Permalink
Browse files

Update phpass implementation

  • Loading branch information...
1 parent 10439b6 commit c368f305072f9d0002da1ea0c441d6f55bed5c62 @haraldpdl haraldpdl committed Aug 28, 2010
@@ -45,7 +45,7 @@
$check_customer_query = tep_db_query("select customers_password from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
$check_customer = tep_db_fetch_array($check_customer_query);
- if (tep_validate_password($password_current, $check_customer['customers_password'], (int)$customer_id)) {
+ if (tep_validate_password($password_current, $check_customer['customers_password']) {
tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . tep_encrypt_password($password_new) . "' where customers_id = '" . (int)$customer_id . "'");
tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_account_last_modified = now() where customers_info_id = '" . (int)$customer_id . "'");
@@ -5,56 +5,35 @@
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
- Copyright (c) 2009 osCommerce
+ Copyright (c) 2010 osCommerce
Released under the GNU General Public License
*/
////
-// This funstion validates a plain text password with an
-// encrpyted password
- function tep_validate_password($plain, $encrypted, $admin_id = '') {
- $validated = false;
- global $hasher;
+// This function validates a plain text password with a
+// salted or phpass password
+ function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
- $password_hash_style = tep_what_password($encrypted);
- switch ($password_hash_style) {
- case 'salted':
- $check_old = tep_validate_old_password($plain, $encrypted);
- if ($check_old == true) {
- $validated = true;
-// insert password hash using PasswordHash into
- $new_password_hash = tep_encrypt_password($plain);
- if (strlen($new_password_hash) > 19 && (int)$admin_id > 0) {
- tep_db_query("update " . TABLE_ADMINISTRATORS . " set user_password = '" . $new_password_hash . "' where id = '" . (int)$admin_id . "'");
- } else {
-// error with PasswordHash
- unset($hasher);
- }
- }
- break;
- case 'phpass':
- if (!is_object($hasher)) {
- require_once(DIR_WS_CLASSES . 'PasswordHash.php');
-// hard coded: number of base-2 logarithms of the iteration count used for password stretching (10)
-// Since the admin(s) always have access to the database and can truncate the table
-// administrators when moving to a server that does the encryption differently we can go for
-// the better security and not use portable hashes
- $hasher = new PasswordHash(10, false);
- }
- $validated = $hasher->CheckPassword($plain, $encrypted);
- break;
- case 'unknown':
- $validated = false;
- break;
- default:
- $validated = false;
- break;
- }
+ if (tep_password_type($encrypted) == 'salt') {
+ return tep_validate_old_password($plain, $encrypted);
+ }
+
+ if (!class_exists('PasswordHash')) {
+ include(DIR_WS_CLASSES . 'PasswordHash.php');
+ }
+
+ $hasher = new PasswordHash(10, true);
+
+ return $hasher->CheckPassword($plain, $encrypted);
}
- return $validated;
+
+ return false;
}
-
+
+////
+// This function validates a plain text password with a
+// salted password
function tep_validate_old_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
@@ -71,21 +50,21 @@ function tep_validate_old_password($plain, $encrypted) {
}
////
-// This function makes a new password from a plaintext password.
+// This function encrypts a phpass password from a plaintext
+// password.
function tep_encrypt_password($plain) {
- global $hasher;
- if (!is_object($hasher)) {
- require_once(DIR_WS_CLASSES . 'PasswordHash.php');
-// hard coded: number of base-2 logarithms of the iteration count used for password stretching (10)
-// Since the admin(s) always have access to the database and can truncate the table
-// administrators when moving to a server that does the encryption differently we can go for
-// the better security and not use portable hashes
- $hasher = new PasswordHash(10, false);
+ if (!class_exists('PasswordHash')) {
+ include(DIR_WS_CLASSES . 'PasswordHash.php');
}
- $password = $hasher->HashPassword($plain);
- return $password;
+
+ $hasher = new PasswordHash(10, true);
+
+ return $hasher->HashPassword($plain);
}
+////
+// This function encrypts a salted password from a plaintext
+// password.
function tep_encrypt_old_password($plain) {
$password = '';
@@ -99,17 +78,16 @@ function tep_encrypt_old_password($plain) {
return $password;
}
-
- function tep_what_password($encrypted) {
- if (strlen($encrypted) == 20 || (strlen($encrypted) > 20 && (substr($encrypted, 0, 3) == '$P$')) || (strlen($encrypted) == 60 && (substr($encrypted, 0, 4) == '$2a$'))) {
-// phpass style starting with $P$ (portable), $2a$ (CRYPT_BLOWFISH) or length 20 (CRYPT_EXT_DES)
- return 'phpass';
- } elseif ((substr($encrypted, 0, 3) != '$P$') && strlen($encrypted) == 35 && (32 == strpos($encrypted, ':'))) {
-// password hash with salt (old version)
- return 'salted';
- } else {
- return 'unknown';
+
+////
+// This function returns the type of the encrpyted password
+// (phpass or salt)
+ function tep_password_type($encrypted) {
+ if (preg_match('/^[A-Z0-9]{32}\:[A-Z0-9]{2}$/i', $encrypted) === 1) {
+ return 'salt';
}
+
+ return 'phpass';
}
////
View
@@ -41,7 +41,12 @@
if (tep_db_num_rows($check_query) == 1) {
$check = tep_db_fetch_array($check_query);
- if (tep_validate_password($password, $check['user_password'], $check['id'])) {
+ if (tep_validate_password($password, $check['user_password'])) {
+// migrate old hashed password to new phpass password
