From db95fe6485f13c0041bbafbb0004b171cd9122e7 Mon Sep 17 00:00:00 2001 From: Jan-Philipp Litza Date: Wed, 12 Dec 2012 02:31:54 +0100 Subject: [PATCH] new authentication framework with stronger passwords and real salts - please proofread! --- db/update.d/19_password_field.php | 7 +++++ includes/pages/admin_user.php | 2 +- includes/pages/guest_login.php | 11 ++++--- includes/pages/user_settings.php | 30 ++++++------------- includes/sys_auth.php | 50 +++++++++++++++++++++++-------- install/default-conf/config.php | 15 ++++++---- 6 files changed, 70 insertions(+), 45 deletions(-) create mode 100644 db/update.d/19_password_field.php diff --git a/db/update.d/19_password_field.php b/db/update.d/19_password_field.php new file mode 100644 index 00000000..85333f28 --- /dev/null +++ b/db/update.d/19_password_field.php @@ -0,0 +1,7 @@ += 6) { - if ($_REQUEST['password'] == $_REQUEST['password2']) { - $password_hash = PassCrypt($_REQUEST['password']); - } else { + if (isset ($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { + if ($_REQUEST['password'] != $_REQUEST['password2']) { $ok = false; $msg .= error(Get_Text("makeuser_error_password1"), true); } @@ -112,9 +110,10 @@ function guest_register() { "', `email`='" . sql_escape($mail) . "', `ICQ`='" . sql_escape($icq) . "', `jabber`='" . sql_escape($jabber) . "', `Size`='" . sql_escape($tshirt_size) . "', `Passwort`='" . sql_escape($password_hash) . "', `kommentar`='" . sql_escape($comment) . "', `Hometown`='" . sql_escape($hometown) . "', `CreateDate`=NOW(), `Sprache`='" . sql_escape($_SESSION["Sprache"]) . "'"); - // Assign user-group + // Assign user-group and set password $user_id = sql_id(); sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape($user_id) . ", `group_id`=-2"); + set_password($user_id, $_REQUEST['password']); // Assign angel-types foreach ($selected_angel_types as $selected_angel_type_id) @@ -176,7 +175,7 @@ function guest_login() { if (count($login_user) > 0) { $login_user = $login_user[0]; if (isset ($_REQUEST['password'])) { - if ($login_user['Passwort'] != PassCrypt($_REQUEST['password'])) { + if (!verify_password($_REQUEST['password'], $login_user['Passwort'], $login_user['UID'])) { $ok = false; $msg .= error(Get_Text("pub_index_pass_no_ok"), true); } diff --git a/includes/pages/user_settings.php b/includes/pages/user_settings.php index 5ea4af27..cfeb38cf 100644 --- a/includes/pages/user_settings.php +++ b/includes/pages/user_settings.php @@ -114,29 +114,17 @@ function user_settings() { elseif (isset ($_REQUEST['submit_password'])) { $ok = true; - if (!isset ($_REQUEST['password']) || $user['Passwort'] != PassCrypt($_REQUEST['password'])) { - $ok = false; + if (!isset ($_REQUEST['password']) || !verify_password($_REQUEST['password'], $user['Passwort'], $user['UID'])) $msg .= error(Get_Text(30), true); - } - - if (isset ($_REQUEST['new_password']) && strlen($_REQUEST['new_password']) >= 6) { - if ($_REQUEST['new_password'] == $_REQUEST['new_password2']) { - $password_hash = PassCrypt($_REQUEST['new_password']); - } else { - $ok = false; - $msg .= error(Get_Text("makeuser_error_password1"), true); - } - } else { - $ok = false; - $msg .= error(Get_Text("makeuser_error_password2"), true); - } - - if ($ok) { - sql_query("UPDATE `User` SET `Passwort`='" . sql_escape($password_hash) . "' WHERE `UID`=" . sql_escape($user['UID'])); - + elseif (strlen($_REQUEST['new_password']) <= MIN_PASSWORD_LENGTH) + $msg .= error(Get_Text("makeuser_error_password2")); + elseif ($_REQUEST['new_password'] != $_REQUEST['new_password2']) + $msg .