From 46bde4d1fc8554263750f769f5ada4e304785d5e Mon Sep 17 00:00:00 2001
From: x2001corpet <x2001corpet@839d8a87-29fc-0310-9880-83ba4fa771e5>
Date: Thu, 22 Jun 2006 22:05:12 +0000
Subject: [PATCH] bug 375, utilise le SHA1 au lieu du MD5

git-svn-id: svn+ssh://murphy/home/svn/platal/trunk@333 839d8a87-29fc-0310-9880-83ba4fa771e5
---
 ChangeLog                                          |   3 +
 hooks/tmp.inc.php                                  |  21 ++-
 htdocs/admin/utilisateurs.php                      |  45 ++---
 htdocs/javascript/do_challenge_response.js         |  10 +-
 htdocs/javascript/do_challenge_response_logged.js  |  10 +-
 .../javascript/{motdepassemd5.js => motdepasse.js} |   4 +-
 htdocs/javascript/secure_hash.js                   |  53 ++++++
 htdocs/javascript/sha1.js                          | 202 +++++++++++++++++++++
 htdocs/{motdepassemd5.php => motdepasse.php}       |  10 +-
 htdocs/register/success.php                        |   6 +-
 htdocs/tmpPWD.php                                  |   5 +-
 include/login.conf.php                             |   2 +-
 include/marketing.inc.php                          |   6 +-
 include/register.inc.php                           |   5 +-
 include/secure_hash.inc.php                        |  41 +++++
 include/xorg/session.inc.php                       |  73 ++++----
 install.d/platal/files                             |   6 +-
 templates/admin/utilisateurs.tpl                   |   2 +-
 templates/docs/plan.tpl                            |   2 +-
 templates/inscription/step4.tpl                    |   2 +-
 ...passemd5.success.tpl => motdepasse.success.tpl} |   0
 templates/{motdepassemd5.tpl => motdepasse.tpl}    |   0
 templates/password_prompt.tpl                      |   1 +
 templates/password_prompt_logged.tpl               |   1 +
 templates/preferences.tpl                          |   2 +-
 upgrade/0.9.10/04_passwd.sql                       |   1 +
 26 files changed, 430 insertions(+), 83 deletions(-)
 rename htdocs/javascript/{motdepassemd5.js => motdepasse.js} (93%)
 create mode 100644 htdocs/javascript/secure_hash.js
 create mode 100644 htdocs/javascript/sha1.js
 rename htdocs/{motdepassemd5.php => motdepasse.php} (87%)
 create mode 100644 include/secure_hash.inc.php
 rename templates/{motdepassemd5.success.tpl => motdepasse.success.tpl} (100%)
 rename templates/{motdepassemd5.tpl => motdepasse.tpl} (100%)
 create mode 100644 upgrade/0.9.10/04_passwd.sql

diff --git a/ChangeLog b/ChangeLog
index 91a01a9..4f483f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,9 @@ Bug/Wish :
     * Carnet :
         - #414: Link to users' fiche go to private fiche and not public.    -Car
 
+    * Core :
+        - #375: Use SHA1 instead of MD5 for password encryption.            -Car
+
     * Events :
         - #268: Hide read events.                                           -Car
         - #391: Go back to top link at end of each event.                   -Car
diff --git a/hooks/tmp.inc.php b/hooks/tmp.inc.php
index 0c52987..d3fd8f1 100644
--- a/hooks/tmp.inc.php
+++ b/hooks/tmp.inc.php
@@ -1,4 +1,23 @@
 <?php
+/***************************************************************************
+ *  Copyright (C) 2003-2006 Polytechnique.org                              *
+ *  http://opensource.polytechnique.org/                                   *
+ *                                                                         *
+ *  This program is free software; you can redistribute it and/or modify   *
+ *  it under the terms of the GNU General Public License as published by   *
+ *  the Free Software Foundation; either version 2 of the License, or      *
+ *  (at your option) any later version.                                    *
+ *                                                                         *
+ *  This program is distributed in the hope that it will be useful,        *
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
+ *  GNU General Public License for more details.                           *
+ *                                                                         *
+ *  You should have received a copy of the GNU General Public License      *
+ *  along with this program; if not, write to the Free Software            *
+ *  Foundation, Inc.,                                                      *
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
+ ***************************************************************************/
 
 function tmp_menu()
 {
@@ -7,7 +26,7 @@ function tmp_menu()
     $globals->menu->addPrivateEntry(XOM_CUSTOM,   10, 'Mon profil',            'profil.php');
     $globals->menu->addPrivateEntry(XOM_CUSTOM,   20, 'Mes contacts',          'carnet/mescontacts.php');
     $globals->menu->addPrivateEntry(XOM_CUSTOM,   30, 'Mon carnet',            'carnet/');
-    $globals->menu->addPrivateEntry(XOM_CUSTOM,   40, 'Mon mot de passe',      'motdepassemd5.php');
+    $globals->menu->addPrivateEntry(XOM_CUSTOM,   40, 'Mon mot de passe',      'motdepasse.php');
     $globals->menu->addPrivateEntry(XOM_CUSTOM,   50, 'Mes préférences',       'preferences.php');
 
