Rewrite session handling

inc/classes/class_masterform.php

@@ -1,5 +1,7 @@
 <?php
 
+require_once("inc/classes/class_pwhash.php");
+
 define('FIELD_OPTIONAL', 1);
 define('HTML_ALLOWED', 1);
 define('LSCODE_ALLOWED', 1);
@@ -779,7 +781,7 @@ public function SendForm($BaseURL, $table, $idname = '', $id = 0)
                     // Convert Passwords
                                             if ($field['type'] == IS_NEW_PASSWORD and $_POST[$field['name']] != '') {
                                                 $_POST[$field['name'] .'_original'] = $_POST[$field['name']];
-                                                $_POST[$field['name']] = md5($_POST[$field['name']]);
+                                                $_POST[$field['name']] = PasswordHash::hash($_POST[$field['name']]);
                                             }
                                         }
                                     }

inc/classes/class_pwhash.php

@@ -0,0 +1,169 @@
+<?php
+
+class PasswordHash
+{
+    public static function hash($password)
+    {
+        $algo_cfg = self::getAlgoCfg();
+
+        switch ($algo_cfg['algo']) {
+            case 'md5':
+                return md5($password);
+
+            case 'pbkdf2-sha1':
+                /*
+                 * Hash format: $pbkdf2-sha1$(iterations)$(salt)$(hash)
+                 * Example:     $pbkdf2-sha1$500000$o2ermOW/WQy1XFFDVfx/Zw==$otf1NOkfKFTrIh9Au1oTPdwdnTc=
+                 * Parameters:
+                 *   - iterations: integer
+                 *   - salt: base64-encoded salt
+                 *   - hash: base64-encoded hash
+                 */
+
+                $iterations = $algo_cfg['iterations'];
+                if (!is_numeric($iterations) || $iterations < 1) {
+                    throw new Exception('Unexpected iterations value');
+                }
+                $iterations = intval($iterations);
+
+                $rawsalt = random_bytes(16);
+                $rawhash = hash_pbkdf2('sha1', $password, $rawsalt, $iterations, 0, true);
+
+                $b64salt = base64_encode($rawsalt);
+                $b64hash = base64_encode($rawhash);
+                if ($b64salt === false || $b64hash === false) {
+                    throw new Exception('Unexpected base64_encode error');
+                }
+
+                return '$pbkdf2-sha1$'.$iterations.'$'.$b64salt.'$'.$b64hash;
+        }
+
+        throw new Exception('Unsupported password hashing algorithm');
+    }
+
+    public static function verify($password, $hash)
+    {
+        $info = self::getInfo($hash);
+
+        switch ($info['algo']) {
+            case 'md5':
+                $newhash = md5($password);
+                return hash_equals($info['hash'], $newhash);
+            case 'pbkdf2-sha1':
+                $newhash = hash_pbkdf2('sha1', $password, $info['salt'], intval($info['iterations']), 0, true);
+                return hash_equals($info['hash'], $newhash);
+        }
+
+        return false;
+    }
+
+    public static function needsRehash($hash)
+    {
+        global $config;
+
+        $algo_cfg = self::getAlgoCfg();
+
+        $info = self::getInfo($hash);
+
+        foreach ($info as $key => $value) {
+            if ($key === 'hash' || $key === 'salt') {
+                continue;
+            }
+
+            if ($algo_cfg[$key] !== $value) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private static function getInfo($hash)
+    {
+        if ($hash[0] === '$') {
+            $parts = explode('$', $hash);
+            if (count($parts) !== 5) {
+                throw new Exception('Unexpected hash format');
+            }
+            list($dummy, $algo, $iterations, $b64salt, $b64hash) = $parts;
+
+            if (!is_numeric($iterations) || $iterations < 1) {
+                throw new Exception('Unexpected iterations value');
+            }
+            $rawsalt = base64_decode($b64salt, true);
+            $rawhash = base64_decode($b64hash, true);
+            if ($rawsalt === false || $rawhash === false) {
+                throw new Exception('Unexpected base64_decode error');
+            }
+
+            return array('algo' => $algo, 'iterations' => $iterations, 'hash' => $rawhash, 'salt' => $rawsalt);
+        } else {
+            return array('algo' => 'md5', 'hash' => $hash);
+        }
+    }
+
+    private static function getAlgo()
+    {
+        global $cfg;
+
+        if (array_key_exists('pwhash_algo', $cfg)) {
+            $pwhash_algo = $cfg['pwhash_algo'];
+        } else {
+            $pwhash_algo = 'md5';
+        }
+
+        if ($pwhash_algo === 'default') {
+            $pwhash_algo = 'pbkdf2-sha1';
+        }
+
+        return $pwhash_algo;
+    }
+
+    private static function getDefaultAlgoCfg($algo)
+    {
+        switch ($algo) {
+            case 'pbkdf2-sha1':
+                return array('iterations' => '500000');
+        }
+
+        return array();
+    }
+
+    private static function parseAlgoCfg($algo_cfg_str)
+    {
+        $algo_cfg = array();
+
+        $pairs = explode(',', $algo_cfg_str);
+
+        foreach ($pairs as $pair) {
+            $parts = explode('=', $pair, 2);
+
+            $key = $parts[0];
+
+            if (count($parts) > 1) {
+                $value = $parts[1];
+            } else {
+                $value = null;
+            }
+
+            $algo_cfg[$key] = $value;
+        }
+
+        return $algo_cfg;
+    }
+
+    private static function getAlgoCfg()
+    {
+        global $cfg;
+
+        $algo = self::getAlgo();
+        $algo_cfg = self::getDefaultAlgoCfg($algo);
+
+        if (array_key_exists('pwhash_algo_cfg', $cfg)) {
+            $custom_algo_cfg = self::parseAlgoCfg($cfg['pwhash_algo_cfg']);
+            $algo_cfg = array_merge($algo_cfg, $custom_algo_cfg);
+        }
+
+        return array_merge($algo_cfg, array('algo' => $algo));
+    }
+}

