forked from leftypol/leftypol
Merge pull request 'Better authentication token generation' (#116) from auth-sha256 into config
Reviewed-on: leftypol/leftypol#116
This commit is contained in:
commit
8d189eb9c8
4 changed files with 34 additions and 27 deletions
|
|
@ -25,6 +25,7 @@
|
|||
"inc/polyfill.php",
|
||||
"inc/error.php",
|
||||
"inc/functions.php",
|
||||
"inc/functions/hide.php",
|
||||
"inc/functions/net.php"
|
||||
]
|
||||
},
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
|
|||
|
||||
$microtime_start = microtime(true);
|
||||
|
||||
use Vichan\Functions\Hide;
|
||||
use Lifo\IP\IP; // for expanding IPv6 address in DNSBL()
|
||||
|
||||
// the user is not currently logged in as a moderator
|
||||
|
|
@ -1691,7 +1692,7 @@ function checkSpam(array $extra_salt = array()) {
|
|||
$_hash = sha1($_hash . $extra_salt);
|
||||
|
||||
if ($hash != $_hash) {
|
||||
return true;
|
||||
return true;
|
||||
}
|
||||
|
||||
$query = prepare('SELECT `passed` FROM ``antispam`` WHERE `hash` = :hash');
|
||||
|
|
@ -2583,11 +2584,11 @@ function rrmdir($dir) {
|
|||
function poster_id($ip, $thread) {
|
||||
global $config;
|
||||
|
||||
if ($id = event('poster-id', $ip, $thread))
|
||||
if ($id = event('poster-id', $ip, $thread)) {
|
||||
return $id;
|
||||
}
|
||||
|
||||
// Confusing, hard to brute-force, but simple algorithm
|
||||
return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
|
||||
return \substr(Hide\secure_hash($ip . $config['secure_trip_salt'] . $thread . $config['secure_trip_salt'], false), 0, $config['poster_id_length']);
|
||||
}
|
||||
|
||||
function generate_tripcode($name) {
|
||||
|
|
@ -2615,7 +2616,7 @@ function generate_tripcode($name) {
|
|||
if (isset($config['custom_tripcode']["##{$trip}"]))
|
||||
$trip = $config['custom_tripcode']["##{$trip}"];
|
||||
else
|
||||
$trip = '!!' . substr(crypt($trip, str_replace('+', '.', '_..A.' . substr(base64_encode(sha1($trip . $config['secure_trip_salt'], true)), 0, 4))), -10);
|
||||
$trip = '!!' . substr(crypt($trip, str_replace('+', '.', '_..A.' . substr(Hide\secure_hash($trip . $config['secure_trip_salt'], false), 0, 4))), -10);
|
||||
} else {
|
||||
if (isset($config['custom_tripcode']["#{$trip}"]))
|
||||
$trip = $config['custom_tripcode']["#{$trip}"];
|
||||
|
|
|
|||
6
inc/functions/hide.php
Normal file
6
inc/functions/hide.php
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
<?php
|
||||
namespace Vichan\Functions\Hide;
|
||||
|
||||
function secure_hash(string $data, bool $binary): string {
|
||||
return \hash('tiger160,3', $data, $binary);
|
||||
}
|
||||
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
|
||||
use Vichan\Context;
|
||||
use Vichan\Functions\Net;
|
||||
use Vichan\Functions\{Hide, Net};
|
||||
|
||||
defined('TINYBOARD') or exit;
|
||||
|
||||
|
|
@ -14,30 +14,32 @@ function mkhash($username, $password, $salt = false) {
|
|||
global $config;
|
||||
|
||||
if (!$salt) {
|
||||
// create some sort of salt for the hash
|
||||
$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
|
||||
|
||||
// Create some salt for the hash.
|
||||
$salt = \bin2hex(\random_bytes(15)); // 20 characters.
|
||||
$generated_salt = true;
|
||||
} else {
|
||||
$generated_salt = false;
|
||||
}
|
||||
|
||||
// generate hash (method is not important as long as it's strong)
|
||||
$hash = substr(
|
||||
base64_encode(
|
||||
md5(
|
||||
$username . $config['cookies']['salt'] . sha1(
|
||||
$username . $password . $salt . (
|
||||
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
|
||||
), true
|
||||
) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
|
||||
, true
|
||||
)
|
||||
), 0, 20
|
||||
$hash = \substr(
|
||||
Hide\secure_hash(
|
||||
$username . $config['cookies']['salt'] . Hide\secure_hash(
|
||||
$username . $password . $salt . (
|
||||
$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
|
||||
), true
|
||||
) . Hide\secure_hash($config['password_crypt_version'], true), // Log out users being logged in with older password encryption schema
|
||||
false
|
||||
),
|
||||
0,
|
||||
40
|
||||
);
|
||||
|
||||
if (isset($generated_salt))
|
||||
return array($hash, $salt);
|
||||
else
|
||||
if ($generated_salt) {
|
||||
return [ $hash, $salt ];
|
||||
} else {
|
||||
return $hash;
|
||||
}
|
||||
}
|
||||
|
||||
function crypt_password($password) {
|
||||
|
|
@ -50,16 +52,13 @@ function crypt_password($password) {
|
|||
}
|
||||
|
||||
function test_password($password, $salt, $test) {
|
||||
global $config;
|
||||
|
||||
// Version = 0 denotes an old password hashing schema. In the same column, the
|
||||
// password hash was kept previously
|
||||
$version = (strlen($salt) <= 8) ? (int) $salt : 0;
|
||||
|
||||
if ($version == 0) {
|
||||
$comp = hash('sha256', $salt . sha1($test));
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
$comp = crypt($test, $password);
|
||||
}
|
||||
return array($version, hash_equals($password, $comp));
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue