mbirth/LuckyCoinkydink
1
0
Fork 0
Code Issues Pull Requests Activity

Move from SHA1 to bcrypt

Browse Source 
SHA1 is not an ideal password hash, even when salted, because it is cheap to compute. Since version 5.5 PHP offers bcrypt built in, which is a more expensive and secure hash function specifically suited for passwords
This commit is contained in:
onli 2018-03-13 20:35:00 +01:00
parent 52a41b37d5
commit eafc4dd625
1 changed files with 34 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
include/functions_config.inc.php
View File

@ -554,9 +554,8 @@ function serendipity_authenticate_author($username = '', $password = '', $is_has
if ($is_valid_user) continue; if ($is_valid_user) continue;
$is_valid_user = false; $is_valid_user = false;
// Old MD5 hashing routine. Will convert user.
if (empty($row['hashtype']) || $row['hashtype'] == 0) { if (empty($row['hashtype']) || $row['hashtype'] == 0) {
// Old MD5 hashing routine. Will convert user.
if (isset($serendipity['hashkey']) && (time() - $serendipity['hashkey']) >= 15768000) { if (isset($serendipity['hashkey']) && (time() - $serendipity['hashkey']) >= 15768000) {
die('You can no longer login with an old-style MD5 hash to prevent MD5-Hostage abuse. die('You can no longer login with an old-style MD5 hash to prevent MD5-Hostage abuse.
Please ask the Administrator to set you a new password.'); Please ask the Administrator to set you a new password.');
@ -575,14 +574,30 @@ function serendipity_authenticate_author($username = '', $password = '', $is_has
continue; continue;
} }
} else { } else {
if ( ($is_hashed === false && (string)$row['password'] === (string)serendipity_hash($password)) || if ($row['hashtype'] == 1) {
($is_hashed !== false && (string)$row['password'] === (string)$password) ) { // Old sha1 hashing routine. Will convert user.
if ( ($is_hashed === false && (string)$row['password'] === (string)serendipity_sha1_hash($password)) ||
($is_hashed !== false && (string)$row['password'] === (string)$password) ) {
$is_valid_user = true; serendipity_db_query("UPDATE {$serendipity['dbPrefix']}authors
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' - Validated ' . $row['password'] . ' == ' . ($is_hashed === false ? 'unhash:' . serendipity_hash($password) : 'hash:' . $password) . "\n"); SET password = '" . ($is_hashed === false ? serendipity_hash($password) : $password) . "',
hashtype = 2
WHERE authorid = '" . $row['authorid'] . "'");
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' - Migrated user:' . $row['username'] . "\n");
$is_valid_user = true;
} else {
continue;
}
} else { } else {
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' - INValidated ' . $row['password'] . ' == ' . ($is_hashed === false ? 'unhash:' . serendipity_hash($password) : 'hash:' . $password) . "\n"); if ( ($is_hashed === false && password_verify((string)$password, $row['password'])) ||
continue; ($is_hashed !== false && (string)$row['password'] === (string)$password) ) {
$is_valid_user = true;
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' - Validated ' . $row['password'] . ' == ' . ($is_hashed === false ? 'unhash:' . serendipity_hash($password) : 'hash:' . $password) . "\n");
} else {
if ($debug) fwrite($fp, date('Y-m-d H:i') . ' - INValidated ' . $row['password'] . ' == ' . ($is_hashed === false ? 'unhash:' . serendipity_hash($password) : 'hash:' . $password) . "\n");
continue;
}
} }
} }
@ -2227,12 +2242,22 @@ function serendipity_hasPluginPermissions($plugin, $groupid = null) {
} }
/** /**
* Return the SHA1 (with pre-hash) of a value * Return the bcrypt hash of a value
* *
* @param string The string to hash * @param string The string to hash
* @return string The hashed string * @return string The hashed string
*/ */
function serendipity_hash($string) { function serendipity_hash($string) {
return password_hash($string, PASSWORD_BCRYPT);
}
/**
* Return the SHA1 (with pre-hash) of a value
*
* @param string The string to hash
* @return string The hashed string
*/
function serendipity_sha1_hash($string) {
global $serendipity; global $serendipity;
if (empty($serendipity['hashkey'])) { if (empty($serendipity['hashkey'])) {