     $globals->menu->addPrivateEntry(XOM_GROUPS,   10, 'Trombi/Site promo',          'trombipromo.php');
diff --git a/htdocs/admin/utilisateurs.php b/htdocs/admin/utilisateurs.php
index 8c4011d..044e67e 100644
--- a/htdocs/admin/utilisateurs.php
+++ b/htdocs/admin/utilisateurs.php
@@ -117,26 +117,27 @@ if ($login) {
 
 	    // Editer un profil
 	    case "u_edit":
-		$pass_md5B = Env::get('newpass_clair') != "********" ? md5(Env::get('newpass_clair')) : Env::get('passw');
-                $naiss = Env::get('naissanceN');
-                $perms = Env::get('permsN');
-                $prenm = Env::get('prenomN');
-                $nom   = Env::get('nomN');
-                $promo = Env::getInt('promoN');
-                $sexe  = Env::get('sexeN');
-                $comm  = Env::get('commentN');
-
-		$query = "UPDATE auth_user_md5 SET
-			    naissance = '$naiss',
-			    password  = '$pass_md5B',
-			    perms     = '$perms',
-			    prenom    = '".addslashes($prenm)."',
-			    nom       = '".addslashes($nom)."',
-			    flags     = '$sexe',
-			    promo     = $promo,
-			    comment   = '".addslashes($comm)."'
-			  WHERE user_id = '{$mr['user_id']}'";
-		if ($globals->xdb->execute($query)) {
+            require_once('secure_hash.inc.php');
+            $pass_encrypted = Env::get('newpass_clair') != "********" ? hash_encrypt(Env::get('newpass_clair')) : Env::get('passw');
+            $naiss = Env::get('naissanceN');
+            $perms = Env::get('permsN');
+            $prenm = Env::get('prenomN');
+            $nom   = Env::get('nomN');
+            $promo = Env::getInt('promoN');
+            $sexe  = Env::get('sexeN');
+            $comm  = Env::get('commentN');
+
+            $query = "UPDATE auth_user_md5 SET
+                    naissance = '$naiss',
+                    password  = '$pass_encrypted',
+                    perms     = '$perms',
+                    prenom    = '".addslashes($prenm)."',
+                    nom       = '".addslashes($nom)."',
+                    flags     = '$sexe',
+                    promo     = $promo,
+                    comment   = '".addslashes($comm)."'
+                WHERE user_id = '{$mr['user_id']}'";
+            if ($globals->xdb->execute($query)) {
                     user_reindex($mr['user_id']);
 
                     require_once("diogenes/diogenes.hermes.inc.php");
@@ -153,12 +154,12 @@ if ($login) {
                     require_once('nomusage.inc.php');
                     set_new_usage($mr['user_id'], Env::get('nomusageN'), make_username(Env::get('prenomN'), Env::get('nomusageN')));
                 }
-		$r  = $globals->xdb->query("SELECT  *, a.alias AS forlife, u.flags AS sexe
+                $r  = $globals->xdb->query("SELECT  *, a.alias AS forlife, u.flags AS sexe
                                               FROM  auth_user_md5 AS u
                                         INNER JOIN  aliases       AS a ON (u.user_id=a.id)
                                              WHERE  user_id = {?}", $mr['user_id']);
                 $mr = $r->fetchOneAssoc();
-		break;
+                break;
 
             // DELETE FROM auth_user_md5
 	    case "u_kill":
diff --git a/htdocs/javascript/do_challenge_response.js b/htdocs/javascript/do_challenge_response.js
index 5eced5d..419d1f0 100644
--- a/htdocs/javascript/do_challenge_response.js
+++ b/htdocs/javascript/do_challenge_response.js
@@ -18,6 +18,8 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  ***************************************************************************/
 
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
 function correctUserName() {
     var u = document.forms.login.username;
     // login with no space
@@ -43,11 +45,15 @@ function doChallengeResponse() {
 
     if (!correctUserName()) return false;
 
+    var new_pass = hash_encrypt(document.forms.login.password.value);
+    var old_pass = MD5(document.forms.login.password.value);
+    
     str = document.forms.login.username.value + ":" +
-        MD5(document.forms.login.password.value) + ":" +
+        new_pass + ":" +
         document.forms.loginsub.challenge.value;
 
-    document.forms.loginsub.response.value = MD5(str);
+    document.forms.loginsub.response.value = hash_encrypt(str);
+    document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
     document.forms.loginsub.username.value = document.forms.login.username.value;
     document.forms.loginsub.remember.value = document.forms.login.remember.checked;
     document.forms.loginsub.domain.value = document.forms.login.domain.value;
diff --git a/htdocs/javascript/do_challenge_response_logged.js b/htdocs/javascript/do_challenge_response_logged.js
index d25c9a7..2ec3595 100644
--- a/htdocs/javascript/do_challenge_response_logged.js
+++ b/htdocs/javascript/do_challenge_response_logged.js
@@ -18,6 +18,8 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  ***************************************************************************/
 
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
 function readCookie(name)
 {
     var nameEQ = name + "=";
@@ -33,11 +35,15 @@ function readCookie(name)
 
 
 function doChallengeResponse() {
+    var new_pass = hash_encrypt(document.forms.login.password.value);
+    var old_pass = MD5(document.forms.login.password.value);
+    
     str = readCookie('ORGuid') + ":" +
-        MD5(document.forms.login.password.value) + ":" +
+        hash_encrypt(document.forms.login.password.value) + ":" +
         document.forms.loginsub.challenge.value;
 
-    document.forms.loginsub.response.value = MD5(str);
+    document.forms.loginsub.response.value = hash_encrypt(str);
+    document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
     document.forms.loginsub.remember.value = document.forms.login.remember.checked;
     document.forms.login.password.value = "";
     document.forms.loginsub.submit();
diff --git a/htdocs/javascript/motdepassemd5.js b/htdocs/javascript/motdepasse.js
similarity index 93%
rename from htdocs/javascript/motdepassemd5.js
rename to htdocs/javascript/motdepasse.js
index 218022b..c996dc8 100644
--- a/htdocs/javascript/motdepassemd5.js
+++ b/htdocs/javascript/motdepasse.js
@@ -18,6 +18,8 @@
  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
  ***************************************************************************/
 
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
 function EnCryptedResponse() {
     pw1 = document.forms.changepass.nouveau.value;
     pw2 = document.forms.changepass.nouveau2.value;
@@ -31,7 +33,7 @@ function EnCryptedResponse() {
             return false;
         exit;
     }
-    str = MD5(document.forms.changepass.nouveau.value);
+    str = hash_encrypt(document.forms.changepass.nouveau.value);
     document.forms.changepass2.response2.value = str;
     alert ("Le mot de passe que tu as rentré va être chiffré avant de nous parvenir par Internet ! Ainsi il ne circulera pas en clair.");
     document.forms.changepass2.submit();
diff --git a/htdocs/javascript/secure_hash.js b/htdocs/javascript/secure_hash.js
new file mode 100644
index 0000000..ebe3f6a
--- /dev/null
+++ b/htdocs/javascript/secure_hash.js
@@ -0,0 +1,53 @@
+/***************************************************************************
+ *  Copyright (C) 2003-2006 Polytechnique.org                              *
+ *  http://opensource.polytechnique.org/                                   *
+ *                                                                         *
+ *  This program is free software; you can redistribute it and/or modify   *
+ *  it under the terms of the GNU General Public License as published by   *
+ *  the Free Software Foundation; either version 2 of the License, or      *
+ *  (at your option) any later version.                                    *
+ *                                                                         *
+ *  This program is distributed in the hope that it will be useful,        *
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
+ *  GNU General Public License for more details.                           *
+ *                                                                         *
+ *  You should have received a copy of the GNU General Public License      *
+ *  along with this program; if not, write to the Free Software            *
+ *  Foundation, Inc.,                                                      *
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
+ ***************************************************************************/
+
+document.write('<script language="javascript" src="javascript/md5.js"></script>');
+document.write('<script language="javascript" src="javascript/sha1.js"></script>');
+
+function hash_encrypt(a) {
+    return hex_sha1(a);
+}
+
+var hexa_h = "0123456789abcdef";
+
+function dechex(a) {
+    return hexa_h.charAt(a);
+}
+
+function hexdec(a) {
+    return hexa_h.indexOf(a);
+}
+
+function hash_xor(a, b) {
+    var c,i,j,k;
+    c = "";
+    i = a.length;
+    j = b.length;
+    if (i < j) {
+        var d;
+        d = a; a = b; b = d;
+        k = i; i = j; j = k;
+    }
+    for (k = 0; k < j; k++)
+        c += dechex(hexdec(a.charAt(k)) ^ hexdec(b.charAt(k)));
+    for (; k < i; k++)
+        c += a.charAt(k);
+    return c;
+}
diff --git a/htdocs/javascript/sha1.js b/htdocs/javascript/sha1.js
new file mode 100644
index 0000000..1b55982
--- /dev/null
+++ b/htdocs/javascript/sha1.js
@@ -0,0 +1,202 @@
+/*
+ * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
+ * in FIPS PUB 180-1
+ * Version 2.1a Copyright Paul Johnston 2000 - 2002.
+ * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
+ * Distributed under the BSD License
+ * See http://pajhome.org.uk/crypt/md5 for details.
+ */
+
+/*
+ * Configurable variables. You may need to tweak these to be compatible with
+ * the server-side, but the defaults work in most cases.
+ */
+var hexcase = 0;  /* hex output format. 0 - lowercase; 1 - uppercase        */
+var b64pad  = ""; /* base-64 pad character. "=" for strict RFC compliance   */
+var chrsz   = 8;  /* bits per input character. 8 - ASCII; 16 - Unicode      */
+
+/*
+ * These are the functions you'll usually want to call
+ * They take string arguments and return either hex or base-64 encoded strings
+ */
+function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
+function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
+function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
+function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
+function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
+function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
+
+/*
+ * Perform a simple self-test to see if the VM is working
+ */
+function sha1_vm_test()
+{
+  return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d";
+}
+
+/*
+ * Calculate the SHA-1 of an array of big-endian words, and a bit length
+ */
+function core_sha1(x, len)
+{
+  /* append padding */
+  x[len >> 5] |= 0x80 << (24 - len % 32);
+  x[((len + 64 >> 9) << 4) + 15] = len;
+
+  var w = Array(80);
+  var a =  1732584193;
+  var b = -271733879;
+  var c = -1732584194;
+  var d =  271733878;
+  var e = -1009589776;
+
+  for(var i = 0; i < x.length; i += 16)
+  {
+    var olda = a;
+    var oldb = b;
+    var oldc = c;
+    var oldd = d;
+    var olde = e;
+
+    for(var j = 0; j < 80; j++)
+    {
+      if(j < 16) w[j] = x[i + j];
+      else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
+      var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)),
+                       safe_add(safe_add(e, w[j]), sha1_kt(j)));
+      e = d;
+      d = c;
+      c = rol(b, 30);
+      b = a;
+      a = t;
+    }
+
+    a = safe_add(a, olda);
+    b = safe_add(b, oldb);
+    c = safe_add(c, oldc);
+    d = safe_add(d, oldd);
+    e = safe_add(e, olde);
+  }
+  return Array(a, b, c, d, e);
+
+}
+
+/*
+ * Perform the appropriate triplet combination function for the current
+ * iteration
+ */
+function sha1_ft(t, b, c, d)
+{
+  if(t < 20) return (b & c) | ((~b) & d);
+  if(t < 40) return b ^ c ^ d;
+  if(t < 60) return (b & c) | (b & d) | (c & d);
+  return b ^ c ^ d;
+}
+
+/*
+ * Determine the appropriate additive constant for the current iteration
+ */
+function sha1_kt(t)
+{
+  return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 :
+         (t < 60) ? -1894007588 : -899497514;
+}
+
+/*
+ * Calculate the HMAC-SHA1 of a key and some data
+ */
+function core_hmac_sha1(key, data)
+{
+  var bkey = str2binb(key);
+  if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
+
+  var ipad = Array(16), opad = Array(16);
+  for(var i = 0; i < 16; i++)
+  {
+    ipad[i] = bkey[i] ^ 0x36363636;
+    opad[i] = bkey[i] ^ 0x5C5C5C5C;
+  }
+
+  var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
+  return core_sha1(opad.concat(hash), 512 + 160);
+}
+
+/*
+ * Add integers, wrapping at 2^32. This uses 16-bit operations internally
+ * to work around bugs in some JS interpreters.
+ */
+function safe_add(x, y)
+{
+  var lsw = (x & 0xFFFF) + (y & 0xFFFF);
+  var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
+  return (msw << 16) | (lsw & 0xFFFF);
+}
+
+/*
+ * Bitwise rotate a 32-bit number to the left.
+ */
+function rol(num, cnt)
+{
+  return (num << cnt) | (num >>> (32 - cnt));
+}
+
+/*
+ * Convert an 8-bit or 16-bit string to an array of big-endian words
+ * In 8-bit function, characters >255 have their hi-byte silently ignored.
+ */
+function str2binb(str)
+{
+  var bin = Array();
+  var mask = (1 << chrsz) - 1;
+  for(var i = 0; i < str.length * chrsz; i += chrsz)
+    bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);
+  return bin;
+}
+
+/*
+ * Convert an array of big-endian words to a string
+ */
+function binb2str(bin)
+{
+  var str = "";
+  var mask = (1 << chrsz) - 1;
+  for(var i = 0; i < bin.length * 32; i += chrsz)
+    str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);
+  return str;
+}
+
+/*
+ * Convert an array of big-endian words to a hex string.
+ */
+function binb2hex(binarray)
+{
+  var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
+  var str = "";
+  for(var i = 0; i < binarray.length * 4; i++)
+  {
+    str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
+           hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
+  }
+  return str;
+}
+
+/*
+ * Convert an array of big-endian words to a base-64 string
+ */
+function binb2b64(binarray)
+{
+  var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+  var str = "";
+  for(var i = 0; i < binarray.length * 4; i += 3)
+  {
+    var triplet = (((binarray[i   >> 2] >> 8 * (3 -  i   %4)) & 0xFF) << 16)
+                | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 )
+                |  ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF);
+    for(var j = 0; j < 4; j++)
+    {
+      if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
+      else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
+    }
+  }
+  return str;
+}
diff --git a/htdocs/motdepassemd5.php b/htdocs/motdepasse.php
similarity index 87%
rename from htdocs/motdepassemd5.php
rename to htdocs/motdepasse.php
index 3fcdcde..df9c8b4 100644
--- a/htdocs/motdepassemd5.php
+++ b/htdocs/motdepasse.php
@@ -22,6 +22,7 @@
 require_once('xorg.inc.php');
 
 if (Env::has('response2'))  {
+    require_once('secure_hash.inc.php');
     $_SESSION['password'] = $password = Post::get('response2');
     
