#i42

new password hashing mechanism for storing passwords git-svn-id: file:///svn/phpbb/trunk@8139 89ea8834-ac86-4346-8a33-228a782c2dd0
2025-05-07 16:15:22 +02:00 · 2007-10-04 18:50:25 +00:00 · 2007-10-04 18:50:25 +00:00 · 760fe6bc66
commit 760fe6bc66
parent c208556578
13 changed files with 1491 additions and 1219 deletions
--- a/phpBB/common.php
+++ b/phpBB/common.php
@ -184,7 +184,10 @@ require($phpbb_root_path . 'includes/cache.' . $phpEx);
 require($phpbb_root_path . 'includes/template.' . $phpEx);
 require($phpbb_root_path . 'includes/session.' . $phpEx);
 require($phpbb_root_path . 'includes/auth.' . $phpEx);
 require($phpbb_root_path . 'includes/functions.' . $phpEx);
 require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
 require($phpbb_root_path . 'includes/constants.' . $phpEx);
 require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
 require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
--- a/phpBB/includes/acp/acp_users.php
+++ b/phpBB/includes/acp/acp_users.php
@ -694,7 +694,7 @@ class acp_users
 					// Which updates do we need to do?
 					$update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
-					$update_password = ($data['new_password'] && $user_row['user_password'] != md5($data['new_password'])) ? true : false;
+					$update_password = ($data['new_password'] && !phpbb_check_hash($user_row['user_password'], $data['new_password'])) ? true : false;
 					$update_email = ($data['email'] != $user_row['user_email']) ? $data['email'] : false;
 					if (!sizeof($error))
@ -766,7 +766,7 @@ class acp_users
 						if ($update_password)
 						{
 							$sql_ary += array(
-								'user_password' => md5($data['new_password']),
+								'user_password' => phpbb_hash($data['new_password']),
 								'user_passchg'	=> time(),
 							);
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@ -194,7 +194,7 @@ function user_row_apache($username, $password)
 	// generate user account data
 	return array(
 		'username'		=> $username,
-		'user_password'	=> md5($password),
+		'user_password'	=> phpbb_hash($password),
 		'user_email'	=> '',
 		'group_id'		=> (int) $row['group_id'],
 		'user_type'		=> USER_NORMAL,
--- a/phpBB/includes/auth/auth_db.php
+++ b/phpBB/includes/auth/auth_db.php
@ -125,15 +125,17 @@ function login_db(&$username, &$password)
 			// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
 			if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
 			{
 				$hash = phpbb_hash($password_new_format);
 				// Update the password in the users table to the new format and remove user_pass_convert flag
 				$sql = 'UPDATE ' . USERS_TABLE . '
-					SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
+					SET user_password = \'' . $db->sql_escape($hash) . '\',
 						user_pass_convert = 0
 					WHERE user_id = ' . $row['user_id'];
 				$db->sql_query($sql);
 				$row['user_pass_convert'] = 0;
-				$row['user_password'] = md5($password_new_format);
+				$row['user_password'] = $hash;
 			}
 			else
 			{
@ -154,8 +156,23 @@ function login_db(&$username, &$password)
 	}
 	// Check password ...
-	if (!$row['user_pass_convert'] && md5($password) == $row['user_password'])
+	if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
 	{
 		// Check for old password hash...
 		if (strlen($row['user_password']) == 32)
 		{
 			$hash = phpbb_hash($password);
 			// Update the password in the users table to the new format
 			$sql = 'UPDATE ' . USERS_TABLE . "
 				SET user_password = '" . $db->sql_escape($hash) . "',
 					user_pass_convert = 0
 				WHERE user_id = {$row['user_id']}";
 			$db->sql_query($sql);
 			$row['user_password'] = $hash;
 		}
 		if ($row['user_login_attempts'] != 0)
 		{
 			// Successful, reset login attempts (the user passed all stages)
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@ -204,7 +204,7 @@ function login_ldap(&$username, &$password)
 				// generate user account data
 				$ldap_user_row = array(
 					'username'		=> $username,
-					'user_password'	=> md5($password),
+					'user_password'	=> phpbb_hash($password),
 					'user_email'	=> (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
 					'group_id'		=> (int) $row['group_id'],
 					'user_type'		=> USER_NORMAL,
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
--- a/phpBB/includes/functions_content.php
+++ b/phpBB/includes/functions_content.php
--- a/phpBB/includes/ucp/ucp_profile.php
+++ b/phpBB/includes/ucp/ucp_profile.php
@ -75,13 +75,13 @@ class ucp_profile
 						$error[] = 'NEW_PASSWORD_ERROR';
 					}
-					if (($data['new_password'] || ($auth->acl_get('u_chgemail') && $data['email'] != $user->data['user_email']) || ($data['username'] != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])) && md5($data['cur_password']) != $user->data['user_password'])
+					if (($data['new_password'] || ($auth->acl_get('u_chgemail') && $data['email'] != $user->data['user_email']) || ($data['username'] != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])) && !phpbb_check_hash($data['cur_password'], $user->data['user_password']))
 					{
 						$error[] = 'CUR_PASSWORD_ERROR';
 					}
 					// Only check the new password against the previous password if there have been no errors
