[SECURITY] keep up with modern password hashing standards
This commit is contained in:
parent
028fd3df15
commit
caaf741691
@ -1672,3 +1672,18 @@
|
||||
'<a href="https://youtu.be/$2" target="_blank" class="file">'.
|
||||
'<img style="width:360px;height:270px;" src="//img.youtube.com/vi/$2/0.jpg" class="post-image"/>'.
|
||||
'</a></div>';
|
||||
|
||||
// Password hashing function
|
||||
//
|
||||
// $5$ <- SHA256
|
||||
// $6$ <- SHA512
|
||||
//
|
||||
// 25000 rounds make for ~0.05s on my 2015 Core i3 computer.
|
||||
//
|
||||
// https://secure.php.net/manual/en/function.crypt.php
|
||||
$config['password_crypt'] = '$6$rounds=25000$';
|
||||
|
||||
// Password hashing method version
|
||||
// If set to 0, it won't upgrade hashes using old password encryption schema, only create new.
|
||||
// You can set it to a higher value, to further migrate to other password hashing function.
|
||||
$config['password_crypt_version'] = 1;
|
||||
|
@ -18,7 +18,18 @@ function mkhash($username, $password, $salt = false) {
|
||||
}
|
||||
|
||||
// generate hash (method is not important as long as it's strong)
|
||||
$hash = substr(base64_encode(md5($username . $config['cookies']['salt'] . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
|
||||
$hash = substr(
|
||||
base64_encode(
|
||||
md5(
|
||||
$username . $config['cookies']['salt'] . sha1(
|
||||
$username . $password . $salt . (
|
||||
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
|
||||
), true
|
||||
) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
|
||||
, true
|
||||
)
|
||||
), 0, 20
|
||||
);
|
||||
|
||||
if (isset($generated_salt))
|
||||
return array($hash, $salt);
|
||||
@ -26,25 +37,63 @@ function mkhash($username, $password, $salt = false) {
|
||||
return $hash;
|
||||
}
|
||||
|
||||
function generate_salt() {
|
||||
mt_srand(microtime(true) * 100000 + memory_get_usage(true));
|
||||
return md5(uniqid(mt_rand(), true));
|
||||
function crypt_password_old($password) {
|
||||
$salt = generate_salt();
|
||||
$password = hash('sha256', $salt . sha1($password));
|
||||
return array($salt, $password);
|
||||
}
|
||||
|
||||
function login($username, $password, $makehash=true) {
|
||||
global $mod;
|
||||
|
||||
// SHA1 password
|
||||
if ($makehash) {
|
||||
$password = sha1($password);
|
||||
function crypt_password($password) {
|
||||
global $config;
|
||||
// `salt` database field is reused as a version value. We don't want it to be 0.
|
||||
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
|
||||
$new_salt = generate_salt();
|
||||
$password = crypt($password, $config['password_crypt'] . $new_salt . "$");
|
||||
return array($version, $password);
|
||||
}
|
||||
|
||||
function test_password($password, $salt, $test) {
|
||||
global $config;
|
||||
|
||||
// Version = 0 denotes an old password hashing schema. In the same column, the
|
||||
// password hash was kept previously
|
||||
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
|
||||
|
||||
if ($version == 0) {
|
||||
$comp = hash('sha256', $salt . sha1($test));
|
||||
}
|
||||
else {
|
||||
$comp = crypt($test, $password);
|
||||
}
|
||||
return array($version, hash_equals($password, $comp));
|
||||
}
|
||||
|
||||
function generate_salt() {
|
||||
// 128 bits of entropy
|
||||
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
|
||||
}
|
||||
|
||||
function login($username, $password) {
|
||||
global $mod, $config;
|
||||
|
||||
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username");
|
||||
$query->bindValue(':username', $username);
|
||||
$query->execute() or error(db_error($query));
|
||||
|
||||
if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
|
||||
if ($user['password'] === hash('sha256', $user['salt'] . $password)) {
|
||||
list($version, $ok) = test_password($user['password'], $user['salt'], $password);
|
||||
|
||||
if ($ok) {
|
||||
if ($config['password_crypt_version'] > $version) {
|
||||
// It's time to upgrade the password hashing method!
|
||||
list ($user['salt'], $user['password']) = crypt_password($password);
|
||||
$query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
|
||||
$query->bindValue(':password', $user['password']);
|
||||
$query->bindValue(':salt', $user['salt']);
|
||||
$query->bindValue(':id', $user['id']);
|
||||
$query->execute() or error(db_error($query));
|
||||
}
|
||||
|
||||
return $mod = array(
|
||||
'id' => $user['id'],
|
||||
'type' => $user['type'],
|
||||
|
@ -1734,9 +1734,8 @@ function mod_user($uid) {
|
||||
}
|
||||
|
||||
if ($_POST['password'] != '') {
|
||||
$salt = generate_salt();
|
||||
$password = hash('sha256', $salt . sha1($_POST['password']));
|
||||
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
||||
$query->bindValue(':id', $uid);
|
||||
$query->bindValue(':password', $password);
|
||||
@ -1761,8 +1760,7 @@ function mod_user($uid) {
|
||||
|
||||
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
|
||||
if ($_POST['password'] != '') {
|
||||
$salt = generate_salt();
|
||||
$password = hash('sha256', $salt . sha1($_POST['password']));
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
||||
$query->bindValue(':id', $uid);
|
||||
@ -1834,8 +1832,7 @@ function mod_user_new() {
|
||||
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
|
||||
error(sprintf($config['error']['invalidfield'], 'type'));
|
||||
|
||||
$salt = generate_salt();
|
||||
$password = hash('sha256', $salt . sha1($_POST['password']));
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
|
||||
$query->bindValue(':username', $_POST['username']);
|
||||
|
@ -1,10 +1,12 @@
|
||||
<?php
|
||||
|
||||
// Installation/upgrade file
|
||||
define('VERSION', '4.9.93');
|
||||
define('VERSION', '5.0.0');
|
||||
|
||||
require 'inc/functions.php';
|
||||
|
||||
loadConfig();
|
||||
|
||||
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
|
||||
$page = array(
|
||||
'config' => $config,
|
||||
@ -551,6 +553,9 @@ if (file_exists($config['has_installed'])) {
|
||||
foreach ($boards as &$board) {
|
||||
query(sprintf('ALTER TABLE ``posts_%s`` ADD `slug` VARCHAR(255) DEFAULT NULL AFTER `embed`;', $board['uri'])) or error(db_error());
|
||||
}
|
||||
case '4.9.93':
|
||||
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
|
||||
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
|
||||
case false:
|
||||
// TODO: enhance Tinyboard -> vichan upgrade path.
|
||||
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());
|
||||
|
@ -131,8 +131,8 @@ CREATE TABLE IF NOT EXISTS `modlogs` (
|
||||
CREATE TABLE IF NOT EXISTS `mods` (
|
||||
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
|
||||
`username` varchar(30) NOT NULL,
|
||||
`password` char(64) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
|
||||
`salt` char(32) CHARACTER SET ascii NOT NULL,
|
||||
`password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
|
||||
`salt` varchar(64) CHARACTER SET ascii NOT NULL,
|
||||
`type` smallint(2) NOT NULL,
|
||||
`boards` text CHARACTER SET utf8 NOT NULL,
|
||||
PRIMARY KEY (`id`),
|
||||
|
Loading…
Reference in New Issue
Block a user