     $globals->xdb->execute('UPDATE auth_user_md5 SET password={?} WHERE user_id={?}', $password, Session::getInt('uid'));
@@ -30,16 +31,15 @@ if (Env::has('response2'))  {
     $log->log('passwd', '');
 
     if (Cookie::get('ORGaccess')) {
-        setcookie('ORGaccess', md5($password), (time()+25920000), '/', '' ,0);
+        setcookie('ORGaccess', hash_encrypt($password), (time()+25920000), '/', '' ,0);
     }
 
-    new_skinned_page('motdepassemd5.success.tpl', AUTH_MDP);
+    new_skinned_page('motdepasse.success.tpl', AUTH_MDP);
     $page->run();
 }
 
-new_skinned_page('motdepassemd5.tpl', AUTH_MDP);
-$page->addJsLink('javascript/md5.js');
-$page->addJsLink('javascript/motdepassemd5.js');
+new_skinned_page('motdepasse.tpl', AUTH_MDP);
+$page->addJsLink('javascript/motdepasse.js');
 $page->assign('xorg_title','Polytechnique.org - Mon mot de passe');
 $page->run();
 ?>
diff --git a/htdocs/register/success.php b/htdocs/register/success.php
index cd67657..ec3f678 100644
--- a/htdocs/register/success.php
+++ b/htdocs/register/success.php
@@ -31,14 +31,14 @@ if (Env::has('response2'))  {
     $log->log('passwd', '');
 
     if (Cookie::get('ORGaccess')) {
-        setcookie('ORGaccess', md5($password), (time()+25920000), '/', '' ,0);
+        require_once('secure_hash.inc.php');
+        setcookie('ORGaccess', hash_encrypt($password), (time()+25920000), '/', '' ,0);
     }
 
     $page->assign('mdpok', true);
 }
 
-$page->addJsLink('javascript/md5.js');
-$page->addJsLink('javascript/motdepassemd5.js');
+$page->addJsLink('javascript/motdepasse.js');
 
 $page->run();
 ?>
diff --git a/htdocs/tmpPWD.php b/htdocs/tmpPWD.php
index 8e95da0..aa1b62b 100644
--- a/htdocs/tmpPWD.php
+++ b/htdocs/tmpPWD.php
@@ -37,9 +37,8 @@ if ($ligne = $res->fetchOneAssoc())  {
         new_skinned_page('tmpPWD.success.tpl', AUTH_PUBLIC);
         $page->run();
     } else {
-        new_skinned_page('motdepassemd5.tpl', AUTH_PUBLIC);
-        $page->addJsLink('javascript/md5.js');
-        $page->addJsLink('javascript/motdepassemd5.js');
+        new_skinned_page('motdepasse.tpl', AUTH_PUBLIC);
+        $page->addJsLink('javascript/motdepasse.js');
         $page->run();
     }
 } else {
diff --git a/include/login.conf.php b/include/login.conf.php
index 8f0e723..b183106 100644
--- a/include/login.conf.php
+++ b/include/login.conf.php
@@ -5,7 +5,7 @@ $pub_nbCol = 2 ;
 
 // Liens apparaissant toujours
 $pub_tjs = array(
-    "motdepassemd5.php" => "Changer mon mot de passe" ,
+    "motdepasse.php" => "Changer mon mot de passe" ,
     "dons.php"          => "Faire un don à l'association Polytechnique.org"
     ) ;
 
diff --git a/include/marketing.inc.php b/include/marketing.inc.php
index eba4cd7..a683f8b 100644
--- a/include/marketing.inc.php
+++ b/include/marketing.inc.php
@@ -127,9 +127,11 @@ function relance($uid, $nbx = -1)
         return false;
     }
 
+    require_once('secure_hash.inc.php');
+    
     $hash     = rand_url_id(12);
     $pass     = rand_pass();
-    $pass_md5 = md5($pass);
+    $pass_encrypted = hash_encrypt($pass);
     $fdate    = strftime('%d %B %Y', strtotime($date));
     
