new authentication framework with stronger passwords and real salts - please proofread!

main
Jan-Philipp Litza 12 years ago
parent 697b756c4e
commit db95fe6485

@ -0,0 +1,7 @@
<?php
// make the Passwort column in the User table longer to store more advanced hashes with salts
$res = sql_select("DESCRIBE `User` `Passwort`");
if ($res[0]['Type'] == 'varchar(40)') {
sql_query("ALTER TABLE `User` CHANGE `Passwort` `Passwort` VARCHAR(128) NULL");
$applied = true;
}

@ -240,7 +240,7 @@ function admin_user() {
case 'change_pw' : case 'change_pw' :
if ($_REQUEST['new_pw'] != "" && $_REQUEST['new_pw'] == $_REQUEST['new_pw2']) { if ($_REQUEST['new_pw'] != "" && $_REQUEST['new_pw'] == $_REQUEST['new_pw2']) {
sql_query("UPDATE `User` SET `Passwort`='" . sql_escape(PassCrypt($_REQUEST['new_pw'])) . "' WHERE `UID`=" . sql_escape($id) . " LIMIT 1"); set_password($id, $_REQUEST['new_pw']);
$html .= success("Passwort neu gesetzt.", true); $html .= success("Passwort neu gesetzt.", true);
} else { } else {
$html .= error("Die Eingaben müssen übereinstimmen und dürfen nicht leer sein!", true); $html .= error("Die Eingaben müssen übereinstimmen und dürfen nicht leer sein!", true);
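Review bot: The return value of `set_password($id, $_REQUEST['new_pw'])` is discarded, so the success message on the following line is shown even when the UPDATE fails or matches no row. Branch on the result and emit `error(...)` when it is false. This admin path also skips the `MIN_PASSWORD_LENGTH` check that the registration hunk applies, so any non-empty password is accepted; if that is deliberate, a comment such as `// admins may bypass MIN_PASSWORD_LENGTH` would make it explicit. The enclosing `case` in admin_user() continues outside the hunk.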

@ -71,10 +71,8 @@ function guest_register() {
} }
} }
if (isset ($_REQUEST['password']) && strlen($_REQUEST['password']) >= 6) { if (isset ($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) {
if ($_REQUEST['password'] == $_REQUEST['password2']) { if ($_REQUEST['password'] != $_REQUEST['password2']) {
$password_hash = PassCrypt($_REQUEST['password']);
} else {
$ok = false; $ok = false;
$msg .= error(Get_Text("makeuser_error_password1"), true); $msg .= error(Get_Text("makeuser_error_password1"), true);
} }
@ -112,9 +110,10 @@ function guest_register() {
"', `email`='" . sql_escape($mail) . "', `ICQ`='" . sql_escape($icq) . "', `jabber`='" . sql_escape($jabber) . "', `Size`='" . sql_escape($tshirt_size) . "', `email`='" . sql_escape($mail) . "', `ICQ`='" . sql_escape($icq) . "', `jabber`='" . sql_escape($jabber) . "', `Size`='" . sql_escape($tshirt_size) .
"', `Passwort`='" . sql_escape($password_hash) . "', `kommentar`='" . sql_escape($comment) . "', `Hometown`='" . sql_escape($hometown) . "', `CreateDate`=NOW(), `Sprache`='" . sql_escape($_SESSION["Sprache"]) . "'"); "', `Passwort`='" . sql_escape($password_hash) . "', `kommentar`='" . sql_escape($comment) . "', `Hometown`='" . sql_escape($hometown) . "', `CreateDate`=NOW(), `Sprache`='" . sql_escape($_SESSION["Sprache"]) . "'");
// Assign user-group // Assign user-group and set password
$user_id = sql_id(); $user_id = sql_id();
sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape($user_id) . ", `group_id`=-2"); sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape($user_id) . ", `group_id`=-2");
set_password($user_id, $_REQUEST['password']);
// Assign angel-types // Assign angel-types
foreach ($selected_angel_types as $selected_angel_type_id) foreach ($selected_angel_types as $selected_angel_type_id)
@ -176,7 +175,7 @@ function guest_login() {
if (count($login_user) > 0) { if (count($login_user) > 0) {
$login_user = $login_user[0]; $login_user = $login_user[0];
if (isset ($_REQUEST['password'])) { if (isset ($_REQUEST['password'])) {
if ($login_user['Passwort'] != PassCrypt($_REQUEST['password'])) { if (!verify_password($_REQUEST['password'], $login_user['Passwort'], $login_user['UID'])) {
$ok = false; $ok = false;
$msg .= error(Get_Text("pub_index_pass_no_ok"), true); $msg .= error(Get_Text("pub_index_pass_no_ok"), true);
} }
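Review bot: The unchanged INSERT in the second guest_register() hunk still writes `sql_escape($password_hash)`, but the first hunk removes the only visible assignment of `$password_hash`. The row is therefore presumably created with an empty `Passwort` (plus an undefined-variable notice) until `set_password()` runs. Drop the `Passwort` column from that INSERT, and check the result of `set_password($user_id, $_REQUEST['password'])` so a failed update cannot leave a registered account without a usable password. The confirmation check uses loose `!=`, which lets PHP treat numeric-looking strings as equal by value; `!==` avoids that. guest_register() and guest_login() both start and end outside the hunks.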

@ -114,29 +114,17 @@ function user_settings() {
elseif (isset ($_REQUEST['submit_password'])) { elseif (isset ($_REQUEST['submit_password'])) {
$ok = true; $ok = true;
if (!isset ($_REQUEST['password']) || $user['Passwort'] != PassCrypt($_REQUEST['password'])) { if (!isset ($_REQUEST['password']) || !verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))
$ok = false;
$msg .= error(Get_Text(30), true); $msg .= error(Get_Text(30), true);
} elseif (strlen($_REQUEST['new_password']) <= MIN_PASSWORD_LENGTH)
$msg .= error(Get_Text("makeuser_error_password2"));
if (isset ($_REQUEST['new_password']) && strlen($_REQUEST['new_password']) >= 6) { elseif ($_REQUEST['new_password'] != $_REQUEST['new_password2'])
if ($_REQUEST['new_password'] == $_REQUEST['new_password2']) { $msg .= error(Get_Text("makeuser_error_password1"), true);
$password_hash = PassCrypt($_REQUEST['new_password']); elseif(set_password($user['UID'], $_REQUEST['new_password']))
} else {
$ok = false;
$msg .= error(Get_Text("makeuser_error_password1"), true);
}
} else {
$ok = false;
$msg .= error(Get_Text("makeuser_error_password2"), true);
}
if ($ok) {
sql_query("UPDATE `User` SET `Passwort`='" . sql_escape($password_hash) . "' WHERE `UID`=" . sql_escape($user['UID']));
success("Password saved."); success("Password saved.");
redirect(page_link_to('user_settings')); else
} error("Failed setting password.");
redirect(page_link_to('user_settings'));
} }
elseif (isset ($_REQUEST['submit_theme'])) { elseif (isset ($_REQUEST['submit_theme'])) {
$ok = true; $ok = true;
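Review bot: The new length check `strlen($_REQUEST['new_password']) <= MIN_PASSWORD_LENGTH` rejects a password of exactly `MIN_PASSWORD_LENGTH` characters, while registration accepts it with `>= MIN_PASSWORD_LENGTH`. It should read `elseif (strlen($_REQUEST['new_password']) < MIN_PASSWORD_LENGTH)`. That branch also calls `error(Get_Text("makeuser_error_password2"))` without the `true` argument its sibling branches pass, so `$msg .=` probably appends nothing useful there. The old `isset($_REQUEST['new_password'])` guard is gone, and `new_password2` is compared with loose `!=`; restoring the guard and using `!==` keeps a missing or numeric-looking field from slipping through. user_settings() continues outside the hunk.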

@ -28,15 +28,40 @@ function load_auth() {
$privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1); $privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1);
} }
function PassCrypt($passwort) { // generate a salt (random string) of arbitrary length suitable for the use with crypt()
global $crypt_system; function generate_salt($length = 16) {
$alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
switch ($crypt_system) { $salt = "";
case "crypt" : for ($i = 0; $i < $length; $i++) {
return "{crypt}" . crypt($passwort, "77"); $salt .= $alphabet[rand(0, strlen($alphabet)-1)];
case "md5" :
return md5($passwort);
} }
return $salt;
}
// set the password of a user
function set_password($uid, $password) {
$res = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "' WHERE `UID` = " . intval($uid) . " LIMIT 1");
return $res && (mysql_affected_rows() > 0);
}
// verify a password given a precomputed salt.
// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
function verify_password($password, $salt, $uid = false) {
$correct = false;
if (substr($salt, 0, 1) == '$') // new-style crypt()
$correct = crypt($password, $salt) == $salt;
elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
$correct = crypt($password, '77') == $salt;
elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
$correct = md5($password) == $salt;
if($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
// this password is stored in another format than we want it to be.
// let's update it!
// we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1");
}
return $correct;
} }
// JSON Authorisierungs-Schnittstelle // JSON Authorisierungs-Schnittstelle
@ -50,11 +75,12 @@ function json_auth_service() {
$SourceOuth = $_REQUEST['so']; $SourceOuth = $_REQUEST['so'];
if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) { if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) {
$sql = "SELECT * FROM `User` WHERE `Nick`='" . sql_escape($User) . "'"; $sql = "SELECT `UID`, `Passwort` FROM `User` WHERE `Nick`='" . sql_escape($User) . "'";
$Erg = sql_query($sql); $Erg = sql_select($sql);
if (mysql_num_rows($Erg) == 1) { if (count($Erg) == 1) {
if (mysql_result($Erg, 0, "Passwort") == PassCrypt($Pass)) { $Erg = $Erg[0];
if (verify_password($Pass, $Erg["Passwort"], $Erg["UID"])) {
$UID = mysql_result($Erg, 0, "UID"); $UID = mysql_result($Erg, 0, "UID");
$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";"); $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";");
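Review bot: All three checks in verify_password() use loose `==`. In the legacy branch `md5($password) == $salt`, PHP compares two strings of the form `0e` plus digits as numbers, so a stored hash of that shape could match a password it should not. Use a strict comparison (`===`), or `hash_equals($salt, crypt($password, $salt))` where the PHP version provides it. generate_salt() draws from `rand()`, which is not a cryptographic source, and set_password() stores whatever crypt() returns without checking for its failure value (a string shorter than 13 characters). In the json_auth_service() hunk, `$Erg` is now an array row but the unchanged line `$UID = mysql_result($Erg, 0, "UID");` still treats it as a result resource; `$UID = $Erg["UID"];` matches the new code. json_auth_service() continues outside the hunk.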

@ -17,11 +17,16 @@ $DISPLAY_NEWS = 6;
// Anzahl Stunden bis zum Austragen eigener Schichten // Anzahl Stunden bis zum Austragen eigener Schichten
$LETZTES_AUSTRAGEN=3; $LETZTES_AUSTRAGEN=3;
//Setzt den zu verwendenden Crypto algorismis // Setzt den zu verwendenden Crypto-Algorismus (entsprechend der Dokumentation von crypt()).
// mp5 oder crypt // Falls ein Benutzerpasswort in einem anderen Format gespeichert ist,
// achtung crypt schaltet password ändern ab // wird es bei der ersten Benutzung des Klartext-Passworts in das neue Format
$crypt_system="md5"; // konvertiert.
//$crypt_system="crypt"; //define('CRYPT_ALG', '$1'); // MD5
//define('CRYPT_ALG', '$2y$13'); // Blowfish
//define('CRYPT_ALG', '$5$rounds=5000'); // SHA-256
define('CRYPT_ALG', '$6$rounds=5000'); // SHA-512
define('MIN_PASSWORD_LENGTH', 8);
// Wenn Engel beim Registrieren oder in ihrem Profil eine T-Shirt Größe angeben sollen, auf true setzen: // Wenn Engel beim Registrieren oder in ihrem Profil eine T-Shirt Größe angeben sollen, auf true setzen:
$enable_tshirt_size = false; $enable_tshirt_size = false;
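Review bot: The commented-out `'$2y$13'` option looks unusable with the salt this commit builds. set_password() appends `'$' . generate_salt(16) . '$'`, whereas crypt()'s Blowfish format expects 22 salt characters from `./0-9A-Za-z` directly after the cost. generate_salt() yields 16 characters and its alphabet contains `+`, so crypt() would likely return its failure string and that would be stored. Either remove that line or add a comment next to it that it needs a different salt builder. `rounds=5000` is also crypt()'s default for SHA-512, so a comment such as `// raise rounds as hardware allows` would make clear the value is a floor rather than a tuned cost.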
