forked from leftypol/leftypol
auth.php: use secure salt source, use a cryptographically secure hashing algorithm for login tokens
This commit is contained in:
parent
8cffb479fa
commit
3c0779992a
1 changed files with 21 additions and 22 deletions
|
|
@ -5,7 +5,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
use Vichan\Context;
|
use Vichan\Context;
|
||||||
use Vichan\Functions\Net;
|
use Vichan\Functions\{Hide, Net};
|
||||||
|
|
||||||
defined('TINYBOARD') or exit;
|
defined('TINYBOARD') or exit;
|
||||||
|
|
||||||
|
|
@ -14,30 +14,32 @@ function mkhash($username, $password, $salt = false) {
|
||||||
global $config;
|
global $config;
|
||||||
|
|
||||||
if (!$salt) {
|
if (!$salt) {
|
||||||
// create some sort of salt for the hash
|
// Create some salt for the hash.
|
||||||
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
|
$salt = \bin2hex(\random_bytes(15)); // 20 characters.
|
||||||
|
|
||||||
$generated_salt = true;
|
$generated_salt = true;
|
||||||
|
} else {
|
||||||
|
$generated_salt = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// generate hash (method is not important as long as it's strong)
|
// generate hash (method is not important as long as it's strong)
|
||||||
$hash = substr(
|
$hash = \substr(
|
||||||
base64_encode(
|
Hide\secure_hash(
|
||||||
md5(
|
$username . $config['cookies']['salt'] . Hide\secure_hash(
|
||||||
$username . $config['cookies']['salt'] . sha1(
|
$username . $password . $salt . (
|
||||||
$username . $password . $salt . (
|
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
|
||||||
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
|
), true
|
||||||
), true
|
) . Hide\secure_hash($config['password_crypt_version'], true), // Log out users being logged in with older password encryption schema
|
||||||
) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
|
false
|
||||||
, true
|
),
|
||||||
)
|
0,
|
||||||
), 0, 20
|
40
|
||||||
);
|
);
|
||||||
|
|
||||||
if (isset($generated_salt))
|
if ($generated_salt) {
|
||||||
return array($hash, $salt);
|
return [ $hash, $salt ];
|
||||||
else
|
} else {
|
||||||
return $hash;
|
return $hash;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function crypt_password($password) {
|
function crypt_password($password) {
|
||||||
|
|
@ -50,16 +52,13 @@ function crypt_password($password) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function test_password($password, $salt, $test) {
|
function test_password($password, $salt, $test) {
|
||||||
global $config;
|
|
||||||
|
|
||||||
// Version = 0 denotes an old password hashing schema. In the same column, the
|
// Version = 0 denotes an old password hashing schema. In the same column, the
|
||||||
// password hash was kept previously
|
// password hash was kept previously
|
||||||
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
|
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
|
||||||
|
|
||||||
if ($version == 0) {
|
if ($version == 0) {
|
||||||
$comp = hash('sha256', $salt . sha1($test));
|
$comp = hash('sha256', $salt . sha1($test));
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
$comp = crypt($test, $password);
|
$comp = crypt($test, $password);
|
||||||
}
|
}
|
||||||
return array($version, hash_equals($password, $comp));
|
return array($version, hash_equals($password, $comp));
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue