefile create mode 100644 www/protected/extensions/PasswordHash/c/crypt_private.c create mode 100644 www/protected/extensions/PasswordHash/test.php create mode 100644 www/protected/migrations/m121004_100805_tbl_usuarios.php diff --git a/www/protected/components/Controller.php b/www/protected/components/Controller.php index 4d27862..ee7d14d 100644 --- a/www/protected/components/Controller.php +++ b/www/protected/components/Controller.php @@ -9,7 +9,7 @@ class Controller extends CController * @var string the default layout for the controller view. Defaults to '//layouts/column1', * meaning using a single column layout. See 'protected/views/layouts/column1.php'. */ - public $layout='//layouts/column1'; + public $layout='//layouts/main'; /** * @var array context menu items. This property will be assigned to {@link CMenu::items}. */ diff --git a/www/protected/components/IdentificacionUsuario.php b/www/protected/components/IdentificacionUsuario.php index 2d4fd06..79f8241 100644 --- a/www/protected/components/IdentificacionUsuario.php +++ b/www/protected/components/IdentificacionUsuario.php @@ -36,11 +36,15 @@ class IdentificacionUsuario extends CBaseUserIdentity { */ public function authenticate() { $usuario = Usuario::model()->findByAttributes(array('email' => $this->email)); + $ph = new PasswordHash( + Yii::app()->params['phpass']['iteration_count_log2'], + Yii::app()->params['phpass']['portable_hashes'] + ); if ($usuario === NULL) { $this->errorCode = self::ERROR_USERNAME_INVALID; } else { - if ($usuario->password !== $usuario->encrypt($this->password)) + if (($usuario->password !== md5($this->password)) && !$ph->checkPassword($this->password, $usuario->password)) $this->errorCode = self::ERROR_PASSWORD_INVALID; else if($usuario->estado == Usuario::ESTADO_NOACTIVO) $this->errorCode = self::ERROR_ESTADO_NOACTIVO; @@ -49,15 +53,13 @@ class IdentificacionUsuario extends CBaseUserIdentity { else if($usuario->estado == Usuario::ESTADO_DENEGADO) $this->errorCode = self::ERROR_ESTADO_DENEGADO; else { - $this->_id = $usuario->id; - $this->setState('id_empresa', $usuario->id_empresa); - if ($usuario->last_login_time === null) { - $lastLogin = time(); - } else { - $lastLogin = strtotime($usuario->last_login_time); - $this->setState('lastLoginTime', $lastLogin); + // Si el usuario tiene cifrada la contraseña con md5() + // pasarla al nuevo método. + if ($usuario->password{0} !== '$') { + $usuario->password = $ph->HashPassword($this->password); + $usuario->save(); } - + $this->_id = $usuario->id; $this->errorCode = self::ERROR_NONE; } } diff --git a/www/protected/components/UsuarioWeb.php b/www/protected/components/UsuarioWeb.php index f711268..54905ff 100644 --- a/www/protected/components/UsuarioWeb.php +++ b/www/protected/components/UsuarioWeb.php @@ -4,42 +4,49 @@ class UsuarioWeb extends CWebUser { private $_model; + public function afterLogin(){ + if (($this->_model === null) && ($this->loadUser())) + Usuario::model()->updateByPk($this->id, array( + 'last_login_time'=> date("Y-m-d H:i:s"), + )); + return true; + } + public function getId_empresa() { - $usuario = $this->loadUser(Yii::app()->user->id); + $usuario = $this->loadUser($this->id); return $usuario->id_empresa; } public function getEsCoordinador() { - $usuario = $this->loadUser(Yii::app()->user->id); + $usuario = $this->loadUser(); return ($usuario->tipo == Usuario::TIPO_USUARIO_COORDINADOR); } public function getTieneEquipo() { - $subscripcion = $this->loadSubscripcion(Yii::app()->user->id); + $subscripcion = $this->loadSubscripcion(); return ($subscripcion->producto->n_agentes > 0); } public function getSubscripcion() { - return $this->loadSubscripcion(Yii::app()->user->id); + return $this->loadSubscripcion(); } public function getName() { - $usuario = $this->loadUser(Yii::app()->user->id); + $usuario = $this->loadUser(); return ($usuario->nombre) ? $usuario->nombreCompleto : parent::getName(); } // Load user model. - protected function loadUser($id = null) { + protected function loadUser() { if ($this->_model === null) { - if ($id !