[TYPO3-project-4-3] Salted Passwords in Combination with RSAauth
Steffen Ritter
info at rs-websystems.de
Sun Jun 14 20:02:48 CEST 2009
Hi List, Hi Devs,
especially Core-Devs and Dmitry.
After discussion with Markus Krause I reimplemented the
saltedPasswords as a sysext. Stand-alone, this works fine; in
combination with rsaauth it does not.
So I had a closer look at rsaauth and the "co-work" of different
auth-services... I will present my results and hope for some response...
every service is called from
class.t3lib_userauth.php->checkAuthentication one after the other...
If any service does any transformation on the submitted data, such as
decrypting the encrypted password, this information is not retrieved
from the service and therefore not passed to the next...
So no later service can use the decryption of rsaauth.
Dmitry found a "workaround" for this, which will only work with
plain and md5 passwords, not with salted or any other encryption which
won't always return the same result (details follow).
The plain authService all Auth-Services are extending just checks for
equality of the db-value and the password... Since he could not pass the
decrypted password to the next service, he used the TCE Eval-Function to
hash the plain password and compare it to the db-value in his own
service...
Problem: if you call the encrypt function for salted passwords without a
salt, a random salt will be used and therefore the values WON'T EVER be the same.
Furthermore this is somewhat against the thought behind the services.
I hope you all followed so far.
The result is:
The work of a service has to be evaluated and used in the next service.
I did a small fix in checkAuthentication (which really won't hurt
anybody) and therefore this works, and rsaauth can be cleaned up by many
lines...
What is it about: Every service gets t3lib_userAuth as parentObject...
So I just moved $loginData (where the supplied form-values are stored)
to $this->loginData, so that a service may access it via pObj->loginData
if it thinks that its results are worth something for others...
So --> the only thing the rsa service has to do: save the decrypted
password to the parent object and let the normal authservices do their
job...
Diff for t3lib_userAuth attached.
The attached patch for rsaauth is without cleanup of stuff which is not
needed anymore, because I did not want to mix up things... so there is
just a change in storing the data and handing it around to other services.
I hope I was able to make it all clear... Looking forward to discussion.
regards
Steffen
Attachments:
userAuth.diff: http://lists.netfielders.de/pipermail/typo3-project-4-3/attachments/20090614/dfcc19c8/attachment-0002.txt
rsaauth.diff: http://lists.netfielders.de/pipermail/typo3-project-4-3/attachments/20090614/dfcc19c8/attachment-0003.txt
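The salt problem described in the mail, as an added illustration that is not TYPO3, saltedPasswords or rsaauth code: the storage format ("salt$sha1(salt.password)") and the function names saltedEncrypt/saltedCheck are made up for this example. It shows why re-encrypting the plain password with a fresh salt can never match the db-value, while a check that reuses the stored salt does.

```php
<?php
// Added example (hypothetical code, not TYPO3's saltedpasswords API).
// Constructed stored format: "<salt>$<sha1(salt . password)>".

function saltedEncrypt(string $password, ?string $salt = null): string
{
    // No salt supplied -> a random one is generated. This is the case the
    // mail criticises: every call returns a different value.
    if ($salt === null) {
        $salt = bin2hex(random_bytes(8));
    }
    return $salt . '$' . sha1($salt . $password);
}

function saltedCheck(string $password, string $stored): bool
{
    // A correct check reuses the salt embedded in the stored value
    // instead of generating a new one, so the comparison is stable.
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    return hash_equals($stored, saltedEncrypt($password, $parts[0]));
}

// Constructed sample: what the database would hold for this user.
$dbValue = saltedEncrypt('secret');

// Workaround approach from the mail: hash the plain password again (random
// salt each time) and compare with the db-value -> never equal.
var_dump(saltedEncrypt('secret') === $dbValue);

// Service approach: verify against the stored salt -> true for the right
// password, false for a wrong one.
var_dump(saltedCheck('secret', $dbValue));
var_dump(saltedCheck('wrong', $dbValue));
```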