+ if (tep_password_type($check['user_password']) != 'phpass') {
+ tep_db_query("update " . TABLE_ADMINISTRATORS . " set user_password = '" . tep_encrypt_password($password) . "' where id = '" . (int)$check['id'] . "'");
+ }
+
tep_session_register('admin');
$admin = array('id' => $check['id'],
@@ -5,54 +5,35 @@
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
- Copyright (c) 2003 osCommerce
+ Copyright (c) 2010 osCommerce
Released under the GNU General Public License
*/
////
-// This funstion validates a plain text password with an
-// encrpyted password
- function tep_validate_password($plain, $encrypted, $customers_id = '') {
- $validated = false;
- global $hasher;
+// This function validates a plain text password with a
+// salted or phpass password
+ function tep_validate_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
- $password_hash_style = tep_what_password($encrypted);
- switch ($password_hash_style) {
- case 'salted':
- $check_old = tep_validate_old_password($plain, $encrypted);
- if ($check_old == true) {
- $validated = true;
-// insert password hash using PasswordHash into
- $new_password_hash = tep_encrypt_password($plain);
- if (strlen($new_password_hash) > 19 && (int)$customers_id > 0) {
- tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . $new_password_hash . "' where customers_id = '" . (int)$customers_id . "'");
- } else {
-// error with PasswordHash
- unset($hasher);
- }
- }
- break;
- case 'phpass':
- if (!is_object($hasher)) {
- require_once(DIR_WS_CLASSES . 'PasswordHash.php');
-// hard coded: number of base-2 logarithms of the iteration count used for password stretching (10)
-// and the use of portable hashes
- $hasher = new PasswordHash(10, true);
- }
- $validated = $hasher->CheckPassword($plain, $encrypted);
- break;
- case 'unknown':
- $validated = false;
- break;
- default:
- $validated = false;
- break;
- }
+ if (tep_password_type($encrypted) == 'salt') {
+ return tep_validate_old_password($plain, $encrypted);
+ }
+
+ if (!class_exists('PasswordHash')) {
+ include(DIR_WS_CLASSES . 'PasswordHash.php');
+ }
+
+ $hasher = new PasswordHash(10, true);
+
+ return $hasher->CheckPassword($plain, $encrypted);
}
- return $validated;
+
+ return false;
}
-
+
+////
+// This function validates a plain text password with a
+// salted password
function tep_validate_old_password($plain, $encrypted) {
if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
@@ -69,19 +50,21 @@ function tep_validate_old_password($plain, $encrypted) {
}
////
-// This function makes a new password from a plaintext password.
+// This function encrypts a phpass password from a plaintext
+// password.
function tep_encrypt_password($plain) {
- global $hasher;
- if (!is_object($hasher)) {
- require_once(DIR_WS_CLASSES . 'PasswordHash.php');
-// hard coded: number of base-2 logarithms of the iteration count used for password stretching (10)
-// and the use of portable hashes
- $hasher = new PasswordHash(10, true);
+ if (!class_exists('PasswordHash')) {
+ include(DIR_WS_CLASSES . 'PasswordHash.php');
}
- $password = $hasher->HashPassword($plain);
- return $password;
+
+ $hasher = new PasswordHash(10, true);
+
+ return $hasher->HashPassword($plain);
}
+////
+// This function encrypts a salted password from a plaintext
+// password.
function tep_encrypt_old_password($plain) {
$password = '';
@@ -95,16 +78,15 @@ function tep_encrypt_old_password($plain) {
return $password;
}
-
- function tep_what_password($encrypted) {
- if (strlen($encrypted) > 20 && (substr($encrypted, 0, 3) == '$P$')) {
-// phpass style starting with $P$
- return 'phpass';
- } elseif ((substr($encrypted, 0, 3) != '$P$') && strlen($encrypted) == 35 && (32 == strpos($encrypted, ':'))) {
-// password hash with salt (old version)
- return 'salted';
- } else {
- return 'unknown';
+
+////
+// This function returns the type of the encrpyted password
+// (phpass or salt)
+ function tep_password_type($encrypted) {
+ if (preg_match('/^[A-Z0-9]{32}\:[A-Z0-9]{2}$/i', $encrypted) === 1) {
+ return 'salt';
}
+
+ return 'phpass';
}
?>
@@ -196,7 +196,7 @@ CREATE TABLE customers (
customers_default_address_id int,
customers_telephone varchar(255) NOT NULL,
customers_fax varchar(255),
- customers_password varchar(40) NOT NULL,
+ customers_password varchar(60) NOT NULL,
customers_newsletter char(1),
PRIMARY KEY (customers_id),
KEY idx_customers_email_address (customers_email_address)
View
@@ -31,13 +31,18 @@
} else {
$check_customer = tep_db_fetch_array($check_customer_query);
// Check that password is good
- if (!tep_validate_password($password, $check_customer['customers_password'], $check_customer['customers_id'])) {
+ if (!tep_validate_password($password, $check_customer['customers_password'])) {
$error = true;
} else {
if (SESSION_RECREATE == 'True') {
tep_session_recreate();
}
+// migrate old hashed password to new phpass password
+ if (tep_password_type($check_customer['customers_password']) != 'phpass') {
+ tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . tep_encrypt_password($password) . "' where customers_id = '" . (int)$check_customer['customers_id'] . "'");
+ }
+
$check_country_query = tep_db_query("select entry_country_id, entry_zone_id from " . TABLE_ADDRESS_BOOK . " where customers_id = '" . (int)$check_customer['customers_id'] . "' and address_book_id = '" . (int)$check_customer['customers_default_address_id'] . "'");
$check_country = tep_db_fetch_array($check_country_query);

0 comments on commit c368f30

Please sign in to comment.