     $mymail = new XOrgMailer('marketing.relance.tpl');
@@ -142,7 +144,7 @@ function relance($uid, $nbx = -1)
     $mymail->assign('lemail',     $email);
     $mymail->assign('subj',       $alias.'@'.$globals->mail->domain);
     $mymail->send();
-    $globals->xdb->execute('UPDATE register_pending SET hash={?}, password={?}, relance=NOW() WHERE uid={?}', $hash, $pass_md5, $uid);
+    $globals->xdb->execute('UPDATE register_pending SET hash={?}, password={?}, relance=NOW() WHERE uid={?}', $hash, $pass_encrypted, $uid);
 
     return "$prenom $nom ($promo)";
 }
diff --git a/include/register.inc.php b/include/register.inc.php
index 2587141..a05f8f5 100644
--- a/include/register.inc.php
+++ b/include/register.inc.php
@@ -252,9 +252,10 @@ function finish_ins($sub_state)
 {
     global $globals;
     extract($sub_state);
+    require_once('secure_hash.inc.php');
 
     $pass     = rand_pass();
-    $pass_md5 = md5($pass_clair);
+    $pass_encrypted = hash_encrypt($pass_clair);
     $hash     = rand_url_id(12);
   
     $globals->xdb->execute('UPDATE auth_user_md5 SET last_known_email={?} WHERE matricule = {?}', $email, $mat);
@@ -262,7 +263,7 @@ function finish_ins($sub_state)
     $globals->xdb->execute(
             "REPLACE INTO  register_pending (uid, forlife, bestalias, mailorg2, password, email, date, relance, naissance, hash)
                    VALUES  ({?}, {?}, {?}, {?}, {?}, {?}, NOW(), 0, {?}, {?})",
-            $uid, $forlife, $bestalias, $mailorg2, $pass_md5, $email, $naissance, $hash);
+            $uid, $forlife, $bestalias, $mailorg2, $pass_encrypted, $email, $naissance, $hash);
 
     require_once('xorg.mailer.inc.php');
     $mymail = new XOrgMailer('inscrire.mail.tpl');
diff --git a/include/secure_hash.inc.php b/include/secure_hash.inc.php
new file mode 100644
index 0000000..e7b3585
--- /dev/null
+++ b/include/secure_hash.inc.php
@@ -0,0 +1,41 @@
+<?php
+/***************************************************************************
+ *  Copyright (C) 2003-2006 Polytechnique.org                              *
+ *  http://opensource.polytechnique.org/                                   *
+ *                                                                         *
+ *  This program is free software; you can redistribute it and/or modify   *
+ *  it under the terms of the GNU General Public License as published by   *
+ *  the Free Software Foundation; either version 2 of the License, or      *
+ *  (at your option) any later version.                                    *
+ *                                                                         *
+ *  This program is distributed in the hope that it will be useful,        *
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
+ *  GNU General Public License for more details.                           *
+ *                                                                         *
+ *  You should have received a copy of the GNU General Public License      *
+ *  along with this program; if not, write to the Free Software            *
+ *  Foundation, Inc.,                                                      *
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
+ ***************************************************************************/
+ 
+function hash_encrypt($s) {
+    return sha1($s);
+}
+
+function hash_xor($a, $b) {
+    $c = "";
+    $i = strlen($a);
+    $j = strlen($b);
+    if ($i < $j) {
+        $d = $a; $a = $b; $b = $d;
+        $k = $i; $i = $j; $j = $k;
+    }
+    for ($k = 0; $k < $j; $k++)
+        $c .= dechex(hexdec($a{$k}) ^ hexdec($b{$k}));
+    for (; $k < $i; $k++)
+        $c .= $a{$k};
+    return $c;
+}
+
+?>
\ No newline at end of file
diff --git a/include/xorg/session.inc.php b/include/xorg/session.inc.php
index 3235143..c03a39b 100644
--- a/include/xorg/session.inc.php
+++ b/include/xorg/session.inc.php
@@ -64,19 +64,19 @@ class XorgSession extends DiogenesCoreSession
      */
     function doAuth(&$page,$new_name=false)
     {
-	global $globals;
-	if (identified()) { // ok, c'est bon, on n'a rien à faire
-	    return true;
-	}
+    	global $globals;
+    	if (identified()) { // ok, c'est bon, on n'a rien à faire
+    	    return true;
+    	}
 
         if (Session::has('session')) {
             $session =& Session::getMixed('session');
         }
 
         if (Env::has('username') && Env::has('response') && isset($session->challenge))
-	{
-	    // si on vient de recevoir une identification par passwordpromptscreen.tpl
-	    // ou passwordpromptscreenlogged.tpl
+    	{
+    	    // si on vient de recevoir une identification par passwordpromptscreen.tpl
+    	    // ou passwordpromptscreenlogged.tpl
             $uname = Env::get('username');
             