-					if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && md5($data['new_password']) == $user->data['user_password'])
+					if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && phpbb_check_hash($data['new_password'], $user->data['user_password']))
 					{
 						$error[] = 'SAME_PASSWORD_ERROR';
 					}
@ -103,7 +103,7 @@ class ucp_profile
 							'username_clean'	=> ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? utf8_clean_string($data['username']) : $user->data['username_clean'],
 							'user_email'		=> ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
 							'user_email_hash'	=> ($auth->acl_get('u_chgemail')) ? crc32($data['email']) . strlen($data['email']) : $user->data['user_email_hash'],
-							'user_password'		=> ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? md5($data['new_password']) : $user->data['user_password'],
+							'user_password'		=> ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? phpbb_hash($data['new_password']) : $user->data['user_password'],
 							'user_passchg'		=> ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
 						);
@ -112,7 +112,7 @@ class ucp_profile
 							add_log('user', $user->data['user_id'], 'LOG_USER_UPDATE_NAME', $user->data['username'], $data['username']);
 						}
-						if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && md5($data['new_password']) != $user->data['user_password'])
+						if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !phpbb_check_hash($data['new_password'], $user->data['user_password']))
 						{
 							$user->reset_login_keys();
 							add_log('user', $user->data['user_id'], 'LOG_USER_NEW_PASSWORD', $data['username']);
--- a/phpBB/includes/ucp/ucp_register.php
+++ b/phpBB/includes/ucp/ucp_register.php
@ -300,7 +300,7 @@ class ucp_register
 				$user_row = array(
 					'username'				=> $data['username'],
-					'user_password'			=> md5($data['new_password']),
+					'user_password'			=> phpbb_hash($data['new_password']),
 					'user_email'			=> $data['email'],
 					'group_id'				=> (int) $group_id,
 					'user_timezone'			=> (float) $data['tz'],
--- a/phpBB/includes/ucp/ucp_remind.php
+++ b/phpBB/includes/ucp/ucp_remind.php
@ -67,7 +67,7 @@ class ucp_remind
 			$user_password = gen_rand_string(8);
 			$sql = 'UPDATE ' . USERS_TABLE . "
-				SET user_newpasswd = '" . $db->sql_escape(md5($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
+				SET user_newpasswd = '" . $db->sql_escape(phpbb_hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
 				WHERE user_id = " . $user_row['user_id'];
 			$db->sql_query($sql);
--- a/phpBB/install/database_update.php
+++ b/phpBB/install/database_update.php
@ -55,7 +55,14 @@ require($phpbb_root_path . 'includes/cache.' . $phpEx);
 require($phpbb_root_path . 'includes/template.' . $phpEx);
 require($phpbb_root_path . 'includes/session.' . $phpEx);
 require($phpbb_root_path . 'includes/auth.' . $phpEx);
 require($phpbb_root_path . 'includes/functions.' . $phpEx);
 if (file_exists($phpbb_root_path . 'includes/functions_content.' . $phpEx))
 {
 	require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
 }
 require($phpbb_root_path . 'includes/functions_admin.' . $phpEx);
 require($phpbb_root_path . 'includes/constants.' . $phpEx);
 require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
--- a/phpBB/install/index.php
+++ b/phpBB/install/index.php
@ -149,6 +149,12 @@ else
 // Include essential scripts
 require($phpbb_root_path . 'includes/functions.' . $phpEx);
 if (file_exists($phpbb_root_path . 'includes/functions_content.' . $phpEx))
 {
 	require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
 }
 include($phpbb_root_path . 'includes/auth.' . $phpEx);
 include($phpbb_root_path . 'includes/session.' . $phpEx);
 include($phpbb_root_path . 'includes/template.' . $phpEx);
--- a/phpBB/install/install_install.php
+++ b/phpBB/install/install_install.php
@ -1309,7 +1309,7 @@ class install_install extends module
 				WHERE config_name = 'avatar_salt'",
 			'UPDATE ' . $data['table_prefix'] . "users
-				SET username = '" . $db->sql_escape($data['admin_name']) . "', user_password='" . $db->sql_escape(md5($data['admin_pass1'])) . "', user_ip = '" . $db->sql_escape($user_ip) . "', user_lang = '" . $db->sql_escape($data['default_lang']) . "', user_email='" . $db->sql_escape($data['board_email1']) . "', user_dateformat='" . $db->sql_escape($lang['default_dateformat']) . "', user_email_hash = " . (crc32($data['board_email1']) . strlen($data['board_email1'])) . ", username_clean = '" . $db->sql_escape(utf8_clean_string($data['admin_name'])) . "'
+				SET username = '" . $db->sql_escape($data['admin_name']) . "', user_password='" . $db->sql_escape(phpbb_hash($data['admin_pass1'])) . "', user_ip = '" . $db->sql_escape($user_ip) . "', user_lang = '" . $db->sql_escape($data['default_lang']) . "', user_email='" . $db->sql_escape($data['board_email1']) . "', user_dateformat='" . $db->sql_escape($lang['default_dateformat']) . "', user_email_hash = " . (crc32($data['board_email1']) . strlen($data['board_email1'])) . ", username_clean = '" . $db->sql_escape(utf8_clean_string($data['admin_name'])) . "'
 				WHERE username = 'Admin'",
 			'UPDATE ' . $data['table_prefix'] . "moderator_cache