== null) - $this->_model = Usuario::model()->findByPk($id); + $this->_model = Usuario::model()->findByPk($this->id); } return $this->_model; } // Carga la subscripción activa - protected function loadSubscripcion($idUsuario = null) { - return Subscripcion::model()->activa()->findByAttributes(array('id_usuario' => $idUsuario)); + protected function loadSubscripcion() { + return Subscripcion::model()->activa()->findByAttributes(array('id_usuario' => $this->id)); } diff --git a/www/protected/config/main.php b/www/protected/config/main.php index 3f2580a..5c23d90 100644 --- a/www/protected/config/main.php +++ b/www/protected/config/main.php @@ -2,125 +2,59 @@ // Set yiiPath (add extra ../../) // $yiiPath = dirname(__FILE__) . '/../../../yii/framework/yii.php'; - // Set YII_DEBUG and YII_TRACE_LEVEL flags //$debug = true; //$traceLevel = 0; $config = array( - 'basePath'=>dirname(__FILE__).DIRECTORY_SEPARATOR.'..', - 'theme'=>'profind', - 'sourceLanguage' => 'en_US', - 'language' => 'es', - 'name' => 'PROFIND', - 'defaultController' => 'usuario', + 'basePath' => dirname(__FILE__) . DIRECTORY_SEPARATOR . '..', + 'theme' => 'profind', + 'sourceLanguage' => 'es', + 'language' => 'es', + 'name' => 'PROFIND', - - // preloading 'log' component - 'preload'=>array('log'), - - // autoloading model and component classes - 'import'=>array( - 'application.models.*', - 'application.components.*', - 'application.extensions.yii-mail.YiiMailMessage', - ), + 'defaultController' => 'usuario', - 'modules'=>array( - 'application.modules.socialconnect.SocialConnectModule', - ), - - // application components - 'components'=>array( - 'user'=>array( - 'class' => 'UsuarioWeb', - 'allowAutoLogin' => false, - ), - // uncomment the following to enable URLs in path-format - /*'urlManager' => array( - 'urlFormat' => 'path', - // Ocultar 'index.php' de las URL's. - // Hay que poner un fichero .htaccess con la redirección. - 'showScriptName' => false, - 'urlSuffix' => '.html', - 'rules' => require(dirname(__FILE__) . '/url_rules.php'), - ),*/ - - 'errorHandler'=>array( - // use 'site/error' action to display errors - 'errorAction'=>'site/error', - ), - /*'widgetFactory'=>array( - 'widgets'=>array( - 'CLinkPager'=>array( - 'cssFile'=>(strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css/pager.css', - ), - 'CJuiAccordion' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiAutoComplete' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiButton' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiDatePicker' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiDialog' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiDraggable' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiDroppable' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiInputWidget' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiProgressBar' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiResizable' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiSelectable' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiSlider' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiSliderInput' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiSortable' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiTabs' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - 'CJuiWidget' => array ( - 'themeUrl' => (strlen(dirname($_SERVER['SCRIPT_NAME']))>1 ? dirname($_SERVER['SCRIPT_NAME']) : '' ) . '/css', - 'theme' => 'plugins', - ), - ), - ),*/ - ), + // preloading 'log' component + 'preload' => array('log'), + + // autoloading model and component classes + 'import' => array( + 'application.models.*', + 'application.components.