             if (Env::get('domain') == "alias") {
@@ -95,19 +95,27 @@ class XorgSession extends DiogenesCoreSession
             } else {
                 $login = $uname;
             }
-
-	    $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
-	    $res   = $globals->xdb->query(
-                    "SELECT  u.user_id, u.password
-                       FROM  auth_user_md5 AS u
-                 INNER JOIN  aliases       AS a ON ( a.id=u.user_id AND type!='homonyme' )
-                      WHERE  a.$field = {?} AND u.perms IN('admin','user')", $login);
-
+    
+    	    $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
+    	    $res   = $globals->xdb->query(
+                        "SELECT  u.user_id, u.password
+                           FROM  auth_user_md5 AS u
+                     INNER JOIN  aliases       AS a ON ( a.id=u.user_id AND type!='homonyme' )
+                          WHERE  a.$field = {?} AND u.perms IN('admin','user')", $login);
+    
             $logger =& Session::getMixed('log');
-
-	    if (list($uid, $password) = $res->fetchOneRow()) {
-		$expected_response=md5("$uname:$password:{$session->challenge}");
-		if (Env::get('response') == $expected_response) {
+    	    if (list($uid, $password) = $res->fetchOneRow()) {
+        	    require_once('secure_hash.inc.php');
+        		$expected_response=hash_encrypt("$uname:$password:{$session->challenge}");
+        		// le password de la base est peut-être encore encodé en md5
+        		if (Env::get('response') != $expected_response) {
+        		  $new_password = hash_xor(Env::get('xorpass'), $password);
+        		  $expected_response = hash_encrypt("$uname:$new_password:{$session->challenge}");
+        		  if (Env::get('response') == $expected_response) {
+        		      $globals->xdb->execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}", $new_password, $uid);
+        		  }
+        		}
+        		if (Env::get('response') == $expected_response) {
                     if (Env::has('domain')) {
                         if (($domain = Env::get('domain', 'login')) == 'alias') {
                             setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
@@ -117,14 +125,14 @@ class XorgSession extends DiogenesCoreSession
                         // pour que la modification soit effective dans le reste de la page
                         $_COOKIE['ORGdomain'] = $domain;
                     }
-
-		    unset($session->challenge);
-		    if ($logger) {
-			$logger->log('auth_ok');
+    
+        		    unset($session->challenge);
+        		    if ($logger) {
+            			$logger->log('auth_ok');
                     }
-		    start_connexion($uid, true);
+        		    start_connexion($uid, true);
                     if (Env::get('remember', 'false') == 'true') {
-                        $cookie = md5(Session::get('password'));
+                        $cookie = hash_encrypt(Session::get('password'));
                         setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
                         if ($logger) {
                             $logger->log("cookie_on");
@@ -136,14 +144,14 @@ class XorgSession extends DiogenesCoreSession
                             $logger->log("cookie_off");
                         }
                     }
-		    return true;
-		} elseif ($logger) {
+        		    return true;
+        		} elseif ($logger) {
                     $logger->log('auth_fail','bad password');
                 }
-	    } elseif ($logger) {
-                $logger->log('auth_fail','bad login');
+            } elseif ($logger) {
+                    $logger->log('auth_fail','bad login');
             }
-	}
+    	}
         $this->doLogin($page,$new_name);
     }
 
@@ -176,7 +184,7 @@ class XorgSession extends DiogenesCoreSession
      */
     function doLogin(&$page, $new_name=false)
     {
-        $page->addJsLink('javascript/md5.js');
+        $page->addJsLink('javascript/secure_hash.js');
 	if (logged() and !$new_name) {
 	    $page->changeTpl('password_prompt_logged.tpl');
             $page->addJsLink('javascript/do_challenge_response_logged.js');
@@ -243,7 +251,8 @@ function try_cookie()
     );
     if ($res->numRows() != 0) {
 	list($uid, $password) = $res->fetchOneRow();
-	$expected_value       = md5($password);
+	require_once('secure_hash.inc.php');
+	$expected_value       = hash_encrypt($password);
 	if ($expected_value == Cookie::get('ORGaccess')) {
 	    start_connexion($uid, false);
 	    return 0;
diff --git a/install.d/platal/files b/install.d/platal/files
index 8ed6e90..396cb9c 100644
--- a/install.d/platal/files
+++ b/install.d/platal/files
@@ -254,7 +254,7 @@ htdocs/index.php
 htdocs/javascript/do_challenge_response.js
 htdocs/javascript/md5.js
 htdocs/javascript/xorg.js
-htdocs/motdepassemd5.php
+htdocs/motdepasse.php
 htdocs/preferences.php
 htdocs/recovery.php
 htdocs/tmpPWD.php
@@ -295,8 +295,8 @@ templates/cookie_on.tpl
 templates/deconnexion.tpl
 templates/index.tpl
 templates/logger-view.tpl
-templates/motdepassemd5.success.tpl
-templates/motdepassemd5.tpl
+templates/motdepasse.success.tpl
+templates/motdepasse.tpl
 templates/password_prompt_logged.tpl
 templates/password_prompt.tpl
 templates/preferences.tpl
diff --git a/templates/admin/utilisateurs.tpl b/templates/admin/utilisateurs.tpl
index 83528e1..22dc021 100644
--- a/templates/admin/utilisateurs.tpl
+++ b/templates/admin/utilisateurs.tpl
@@ -84,7 +84,7 @@ depuis <strong>{$host}</strong>
 <script type="text/javascript">
 //<![CDATA[
 function doEditUser() {
-  document.forms.auth.hashpass.value = MD5(document.forms.edit.password.value);
+  document.forms.auth.hashpass.value = hash_encrypt(document.forms.edit.password.value);
   document.forms.auth.password.value = "";
   document.forms.auth.submit();
 }
diff --git a/templates/docs/plan.tpl b/templates/docs/plan.tpl
index a3e8126..ff2f9b6 100644
--- a/templates/docs/plan.tpl
+++ b/templates/docs/plan.tpl
@@ -104,7 +104,7 @@
     Que tu aimes les pingouins ou que tu préfères le site sous une apparence plus traditionnelle url=tu trouvera de quoi mettre le site Polytechnique.org à ton gout !
     {/page}
 
