From 473fba0091e30f627b2602b16325a7934331941c Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Thu, 10 Jul 2025 07:17:33 -0400
Subject: [PATCH] uth plain and login authentication use crypted password (instead hash)

---
 lib/devsql.c | 20 ++++++++++++--------
 lib/lvleml.c | 49 ++++++++++++++++++++++++++----------------------
 lib/unisql.c | 1 +
 lib/unisql.h | 1 +
 sql/mailleur.sql | 4 ++--
 5 files changed, 43 insertions(+), 32 deletions(-)

diff --git a/lib/devsql.c b/lib/devsql.c
index d1c6788..194274f 100644
--- a/lib/devsql.c
+++ b/lib/devsql.c
@@ -311,10 +311,11 @@ static USRTYP *select_user(SQLTYP *sql,char *email)
 //field available in table "emails"
 static const FLDTYP usrfield[]={
 {1,"email"},
- {2,"hash"},
- {3,"space"},
- {4,"mxspace"},
- {5,"locked"},
+ {2,"password"},
+ {3,"hash"},
+ {4,"space"},
+ {5,"mxspace"},
+ {6,"locked"},
 {0,(char *)0}
 };
@@ -366,16 +367,19 @@ while (proceed==true) {
 case 1 : //user email
 usr->email=strdup(locval);
 break;
- case 2 : //'email:realm:password' MD5
+ case 2 : //User crypted password
+ usr->password=strdup(locval);
+ break;
+ case 3 : //'email:realm:password' MD5
 usr->hash=strdup(locval);
 break;
- case 3 : //user used space
+ case 4 : //user used space
 usr->space=atoi(locval);
 break;
- case 4 : //user max space available
+ case 5 : //user max space available
 usr->mxspace=atoi(locval);
 break;
- case 5 : //lock status
+ case 6 : //lock status
 usr->lock=atoi(locval);
 break;
 default :
diff --git a/lib/lvleml.c b/lib/lvleml.c
index 2e3b47b..8b3f5f8 100644
--- a/lib/lvleml.c
+++ b/lib/lvleml.c
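Review bot: The column numbers in usrfield and the case labels in the switch of the second hunk are the same bare integers kept in sync by hand, and this commit has to renumber four of them to slot `password` in; one enum shared by both, e.g. `enum { FLD_EMAIL=1, FLD_PASSWORD, FLD_HASH, FLD_SPACE, FLD_MXSPACE, FLD_LOCKED };` used as the table keys and as the `case` labels, would make the next insertion a one-place change. The new `case 2` only assigns `usr->password` when that column is delivered, and sql_freeusr now frees the field unconditionally; if `usr` is obtained with malloc rather than calloc (the allocation is outside the hunk, so this is an inference), a row that never reaches that case leaves an indeterminate pointer to be freed, so the allocation site is worth confirming. select_user's body runs past both hunks.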
@@ -384,24 +384,7 @@ while (proceed==true) {
 phase=999; //No need to go further
 }
 break;
- case 2 : { //computing the given md5
- char *seq;
- MD5TYP *givenmd5;
-
- (void) rou_asprintf(&seq,"%s:%s:%s",data[1],rou_getrealm(),data[2]);
- givenmd5=dig_hashmd5((unsigned char *)seq,strlen(seq));
- if (givenmd5!=(MD5TYP *)0) {
- givenhash=cnv_tohexa((char *)givenmd5,sizeof(MD5TYP));
- (void) free(givenmd5);
- }
- if (givenhash==(char *)0) {
- (void) rou_alert(0,"%s Unable to have md5 for <%s> (Bug?)",seq);
- phase=999; //trouble trouble
- }
- seq=rou_freestr(seq);
- }
- break;
- case 3 : { //checking user password
+ case 2 : { //checking user password
 USRTYP *usr;
 usr=(USRTYP *)0;
@@ -409,12 +392,34 @@ while (proceed==true) {
 contact->authname=strdup(data[1]);
 *rmtpass=strdup(data[2]);
 if (sql_mngusr(contact->sqlptr,sql_select,data[1],&usr)==true) {
- if (usr->hash==(char *)0) {
- usr->hash=cnv_getrndstr(10);
- (void) rou_alert(0,"%s usr=<%s> password empty, using random hash",
+ char *givenpass;;
+
+ givenpass=data[2];
+ *rmtpass=strdup(givenpass);
+ if (usr->password==(char *)0) {
+ (void) rou_alert(0,"%s usr=<%s> password empty, assigning one",
 OPEP,data[1]);
+ usr->password=cnv_getrndstr(10);
+ }
+ if (usr->password[0]=='$') {
+ char *ptr;
+ char idsalt[100];
+
+ (void) memset(idsalt,'\000',sizeof(idsalt));
+ (void) strncpy(idsalt,usr->password,sizeof(idsalt)-1);
+ if ((ptr=strrchr(idsalt,'$'))!=(char *)0) {
+ ptr++;
+ *ptr='\000';
+ }
+ if ((ptr=crypt(givenpass,idsalt))==(char *)0) {
+ (void) rou_alert(0,"%s Trouble to crypt (Bug?) givenpass=<%s> " "salt=<%s> (error=<%s>)", OPEP,givenpass,idsalt,strerror(errno));
+ ptr=data[2]; //trying to overcome
+ }
+ givenpass=ptr;
 }
- isok=(strcmp(givenhash,usr->hash)==0);
+ isok=(strcmp(givenpass,usr->password)==0);
 usr=sql_freeusr(usr);
 }
 }
diff --git a/lib/unisql.c b/lib/unisql.c
index 76a1d28..975aba6 100644
--- a/lib/unisql.c
+++ b/lib/unisql.c
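Review bot: `*rmtpass=strdup(givenpass);` in the sql_mngusr branch overwrites the pointer that the context line `*rmtpass=strdup(data[2]);` assigned three lines earlier, leaking that first copy on every successful lookup; givenpass is still data[2] at that point, so the inner strdup can simply be deleted. The crypt failure alert writes the caller's clear-text password into the log through `givenpass=<%s>`; report the account instead, e.g. `(void) rou_alert(0,"%s Trouble to crypt (Bug?) usr=<%s> salt=<%s> (error=<%s>)",OPEP,data[1],idsalt,strerror(errno));`. The fallback `ptr=data[2]` then compares the plaintext against the crypted string, which can never be equal, so the login correctly fails closed but `//trying to overcome` misdescribes it; `//plaintext never matches a crypted value: the login fails` says what actually happens. strcmp returns at the first differing byte, so the comparison's duration depends on how much of the crypted value matched; a fixed-length compare would remove that, and crypt() on glibc returns a static buffer, so `givenpass=ptr` is only safe while this path is single-threaded. `char *givenpass;;` has a stray semicolon, the diff adds no header or link flag for crypt() (<crypt.h> on glibc), and the enclosing case body continues outside the hunk.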
@@ -107,6 +107,7 @@ PUBLIC USRTYP *sql_freeusr(USRTYP *usr)
 {
 if (usr!=(USRTYP *)0) {
 usr->hash=rou_freestr(usr->hash);
+ usr->password=rou_freestr(usr->password);
 usr->email=rou_freestr(usr->email);
 (void) free(usr);
 usr=(USRTYP *)0;
diff --git a/lib/unisql.h b/lib/unisql.h
index 4dcf553..7903c54 100644
--- a/lib/unisql.h
+++ b/lib/unisql.h
@@ -20,6 +20,7 @@ typedef enum {
 //structure about user within the database
 typedef struct {
 char *email; //user emails
+ char *password; //user crypted password
 char *hash; //'email:realm:password' MD5
 u_int lock; //account is lock
 u_long space; //user space used
diff --git a/sql/mailleur.sql b/sql/mailleur.sql
index 9a0dccf..5247fd0 100644
--- a/sql/mailleur.sql
+++ b/sql/mailleur.sql
@@ -127,7 +127,7 @@ CREATE TRIGGER sethash BEFORE UPDATE ON emails
 FOR EACH ROW
 BEGIN
 set NEW.hash=MD5(HASHING);
- set NEW.password=encrypt(NEW.password,'$1$abcdef');
+ set NEW.password=encrypt(NEW.password,concat('$1$',md5(rand())));
 END$$
@@ -135,7 +135,7 @@ CREATE TRIGGER updhash BEFORE INSERT ON emails
 FOR EACH ROW
 BEGIN
 set NEW.hash=MD5(HASHING);
- set NEW.password=encrypt(NEW.password,'$1$abcdef');
+ set NEW.password=encrypt(NEW.password,concat('$1$',md5(rand())));
 END$$
 #endif
-- 
2.47.3
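Review bot: The salt in both trigger hunks is derived from `md5(rand())`, and MySQL's RAND() is a statistical generator, not a cryptographic one, so the per-row salt is far less random than its length suggests; `HEX(RANDOM_BYTES(8))` or a salt supplied by the application would give the property a salt is meant to provide. `$1$` selects MD5-crypt, which is deprecated; since lvleml.c now takes the salt as everything up to the last `$` with strrchr, a `$6$` (SHA-512-crypt) prefix would work unchanged on the C side provided the server's crypt(3) supports it. ENCRYPT() no longer exists in MySQL 8.0, so the schema now silently requires an older server; a one-line comment above each trigger stating that requirement would save the next installer a confusing failure. Both triggers also re-run encrypt on NEW.password for every INSERT and UPDATE, so an UPDATE that leaves the password untouched re-crypts the already-crypted value and the C comparison can then never succeed; this predates the commit but becomes the dominant failure mode once logins depend on this column.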