*', + 'application.extensions.yii-mail.YiiMailMessage', + 'application.extensions.PasswordHash.PasswordHash', + ), + + 'modules' => array( + 'application.modules.socialconnect.SocialConnectModule', + ), + + // application components + 'components' => array( + 'user' => array( + 'class' => 'UsuarioWeb', + 'allowAutoLogin' => false, + ), + // uncomment the following to enable URLs in path-format + /* 'urlManager' => array( + 'urlFormat' => 'path', + // Ocultar 'index.php' de las URL's. + // Hay que poner un fichero .htaccess con la redirección. + 'showScriptName' => false, + 'urlSuffix' => '.html', + 'rules' => require(dirname(__FILE__) . '/url_rules.php'), + ), */ + 'errorHandler' => array( + // use 'site/error' action to display errors + 'errorAction' => 'site/error', + ), + ), + 'params' => array( + 'phpass' => array( + 'iteration_count_log2' => 8, + 'portable_hashes' => false, + ), + ) ); \ No newline at end of file diff --git a/www/protected/config/mode_development.php b/www/protected/config/mode_development.php index 091e15a..435aef0 100644 --- a/www/protected/config/mode_development.php +++ b/www/protected/config/mode_development.php @@ -85,13 +85,12 @@ $configSpecific = array( // Save log messages on file array( 'class' => 'CFileLogRoute', - 'levels' => 'error, warning, info', + 'levels' => 'error, warning', ), // Show log messages on web pages array( 'class' => 'CWebLogRoute', - //'categories' => 'system.db.CDbCommand', - 'levels' => 'error, warning, trace, info', + 'levels' => 'error, warning', 'showInFireBug' => true, ), ), diff --git a/www/protected/controllers/EquipoController.php b/www/protected/controllers/EquipoController.php index 65f1e44..5016f34 100644 --- a/www/protected/controllers/EquipoController.php +++ b/www/protected/controllers/EquipoController.php @@ -41,9 +41,9 @@ class EquipoController extends Controller { $nuevo_usuario->tipo = Usuario::TIPO_USUARIO_AGENTE; $nuevo_usuario->nombre = $invitacion->nombre; $nuevo_usuario->email = $invitacion->email; - $nuevo_usuario->password = $nuevo_usuario->encrypt(microtime()); + $nuevo_usuario->password = $nuevo_usuario->encryptPassword(microtime()); $nuevo_usuario->estado = Usuario::ESTADO_NOACTIVO; - $nuevo_usuario->clave_seguridad = $nuevo_usuario->encrypt(microtime() . $nuevo_usuario->password); + $nuevo_usuario->clave_seguridad = $nuevo_usuario->encryptSecureKey(microtime() . $nuevo_usuario->password); if ($nuevo_usuario->save()) { $this->enviarMailRegistroAgente($nuevo_usuario); @@ -51,6 +51,7 @@ class EquipoController extends Controller { $invitacion = new FormularioInvitarAgente; } else { Yii::app()->user->setFlash('error', Yii::t('profind', 'Se ha producido un error al registrar la invitación')); + Yii::log(CVarDumper::dumpAsString($nuevo_usuario->attributes), CLogger::LEVEL_ERROR, $this->id); } } else { Yii::app()->user->setFlash('error', Yii::t('profind', 'Se ha producido un error al validar la invitación')); diff --git a/www/protected/controllers/RegistroUsuarioController.php b/www/protected/controllers/RegistroUsuarioController.php index abbb155..d72dd8b 100644 --- a/www/protected/controllers/RegistroUsuarioController.php +++ b/www/protected/controllers/RegistroUsuarioController.php @@ -49,9 +49,9 @@ class RegistroUsuarioController extends Controller { $nuevo_usuario = new Usuario('registrar'); $nuevo_usuario->tipo = Usuario::TIPO_USUARIO_COORDINADOR; $nuevo_usuario->email = $formulario->email; - $nuevo_usuario->password = $nuevo_usuario->encrypt($formulario->password); + $nuevo_usuario->password = $nuevo_usuario->encryptPassword($formulario->password); $nuevo_usuario->estado = Usuario::ESTADO_NOACTIVO; - $nuevo_usuario->clave_seguridad = $nuevo_usuario->encrypt(microtime() . $nuevo_usuario->password); + $nuevo_usuario->clave_seguridad = $nuevo_usuario->encryptSecureKey(microtime() . $nuevo_usuario->password); if (!$nuevo_usuario->save()) { foreach ($nuevo_usuario->getErrors() as $campo => $error) { @@ -155,8 +155,8 @@ class RegistroUsuarioController extends Controller { if (!isset($usuario)) throw new CHttpException(404, Yii::t('profind', 'La página solicitada no existe.')); - $usuario->password = $usuario->encrypt($nueva_password); - $usuario->clave_seguridad = $usuario->encrypt(microtime() . $usuario->password); + $usuario->password = $usuario->encryptPassword($nueva_password); + $usuario->clave_seguridad = $usuario->encryptSecureKey(microtime() . $usuario->password); if ($usuario->save()) { return true; } else @@ -193,7 +193,7 @@ class RegistroUsuarioController extends Controller { } elseif (isset($usuario->clave_seguridad) && ($usuario->clave_seguridad == $clave_seguridad)) { // Hay que activar