Implement new password hashing (PBKDF2-SHA1)

inc/Classes/Auth.php

@@ -293,7 +293,7 @@ public function login($email, $password, $show_confirmation = 1)
                 $func->log_event(t('Login fehlgeschlagen. Email (%1) nicht verifiziert', $user['email']), "2", "Authentifikation");
 
             // User login and wrong password?
-            } elseif ($user["user_login"] and $tmp_login_pass != $user["password"]) {
+            } elseif ($user["user_login"] and !PasswordHash::verify($password, $user["password"])) {
                 ($cfg["sys_internet"])? $remindtext = t('Hast du dein Passwort vergessen?<br/><a href="./index.php?mod=usrmgr&action=pwrecover"/>Hier kannst du ein neues Passwort generieren</a>.') : $remindtext = t('Solltest du dein Passwort vergessen haben, wende dich bitte an die Organisation.');
                 $func->information(t('Die von dir eingebenen Login-Daten sind fehlerhaft. Bitte überprüfe deine Eingaben.') . HTML_NEWLINE . HTML_NEWLINE . $remindtext, '', 1);
                 $func->log_event(t('Login für %1 fehlgeschlagen (Passwort-Fehler).', $tmp_login_email), "2", "Authentifikation");
@@ -319,6 +319,15 @@ public function login($email, $password, $show_confirmation = 1)
 
             // Everything fine!
             } else {
+                if ($user["user_login"] and PasswordHash::needsRehash($user["password"])) {
+                    try {
+                        $db->qry('UPDATE %prefix%user SET password = %string% WHERE userid = %int%', PasswordHash::hash($password), $user["userid"]);
+                        $func->information(t('Es wurde ein Sicherheitsupgrade von deinem Passwort durchgeführt.'), '', 1);
+                    } catch (\Exception $e) {
+                        $func->error(t('Sicherheitsupgrade von deinem Passwort ist fehlgeschlagen!'));
+                    }
+                }
+
                 // Set Logonstats
                 $db->qry('UPDATE %prefix%user SET logins = logins + 1, changedate = changedate, lastlogin = NOW() WHERE userid = %int%', $user['userid']);
 

inc/Classes/MasterForm.php

@@ -1056,7 +1056,7 @@ public function SendForm($BaseURL, $table, $idname = '', $id = 0)
                                             // Convert Passwords
                                             if ($field['type'] == self::IS_NEW_PASSWORD && $_POST[$field['name']] != '') {
                                                 $_POST[$field['name'] .'_original'] = $_POST[$field['name']];
-                                                $_POST[$field['name']] = md5($_POST[$field['name']]);
+                                                $_POST[$field['name']] = PasswordHash::hash($_POST[$field['name']]);
                                             }
                                         }
                                     }

