From: Bill Erickson
Date: Thu, 23 Jul 2015 18:02:19 +0000 (-0400)
Subject: LP#1468422 db legacy password hashes w/ salt first
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=4ffcb6151cda4f1d5a398c2b7859c8b0fc78c5a9;p=working%2FEvergreen.git
LP#1468422 db legacy password hashes w/ salt first
Signed-off-by: Bill Erickson
---
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.schema.password-storage.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.schema.password-storage.sql
index ab1b4025d8..81155af72e 100644
--- a/Open-ILS/src/sql/Pg/upgrade/XXXX.schema.password-storage.sql
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.schema.password-storage.sql
@@ -161,7 +161,7 @@ BEGIN
 pw_salt := actor.create_salt('main');
 PERFORM actor.set_passwd(
- pw_usr, 'main', MD5(usr_row.passwd || pw_salt), pw_salt);
+ pw_usr, 'main', MD5(pw_salt || usr_row.passwd), pw_salt);
 -- clear the existing password
 UPDATE actor.usr SET passwd = '' WHERE id = usr_row.id;
@@ -178,7 +178,7 @@ DECLARE
 BEGIN
 /* Returns TRUE if the password provided matches the in-db password.
 * If the password type is salted, we compare the output of CRYPT().
- * NOTE: test_passwd is MD5(MD5(password) || salt) for legacy
+ * NOTE: test_passwd is MD5(salt || MD5(password)) for legacy
 * 'main' passwords.
 */
@@ -215,6 +215,8 @@ INSERT INTO actor.passwd_type (code, name, login, crypt_algo, iter_count)
 VALUES ('main', 'Main Login Password', TRUE, 'bf', 14);
+--COMMIT;
+--BEGIN;
 -- INLINE TESTS ---------------
 -- TODO: move to new t/ file.
@@ -254,14 +256,14 @@ SELECT isnt_empty(
 SELECT ok(
 (SELECT actor.verify_passwd(187, 'main',
- MD5(MD5('montyc1234') || actor.get_salt(187, 'main')))),
+ MD5(actor.get_salt(187, 'main') || MD5('montyc1234')))),
 'verify_passwd should verify migrated password'
 );
 SELECT ok(
 (SELECT NOT (
 SELECT actor.verify_passwd(187, 'main',
- MD5(MD5('BADPASSWORD') || actor.get_salt(187, 'main'))))
+ MD5(actor.get_salt(187, 'main') || MD5('BADPASSWORD'))))
 ),
 'verify_passwd should fail with wrong password'
 );
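Review bot: The PERFORM actor.set_passwd call now hashes as `MD5(pw_salt || usr_row.passwd)` and the UPDATE right after it clears `actor.usr.passwd`, so the migration is one-way: once it has run, a caller still computing the old `MD5(hash || salt)` order can no longer be served and the legacy value is gone. That makes this hunk, the verify_passwd contract comment in the hunk at -178, and whatever client code builds test_passwd a lockstep change, which is worth stating at the call site, e.g. `-- salt is prepended; anything computing the 'main' test value must use the same order (see verify_passwd)`. Note also that `usr_row.passwd` appears to be the legacy unsalted MD5 of the password (per the verify_passwd comment), so the stored value stays only as strong as that inner digest until the user sets a new password; a one-line comment saying so would keep operators from reading the migration as a full remediation. The enclosing function starts and ends outside the hunk.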
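Review bot: `--COMMIT;` and `--BEGIN;` are commented-out statements added to a committed upgrade script, and nothing on the page says when, if ever, they are meant to be enabled. If the inline tests are supposed to run outside the transaction that applies the schema change, enable the boundary deliberately; otherwise drop the two lines and record the intent next to the existing TODO, e.g. `-- TODO: move to new t/ file; decide whether tests run inside the upgrade transaction`. Left as-is they invite someone to uncomment them in production, where a COMMIT before the tests would mean a failing test could no longer roll the schema change back.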
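Review bot: The two tests in this hunk only show that the new `MD5(salt || MD5(pw))` value verifies and that a wrong password fails; nothing pins the ordering itself, so a revert to `MD5(MD5(pw) || salt)` in both the migration and the verify path would still pass. A negative case that feeds the old hash-then-salt construction for the correct password and expects rejection would catch that; the hunk at -274 below repeats the same construction and the same remark applies there. The expression is also hand-built in five places across this hunk and the next, so a small helper in the test section would keep them from drifting.
```sql
-- … unchanged: the two migrated-password tests above …
SELECT ok(
    (SELECT NOT (
        SELECT actor.verify_passwd(187, 'main',
            MD5(MD5('montyc1234') || actor.get_salt(187, 'main'))))
    ),
    'verify_passwd should reject the legacy hash-then-salt ordering'
);
```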
@@ -274,12 +276,12 @@ BEGIN
 -- calls will create a new one.
 SELECT INTO new_salt actor.create_salt('main');
 PERFORM actor.set_passwd(
- 187, 'main', MD5(MD5('bobblehead') || new_salt), new_salt);
+ 187, 'main', MD5(new_salt || MD5('bobblehead')), new_salt);
 END $$;
 SELECT ok(
 (SELECT actor.verify_passwd(187, 'main',
- MD5(MD5('bobblehead') || actor.get_salt(187, 'main')))),
+ MD5(actor.get_salt(187, 'main') || MD5('bobblehead')))),
 'verify_passwd should verify new password'
 );