Changeset 3627:9bccfc2257ad

Timestamp:

12/19/17 17:27:59 (6 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Use PHP 5.5+ new password functions, closes #2182

Warnings:

• $core->auth->crypt($pwd) doesn't return twice the same result for a single $pwd, so if you need this old behaviour use the $core->auth->cryptLegacy($pwd) instead.
• $core->auth->checkPassword($pwd) must be used with an uncrypted password string as argument.
• if you need a unique UID/key, use http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())). (may be refined in future)

Files:

• admin/auth.php (modified) (1 diff)
• admin/blog_del.php (modified) (1 diff)
• admin/langs.php (modified) (2 diffs)
• admin/post.php (modified) (1 diff)
• admin/preferences.php (modified) (1 diff)
• admin/user.php (modified) (1 diff)
• admin/users_actions.php (modified) (1 diff)
• inc/admin/actions/class.dcactionblogs.php (modified) (1 diff)
• inc/admin/lib.moduleslist.php (modified) (2 diffs)
• inc/core/class.dc.auth.php (modified) (3 diffs)
• inc/core/class.dc.core.php (modified) (2 diffs)
• plugins/antispam/inc/lib.dc.antispam.php (modified) (2 diffs)
• plugins/importExport/inc/class.dc.import.flat.php (modified) (1 diff)
• plugins/pages/page.php (modified) (1 diff)

admin/auth.php

@@ -209 +209 @@
 
      $cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
-          $core->auth->crypt($user_pwd)).bin2hex(pack('a32',$user_id));
+          $core->auth->cryptLegacy($user_id)).bin2hex(pack('a32',$user_id));
 
      if ($check_perms && $core->auth->mustChangePassword())

admin/blog_del.php

@@ -37 +37 @@
 if (!$core->error->flag() && $blog_id && !empty($_POST['del']))
 {
-     if (!$core->auth->checkPassword($core->auth->crypt($_POST['pwd']))) {
+     if (!$core->auth->checkPassword($_POST['pwd'])) {
           $core->error->add(__('Password verification failed'));
      } else {

admin/langs.php

@@ -93 +93 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) {
                throw new Exception(__('Password verification failed'));
           }
@@ -136 +136 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) {
                throw new Exception(__('Password verification failed'));
           }

admin/post.php

@@ -698 +698 @@
           $preview_url =
           $core->blog->url.$core->url->getURLFor('preview',$core->auth->userID().'/'.
-          http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->getInfo('user_pwd')).
+          http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())).
           '/'.$post->post_url);
           echo '<a id="post-preview" href="'.$preview_url.'" class="button modal" accesskey="p">'.__('Preview').' (p)'.'</a>';

admin/preferences.php

@@ -161 +161 @@
      try
      {
-          $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword($core->auth->crypt($_POST['cur_pwd']));
+          $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword($_POST['cur_pwd']);
 
           if ($core->auth->allowPassChange() && !$pwd_check && $user_email != $_POST['user_email']) {

admin/user.php

@@ -72 +72 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) {
                throw new Exception(__('Password verification failed'));
           }

admin/users_actions.php

@@ -97 +97 @@
           try
           {
-               if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) {
                     throw new Exception(__('Password verification failed'));
                }

inc/admin/actions/class.dcactionblogs.php

@@ -155 +155 @@
           }
 
-          if (!$core->auth->checkPassword($core->auth->crypt($_POST['pwd']))) {
+          if (!$core->auth->checkPassword($_POST['pwd'])) {
                throw new Exception(__('Password verification failed'));
           }

inc/admin/lib.moduleslist.php

@@ -1253 +1253 @@
                || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) {
                     throw new Exception(__('Password verification failed'));
                }
@@ -2033 +2033 @@
                     || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
                {
-                    if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
+                    if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) {
                          throw new Exception(__('Password verification failed'));
                     }

inc/core/class.dc.auth.php

@@ -121 +121 @@
           if ($pwd != '')
           {
-               if ($this->crypt($pwd) != $rs->user_pwd) {
-                    sleep(rand(2,5));
-                    return false;
+               $rehash = false;
+               if (password_verify($pwd,$rs->user_pwd)) {
+                    // User password ok
+                    if (password_needs_rehash($rs->user_pwd,PASSWORD_DEFAULT)) {
+                         $rs->user_pwd = $this->crypt($pwd);
+                         $rehash = true;
+                    }
+               } else {
+                    // Check if pwd still stored in old fashion way
+                    $ret = password_get_info($rs->user_pwd);
+                    if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) {
+                         // hash not done with password_hash() function, check by old fashion way
+                         if (crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO) == $rs->user_pwd) {
+                              // Password Ok, need to store it in new fashion way
+                              $rs->user_pwd = $this->crypt($pwd);
+                              $rehash = true;
+                         } else {
+                              // Password KO
+                              sleep(rand(2,5));
+                              return false;
+                         }
+                    } else {
+                         // Password KO
+                         sleep(rand(2,5));
+                         return false;
+                    }
+               }
+               if ($rehash) {
+                    // Store new hash in DB
+                    $cur = $this->con->openCursor($this->user_table);
+                    $cur->user_pwd = (string) $rs->user_pwd;
+                    $cur->update("WHERE user_id = '".$rs->user_id."'");
                }
           }
           elseif ($user_key != '')
           {
-               if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$rs->user_pwd) != $user_key) {
+               if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$this->cryptLegacy($rs->user_id)) != $user_key) {
                     return false;
                }
@@ -172 +201 @@
      public function crypt($pwd)
      {
+          return password_hash($pwd,PASSWORD_DEFAULT);
+     }
+
+     /**
+      * This method crypt given string (password, session_id, …).
+      *
+      * @param string $pwd string to be crypted
+      * @return string crypted value
+      */
+     public function cryptLegacy($pwd)
+     {
           return crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO);
      }
@@ -184 +224 @@
      {
           if (!empty($this->user_info['user_pwd'])) {
-               return $pwd == $this->user_info['user_pwd'];
+               return password_verify($pwd,$this->user_info['user_pwd']);
           }
 

inc/core/class.dc.core.php

@@ -195 +195 @@
      public function getNonce()
      {
-          return $this->auth->crypt(session_id());
+          return $this->auth->cryptLegacy(session_id());
      }
 
@@ -205 +205 @@
           }
 
-          return $secret == $this->auth->crypt(session_id());
+          return $secret == $this->auth->cryptLegacy(session_id());
      }
 

plugins/antispam/inc/lib.dc.antispam.php

@@ -134 +134 @@
           $code =
           pack('a32',$core->auth->userID()).
-          pack('H*',$core->auth->crypt($core->auth->getInfo('user_pwd')));
+          pack('H*',$core->auth->cryptLegacy($core->auth->getInfo('user_pwd')));
           return bin2hex($code);
      }
@@ -161 +161 @@
           }
 
-          if ($core->auth->crypt($rs->user_pwd) != $pwd) {
+          if ($core->auth->cryptLegacy($rs->user_pwd) != $pwd) {
                return false;
           }

plugins/importExport/inc/class.dc.import.flat.php

@@ -90 +90 @@
           if ($full_upl !== null && $this->core->auth->isSuperAdmin())
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) {
                     throw new Exception(__('Password verification failed'));
                }

plugins/pages/page.php

@@ -539 +539 @@
           $core->url->getURLFor('pagespreview',
           $core->auth->userID().'/'.
-          http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->getInfo('user_pwd')).
+          http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())).
           '/'.$post->post_url);
           echo '<a id="post-preview" href="'.$preview_url.'" class="button" accesskey="p">'.__('Preview').' (p)'.'</a>';