inc/Classes/PasswordHash.php

@@ -0,0 +1,171 @@
+<?php
+
+namespace LanSuite;
+
+class PasswordHash
+{
+    public static function hash($password)
+    {
+        $algo_cfg = self::getAlgoCfg();
+
+        switch ($algo_cfg['algo']) {
+            case 'md5':
+                return md5($password);
+
+            case 'pbkdf2-sha1':
+                /*
+                 * Hash format: $pbkdf2-sha1$(iterations)$(salt)$(hash)
+                 * Example:     $pbkdf2-sha1$500000$o2ermOW/WQy1XFFDVfx/Zw==$otf1NOkfKFTrIh9Au1oTPdwdnTc=
+                 * Parameters:
+                 *   - iterations: integer
+                 *   - salt: base64-encoded salt
+                 *   - hash: base64-encoded hash
+                 */
+
+                $iterations = $algo_cfg['iterations'];
+                if (!is_numeric($iterations) || $iterations < 1) {
+                    throw new Exception('Unexpected iterations value');
+                }
+                $iterations = intval($iterations);
+
+                $rawsalt = random_bytes(16);
+                $rawhash = hash_pbkdf2('sha1', $password, $rawsalt, $iterations, 0, true);
+
+                $b64salt = base64_encode($rawsalt);
+                $b64hash = base64_encode($rawhash);
+                if ($b64salt === false || $b64hash === false) {
+                    throw new Exception('Unexpected base64_encode error');
+                }
+
+                return '$pbkdf2-sha1$'.$iterations.'$'.$b64salt.'$'.$b64hash;
+        }
+
+        throw new Exception('Unsupported password hashing algorithm');
+    }
+
+    public static function verify($password, $hash)
+    {
+        $info = self::getInfo($hash);
+
+        switch ($info['algo']) {
+            case 'md5':
+                $newhash = md5($password);
+                return hash_equals($info['hash'], $newhash);
+            case 'pbkdf2-sha1':
+                $newhash = hash_pbkdf2('sha1', $password, $info['salt'], intval($info['iterations']), 0, true);
+                return hash_equals($info['hash'], $newhash);
+        }
+
+        return false;
+    }
+
+    public static function needsRehash($hash)
+    {
+        global $config;
+
+        $algo_cfg = self::getAlgoCfg();
+
+        $info = self::getInfo($hash);
+
+        foreach ($info as $key => $value) {
+            if ($key === 'hash' || $key === 'salt') {
+                continue;
+            }
+
+            if ($algo_cfg[$key] !== $value) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private static function getInfo($hash)
+    {
+        if ($hash[0] === '$') {
+            $parts = explode('$', $hash);
+            if (count($parts) !== 5) {
+                throw new Exception('Unexpected hash format');
+            }
+            list($dummy, $algo, $iterations, $b64salt, $b64hash) = $parts;
+
+            if (!is_numeric($iterations) || $iterations < 1) {
+                throw new Exception('Unexpected iterations value');
+            }
+            $rawsalt = base64_decode($b64salt, true);
+            $rawhash = base64_decode($b64hash, true);
+            if ($rawsalt === false || $rawhash === false) {
+                throw new Exception('Unexpected base64_decode error');
+            }
+
+            return array('algo' => $algo, 'iterations' => $iterations, 'hash' => $rawhash, 'salt' => $rawsalt);
+        } else {
+            return array('algo' => 'md5', 'hash' => $hash);
+        }
+    }
+
+    private static function getAlgo()
+    {
+        global $cfg;
+
+        if (array_key_exists('pwhash_algo', $cfg)) {
+            $pwhash_algo = $cfg['pwhash_algo'];
+        } else {
+            $pwhash_algo = 'md5';
+        }
+
+        if ($pwhash_algo === 'default') {
+            $pwhash_algo = 'pbkdf2-sha1';
+        }
+
+        return $pwhash_algo;
+    }
+
+    private static function getDefaultAlgoCfg($algo)
+    {
+        switch ($algo) {
+            case 'pbkdf2-sha1':
+                return array('iterations' => '500000');
+        }
+
+        return array();
+    }
+
+    private static function parseAlgoCfg($algo_cfg_str)
+    {
+        $algo_cfg = array();
+
+        $pairs = explode(',', $algo_cfg_str);
+
+        foreach ($pairs as $pair) {
+            $parts = explode('=', $pair, 2);
+
+            $key = $parts[0];
+
+            if (count($parts) > 1) {
+                $value = $parts[1];
+            } else {
+                $value = null;
+            }
+
+            $algo_cfg[$key] = $value;
+        }
+
+        return $algo_cfg;
+    }
+
+    private static function getAlgoCfg()
+    {
+        global $cfg;
+
+        $algo = self::getAlgo();
+        $algo_cfg = self::getDefaultAlgoCfg($algo);
+
+        if (array_key_exists('pwhash_algo_cfg', $cfg)) {
+            $custom_algo_cfg = self::parseAlgoCfg($cfg['pwhash_algo_cfg']);
+            $algo_cfg = array_merge($algo_cfg, $custom_algo_cfg);
+        }
+
+        return array_merge($algo_cfg, array('algo' => $algo));
+    }
+}

modules/clanmgr/Functions/CheckClanPW.php

@@ -1,5 +1,7 @@
 <?php
 
+use LanSuite\PasswordHash;
+
 /**
  * @param string $clanpw
  * @return bool
@@ -9,7 +11,7 @@ function CheckClanPW($clanpw)
     global $db;
 
     $clan = $db->qry_first("SELECT password FROM %prefix%clan WHERE clanid = %int%", $_GET['clanid']);
-    if ($clan['password'] and $clan['password'] == md5($clanpw)) {
+    if ($clan['password'] and PasswordHash::verify($clanpw, $clan['password'])) {
         return true;
     }
     return false;

modules/clanmgr/mod_settings/db.xml

@@ -30,7 +30,7 @@
 			</field>
 			<field>
 				<name>password</name>
-				<type>char(32)</type>
+				<type>varchar(255)</type>
 				<null></null>
 				<key></key>
 				<default></default>

modules/install/adminaccount.php

@@ -1,4 +1,7 @@
 <?php
+
+use LanSuite\PasswordHash;
+
 $db->connect();
 
 $dsp->NewContent(t('Adminaccount anlegen'), t('Lege hier einen Adminaccount an, über welchen du Zugriff auf diese Admin-Seite erhälst. Wenn du bereits Benutzer-Daten importiert hast musst du hier keinen weiteren Account anlegen.'));
@@ -24,7 +27,7 @@
                 username = 'ADMIN',
                 email=%string%,
                 password = %string%,
-                type = '3'", $_POST["email"], md5($_POST["password"]));
+                type = '3'", $_POST["email"], PasswordHash::hash($_POST["password"]));
             $userid = $db->insert_id();
 
