1
0
mirror of https://github.com/vichan-devel/vichan.git synced 2024-11-23 23:20:57 +01:00

[SECURITY] keep up with modern password hashing standards

This commit is contained in:
czaks 2016-04-22 05:35:43 +02:00
parent 028fd3df15
commit caaf741691
5 changed files with 87 additions and 21 deletions

View File

@ -1672,3 +1672,18 @@
'<a href="https://youtu.be/$2" target="_blank" class="file">'.
'<img style="width:360px;height:270px;" src="//img.youtube.com/vi/$2/0.jpg" class="post-image"/>'.
'</a></div>';
// Password hashing function
//
// $5$ <- SHA256
// $6$ <- SHA512
//
// 25000 rounds make for ~0.05s on my 2015 Core i3 computer.
//
// https://secure.php.net/manual/en/function.crypt.php
$config['password_crypt'] = '$6$rounds=25000$';
// Password hashing method version
// If set to 0, it won't upgrade hashes using old password encryption schema, only create new.
// You can set it to a higher value, to further migrate to other password hashing function.
$config['password_crypt_version'] = 1;

View File

@ -18,7 +18,18 @@ function mkhash($username, $password, $salt = false) {
}
// generate hash (method is not important as long as it's strong)
$hash = substr(base64_encode(md5($username . $config['cookies']['salt'] . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20);
$hash = substr(
base64_encode(
md5(
$username . $config['cookies']['salt'] . sha1(
$username . $password . $salt . (
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
), true
) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
, true
)
), 0, 20
);
if (isset($generated_salt))
return array($hash, $salt);
@ -26,25 +37,63 @@ function mkhash($username, $password, $salt = false) {
return $hash;
}
function generate_salt() {
mt_srand(microtime(true) * 100000 + memory_get_usage(true));
return md5(uniqid(mt_rand(), true));
function crypt_password_old($password) {
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($password));
return array($salt, $password);
}
function login($username, $password, $makehash=true) {
global $mod;
// SHA1 password
if ($makehash) {
$password = sha1($password);
function crypt_password($password) {
global $config;
// `salt` database field is reused as a version value. We don't want it to be 0.
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
$new_salt = generate_salt();
$password = crypt($password, $config['password_crypt'] . $new_salt . "$");
return array($version, $password);
}
function test_password($password, $salt, $test) {
global $config;
// Version = 0 denotes an old password hashing schema. In the same column, the
// password hash was kept previously
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
if ($version == 0) {
$comp = hash('sha256', $salt . sha1($test));
}
else {
$comp = crypt($test, $password);
}
return array($version, hash_equals($password, $comp));
}
function generate_salt() {
// 128 bits of entropy
return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
}
function login($username, $password) {
global $mod, $config;
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username");
$query->bindValue(':username', $username);
$query->execute() or error(db_error($query));
if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
if ($user['password'] === hash('sha256', $user['salt'] . $password)) {
list($version, $ok) = test_password($user['password'], $user['salt'], $password);
if ($ok) {
if ($config['password_crypt_version'] > $version) {
// It's time to upgrade the password hashing method!
list ($user['salt'], $user['password']) = crypt_password($password);
$query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
$query->bindValue(':password', $user['password']);
$query->bindValue(':salt', $user['salt']);
$query->bindValue(':id', $user['id']);
$query->execute() or error(db_error($query));
}
return $mod = array(
'id' => $user['id'],
'type' => $user['type'],

View File

@ -1734,9 +1734,8 @@ function mod_user($uid) {
}
if ($_POST['password'] != '') {
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($_POST['password']));
list($salt, $password) = crypt_password($_POST['password']);
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
$query->bindValue(':id', $uid);
$query->bindValue(':password', $password);
@ -1761,8 +1760,7 @@ function mod_user($uid) {
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
if ($_POST['password'] != '') {
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($_POST['password']));
list($salt, $password) = crypt_password($_POST['password']);
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
$query->bindValue(':id', $uid);
@ -1834,8 +1832,7 @@ function mod_user_new() {
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
error(sprintf($config['error']['invalidfield'], 'type'));
$salt = generate_salt();
$password = hash('sha256', $salt . sha1($_POST['password']));
list($salt, $password) = crypt_password($_POST['password']);
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
$query->bindValue(':username', $_POST['username']);

View File

@ -1,10 +1,12 @@
<?php
// Installation/upgrade file
define('VERSION', '4.9.93');
define('VERSION', '5.0.0');
require 'inc/functions.php';
loadConfig();
$step = isset($_GET['step']) ? round($_GET['step']) : 0;
$page = array(
'config' => $config,
@ -551,6 +553,9 @@ if (file_exists($config['has_installed'])) {
foreach ($boards as &$board) {
query(sprintf('ALTER TABLE ``posts_%s`` ADD `slug` VARCHAR(255) DEFAULT NULL AFTER `embed`;', $board['uri'])) or error(db_error());
}
case '4.9.93':
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
case false:
// TODO: enhance Tinyboard -> vichan upgrade path.
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());

View File

@ -131,8 +131,8 @@ CREATE TABLE IF NOT EXISTS `modlogs` (
CREATE TABLE IF NOT EXISTS `mods` (
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
`username` varchar(30) NOT NULL,
`password` char(64) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
`salt` char(32) CHARACTER SET ascii NOT NULL,
`password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
`salt` varchar(64) CHARACTER SET ascii NOT NULL,
`type` smallint(2) NOT NULL,
`boards` text CHARACTER SET utf8 NOT NULL,
PRIMARY KEY (`id`),