I'm doing a code review in knop_user -> login and its
dependencies. There's a code block that leaves me scratching my head.
https://github.com/knop-project/knop/blob/master/knop9/knoplibs/knop_user.lasso#L436-L442
if(knop_crypthash(#_password,
        -hash = string(#db -> field(.'passwordfield')),
        -salt = knop_blowfish(-string = #db -> field(.'saltfield'), -mode = 'D'),
        -cost = (.'costfield' -> size ? integer(#db -> field(.'costfield')) | .'costsize'),
        -cipher = (.'encrypt_cipher')) == true) => {
    #validlogin = true
}
...and the source for knop_crypthash:
https://github.com/knop-project/knop/blob/master/knop9/knoplibs/knop_utils.lasso#L482-L563
From this I've tried to reverse engineer how passwords should
be stored (and other bits used for knop_user -> login), but I
have not been successful. It looks like knop_blowfish is used
to encrypt the salt and store that in the database. Then on
login, the value in the saltfield is decrypted with
knop_blowfish and passed into the -salt argument for knop_crypthash.
When I tried storing the password like that and then tried
authentication with the -cost parameter, knop_user -> login
always failed. All other knop_user -> login methods that do not
use -cost work for me.
If anyone has this working (Rick Draper, Jolle Carlestam),
please share a code sample of how you create a user record with
its fields for username, password (hashed), saltfield,
costfield, and any other relevant bits.
Also include whether anything more elaborate than knop_user ->
login('u', 'p') is called.
Finally, is there a reason that knop_blowfish is used here? In
Bil Corry's original post on the topic, he didn't mention using
blowfish. Here's a gist I threw together to test it.
Bil's post
http://lasso.2283332.n4.nabble.com/encryption-tt3140901.html#a3140908
My gist.
https://gist.github.com/stevepiercy/acf9d559e596e57f7c3a
Thanks in advance.
--steve
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy Website Builder Soquel, CA
<w...@StevePiercy.com> <http://www.StevePiercy.com/>
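The record layout the post asks about (username, hashed password, salt field, cost field) and the login check it quotes, written out as an added example that is not knop's code and not from the thread. The post does not say which algorithm knop_crypthash uses, so PBKDF2-HMAC-SHA256 stands in for it, the iteration count stands in for -cost, and the salt is stored as plain hex rather than wrapped in knop_blowfish; the field names passwordfield, saltfield, costfield and the costsize fallback are taken from the quoted login code, everything else is assumed. The demo also reproduces the failure mode described in the post: if the cost used at verification is not the cost the hash was created with, login can never succeed.

```python
import hashlib
import hmac
import os

# Constructed defaults (assumption): stand-ins for knop's .'costsize' setting.
DEFAULT_COST = 20_000   # PBKDF2 iteration count playing the role of -cost
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, cost: int) -> str:
    """Salted, cost-parameterised hash. PBKDF2-HMAC-SHA256 is an assumption;
    the post does not say what knop_crypthash actually computes."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return digest.hex()


def create_user_record(username: str, password: str, cost: int = DEFAULT_COST) -> dict:
    """Build the row the post asks about: username, hashed password, salt, cost.
    The salt is kept as hex (assumption); knop runs it through knop_blowfish."""
    salt = os.urandom(SALT_BYTES)
    return {
        "username": username,
        "passwordfield": hash_password(password, salt, cost),
        "saltfield": salt.hex(),
        "costfield": str(cost),   # stored as text, as a database field would be
    }


def login(record: dict, password: str, costsize: int = DEFAULT_COST) -> bool:
    """Mirror the quoted check: use costfield when it is non-empty, otherwise
    fall back to the configured costsize, then compare in constant time."""
    cost = int(record["costfield"]) if record.get("costfield") else costsize
    salt = bytes.fromhex(record["saltfield"])
    candidate = hash_password(password, salt, cost)
    return hmac.compare_digest(candidate, record["passwordfield"])


def demo():
    """Returns (correct password, wrong password, cost mismatch) outcomes."""
    rec = create_user_record("alice", "correct horse", cost=10_000)
    ok = login(rec, "correct horse")        # stored cost is used -> True
    wrong_pw = login(rec, "wrong")          # -> False
    # Failure mode from the post: an empty costfield falls back to costsize,
    # and a hash made with a different cost then never verifies.
    stale = dict(rec, costfield="")
    mismatch = login(stale, "correct horse", costsize=DEFAULT_COST)  # -> False
    return ok, wrong_pw, mismatch


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests for the thread's problem: confirm that the cost written into costfield at record creation is the same value (and the same type after the string-to-integer conversion) that knop_crypthash ends up using on login, and that the salt read back from saltfield decrypts to exactly the bytes that were hashed.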