mirror of
https://github.com/phpbb/phpbb.git
synced 2025-08-06 08:47:45 +02:00
Merge pull request #1716 from marc1706/feature/passwords
[feature/passwords] Add password hashing manager with support for newer hashing algorithms
This commit is contained in:
Nils Adermann
@@ -926,7 +926,7 @@ class acp_forums
|
||||
*/
|
||||
function update_forum_data(&$forum_data)
|
||||
{
|
||||
global $db, $user, $cache, $phpbb_root_path, $phpbb_dispatcher;
|
||||
global $db, $user, $cache, $phpbb_root_path, $phpbb_container, $phpbb_dispatcher;
|
||||
|
||||
$errors = array();
|
||||
|
||||
@@ -1030,7 +1030,10 @@ class acp_forums
|
||||
}
|
||||
else
|
||||
{
|
||||
$forum_data_sql['forum_password'] = phpbb_hash($forum_data_sql['forum_password']);
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$forum_data_sql['forum_password'] = $passwords_manager->hash($forum_data_sql['forum_password']);
|
||||
}
|
||||
unset($forum_data_sql['forum_password_unset']);
|
||||
|
||||
|
||||
@@ -824,9 +824,12 @@ class acp_users
|
||||
$error[] = 'FORM_INVALID';
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
// Which updates do we need to do?
|
||||
$update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
|
||||
$update_password = ($data['new_password'] && !phpbb_check_hash($data['new_password'], $user_row['user_password'])) ? true : false;
|
||||
$update_password = $data['new_password'] && !$passwords_manager->check($data['new_password'], $user_row['user_password']);
|
||||
$update_email = ($data['email'] != $user_row['user_email']) ? $data['email'] : false;
|
||||
|
||||
if (!sizeof($error))
|
||||
@@ -910,7 +913,7 @@ class acp_users
|
||||
if ($update_password)
|
||||
{
|
||||
$sql_ary += array(
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_password' => $passwords_manager->hash($data['new_password']),
|
||||
'user_passchg' => time(),
|
||||
'user_pass_convert' => 0,
|
||||
);
|
||||
|
||||
@@ -318,7 +318,7 @@ $schema_data['phpbb_forums'] = array(
|
||||
'forum_desc_options' => array('UINT:11', 7),
|
||||
'forum_desc_uid' => array('VCHAR:8', ''),
|
||||
'forum_link' => array('VCHAR_UNI', ''),
|
||||
'forum_password' => array('VCHAR_UNI:40', ''),
|
||||
'forum_password' => array('VCHAR_UNI', ''),
|
||||
'forum_style' => array('UINT', 0),
|
||||
'forum_image' => array('VCHAR', ''),
|
||||
'forum_rules' => array('TEXT_UNI', ''),
|
||||
@@ -1112,7 +1112,7 @@ $schema_data['phpbb_users'] = array(
|
||||
'user_regdate' => array('TIMESTAMP', 0),
|
||||
'username' => array('VCHAR_CI', ''),
|
||||
'username_clean' => array('VCHAR_CI', ''),
|
||||
'user_password' => array('VCHAR_UNI:40', ''),
|
||||
'user_password' => array('VCHAR_UNI', ''),
|
||||
'user_passchg' => array('TIMESTAMP', 0),
|
||||
'user_pass_convert' => array('BOOL', 0),
|
||||
'user_email' => array('VCHAR_UNI:100', ''),
|
||||
|
||||
@@ -368,73 +368,27 @@ function still_on_time($extra_time = 15)
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)
|
||||
*
|
||||
* Portable PHP password hashing framework.
|
||||
*
|
||||
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
|
||||
* the public domain.
|
||||
*
|
||||
* There's absolutely no warranty.
|
||||
*
|
||||
* The homepage URL for this framework is:
|
||||
*
|
||||
* http://www.openwall.com/phpass/
|
||||
*
|
||||
* Please be sure to update the Version line if you edit this file in any way.
|
||||
* It is suggested that you leave the main version number intact, but indicate
|
||||
* your project name (after the slash) and add your own revision information.
|
||||
*
|
||||
* Please do not change the "private" password hashing method implemented in
|
||||
* here, thereby making your hashes incompatible. However, if you must, please
|
||||
* change the hash type identifier (the "$P$") to something different.