el usuario $usuario->estado = Usuario::ESTADO_ACTIVO; - $usuario->clave_seguridad = $usuario->encrypt(microtime() . $usuario->password); + $usuario->clave_seguridad = $usuario->encryptSecureKey(microtime() . $usuario->password); $usuario->save(); $this->enviarMailConfirmacionActivacion($usuario); @@ -245,7 +245,7 @@ class RegistroUsuarioController extends Controller { } elseif (isset($usuario->clave_seguridad) && ($usuario->clave_seguridad == $clave_seguridad)) { // Hay que desactivar el usuario $usuario->estado = Usuario::ESTADO_NOACTIVO; - $usuario->clave_seguridad = $usuario->encrypt(microtime() . $usuario->password); + $usuario->clave_seguridad = $usuario->encryptSecureKey(microtime() . $usuario->password); $usuario->save(); $this->enviarMailConfirmacionCancelacion($usuario); diff --git a/www/protected/controllers/SeguridadUsuarioController.php b/www/protected/controllers/SeguridadUsuarioController.php index 776b2b5..f37ce7c 100644 --- a/www/protected/controllers/SeguridadUsuarioController.php +++ b/www/protected/controllers/SeguridadUsuarioController.php @@ -126,8 +126,8 @@ class SeguridadUsuarioController extends Controller { if (!isset($usuario)) throw new CHttpException(404, Yii::t('profind', 'La página solicitada no existe.')); - $usuario->password = $usuario->encrypt($nueva_password); - $usuario->clave_seguridad = $usuario->encrypt(microtime() . $usuario->password); + $usuario->password = $usuario->encryptPassword($nueva_password); + $usuario->clave_seguridad = $usuario->encryptSecureKey(microtime() . $usuario->password); if ($usuario->save()) { $this->enviarMailNotificacionCambioPassword($usuario); return true; diff --git a/www/protected/extensions/PasswordHash/PasswordHash.php b/www/protected/extensions/PasswordHash/PasswordHash.php new file mode 100644 index 0000000..12958c7 --- /dev/null +++ b/www/protected/extensions/PasswordHash/PasswordHash.php @@ -0,0 +1,253 @@ + in 2004-2006 and placed in +# the public domain. Revised in subsequent years, still public domain. +# +# There's absolutely no warranty. +# +# The homepage URL for this framework is: +# +# http://www.openwall.com/phpass/ +# +# Please be sure to update the Version line if you edit this file in any way. +# It is suggested that you leave the main version number intact, but indicate +# your project name (after the slash) and add your own revision information. +# +# Please do not change the "private" password hashing method implemented in +# here, thereby making your hashes incompatible. However, if you must, please +# change the hash type identifier (the "$P$") to something different. +# +# Obviously, since this code is in the public domain, the above are not +# requirements (there can be none), but merely suggestions. +# +class PasswordHash { + var $itoa64; + var $iteration_count_log2; + var $portable_hashes; + var $random_state; + + function PasswordHash($iteration_count_log2, $portable_hashes) + { + $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + + if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) + $iteration_count_log2 = 8; + $this->iteration_count_log2 = $iteration_count_log2; + + $this->portable_hashes = $portable_hashes; + + $this->random_state = microtime(); + if (function_exists('getmypid')) + $this->random_state .= getmypid(); + } + + function get_random_bytes($count) + { + $output = ''; + if (is_readable('/dev/urandom') && + ($fh = @fopen('/dev/urandom', 'rb'))) { + $output = fread($fh, $count); + fclose($fh); + } + + if (strlen($output) < $count) { + $output = ''; + for ($i = 0; $i < $count; $i += 16) { + $this->random_state = + md5(microtime() . $this->random_state); + $output .= + pack('H*', md5($this->random_state)); + } + $output = substr($output, 0, $count); + } + + return $output; + } + + function encode64($input, $count) + { + $output = ''; + $i = 0; + do { + $value = ord($input[$i++]); + $output .= $this->itoa64[$value & 0x3f]; + if ($i < $count) + $value |= ord($input[$i]) << 8; + $output .= $this->itoa64[($value >> 6) & 0x3f]; + if ($i++ >= $count) + break; + if ($i < $count) + $value |= ord($input[$i]) << 16; + $output .