             // Add administrator to party

modules/install/mod_settings/config.xml

@@ -174,6 +174,25 @@
       </entry>
     </entries>
   </typedefinition>
+  <typedefinition>
+    <head>
+      <name>passwordhashalgo</name>
+    </head>
+    <entries>
+      <entry>
+        <value>default</value>
+        <description>Standard</description>
+      </entry>
+      <entry>
+        <value>pbkdf2-sha1</value>
+        <description>PBKDF2-SHA1 (kompatibel mit ejabberd)</description>
+      </entry>
+      <entry>
+        <value>md5</value>
+        <description>MD5 (Legacy, DANGEROUS!)</description>
+      </entry>
+    </entries>
+  </typedefinition>
   <typedefinition>
     <head>
       <name>email_dns_verification</name>
@@ -310,6 +329,18 @@ eintagsmail.de
 nospamfor.us</default>
         <description>Email-Domain-Blacklist (Um Wegwerf-Mailadressen zu vermeiden)</description>
       </item>
+      <item>
+        <name>pwhash_algo</name>
+        <type>passwordhashalgo</type>
+        <default>default</default>
+        <description>Passwort Hashing Algorithmus</description>
+      </item>
+      <item>
+        <name>pwhash_algo_cfg</name>
+        <type>string</type>
+        <default></default>
+        <description>Parameter für Passwort Hashing Algorithmus</description>
+      </item>
     </items>
   </group>
   <group>

modules/install/wizard.php

@@ -1,5 +1,7 @@
 <?php
 
+use LanSuite\PasswordHash;
+
 if ($request->request->get('resetdb')) {
     $db->success = 0;
 }
@@ -30,15 +32,15 @@
             if ($row !== false) {
                 $db->qry(
                     "UPDATE %prefix%user SET password = %string%, type = '3' WHERE email=%string%",
-                    md5($_POST["password"]),
+                    PasswordHash::hash($_POST["password"]),
                     $_POST["email"]
                 );
             // If not found, insert
             } else {
                 $db->qry(
                     "INSERT INTO %prefix%user SET username = 'ADMIN', firstname = 'ADMIN', name = 'ADMIN', email=%string%, password = %string%, type = '3', lastlogin = NOW(), comment = '', birthday = NULL, signature = ''",
                     $_POST["email"],
-                    md5($_POST["password"])
+                    PasswordHash::hash($_POST["password"])
                 );
                 $userid = $db->insert_id();
             }

modules/tournament2/Classes/Team.php

@@ -2,6 +2,8 @@
 
 namespace LanSuite\Module\Tournament2;
 
+use LanSuite\PasswordHash;
+
 class Team
 {
 
@@ -241,7 +243,7 @@ public function join($teamid, $userid, $password = null)
                 team.teamid = %int%", $teamid);
 
             // Check password, if set and if acction is not performed, by teamadmin or ls-admin
-            if (($auth['userid'] != $team['leaderid']) and ($auth['type'] <= 1) and ($team['password'] != '') and (md5($password) != $team['password'])) {
+            if (($auth['userid'] != $team['leaderid']) and ($auth['type'] <= 1) and ($team['password'] != '') and !PasswordHash::verify($password, $team['password'])) {
                 $func->information(t('Das eingegebene Kennwort ist nicht korrekt'));
                 return false;
 
@@ -357,7 +359,7 @@ public function create($tournamentid, $leaderid, $name = null, $password = null,
                     leaderid = %int%,
                     comment = %string%,
                     banner = %string%,
-                    password = %string%", $tournamentid, $name, $leaderid, $comment, $_FILES[$banner]["name"], md5($password));
+                    password = %string%", $tournamentid, $name, $leaderid, $comment, $_FILES[$banner]["name"], PasswordHash::hash($password));
 
                 $func->log_event(t('Der Benutzer %1 hat sich zum Turnier %2 angemeldet', $auth["username"], $t["name"]), 1, t('Turnier Teamverwaltung'));
             }
@@ -402,7 +404,7 @@ public function edit($teamid, $name = null, $password = null, $comment = null, $
 
         // Set Password
         if ($password != "") {
-            $db->qry("UPDATE %prefix%t2_teams SET password = %string% WHERE teamid = %int%", md5($password), $_GET["teamid"]);
+            $db->qry("UPDATE %prefix%t2_teams SET password = %string% WHERE teamid = %int%", PasswordHash::hash($password), $_GET["teamid"]);
         }
 
         $db->qry("

modules/tournament2/mod_settings/db.xml

@@ -219,7 +219,7 @@
 			</field>
 			<field>
 				<name>password</name>
-				<type>char(32)</type>
+				<type>varchar(255)</type>
 				<null></null>
 				<key></key>
 				<default></default>
@@ -530,4 +530,4 @@
 			</field>
 		</structure>
 	</table>
-</lansuite>
+</lansuite>

modules/usrmgr/Functions/CheckClanPWUsrMgr.php

@@ -1,5 +1,7 @@
 <?php
 
+use LanSuite\PasswordHash;
+
 /**
  * @param string $clanpw
  */
@@ -9,7 +11,7 @@ function CheckClanPWUsrMgr($clanpw): bool|string
 
     if (!$_POST['new_clan_select'] and $auth['type'] <= 1 and $auth['clanid'] != $_POST['clan']) {
         $clan = $db->qry_first("SELECT password FROM %prefix%clan WHERE clanid = %int%", $_POST['clan']);
-        if ($clan['password'] and $clan['password'] != md5($clanpw)) {
+        if ($clan['password'] and !PasswordHash::verify($clanpw, $clan['password'])) {
             return t('Passwort falsch!');
         }
     }