From caaf741691c9d44a9a186d6ce924fecb04f4f347 Mon Sep 17 00:00:00 2001 From: czaks Date: Fri, 22 Apr 2016 05:35:43 +0200 Subject: [PATCH] [SECURITY] keep up with modern password hashing standards --- inc/config.php | 15 ++++++++++ inc/mod/auth.php | 71 +++++++++++++++++++++++++++++++++++++++-------- inc/mod/pages.php | 11 +++----- install.php | 7 ++++- install.sql | 4 +-- 5 files changed, 87 insertions(+), 21 deletions(-) diff --git a/inc/config.php b/inc/config.php index d5bdbfe5..c0e967af 100644 --- a/inc/config.php +++ b/inc/config.php @@ -1672,3 +1672,18 @@ ''. ''. ''; + + // Password hashing function + // + // $5$ <- SHA256 + // $6$ <- SHA512 + // + // 25000 rounds make for ~0.05s on my 2015 Core i3 computer. + // + // https://secure.php.net/manual/en/function.crypt.php + $config['password_crypt'] = '$6$rounds=25000$'; + + // Password hashing method version + // If set to 0, it won't upgrade hashes using old password encryption schema, only create new. + // You can set it to a higher value, to further migrate to other password hashing function. + $config['password_crypt_version'] = 1; diff --git a/inc/mod/auth.php b/inc/mod/auth.php index 01ed5b68..fa1a0f4f 100644 --- a/inc/mod/auth.php +++ b/inc/mod/auth.php @@ -18,7 +18,18 @@ function mkhash($username, $password, $salt = false) { } // generate hash (method is not important as long as it's strong) - $hash = substr(base64_encode(md5($username . $config['cookies']['salt'] . sha1($username . $password . $salt . ($config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''), true), true)), 0, 20); + $hash = substr( + base64_encode( + md5( + $username . $config['cookies']['salt'] . sha1( + $username . $password . $salt . ( + $config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : '' + ), true + ) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema + , true + ) + ), 0, 20 + ); if (isset($generated_salt)) return array($hash, $salt); @@ -26,25 +37,63 @@ function mkhash($username, $password, $salt = false) { return $hash; } -function generate_salt() { - mt_srand(microtime(true) * 100000 + memory_get_usage(true)); - return md5(uniqid(mt_rand(), true)); +function crypt_password_old($password) { + $salt = generate_salt(); + $password = hash('sha256', $salt . sha1($password)); + return array($salt, $password); } -function login($username, $password, $makehash=true) { - global $mod; - - // SHA1 password - if ($makehash) { - $password = sha1($password); +function crypt_password($password) { + global $config; + // `salt` database field is reused as a version value. We don't want it to be 0. + $version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1; + $new_salt = generate_salt(); + $password = crypt($password, $config['password_crypt'] . $new_salt . "$"); + return array($version, $password); +} + +function test_password($password, $salt, $test) { + global $config; + + // Version = 0 denotes an old password hashing schema. In the same column, the + // password hash was kept previously + $version = (strlen($salt) <= 8) ? (int) $salt : 0; + + if ($version == 0) { + $comp = hash('sha256', $salt . sha1($test)); } + else { + $comp = crypt($test, $password); + } + return array($version, hash_equals($password, $comp)); +} + +function generate_salt() { + // 128 bits of entropy + return strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.'); +} + +function login($username, $password) { + global $mod, $config; $query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username"); $query->bindValue(':username', $username); $query->execute() or error(db_error($query)); if ($user = $query->fetch(PDO::FETCH_ASSOC)) { - if ($user['password'] === hash('sha256', $user['salt'] . $password)) { + list($version, $ok) = test_password($user['password'], $user['salt'], $password); + + if ($ok) { + if ($config['password_crypt_version'] > $version) { + // It's time to upgrade the password hashing method! + list ($user['salt'], $user['password']) = crypt_password($password); + $query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id"); + $query->bindValue(':password', $user['password']); + $query->bindValue(':salt', $user['salt']); + $query->bindValue(':id', $user['id']); + $query->execute() or error(db_error($query)); + } + return $mod = array( 'id' => $user['id'], 'type' => $user['type'], diff --git a/inc/mod/pages.php b/inc/mod/pages.php index 2c679b20..a07de4c7 100644 --- a/inc/mod/pages.php +++ b/inc/mod/pages.php @@ -1734,9 +1734,8 @@ function mod_user($uid) { } if ($_POST['password'] != '') { - $salt = generate_salt(); - $password = hash('sha256', $salt . sha1($_POST['password'])); - + list($salt, $password) = crypt_password($_POST['password']); + $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); $query->bindValue(':id', $uid); $query->bindValue(':password', $password); @@ -1761,8 +1760,7 @@ function mod_user($uid) { if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) { if ($_POST['password'] != '') { - $salt = generate_salt(); - $password = hash('sha256', $salt . sha1($_POST['password'])); + list($salt, $password) = crypt_password($_POST['password']); $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); $query->bindValue(':id', $uid); @@ -1834,8 +1832,7 @@ function mod_user_new() { if (!isset($config['mod']['groups'][$type]) || $type == DISABLED) error(sprintf($config['error']['invalidfield'], 'type')); - $salt = generate_salt(); - $password = hash('sha256', $salt . sha1($_POST['password'])); + list($salt, $password) = crypt_password($_POST['password']); $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)'); $query->bindValue(':username', $_POST['username']); diff --git a/install.php b/install.php index 95caf8ec..5a2d724a 100644 --- a/install.php +++ b/install.php @@ -1,10 +1,12 @@ $config, @@ -551,6 +553,9 @@ if (file_exists($config['has_installed'])) { foreach ($boards as &$board) { query(sprintf('ALTER TABLE ``posts_%s`` ADD `slug` VARCHAR(255) DEFAULT NULL AFTER `embed`;', $board['uri'])) or error(db_error()); } + case '4.9.93': + query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error()); + query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error()); case false: // TODO: enhance Tinyboard -> vichan upgrade path. query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error()); diff --git a/install.sql b/install.sql index 969107a2..fbf220c1 100644 --- a/install.sql +++ b/install.sql @@ -131,8 +131,8 @@ CREATE TABLE IF NOT EXISTS `modlogs` ( CREATE TABLE IF NOT EXISTS `mods` ( `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT, `username` varchar(30) NOT NULL, - `password` char(64) CHARACTER SET ascii NOT NULL COMMENT 'SHA256', - `salt` char(32) CHARACTER SET ascii NOT NULL, + `password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256', + `salt` varchar(64) CHARACTER SET ascii NOT NULL, `type` smallint(2) NOT NULL, `boards` text CHARACTER SET utf8 NOT NULL, PRIMARY KEY (`id`),