= $this->itoa64[($value >> 12) & 0x3f]; + if ($i++ >= $count) + break; + $output .= $this->itoa64[($value >> 18) & 0x3f]; + } while ($i < $count); + + return $output; + } + + function gensalt_private($input) + { + $output = '$P$'; + $output .= $this->itoa64[min($this->iteration_count_log2 + + ((PHP_VERSION >= '5') ? 5 : 3), 30)]; + $output .= $this->encode64($input, 6); + + return $output; + } + + function crypt_private($password, $setting) + { + $output = '*0'; + if (substr($setting, 0, 2) == $output) + $output = '*1'; + + $id = substr($setting, 0, 3); + # We use "$P$", phpBB3 uses "$H$" for the same thing + if ($id != '$P$' && $id != '$H$') + return $output; + + $count_log2 = strpos($this->itoa64, $setting[3]); + if ($count_log2 < 7 || $count_log2 > 30) + return $output; + + $count = 1 << $count_log2; + + $salt = substr($setting, 4, 8); + if (strlen($salt) != 8) + return $output; + + # We're kind of forced to use MD5 here since it's the only + # cryptographic primitive available in all versions of PHP + # currently in use. To implement our own low-level crypto + # in PHP would result in much worse performance and + # consequently in lower iteration counts and hashes that are + # quicker to crack (by non-PHP code). + if (PHP_VERSION >= '5') { + $hash = md5($salt . $password, TRUE); + do { + $hash = md5($hash . $password, TRUE); + } while (--$count); + } else { + $hash = pack('H*', md5($salt . $password)); + do { + $hash = pack('H*', md5($hash . $password)); + } while (--$count); + } + + $output = substr($setting, 0, 12); + $output .= $this->encode64($hash, 16); + + return $output; + } + + function gensalt_extended($input) + { + $count_log2 = min($this->iteration_count_log2 + 8, 24); + # This should be odd to not reveal weak DES keys, and the + # maximum valid value is (2**24 - 1) which is odd anyway. + $count = (1 << $count_log2) - 1; + + $output = '_'; + $output .= $this->itoa64[$count & 0x3f]; + $output .= $this->itoa64[($count >> 6) & 0x3f]; + $output .= $this->itoa64[($count >> 12) & 0x3f]; + $output .= $this->itoa64[($count >> 18) & 0x3f]; + + $output .= $this->encode64($input, 3); + + return $output; + } + + function gensalt_blowfish($input) + { + # This one needs to use a different order of characters and a + # different encoding scheme from the one in encode64() above. + # We care because the last character in our encoded string will + # only represent 2 bits. While two known implementations of + # bcrypt will happily accept and correct a salt string which + # has the 4 unused bits set to non-zero, we do not want to take + # chances and we also do not want to waste an additional byte + # of entropy. + $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; + + $output = '$2a$'; + $output .= chr(ord('0') + $this->iteration_count_log2 / 10); + $output .= chr(ord('0') + $this->iteration_count_log2 % 10); + $output .= '$'; + + $i = 0; + do { + $c1 = ord($input[$i++]); + $output .= $itoa64[$c1 >> 2]; + $c1 = ($c1 & 0x03) << 4; + if ($i >= 16) { + $output .= $itoa64[$c1]; + break; + } + + $c2 = ord($input[$i++]); + $c1 |= $c2 >> 4; + $output .= $itoa64[$c1]; + $c1 = ($c2 & 0x0f) << 2; + + $c2 = ord($input[$i++]); + $c1 |= $c2 >> 6; + $output .= $itoa64[$c1]; + $output .= $itoa64[$c2 & 0x3f]; + } while (1); + + return $output; + } + + function HashPassword($password) + { + $random = ''; + + if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { + $random = $this->get_random_bytes(16); + $hash = + crypt($password, $this->gensalt_blowfish($random)); + if (strlen($hash) == 60) + return $hash; + } + + if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { + if (strlen($random) < 3) + $random = $this->get_random_bytes(3); + $hash = + crypt($password, $this->gensalt_extended($random)); + if (strlen($hash) == 20) + return $hash; + } + + if (strlen($random) < 6) + $random = $this->get_random_bytes(6); + $hash = + $this->crypt_private($password, + $this->gensalt_private($random)); + if (strlen($hash) == 34) + return $hash; + + # Returning '*' on error is safe here, but would _not_ be safe + # in a crypt(3)-like function used _both_ for generating new + # hashes and for validating passwords against existing hashes. + return '*'; + } + + function CheckPassword($password, $stored_hash) + { + $hash = $this->crypt_private($password, $stored_hash); + if ($hash[0] == '*') + $hash = crypt($password, $stored_hash); + + return $hash == $stored_hash; + } +} + +?