Replacing PHPass with password_compat #10219
Conversation
|
Thanks a lot for your contribution! Contributions to the core repo require a signed contributors agreement http://owncloud.org/contribute/agreement/ Alternatively you can add a comment here stating that this contribution is MIT licensed. Some more details about out pull request workflow can be found here: http://owncloud.org/code-reviews-on-github/ |
|
Phpass is used in some apps as well. Please grep for it. Thx |
|
@DeepDiver1975 i was grepping for the filename i see the usages now i'll update them in one moment after reverting the composer update |
|
@owncloud-bot this is okay to test |
|
@karlitschek @craigpg looks like @th3fallen is not yet member of the owncloud orga here on github - can you please take care? THX |
|
@DeepDiver1975 they are probably waiting until I start on Monday. |
|
@th3fallen Check your email :-) |
|
@karlitschek you work fast lol thanks. |
|
@owncloud-bot retest this please |
|
🚀 Test Passed. 🚀 |
| '91dvsoahmc' => '$2a$08$8hll38YeDb4osgZ6klqL3uUrBnnl4HOf1B1lJnjZuecaqvE.Nw3BS', | ||
| ); | ||
|
|
||
| foreach ($passes as $key => $val) { |
There was a problem hiding this comment.
You probably should use dataProvider instead of a loop.
|
@th3fallen before this can be merged into master we need to submit the prs to the other repos - because of it touches enterprise code we shall merge this AFTER OC7EE release - THX |
| if (password_verify($password, $storedHash)) { | ||
| // Check and see if our password needs to be rehashed | ||
| if (password_needs_rehash($storedHash, PASSWORD_BCRYPT)) { | ||
| password_hash($password, PASSWORD_BCRYPT); |
There was a problem hiding this comment.
This looks incomplete. You will have to actually put the updated password hash into the database. Even if the password is the same, the hash changes and needs to be updated.
$this->setPassword(); ?
|
this will also resolve #5150 Please do not merge until after OC7EE release |
| @@ -99,10 +98,7 @@ public static function authenticate($linkItem, $password) { | |||
| if ($password !== null) { | |||
| if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_LINK) { | |||
| // Check Password | |||
| $forcePortable = (CRYPT_BLOWFISH != 1); | |||
| $hasher = new PasswordHash(8, $forcePortable); | |||
| if (!($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), | |||
There was a problem hiding this comment.
This seems also to break old passwords.
There was a problem hiding this comment.
You are correct, my generated passes in the test where incorrect i will correct this.
|
Just a note for myself as this is not the focus currently
|
|
looks like there is a modernized version of phpass - https://github.com/hautelook/phpass - which adds composer support and is compliant with php 5.5 and php 5.6 @th3fallen @LukasReschke are there still needs to replace phpass with something else? The effort to update phpass is for sure less then introducing ppassword-compat - THX |
|
Well, password_compat is nearly considered a standard library with thousands of users nowadays but the updated phpass version has not even 40 stars. I'd still stick to a change to password_compat. |
|
@DeepDiver1975 That version is still the same just namespaced, and restyled. It is still exposing the hash used for passwords and falls back to md5 generation for some configurations. I still think that password_compat is going to be more secure in the long run and more future proof. |
|
@LukasReschke @th3fallen understood your points - but is there really a hard security issue with phpass? As stated above the password hash migration adds quite some risk. |
Well, in terms of security using phpass is completely fine. And even if it would have a vulnerability it would be very hard to abuse. (and if somebody has already access to the DB he can do worse things than cracking your password) This is more about getting rid of unsupported and not really anylonger maintained software (it even has some hacks included to work with phpBB3 hashes....) and replacing it with a proper alternative that is even directly bundled with PHP. The password_compat lib is only required as fallback when an older PHP version is used. I'd welcome a change to that because that is certainly a more future-proof approach and offers quite some advantages. Absolutely, migration requires proper testing and is not that easy but better be safe than sorry. |
|
Thanks @LukasReschke - @th3fallen we will revive this pr these days - tech-dept attached meanwhile I'll push phpass to composer to get rid of all require_once out there in the wild ..... THX |
We are reusing this class in many places - this is shit @LukasReschke wasn't there an public api for hashing passwords in core? THX |
No. - Also I'm not sure if it makes sense adding one if we anyways plan to switch to https://github.com/ircmaxell/password_compat |
well - the question is if we ever have to switch again or password_compat is changing their interface/deprecating a function in favor of another/... we have to change a dozen of locations again. |
|
|
I see - but we should at least offer a migration function to handle old hashes vs new hashes - let me have a look at the code we have in here ... |
| } else { | ||
| return true; | ||
| } | ||
| return password_verify($password, $linkItem['share_with']); |
There was a problem hiding this comment.
How will this ever work? All hashes need to be migrated - as a result we need to ship password_compat AND phpass with the next major version and offer a proper migration pass for all apps as well.
|
After chatting with @LukasReschke we agreed on defining a public api in core which will encapsulate hashing functionalities. We will basically have two functions:
verify will return the newHash in case the existing hash know to be outdated (long time ago sha hashes or phpass hashes) password salt and any other options will be taken care of within the implementation of verify() I'm closing this PR now as we have to walk a different path |
Public interface for hashing which also works with legacy ownCloud hashes and supports updating the legacy hash via a passed reference. Follow-up of #10219 (comment) Requires owncloud-archive/3rdparty#136
Public interface for hashing which also works with legacy ownCloud hashes and supports updating the legacy hash via a passed reference. Follow-up of #10219 (comment) Requires owncloud-archive/3rdparty#136
Per #10050 (comment)
also owncloud-archive/3rdparty#110