Changeset 3627:9bccfc2257ad for inc

Timestamp:

12/19/17 17:27:59 (8 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Use PHP 5.5+ new password functions, closes #2182

Warnings:

• $core->auth->crypt($pwd) doesn't return twice the same result for a single $pwd, so if you need this old behaviour use the $core->auth->cryptLegacy($pwd) instead.
• $core->auth->checkPassword($pwd) must be used with an uncrypted password string as argument.
• if you need a unique UID/key, use http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())). (may be refined in future)

Location:

inc

Files:

• admin/actions/class.dcactionblogs.php (modified) (1 diff)
• admin/lib.moduleslist.php (modified) (2 diffs)
• core/class.dc.auth.php (modified) (3 diffs)
• core/class.dc.core.php (modified) (2 diffs)

inc/admin/actions/class.dcactionblogs.php

@@ -155 +155 @@
           }
 
-          if (!$core->auth->checkPassword($core->auth->crypt($_POST['pwd']))) {
+          if (!$core->auth->checkPassword($_POST['pwd'])) {
                throw new Exception(__('Password verification failed'));
           }

inc/admin/lib.moduleslist.php

@@ -1253 +1253 @@
                || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) {
                     throw new Exception(__('Password verification failed'));
                }
@@ -2033 +2033 @@
                     || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
                {
-                    if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
+                    if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) {
                          throw new Exception(__('Password verification failed'));
                     }

inc/core/class.dc.auth.php

@@ -121 +121 @@
           if ($pwd != '')
           {
-               if ($this->crypt($pwd) != $rs->user_pwd) {
-                    sleep(rand(2,5));
-                    return false;
+               $rehash = false;
+               if (password_verify($pwd,$rs->user_pwd)) {
+                    // User password ok
+                    if (password_needs_rehash($rs->user_pwd,PASSWORD_DEFAULT)) {
+                         $rs->user_pwd = $this->crypt($pwd);
+                         $rehash = true;
+                    }
+               } else {
+                    // Check if pwd still stored in old fashion way
+                    $ret = password_get_info($rs->user_pwd);
+                    if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) {
+                         // hash not done with password_hash() function, check by old fashion way
+                         if (crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO) == $rs->user_pwd) {
+                              // Password Ok, need to store it in new fashion way
+                              $rs->user_pwd = $this->crypt($pwd);
+                              $rehash = true;
+                         } else {
+                              // Password KO
+                              sleep(rand(2,5));
+                              return false;
+                         }
+                    } else {
+                         // Password KO
+                         sleep(rand(2,5));
+                         return false;
+                    }
+               }
+               if ($rehash) {
+                    // Store new hash in DB
+                    $cur = $this->con->openCursor($this->user_table);
+                    $cur->user_pwd = (string) $rs->user_pwd;
+                    $cur->update("WHERE user_id = '".$rs->user_id."'");
                }
           }
           elseif ($user_key != '')
           {
-               if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$rs->user_pwd) != $user_key) {
+               if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$this->cryptLegacy($rs->user_id)) != $user_key) {
                     return false;
                }
@@ -172 +201 @@
      public function crypt($pwd)
      {
+          return password_hash($pwd,PASSWORD_DEFAULT);
+     }
+
+     /**
+      * This method crypt given string (password, session_id, …).
+      *
+      * @param string $pwd string to be crypted
+      * @return string crypted value
+      */
+     public function cryptLegacy($pwd)
+     {
           return crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO);
      }
@@ -184 +224 @@
      {
           if (!empty($this->user_info['user_pwd'])) {
-               return $pwd == $this->user_info['user_pwd'];
+               return password_verify($pwd,$this->user_info['user_pwd']);
           }
 

inc/core/class.dc.core.php

@@ -195 +195 @@
      public function getNonce()
      {
-          return $this->auth->crypt(session_id());
+          return $this->auth->cryptLegacy(session_id());
      }
 
@@ -205 +205 @@
           }
 
-          return $secret == $this->auth->crypt(session_id());
+          return $secret == $this->auth->cryptLegacy(session_id());
      }