> diff --git a/www/protected/extensions/PasswordHash/c/Makefile b/www/protected/extensions/PasswordHash/c/Makefile new file mode 100644 index 0000000..fe48917 --- /dev/null +++ b/www/protected/extensions/PasswordHash/c/Makefile @@ -0,0 +1,21 @@ +# +# Written by Solar Designer and placed in the public domain. +# See crypt_private.c for more information. +# +CC = gcc +LD = $(CC) +RM = rm -f +CFLAGS = -Wall -O2 -fomit-frame-pointer -funroll-loops +LDFLAGS = -s +LIBS = -lcrypto + +all: crypt_private-test + +crypt_private-test: crypt_private-test.o + $(LD) $(LDFLAGS) $(LIBS) crypt_private-test.o -o $@ + +crypt_private-test.o: crypt_private.c + $(CC) -c $(CFLAGS) crypt_private.c -DTEST -o $@ + +clean: + $(RM) crypt_private-test* diff --git a/www/protected/extensions/PasswordHash/c/crypt_private.c b/www/protected/extensions/PasswordHash/c/crypt_private.c new file mode 100644 index 0000000..6abc05b --- /dev/null +++ b/www/protected/extensions/PasswordHash/c/crypt_private.c @@ -0,0 +1,106 @@ +/* + * This code exists for the sole purpose to serve as another implementation + * of the "private" password hashing method implemened in PasswordHash.php + * and thus to confirm that these password hashes are indeed calculated as + * intended. + * + * Other uses of this code are discouraged. There are much better password + * hashing algorithms available to C programmers; one of those is bcrypt: + * + * http://www.openwall.com/crypt/ + * + * Written by Solar Designer in 2005 and placed in + * the public domain. + * + * There's absolutely no warranty. + */ + +#include +#include + +#ifdef TEST +#include +#endif + +static char *itoa64 = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static void encode64(char *dst, char *src, int count) +{ + int i, value; + + i = 0; + do { + value = (unsigned char)src[i++]; + *dst++ = itoa64[value & 0x3f]; + if (i < count) + value |= (unsigned char)src[i] << 8; + *dst++ = itoa64[(value >> 6) & 0x3f]; + if (i++ >= count) + break; + if (i < count) + value |= (unsigned char)src[i] << 16; + *dst++ = itoa64[(value >> 12) & 0x3f]; + if (i++ >= count) + break; + *dst++ = itoa64[(value >> 18) & 0x3f]; + } while (i < count); +} + +char *crypt_private(char *password, char *setting) +{ + static char output[35]; + MD5_CTX ctx; + char hash[MD5_DIGEST_LENGTH]; + char *p, *salt; + int count_log2, length, count; + + strcpy(output, "*0"); + if (!strncmp(setting, output, 2)) + output[1] = '1'; + + if (strncmp(setting, "$P$", 3)) + return output; + + p = strchr(itoa64, setting[3]); + if (!p) + return output; + count_log2 = p - itoa64; + if (count_log2 < 7 || count_log2 > 30) + return output; + + salt = setting + 4; + if (strlen(salt) < 8) + return output; + + length = strlen(password); + + MD5_Init(&ctx); + MD5_Update(&ctx, salt, 8); + MD5_Update(&ctx, password, length); + MD5_Final(hash, &ctx); + + count = 1 << count_log2; + do { + MD5_Init(&ctx); + MD5_Update(&ctx, hash, MD5_DIGEST_LENGTH); + MD5_Update(&ctx, password, length); + MD5_Final(hash, &ctx); + } while (--count); + + memcpy(output, setting, 12); + encode64(&output[12], hash, MD5_DIGEST_LENGTH); + + return output; +} + +#ifdef TEST +int main(int argc, char **argv) +{ + if (argc != 3) return 1; + + puts(crypt_private(argv[1], argv[2])); + + return 0; +} +#endif diff --git a/www/protected/extensions/PasswordHash/test.php b/www/protected/extensions/PasswordHash/test.php new file mode 100644 index 0000000..2f4a41c --- /dev/null +++ b/www/protected/extensions/PasswordHash/test.php @@ -0,0 +1,72 @@ +HashPassword($correct); + +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$wrong = 'test12346'; +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +unset($t_hasher); + +# Force the use of weaker portable hashes. +$t_hasher = new PasswordHash(8, TRUE); + +$hash = $t_hasher->HashPassword($correct); + +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +# A correct portable hash for 'test12345'. +# Please note the use of single quotes to ensure that the dollar signs will +# be interpreted literally. Of course, a real application making use of the +# framework won't store password hashes within a PHP source file anyway. +# We only do this for testing. +$hash = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'; + +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +if ($ok == 6) + print "All tests have PASSED\n"; +else + print "Some tests have FAILED\n"; + +?