|
||||
*
|
||||
* Obviously, since this code is in the public domain, the above are not
|
||||
* requirements (there can be none), but merely suggestions.
|
||||
*
|
||||
*
|
||||
* Hash the password
|
||||
*
|
||||
* @deprecated 3.1.0-a2 (To be removed: 3.3.0)
|
||||
*
|
||||
* @param string $password Password to be hashed
|
||||
*
|
||||
* @return string|bool Password hash or false if something went wrong during hashing
|
||||
*/
|
||||
function phpbb_hash($password)
|
||||
{
|
||||
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
||||
global $phpbb_container;
|
||||
|
||||
$random_state = unique_id();
|
||||
$random = '';
|
||||
$count = 6;
|
||||
|
||||
if (($fh = @fopen('/dev/urandom', 'rb')))
|
||||
{
|
||||
$random = fread($fh, $count);
|
||||
fclose($fh);
|
||||
}
|
||||
|
||||
if (strlen($random) < $count)
|
||||
{
|
||||
$random = '';
|
||||
|
||||
for ($i = 0; $i < $count; $i += 16)
|
||||
{
|
||||
$random_state = md5(unique_id() . $random_state);
|
||||
$random .= pack('H*', md5($random_state));
|
||||
}
|
||||
$random = substr($random, 0, $count);
|
||||
}
|
||||
|
||||
$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);
|
||||
|
||||
if (strlen($hash) == 34)
|
||||
{
|
||||
return $hash;
|
||||
}
|
||||
|
||||
return md5($password);
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
return $passwords_manager->hash($password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check for correct password
|
||||
*
|
||||
* @deprecated 3.1.0-a2 (To be removed: 3.3.0)
|
||||
*
|
||||
* @param string $password The password in plain text
|
||||
* @param string $hash The stored password hash
|
||||
*
|
||||
@@ -442,130 +396,10 @@ function phpbb_hash($password)
|
||||
*/
|
||||
function phpbb_check_hash($password, $hash)
|
||||
{
|
||||
if (strlen($password) > 4096)
|
||||
{
|
||||
// If the password is too huge, we will simply reject it
|
||||
// and not let the server try to hash it.
|
||||
return false;
|
||||
}
|
||||
global $phpbb_container;
|
||||
|
||||
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
||||
if (strlen($hash) == 34)
|
||||
{
|
||||
return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
|
||||
}
|
||||
|
||||
return (md5($password) === $hash) ? true : false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate salt for hash generation
|
||||
*/
|
||||
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
|
||||
{
|
||||
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
|
||||
{
|
||||
$iteration_count_log2 = 8;
|
||||
}
|
||||
|
||||
$output = '$H$';
|
||||
$output .= $itoa64[min($iteration_count_log2 + 5, 30)];
|
||||
$output .= _hash_encode64($input, 6, $itoa64);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* Encode hash
|
||||
*/
|
||||
function _hash_encode64($input, $count, &$itoa64)
|
||||
{
|
||||
$output = '';
|
||||
$i = 0;
|
||||
|
||||
do
|
||||
{
|
||||
$value = ord($input[$i++]);
|
||||
$output .= $itoa64[$value & 0x3f];
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 8;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 6) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 16;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 12) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 18) & 0x3f];
|
||||
}
|
||||
while ($i < $count);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* The crypt function/replacement
|
||||
*/
|
||||
function _hash_crypt_private($password, $setting, &$itoa64)
|
||||
{
|
||||
$output = '*';
|
||||
|
||||
// Check for correct hash
|
||||
if (substr($setting, 0, 3) != '$H$' && substr($setting, 0, 3) != '$P$')
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
$count_log2 = strpos($itoa64, $setting[3]);
|
||||
|
||||
if ($count_log2 < 7 || $count_log2 > 30)
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
$count = 1 << $count_log2;
|
||||
$salt = substr($setting, 4, 8);
|
||||
|
||||
if (strlen($salt) != 8)
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* We're kind of forced to use MD5 here since it's the only
|
||||
* cryptographic primitive available in all versions of PHP
|
||||
* currently in use. To implement our own low-level crypto
|
||||
* in PHP would result in much worse performance and
|
||||
* consequently in lower iteration counts and hashes that are
|
||||
* quicker to crack (by non-PHP code).
|
||||
*/
|
||||
$hash = md5($salt . $password, true);
|
||||
do
|
||||
{
|
||||
$hash = md5($hash . $password, true);
|
||||
}
|
||||
while (--$count);
|
||||
|
||||
$output = substr($setting, 0, 12);
|
||||
$output .= _hash_encode64($hash, 16, $itoa64);
|
||||
|
||||
return $output;
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
return $passwords_manager->check($password, $hash);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -3206,9 +3040,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
||||
*/
|
||||
function login_forum_box($forum_data)
|
||||
{
|
||||
global $db, $config, $user, $template, $phpEx;
|
||||
global $db, $phpbb_container, $request, $template, $user;
|
||||
|
||||
$password = request_var('password', '', true);
|
||||
$password = $request->variable('password', '', true);
|
||||
|
||||
$sql = 'SELECT forum_id
|
||||
FROM ' . FORUMS_ACCESS_TABLE . '
|
||||
@@ -3249,7 +3083,9 @@ function login_forum_box($forum_data)
|
||||
}
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
if (phpbb_check_hash($password, $forum_data['forum_password']))
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
if ($passwords_manager->check($password, $forum_data['forum_password']))
|
||||
{
|
||||
$sql_ary = array(
|
||||
'forum_id' => (int) $forum_data['forum_id'],
|
||||
|
||||
@@ -82,13 +82,16 @@ class ucp_profile
|
||||
$error[] = ($data['password_confirm']) ? 'NEW_PASSWORD_ERROR' : 'NEW_PASSWORD_CONFIRM_EMPTY';
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
// Only check the new password against the previous password if there have been no errors
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && $passwords_manager->check($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = 'SAME_PASSWORD_ERROR';
|
||||
}
|
||||
|
||||
if (!phpbb_check_hash($data['cur_password'], $user->data['user_password']))
|
||||
if (!$passwords_manager->check($data['cur_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY';
|
||||
}
|
||||
@@ -105,7 +108,7 @@ class ucp_profile
|
||||
'username_clean' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? utf8_clean_string($data['username']) : $user->data['username_clean'],
|
||||
'user_email' => ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
|
||||
'user_email_hash' => ($auth->acl_get('u_chgemail')) ? phpbb_email_hash($data['email']) : $user->data['user_email_hash'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? phpbb_hash($data['new_password']) : $user->data['user_password'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? $passwords_manager->hash($data['new_password']) : $user->data['user_password'],
|
||||
'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
|
||||
);
|
||||
|
||||
@@ -114,7 +117,7 @@ class ucp_profile
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_UPDATE_NAME', $user->data['username'], $data['username']);
|
||||
}
|
||||
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !$passwords_manager->check($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$user->reset_login_keys();
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_NEW_PASSWORD', $data['username']);
|
||||
|
||||
@@ -294,9 +294,12 @@ class ucp_register
|
||||
$user_inactive_time = 0;
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$user_row = array(
|
||||
'username' => $data['username'],
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_password' => $passwords_manager->hash($data['new_password']),
|
||||
'user_email' => $data['email'],
|
||||
'group_id' => (int) $group_id,
|
||||
'user_timezone' => $data['tz'],
|
||||
|
||||
@@ -27,7 +27,7 @@ class ucp_remind
|
||||
function main($id, $mode)
|
||||
{
|
||||
global $config, $phpbb_root_path, $phpEx;
|
||||
global $db, $user, $auth, $template;
|
||||
global $db, $user, $auth, $template, $phpbb_container;;
|
||||
|
||||
if (!$config['allow_password_reset'])
|
||||
{
|
||||
@@ -88,8 +88,11 @@ class ucp_remind
|
||||
// For the activation key a random length between 6 and 10 will do.
|
||||
$user_actkey = gen_rand_string(mt_rand(6, 10));
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$sql = 'UPDATE ' . USERS_TABLE . "
|
||||
SET user_newpasswd = '" . $db->sql_escape(phpbb_hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
WHERE user_id = " . $user_row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user