-    {page title="Changer mon mot de passe pour le site" url="motdepassemd5.php"|url}
+    {page title="Changer mon mot de passe pour le site" url="motdepasse.php"|url}
     Grâce à cette page, tu peux changer le mot de passe qui te permet d'accéder au site
     Polytechnique.org ainsi que les groupes X associés.
     {/page}
diff --git a/templates/inscription/step4.tpl b/templates/inscription/step4.tpl
index 67a39a2..3a2bad3 100644
--- a/templates/inscription/step4.tpl
+++ b/templates/inscription/step4.tpl
@@ -31,7 +31,7 @@
   qui comporte exactement les mêmes adresses que le domaine polytechnique.org.
 </p>
 <p>
-<strong><a href="{#globals.baseurl#}/motdepassemd5.php">Clique ici pour changer ton mot de passe.</a></strong>
+<strong><a href="{#globals.baseurl#}/motdepasse.php">Clique ici pour changer ton mot de passe.</a></strong>
 </p>
 <p>
   N'oublie pas : si tu perds ton mot de passe, nous n'avons aucun engagement, en
diff --git a/templates/motdepassemd5.success.tpl b/templates/motdepasse.success.tpl
similarity index 100%
rename from templates/motdepassemd5.success.tpl
rename to templates/motdepasse.success.tpl
diff --git a/templates/motdepassemd5.tpl b/templates/motdepasse.tpl
similarity index 100%
rename from templates/motdepassemd5.tpl
rename to templates/motdepasse.tpl
diff --git a/templates/password_prompt.tpl b/templates/password_prompt.tpl
index 78cf35e..cfff53b 100644
--- a/templates/password_prompt.tpl
+++ b/templates/password_prompt.tpl
@@ -129,6 +129,7 @@ Probl
   <div>
     <input type="hidden" name="challenge" value="{$smarty.session.session->challenge}" />
     <input type="hidden" name="response"  value="" />
+    <input type="hidden" name="xorpass"  value="" />
     <input type="hidden" name="username"  value="" />
     <input type="hidden" name="remember"  value="" />
     <input type="hidden" name="domain"    value="" />
diff --git a/templates/password_prompt_logged.tpl b/templates/password_prompt_logged.tpl
index bf42e1f..d1971f2 100644
--- a/templates/password_prompt_logged.tpl
+++ b/templates/password_prompt_logged.tpl
@@ -79,6 +79,7 @@
   <div>
     <input type="hidden" name="challenge" value="{$smarty.session.session->challenge}" />
     <input type="hidden" name="username"  value="{$smarty.cookies.ORGuid}" />
+    <input type="hidden" name="xorpass"  value="" />
     <input type="hidden" name="remember"  value="" />
     <input type="hidden" name="response"  value="" />
   </div>
diff --git a/templates/preferences.tpl b/templates/preferences.tpl
index c783cdb..56ced8b 100644
--- a/templates/preferences.tpl
+++ b/templates/preferences.tpl
@@ -55,7 +55,7 @@
   </tr>
   <tr class="impair">
     <td>
-      <h3><a href="{"motdepassemd5.php"|url}">Changer mon mot de passe pour le site</a></h3>
+      <h3><a href="{"motdepasse.php"|url}">Changer mon mot de passe pour le site</a></h3>
       <div class='explication'>
         permet de changer ton mot de passe pour accéder au site Polytechnique.org
       </div>
diff --git a/upgrade/0.9.10/04_passwd.sql b/upgrade/0.9.10/04_passwd.sql
new file mode 100644
index 0000000..62804c2
--- /dev/null
+++ b/upgrade/0.9.10/04_passwd.sql
@@ -0,0 +1 @@
+ALTER TABLE `auth_user_md5` CHANGE `password` `password` VARCHAR( 40 ) NOT NULL;
\ No newline at end of file
-- 
2.1.4