
Support old password hashes w/o reducing security

franzliedke committed Jan 3, 2019
1 parent e1399ca commit 4dd1a00f5dc5cb608c0c4fe55f8e94af8edf70dd
Showing with 30 additions and 19 deletions.
  1. +25 −14 include/functions.php
  2. +3 −3 login.php
  3. +2 −2 profile.php
@@ -1111,19 +1111,30 @@ function flux_password_hash($pass)
// used by flux_password_hash, but is also
// backwards-compatible with older versions of this software.
//
function flux_password_verify($pass, $hash, $salt = null)
function flux_password_verify($pass, $hash)
{
// MD5 from 1.2
if (strlen($hash) < 40)
return hash_equals(md5($pass), $hash);
// SHA1-With-Salt from 1.3
if (!empty($salt))
return hash_equals(sha1($salt . sha1($pass)), $hash);
// SHA1-Without-Salt from 1.4
if (strlen($hash) == 40)
return hash_equals(sha1($pass), $hash);
if ($hash[0] == '#')
{
// MD5 from 1.2
if (substr($hash, 0, 5) == '#MD5#')
{
$pass = md5($pass);
$hash = substr($hash, 5);
}
// SHA1-With-Salt from 1.3
else if (substr($hash, 0, 8) == '#SHA1-S#')
{
preg_match('/^#SHA1-S#(.+)#(.+)$/', $hash, $matches);
list(, $salt, $hash) = $matches;
$pass = sha1($salt.sha1($pass));
}
// SHA1-Without-Salt from 1.4
else if (substr($hash, 0, 6) == '#SHA1#')
{
$pass = sha1($pass);
$hash = substr($hash, 6);
}
}
// Support current password standard
return password_verify($pass, $hash);
@@ -1137,8 +1148,8 @@ function flux_password_needs_rehash($hash)
{
global $password_hash_cost;
// Check for legacy md5 or sha1 hash
if (strlen($hash) <= 40)
// Check for legacy password (md5 or sha1 hash)
if ($hash[0] === '#')
return true;
// Check for out-of-date hash type or cost
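Review bot: In the `#SHA1-S#` branch of flux_password_verify the `preg_match` result is never checked, so a stored value that carries the prefix but not the `#salt#hash` shape leaves `$matches` empty, the `list(, $salt, $hash)` assignment sets both to null with undefined-index notices, and the final `password_verify($pass, $hash)` then runs with a non-string hash rather than failing explicitly. Make the malformed case a deliberate negative: `if (!preg_match('/^#SHA1-S#(.+)#(.+)$/', $hash, $matches))` followed by `return false;`, before the `list(...)` line; the greedy first group is acceptable only as long as the wrapped bcrypt string itself never contains `#`, which is worth stating in a comment. The `$hash[0] == '#'` test at the top of flux_password_verify, and the `$hash[0] === '#'` test in the flux_password_needs_rehash hunk below, both index an empty string when the password column is empty, which raises an uninitialized-offset notice (a warning on newer PHP, by my reading) before falling through; guard with `$hash !== '' && $hash[0] === '#'` in both places and use `===` for the `substr(...)` prefix comparisons for consistency with the needs_rehash change. The closing brace of flux_password_verify and the rest of flux_password_needs_rehash fall outside the hunks shown.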
@@ -41,14 +41,14 @@
// this allows the cookie token to reflect the new hash
$user_password = $cur_user['password'];
if (flux_password_verify($form_password, $user_password, $cur_user['salt']))
if (flux_password_verify($form_password, $user_password))
{
$authorized = true;
if (!empty($cur_user['salt']) || flux_password_needs_rehash($user_password))
if (flux_password_needs_rehash($user_password))
{
$user_password = flux_password_hash($form_password);
$db->query('UPDATE '.$db->prefix.'users SET salt=NULL, password=\''.$db->escape($user_password).'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($user_password).'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
}
}
}
@@ -55,7 +55,7 @@
message($lang_profile['Pass key bad'].' <a href="mailto:'.pun_htmlspecialchars($pun_config['o_admin_email']).'">'.pun_htmlspecialchars($pun_config['o_admin_email']).'</a>.');
else
{
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL'.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($cur_user['activate_string']).'\', activate_string=NULL, activate_key=NULL WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
message($lang_profile['Pass updated'], true);
}
@@ -111,7 +111,7 @@
$new_password_hash = flux_password_hash($new_password1);
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($new_password_hash).'\''.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
$db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($new_password_hash).'\' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
if ($pun_user['id'] == $id)
pun_setcookie($pun_user['id'], $new_password_hash, time() + $pun_config['o_timeout_visit']);
