From 31f657e550ab8b1ea00953cc3a26f4661ee4458c Mon Sep 17 00:00:00 2001
From: Michael Foster <savetheinternet@tinyboard.org>
Date: Wed, 24 Jul 2013 11:15:55 -0400
Subject: [PATCH] Long overdue: Salted password hashes

---
 inc/mod/auth.php  | 34 +++++++++++++++++++++-------------
 inc/mod/pages.php | 24 ++++++++++++++++++------
 install.php       | 21 ++++++++++++++++++++-
 install.sql       |  7 ++++---
 4 files changed, 63 insertions(+), 23 deletions(-)

diff --git a/inc/mod/auth.php b/inc/mod/auth.php
index 173190ab..1bc27dff 100644
--- a/inc/mod/auth.php
+++ b/inc/mod/auth.php
@@ -29,6 +29,11 @@ function mkhash($username, $password, $salt = false) {
 		return $hash;
 }
 
+function generate_salt() {
+	mt_srand(microtime(true) * 100000 + memory_get_usage(true));
+	return md5(uniqid(mt_rand(), true));
+}
+
 function login($username, $password, $makehash=true) {
 	global $mod;
 	
@@ -37,20 +42,23 @@ function login($username, $password, $makehash=true) {
 		$password = sha1($password);
 	}
 	
-	$query = prepare("SELECT `id`,`type`,`boards` FROM `mods` WHERE `username` = :username AND `password` = :password LIMIT 1");
+	$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM `mods` WHERE `username` = :username");
 	$query->bindValue(':username', $username);
-	$query->bindValue(':password', $password);
 	$query->execute() or error(db_error($query));
 	
-	if ($user = $query->fetch()) {
-		return $mod = array(
-			'id' => $user['id'],
-			'type' => $user['type'],
-			'username' => $username,
-			'hash' => mkhash($username, $password),
-			'boards' => explode(',', $user['boards'])
-		);
-	} else return false;
+	if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
+		if ($user['password'] === hash('sha256', $user['salt'] . $password)) {
+			return $mod = array(
+				'id' => $user['id'],
+				'type' => $user['type'],
+				'username' => $username,
+				'hash' => mkhash($username, $user['password']),
+				'boards' => explode(',', $user['boards'])
+			);
+		}
+	}
+	
+	return false;
 }
 
 function setCookies() {
@@ -104,10 +112,10 @@ if (isset($_COOKIE[$config['cookies']['mod']])) {
 		exit;
 	}
 	
-	$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username LIMIT 1");
+	$query = prepare("SELECT `id`, `type`, `boards`, `password` FROM `mods` WHERE `username` = :username");
 	$query->bindValue(':username', $cookie[0]);
 	$query->execute() or error(db_error($query));
-	$user = $query->fetch();
+	$user = $query->fetch(PDO::FETCH_ASSOC);
 	
 	// validate password hash
 	if ($cookie[1] !== mkhash($cookie[0], $user['password'], $cookie[2])) {
diff --git a/inc/mod/pages.php b/inc/mod/pages.php
index cddecad0..1ed9a94b 100644
--- a/inc/mod/pages.php
+++ b/inc/mod/pages.php
@@ -1407,9 +1407,13 @@ function mod_user($uid) {
 		}
 		
 		if ($_POST['password'] != '') {
-			$query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id');
+			$salt = generate_salt();
+			$password = hash('sha256', $salt . sha1($_POST['password']));
+			
+			$query = prepare('UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
 			$query->bindValue(':id', $uid);
-			$query->bindValue(':password', $_POST['password']);
+			$query->bindValue(':password', $password);
+			$query->bindValue(':salt', $salt);
 			$query->execute() or error(db_error($query));
 			
 			modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>');
@@ -1430,9 +1434,13 @@ function mod_user($uid) {
 	
 	if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
 		if ($_POST['password'] != '') {
-			$query = prepare('UPDATE `mods` SET `password` = SHA1(:password) WHERE `id` = :id');
+			$salt = generate_salt();
+			$password = hash('sha256', $salt . sha1($_POST['password']));
+
+			$query = prepare('UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
 			$query->bindValue(':id', $uid);
-			$query->bindValue(':password', $_POST['password']);
+			$query->bindValue(':password', $password);
+			$query->bindValue(':salt', $salt);
 			$query->execute() or error(db_error($query));
 			
 			modLog('Changed own password');
@@ -1494,9 +1502,13 @@ function mod_user_new() {
 		if ($_POST['type'] !== JANITOR && $_POST['type'] !== MOD && $_POST['type'] !== ADMIN)
 			error(sprintf($config['error']['invalidfield'], 'type'));
 		