> diff --git a/www/protected/migrations/m121004_100805_tbl_usuarios.php b/www/protected/migrations/m121004_100805_tbl_usuarios.php new file mode 100644 index 0000000..0ec320c --- /dev/null +++ b/www/protected/migrations/m121004_100805_tbl_usuarios.php @@ -0,0 +1,14 @@ +addColumn('tbl_usuarios', 'created_time', 'datetime'); + $this->addColumn('tbl_usuarios', 'deleted_time', 'datetime'); + } + + public function safeDown() { + $this->dropColumn('tbl_usuarios', 'created_time'); + $this->dropColumn('tbl_usuarios', 'deleted_time'); + } +} \ No newline at end of file diff --git a/www/protected/models/FormularioCambiarPassword.php b/www/protected/models/FormularioCambiarPassword.php index 23334ad..f19c1b3 100644 --- a/www/protected/models/FormularioCambiarPassword.php +++ b/www/protected/models/FormularioCambiarPassword.php @@ -27,7 +27,7 @@ class FormularioCambiarPassword extends CFormModel { public function comprobarPasswordAnterior($attribute, $params) { if (!$this->hasErrors()) { $usuario = Usuario::model()->findByPk(Yii::app()->user->id); - if ($usuario->password != Usuario::model()->encrypt($this->passwordAnterior)) + if ($usuario->password != Usuario::model()->encryptPassword($this->passwordAnterior)) $this->addError($this->passwordAnterior, Yii::t('profind', 'La contraseña anterior no es correcta.')); } } diff --git a/www/protected/models/Usuario.php b/www/protected/models/Usuario.php index c6e3d52..3119a65 100644 --- a/www/protected/models/Usuario.php +++ b/www/protected/models/Usuario.php @@ -15,7 +15,9 @@ * @property string $titulo * @property string $localidad * @property string $telefono - * @property string $last_login_time + * @property datetime $last_login_time + * @property datetime $created_time + * @property datetime $deleted_time * @property string $clave_seguridad * @property string $descripcion * @property string $ficheroFotografia @@ -148,13 +150,20 @@ class Usuario extends CActiveRecord { $criteria->compare('titulo', $this->titulo, true); $criteria->compare('localidad', $this->localidad, true); $criteria->compare('telefono', $this->telefono, true); - $criteria->compare('last_login_time', $this->last_login_time, true); $criteria->compare('descripcion', $this->descripcion, true); return new CActiveDataProvider($this, array( 'criteria' => $criteria, )); } + + protected function beforeSave() { + if ($this->isNewRecord) + $this->created_time = date("Y-m-d H:i:s"); + if (($this->estado === self::ESTADO_BORRADO) && ($this->deleted_time === NULL)) + $this->deleted_time = date("Y-m-d H:i:s"); + return parent::beforeSave(); + } protected function afterFind() { parent::afterFind(); @@ -222,19 +231,30 @@ class Usuario extends CActiveRecord { } else return false; } - - /* - * Función para cifrar la contraseña del usuario (temporal) - * @return string contraseña cifrada - */ - public function encrypt($value) { - return md5($value); - } - + public function getNombreCompleto() { $cadena = $this->nombre; if ($this->apellidos) $cadena .= ' ' . $this->apellidos; return $cadena; } + /* + * Función para cifrar la contraseña del usuario + * @return string contraseña cifrada + */ + public function encryptPassword($password) { + $ph = new PasswordHash( + Yii::app()->params['phpass']['iteration_count_log2'], + Yii::app()->params['phpass']['portable_hashes'] + ); + return $ph->HashPassword($password); + } + + /* + * Función para cifrar la clave de seguridad del usuario + * @return string clave de seguridad cifrada + */ + public function encryptSecureKey($key) { + return md5($key); + } }