index.php

@@ -347,7 +347,7 @@ function myErrorHandler($errno, $errstr, $errfile, $errline)
     ### Start autentication, just if LS is working
     include_once("inc/classes/class_auth.php");
     $authentication = new auth($frmwrkmode);
-    $auth      = $authentication->check_logon();    // Testet Cookie / Session ob User eingeloggt ist
+    $auth      = $authentication->check_logon();    // Testet Session ob User eingeloggt ist
     $olduserid = $authentication->get_olduserid();  // Olduserid for Switback on Boxes
 }
 

modules/clanmgr/clanmgr.php

@@ -1,5 +1,7 @@
 <?php
 
+require_once("inc/classes/class_pwhash.php");
+
 function ShowRole($role)
 {
     global $auth, $line;
@@ -22,10 +24,8 @@ function CheckClanPW($clanpw)
     global $db, $auth;
 
     $clan = $db->qry_first("SELECT password FROM %prefix%clan WHERE clanid = %int%", $_GET['clanid']);
-    if ($clan['password'] and $clan['password'] == md5($clanpw)) {
-        return true;
-    }
-    return false;
+
+    return $clan['password'] and PasswordHash::verify($clanpw, $clan['password']);
 }
 
 function CheckExistingClan()

modules/clanmgr/class_clan.php

@@ -1,5 +1,7 @@
 <?php
 
+require_once("inc/classes/class_pwhash.php");
+
 class Clan
 {
 
@@ -60,9 +62,7 @@ public function CheckClanPW($clanid, $clanpw)
         global $db, $auth;
 
         $clan = $db->qry_first("SELECT password FROM %prefix%clan WHERE clanid = %int%", $clanid);
-        if ($clan['password'] and $clan['password'] == md5($clanpw)) {
-            return true;
-        }
-        return false;
+
+        return $clan['password'] and PasswordHash::verify($clanpw, $clan['password']);
     }
 }

modules/clanmgr/mod_settings/db.xml

@@ -30,7 +30,7 @@
 			</field>
 			<field>
 				<name>password</name>
-				<type>char(32)</type>
+				<type>varchar(255)</type>
 				<null></null>
 				<key></key>
 				<default></default>

modules/install/adminaccount.php

@@ -1,4 +1,7 @@
 <?php
+
+require_once("inc/classes/class_pwhash.php");
+
 $db->connect();
 
 $dsp->NewContent(t('Adminaccount anlegen'), t('Lege hier einen Adminaccount an, über welchen du Zugriff auf diese Admin-Seite erh�lst. Wenn du bereits Benutzer-Daten importiert hast musst du hier keinen weiteren Account anlegen.'));
@@ -23,7 +26,7 @@
 					email=%string%,
 					password = %string%,
 					type = '3'
-					", $_POST["email"], md5($_POST["password"]));
+					", $_POST["email"], PasswordHash::hash($_POST["password"]));
             $userid = $db->insert_id();
             // Admin zur Party hinzuf�gen
             $party->add_user_to_party($userid, 1, "1", "1");

modules/install/mod_settings/config.xml

@@ -174,6 +174,25 @@
       </entry>
     </entries>
   </typedefinition>
+  <typedefinition>
+    <head>
+      <name>passwordhashalgo</name>
+    </head>
+    <entries>
+      <entry>
+        <value>default</value>
+        <description>Standard</description>
+      </entry>
+      <entry>
+        <value>pbkdf2-sha1</value>
+        <description>PBKDF2-SHA1 (kompatibel mit ejabberd)</description>
+      </entry>
+      <entry>
+        <value>md5</value>
+        <description>MD5 (Legacy, DANGEROUS!)</description>
+      </entry>
+    </entries>
+  </typedefinition>
   <group>
     <head>
       <name>Allgemein</name>
@@ -257,6 +276,18 @@ eintagsmail.de
 nospamfor.us</default>
         <description>Email-Domain-Blacklist (Um Wegwerf-Mailadressen zu vermeiden)</description>
       </item>
+      <item>
+        <name>pwhash_algo</name>
+        <type>passwordhashalgo</type>
+        <default>default</default>
+        <description>Passwort Hashing Algorithmus</description>
+      </item>
+      <item>
+        <name>pwhash_algo_cfg</name>
+        <type>string</type>
+        <default></default>
+        <description>Parameter für Passwort Hashing Algorithmus</description>
+      </item>
     </items>
   </group>
   <group>