-		$query = prepare('INSERT INTO `mods` VALUES (NULL, :username, SHA1(:password), :type, :boards)');
+		$salt = generate_salt();
+		$password = hash('sha256', $salt . sha1($_POST['password']));
+		
+		$query = prepare('INSERT INTO `mods` VALUES (NULL, :username, :password, :salt, :type, :boards)');
 		$query->bindValue(':username', $_POST['username']);
-		$query->bindValue(':password', $_POST['password']);
+		$query->bindValue(':password', $password);
+		$query->bindValue(':salt', $salt);
 		$query->bindValue(':type', $_POST['type']);
 		$query->bindValue(':boards', implode(',', $boards));
 		$query->execute() or error(db_error($query));
diff --git a/install.php b/install.php
index 71d1c910..3c65a4b8 100644
--- a/install.php
+++ b/install.php
@@ -1,7 +1,7 @@
 <?php
 
 // Installation/upgrade file	
-define('VERSION', 'v0.9.6-dev-8');
+define('VERSION', 'v0.9.6-dev-9');
 
 require 'inc/functions.php';
 
@@ -229,6 +229,25 @@ if (file_exists($config['has_installed'])) {
 			}
 		case 'v0.9.6-dev-7':
 			query("ALTER TABLE  `bans` ADD  `seen` BOOLEAN NOT NULL") or error(db_error());
+		case 'v0.9.6-dev-8':
+			query("ALTER TABLE  `mods` CHANGE  `password`  `password` CHAR( 64 ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT  'SHA256'") or error(db_error());
+			query("ALTER TABLE  `mods` ADD  `salt` CHAR( 32 ) NOT NULL AFTER  `password`") or error(db_error());
+			$query = query("SELECT `id`,`password` FROM `mods`") or error(db_error());
+			while ($user = $query->fetch(PDO::FETCH_ASSOC)) {
+				if (strlen($user['password']) == 40) {
+					mt_srand(microtime(true) * 100000 + memory_get_usage(true));
+					$salt = md5(uniqid(mt_rand(), true));
+			
+					$user['salt'] = $salt;
+					$user['password'] = hash('sha256', $user['salt'] . $user['password']);
+			
+					$_query = prepare("UPDATE `mods` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
+					$_query->bindValue(':username', $user['id']);
+					$_query->bindValue(':password', $user['password']);
+					$_query->bindValue(':salt', $user['salt']);
+					$_query->execute() or error(db_error($_query));
+				}
+			}
 		case false:
 			// Update version number
 			file_write($config['has_installed'], VERSION);
diff --git a/install.sql b/install.sql
index 04896681..d32c3e3e 100644
--- a/install.sql
+++ b/install.sql
@@ -129,9 +129,10 @@ CREATE TABLE IF NOT EXISTS `modlogs` (
 --
 
 CREATE TABLE IF NOT EXISTS `mods` (
-  `id` smallint(6) UNSIGNED NOT NULL AUTO_INCREMENT,
+  `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
   `username` varchar(30) NOT NULL,
-  `password` char(40) NOT NULL COMMENT 'SHA1',
+  `password` char(64) NOT NULL COMMENT 'SHA256',
+  `salt` char(32) NOT NULL,
   `type` smallint(1) NOT NULL COMMENT '0: janitor, 1: mod, 2: admin',
   `boards` text NOT NULL,
   PRIMARY KEY (`id`),
@@ -143,7 +144,7 @@ CREATE TABLE IF NOT EXISTS `mods` (
 --
 
 INSERT INTO `mods` (`id`, `username`, `password`, `type`, `boards`) VALUES
-(1, 'admin', '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8', 2, '*');
+(1, 'admin', 'cedad442efeef7112fed0f50b011b2b9bf83f6898082f995f69dd7865ca19fb7', '4a44c6c55df862ae901b413feecb0d49', 2, '*');
 
 -- --------------------------------------------------------