kashire/lainchan
4
0
Fork 0
Code Issues 18 Pull Requests Releases Wiki Activity

[SECURITY] keep up with modern password hashing standards

Browse Source
This commit is contained in:
czaks 2016-04-22 05:35:43 +02:00
parent 028fd3df15
commit caaf741691
5 changed files with 87 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
inc/config.php
View File

@ -1672,3 +1672,18 @@
'<a href="https://youtu.be/$2" target="_blank" class="file">'. '<a href="https://youtu.be/$2" target="_blank" class="file">'.
'<img style="width:360px;height:270px;" src="//img.youtube.com/vi/$2/0.jpg" class="post-image"/>'. '<img style="width:360px;height:270px;" src="//img.youtube.com/vi/$2/0.jpg" class="post-image"/>'.
'</a></div>'; '</a></div>';
// Password hashing function
//
// $5$ <- SHA256
// $6$ <- SHA512
//
// 25000 rounds make for ~0.05s on my 2015 Core i3 computer.
//
// https://secure.php.net/manual/en/function.crypt.php
$config['password_crypt'] = '$6$rounds=25000$';
// Password hashing method version
// If set to 0, it won't upgrade hashes using old password encryption schema, only create new.
// You can set it to a higher value, to further migrate to other password hashing function.
$config['password_crypt_version'] = 1;

69
inc/mod/auth.php
View File

@ -18,7 +18,18 @@ function mkhash($username, $password, $salt = false) {
} }
// generate hash (method is not important as long as it's strong) // generate hash (method is not important as long as it's strong)
$hash = substr(base64_encode(md5($username . $config['cookies']['salt'] . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20); $hash = substr(
base64_encode(
md5(
$username . $config['cookies']['salt'] . sha1(
$username . $password . $salt . (
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
), true
) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
, true
)
), 0, 20
);
if (isset($generated_salt)) if (isset($generated_salt))
return array($hash, $salt); return array($hash, $salt);
@ -26,25 +37,63 @@ function mkhash($username, $password, $salt = false) {
return $hash; return $hash;
} }
function generate_salt() { function crypt_password_old($password) {
mt_srand(microtime(true) * 100000 + memory_get_usage(true)); $salt = generate_salt();
return md5(uniqid(mt_rand(), true)); $password = hash('sha256', $salt . sha1($password));
return array($salt, $password);
} }
function login($username, $password, $makehash=true) { function crypt_password($password) {
global $mod; global $config;
// `salt` database field is reused as a version value. We don't want it to be 0.
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
$new_salt = generate_salt();
$password = crypt($password, $config['password_crypt'] . $new_salt . "$");
return array($version, $password);
}
// SHA1 password function test_password($password, $salt, $test) {
if ($makehash) { global $config;
$password = sha1($password);
// Version = 0 denotes an old password hashing schema. In the same column, the
// password hash was kept previously
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
if ($version == 0) {
$comp = hash('sha256', $salt . sha1($test));
} }
else {
$comp = crypt($test, $password);
}
return array($version, hash_equals($password, $comp));
}
function generate_salt() {
// 128 bits of entropy
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
}
function login($username, $password) {
global $mod, $config;
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username"); $query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username");
$query->bindValue(':username', $username); $query->bindValue(':username', $username);
$query->execute() or error(db_error($query)); $query->execute() or error(db_error($query));
if ($user = $query->fetch(PDO::FETCH_ASSOC)) { if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
if ($user['password'] === hash('sha256', $user['salt'] . $password)) { list($version, $ok) = test_password($user['password'], $user['salt'], $password);
if ($ok) {
if ($config['password_crypt_version'] > $version) {
// It's time to upgrade the password hashing method!
list ($user['salt'], $user['password']) = crypt_password($password);
$query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
$query->bindValue(':password', $user['password']);
$query->bindValue(':salt', $user['salt']);
$query->bindValue(':id', $user['id']);
$query->execute() or error(db_error($query));
}
return $mod = array( return $mod = array(
'id' => $user['id'], 'id' => $user['id'],
'type' => $user['type'], 'type' => $user['type'],

9
inc/mod/pages.php
View File

@ -1734,8 +1734,7 @@ function mod_user($uid) {
} }
if ($_POST['password'] != '') { if ($_POST['password'] != '') {
$salt = generate_salt(); list($salt, $password) = crypt_password($_POST['password']);
$password = hash('sha256', $salt . sha1($_POST['password']));
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
$query->bindValue(':id', $uid); $query->bindValue(':id', $uid);
@ -1761,8 +1760,7 @@ function mod_user($uid) {
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) { if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
if ($_POST['password'] != '') { if ($_POST['password'] != '') {
$salt = generate_salt(); list($salt, $password) = crypt_password($_POST['password']);
$password = hash('sha256', $salt . sha1($_POST['password']));
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
$query->bindValue(':id', $uid); $query->bindValue(':id', $uid);
@ -1834,8 +1832,7 @@ function mod_user_new() {
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED) if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
error(sprintf($config['error']['invalidfield'], 'type')); error(sprintf($config['error']['invalidfield'], 'type'));
$salt = generate_salt(); list($salt, $password) = crypt_password($_POST['password']);
$password = hash('sha256', $salt . sha1($_POST['password']));
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)'); $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
$query->bindValue(':username', $_POST['username']); $query->bindValue(':username', $_POST['username']);

7
install.php
View File

@ -1,10 +1,12 @@
<?php <?php
// Installation/upgrade file // Installation/upgrade file
define('VERSION', '4.9.93'); define('VERSION', '5.0.0');
require 'inc/functions.php'; require 'inc/functions.php';
loadConfig();
$step = isset($_GET['step']) ? round($_GET['step']) : 0; $step = isset($_GET['step']) ? round($_GET['step']) : 0;
$page = array( $page = array(
'config' => $config, 'config' => $config,
@ -551,6 +553,9 @@ if (file_exists($config['has_installed'])) {
foreach ($boards as &$board) { foreach ($boards as &$board) {
query(sprintf('ALTER TABLE ``posts_%s`` ADD `slug` VARCHAR(255) DEFAULT NULL AFTER `embed`;', $board['uri'])) or error(db_error()); query(sprintf('ALTER TABLE ``posts_%s`` ADD `slug` VARCHAR(255) DEFAULT NULL AFTER `embed`;', $board['uri'])) or error(db_error());
} }
case '4.9.93':
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
case false: case false:
// TODO: enhance Tinyboard -> vichan upgrade path. // TODO: enhance Tinyboard -> vichan upgrade path.
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error()); query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());

4
install.sql
View File

@ -131,8 +131,8 @@ CREATE TABLE IF NOT EXISTS `modlogs` (
CREATE TABLE IF NOT EXISTS `mods` ( CREATE TABLE IF NOT EXISTS `mods` (
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT, `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(30) NOT NULL, `username` varchar(30) NOT NULL,
`password` char(64) CHARACTER SET ascii NOT NULL COMMENT 'SHA256', `password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
`salt` char(32) CHARACTER SET ascii NOT NULL, `salt` varchar(64) CHARACTER SET ascii NOT NULL,
`type` smallint(2) NOT NULL, `type` smallint(2) NOT NULL,
`boards` text CHARACTER SET utf8 NOT NULL, `boards` text CHARACTER SET utf8 NOT NULL,
PRIMARY KEY (`id`), PRIMARY KEY (`id`),