Merge pull request 'Better authentication token generation' (#116) from auth-sha256 into config

Reviewed-on: leftypol/leftypol#116

composer.json

@@ -25,6 +25,7 @@
             "inc/polyfill.php",
             "inc/error.php",
             "inc/functions.php",
+            "inc/functions/hide.php",
             "inc/functions/net.php"
         ]
     },

inc/functions.php

@@ -11,6 +11,7 @@ if (realpath($_SERVER['SCRIPT_FILENAME']) == str_replace('\\', '/', __FILE__)) {
 
 $microtime_start = microtime(true);
 
+use Vichan\Functions\Hide;
 use Lifo\IP\IP; // for expanding IPv6 address in DNSBL()
 
 // the user is not currently logged in as a moderator
@@ -2583,11 +2584,11 @@ function rrmdir($dir) {
 function poster_id($ip, $thread) {
 	global $config;
 
-	if ($id = event('poster-id', $ip, $thread))
+	if ($id = event('poster-id', $ip, $thread)) {
 		return $id;
+	}
 
-	// Confusing, hard to brute-force, but simple algorithm
+	return \substr(Hide\secure_hash($ip . $config['secure_trip_salt'] . $thread . $config['secure_trip_salt'], false), 0, $config['poster_id_length']);
-	return substr(sha1(sha1($ip . $config['secure_trip_salt'] . $thread) . $config['secure_trip_salt']), 0, $config['poster_id_length']);
 }
 
 function generate_tripcode($name) {
@@ -2615,7 +2616,7 @@ function generate_tripcode($name) {
 		if (isset($config['custom_tripcode']["##{$trip}"]))
 			$trip = $config['custom_tripcode']["##{$trip}"];
 		else
-			$trip = '!!' . substr(crypt($trip, str_replace('+', '.', '_..A.' . substr(base64_encode(sha1($trip . $config['secure_trip_salt'], true)), 0, 4))), -10);
+			$trip = '!!' . substr(crypt($trip, str_replace('+', '.', '_..A.' . substr(Hide\secure_hash($trip . $config['secure_trip_salt'], false), 0, 4))), -10);
 	} else {
 		if (isset($config['custom_tripcode']["#{$trip}"]))
 			$trip = $config['custom_tripcode']["#{$trip}"];

inc/functions/hide.php

@@ -0,0 +1,6 @@
+<?php
+namespace Vichan\Functions\Hide;
+
+function secure_hash(string $data, bool $binary): string {
+	return \hash('tiger160,3', $data, $binary);
+}

inc/mod/auth.php

@@ -5,7 +5,7 @@
  */
 
 use Vichan\Context;
-use Vichan\Functions\Net;
+use Vichan\Functions\{Hide, Net};
 
 defined('TINYBOARD') or exit;
 
@@ -14,31 +14,33 @@ function mkhash($username, $password, $salt = false) {
 	global $config;
 
 	if (!$salt) {
-		// create some sort of salt for the hash
+		// Create some salt for the hash.
-		$salt = substr(base64_encode(sha1(rand() . time(), true) . $config['cookies']['salt']), 0, 15);
+		$salt = \bin2hex(\random_bytes(15)); // 20 characters.
-
 		$generated_salt = true;
+	} else {
+		$generated_salt = false;
 	}
 
 	// generate hash (method is not important as long as it's strong)
-	$hash = substr(
+	$hash = \substr(
-		base64_encode(
+		Hide\secure_hash(
-			md5(
+			$username . $config['cookies']['salt'] . Hide\secure_hash(
-				$username . $config['cookies']['salt'] . sha1(
 				$username . $password . $salt . (
 					$config['mod']['lock_ip'] ? $_SERVER['REMOTE_ADDR'] : ''
 				), true
-				) . sha1($config['password_crypt_version']) // Log out users being logged in with older password encryption schema
+			) . Hide\secure_hash($config['password_crypt_version'], true), // Log out users being logged in with older password encryption schema
-				, true
+			false
-			)
+		),
-		), 0, 20
+		0,
+		40
 	);
 
-	if (isset($generated_salt))
+	if ($generated_salt) {
-		return array($hash, $salt);
+		return [ $hash, $salt ];
-	else
+	} else {
 		return $hash;
 	}
+}
 
 function crypt_password($password) {
 	global $config;
@@ -50,16 +52,13 @@ function crypt_password($password) {
 }
 
 function test_password($password, $salt, $test) {
-	global $config;
-
 	// Version = 0 denotes an old password hashing schema. In the same column, the
 	// password hash was kept previously
 	$version = (strlen($salt) <= 8) ? (int) $salt : 0;
 
 	if ($version == 0) {
 		$comp = hash('sha256', $salt . sha1($test));
-	}
+	} else {
-	else {
 		$comp = crypt($test, $password);
 	}
 	return array($version, hash_equals($password, $comp));