= error(Get_Text("makeuser_error_password1"), true); + elseif(set_password($user['UID'], $_REQUEST['new_password'])) success("Password saved."); - redirect(page_link_to('user_settings')); - } + else + error("Failed setting password."); + redirect(page_link_to('user_settings')); } elseif (isset ($_REQUEST['submit_theme'])) { $ok = true; diff --git a/includes/sys_auth.php b/includes/sys_auth.php index e1869029..68cf17e4 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -28,15 +28,40 @@ function load_auth() { $privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1); } -function PassCrypt($passwort) { - global $crypt_system; - - switch ($crypt_system) { - case "crypt" : - return "{crypt}" . crypt($passwort, "77"); - case "md5" : - return md5($passwort); +// generate a salt (random string) of arbitrary length suitable for the use with crypt() +function generate_salt($length = 16) { + $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; + $salt = ""; + for ($i = 0; $i < $length; $i++) { + $salt .= $alphabet[rand(0, strlen($alphabet)-1)]; } + return $salt; +} + +// set the password of a user +function set_password($uid, $password) { + $res = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "' WHERE `UID` = " . intval($uid) . " LIMIT 1"); + return $res && (mysql_affected_rows() > 0); +} + +// verify a password given a precomputed salt. +// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically +function verify_password($password, $salt, $uid = false) { + $correct = false; + if (substr($salt, 0, 1) == '$') // new-style crypt() + $correct = crypt($password, $salt) == $salt; + elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore + $correct = crypt($password, '77') == $salt; + elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore + $correct = md5($password) == $salt; + + if($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) { + // this password is stored in another format than we want it to be. + // let's update it! + // we duplicate the query from the above set_password() function to have the extra safety of checking the old hash + sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1"); + } + return $correct; } // JSON Authorisierungs-Schnittstelle @@ -50,11 +75,12 @@ function json_auth_service() { $SourceOuth = $_REQUEST['so']; if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) { - $sql = "SELECT * FROM `User` WHERE `Nick`='" . sql_escape($User) . "'"; - $Erg = sql_query($sql); + $sql = "SELECT `UID`, `Passwort` FROM `User` WHERE `Nick`='" . sql_escape($User) . "'"; + $Erg = sql_select($sql); - if (mysql_num_rows($Erg) == 1) { - if (mysql_result($Erg, 0, "Passwort") == PassCrypt($Pass)) { + if (count($Erg) == 1) { + $Erg = $Erg[0]; + if (verify_password($Pass, $Erg["Passwort"], $Erg["UID"])) { $UID = mysql_result($Erg, 0, "UID"); $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";"); diff --git a/install/default-conf/config.php b/install/default-conf/config.php index 44833167..d27d809a 100644 --- a/install/default-conf/config.php +++ b/install/default-conf/config.php @@ -17,11 +17,16 @@ $DISPLAY_NEWS = 6; // Anzahl Stunden bis zum Austragen eigener Schichten $LETZTES_AUSTRAGEN=3; -//Setzt den zu verwendenden Crypto algorismis -// mp5 oder crypt -// achtung crypt schaltet password ändern ab -$crypt_system="md5"; -//$crypt_system="crypt"; +// Setzt den zu verwendenden Crypto-Algorismus (entsprechend der Dokumentation von crypt()). +// Falls ein Benutzerpasswort in einem anderen Format gespeichert ist, +// wird es bei der ersten Benutzung des Klartext-Passworts in das neue Format +// konvertiert. +//define('CRYPT_ALG', '$1'); // MD5 +//define('CRYPT_ALG', '$2y$13'); // Blowfish +//define('CRYPT_ALG', '$5$rounds=5000'); // SHA-256 +define('CRYPT_ALG', '$6$rounds=5000'); // SHA-512 + +define('MIN_PASSWORD_LENGTH', 8); // Wenn Engel beim Registrieren oder in ihrem Profil eine T-Shirt Größe angeben sollen, auf true setzen: $enable_tshirt_size = false;