CoreLibs/development
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Backport new password interface to legacy classes

Browse Source
This commit is contained in:
Clemens Schwaighofer
2018-05-09 11:47:16 +09:00
parent 7b085f86f0
commit 85a327f45f
3 changed files with 97 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
www/libs/Class.Basic.inc
View File

@@ -145,12 +145,13 @@ class basic
// error char for the char conver // error char for the char conver
public $mbErrorChar; public $mbErrorChar;
// crypt saslt prefix // [!!! DEPRECATED !!!] crypt saslt prefix
public $cryptSaltPrefix = ''; public $cryptSaltPrefix = '';
public $cryptSaltSuffix = ''; public $cryptSaltSuffix = '';
public $cryptIterationCost = 7; // this is for staying backwards compatible with the old ones public $cryptIterationCost = 7; // this is for staying backwards compatible with the old ones
public $cryptSaltSize = 22; // default 22 chars for blowfish, 2 for STD DES, 8 for MD5, public $cryptSaltSize = 22; // default 22 chars for blowfish, 2 for STD DES, 8 for MD5,
// new better password management
protected $password_options = array ();
// session name // session name
private $session_name = ''; private $session_name = '';
private $session_id = ''; private $session_id = '';
@@ -337,8 +338,10 @@ class basic
$this->session_id = session_id(); $this->session_id = session_id();
} }
// init crypt settings // [!!! DEPRECATED !!!] init crypt settings
$this->cryptInit(); $this->cryptInit();
// new better password init
$this->passwordInit();
// start logging running time // start logging running time
$this->running_time(); $this->running_time();
@@ -1572,6 +1575,11 @@ class basic
return false; return false;
} }
// [!!! DEPRECATED !!!]
// ALL crypt* methids are DEPRECATED and SHALL NOT BE USED
// use the new password* instead
// [!!! DEPRECATED !!!] -> passwordInit
// METHOD: cryptInit // METHOD: cryptInit
// PARAMS: none // PARAMS: none
// RETURN: none // RETURN: none
@@ -1618,6 +1626,7 @@ class basic
} }
} }
// [!!! DEPRECATED !!!] -> not needed
// METHOD: cryptSaltString // METHOD: cryptSaltString
// PARAMS: random string length, default is 22 (for blowfish crypt) // PARAMS: random string length, default is 22 (for blowfish crypt)
// RETURN: random string // RETURN: random string
@@ -1645,6 +1654,7 @@ class basic
return $salt_string; return $salt_string;
} }
// [!!! DEPRECATED !!!] -> passwordSet
// METHOD: cryptString // METHOD: cryptString
// PARAMS: string to be crypted (one way) // PARAMS: string to be crypted (one way)
// RETURN: encrypted string // RETURN: encrypted string
@@ -1656,6 +1666,7 @@ class basic
return crypt($string, $this->cryptSaltPrefix.$this->cryptSaltString($this->cryptSaltSize).$this->cryptSaltSuffix); return crypt($string, $this->cryptSaltPrefix.$this->cryptSaltString($this->cryptSaltSize).$this->cryptSaltSuffix);
} }
// [!!! DEPRECATED !!!] -> passwordVerify
// METHOD: verifyCryptString // METHOD: verifyCryptString
// PARAMS: plain string (eg password) // PARAMS: plain string (eg password)
// full crypted string (from cryptString // full crypted string (from cryptString
@@ -1671,6 +1682,61 @@ class basic
} }
} }
// *** BETTER PASSWORD OPTIONS, must be used ***
// METHOD: passwordInit
// PARAMS: none
// RETURN: none
// DESC : inits the password options set
// currently this is et empty, and the default options are used
private function passwordInit()
{
// set default password cost: use default set automatically
$this->password_options = array (
// 'cost' => PASSWORD_BCRYPT_DEFAULT_COST
);
}
// METHOD: passwordSet
// PARAMS: password
// RETURN: hashed password
// DESC : creates the password hash
public function passwordSet($password)
{
// always use the PHP default for the password
// password options ca be set in the password init, but should be kept as default
return password_hash($password, PASSWORD_DEFAULT, $this->password_options);
}
// METHOD: passwordVerify
// PARAMS: password and hash
// RETURN: true or false
// DESC : checks if the entered password matches the hash
public function passwordVerify($password, $hash)
{
if (password_verify($password, $hash)) {
return true;
} else {
return false;
}
// in case something strange, return false on default
return false;
}
// METHOD: passwordRehashCheck
// PARAMS: hash
// RETURN: true or false
// DESC : checks if the password needs to be rehashed
public function passwordRehashCheck($hash)
{
if (password_needs_rehash($hash, PASSWORD_DEFAULT, $this->password_options)) {
return true;
} else {
return false;
}
// in case of strange, force re-hash
return true;
}
// *** COLORS *** // *** COLORS ***
// METHOD: hex2rgb // METHOD: hex2rgb

31
www/libs/Class.Form.Generate.inc
View File

@@ -917,16 +917,16 @@ class form extends db_array_io
} // switch } // switch
} // for each error to check } // for each error to check
} elseif ($value["mandatory"] && } elseif ($value["mandatory"] &&
( (
// for all "normal" fields // for all "normal" fields
($this->table_array[$key]["type"] != "password" && $this->table_array[$key]["type"] != "drop_down_db_input" && !$this->table_array[$key]["value"]) || ($this->table_array[$key]["type"] != "password" && $this->table_array[$key]["type"] != "drop_down_db_input" && !$this->table_array[$key]["value"]) ||
// for drop_down_db_input check if one of both fields filled // for drop_down_db_input check if one of both fields filled
($this->table_array[$key]["type"] == "drop_down_db_input" && !$this->table_array[$key]["input_value"] && !$this->table_array[$key]["value"]) || ($this->table_array[$key]["type"] == "drop_down_db_input" && !$this->table_array[$key]["input_value"] && !$this->table_array[$key]["value"]) ||
// for password // for password
($this->table_array[$key]["type"] == "password" && !$this->table_array[$key]["value"] && !$this->table_array[$key]["HIDDEN_value"]) ($this->table_array[$key]["type"] == "password" && !$this->table_array[$key]["value"] && !$this->table_array[$key]["HIDDEN_value"])
) )
// main if end // main if end
) { ) {
// if mandatory && no input // if mandatory && no input
//$this->debug('form', "A: ".$this->table_array[$key]["type"]." -- ".$this->table_array[$key]["input_value"]." -- ".$this->table_array[$key]["value"]); //$this->debug('form', "A: ".$this->table_array[$key]["type"]." -- ".$this->table_array[$key]["input_value"]." -- ".$this->table_array[$key]["value"]);
if (!$this->table_array[$key]["value"] && $this->table_array[$key]["type"] != "binary") { if (!$this->table_array[$key]["value"] && $this->table_array[$key]["type"] != "binary") {
@@ -1171,7 +1171,6 @@ class form extends db_array_io
// DESC save a table, reference and all input fields // DESC save a table, reference and all input fields
public function form_save_table_array($addslashes = 0) public function form_save_table_array($addslashes = 0)
{ {
// global $_FILES;
// for drop_down_db_input check if text field is filled and if, if not yet in db ... // for drop_down_db_input check if text field is filled and if, if not yet in db ...
// and upload files // and upload files
if (!is_array($this->table_array)) { if (!is_array($this->table_array)) {
@@ -1234,8 +1233,8 @@ class form extends db_array_io
// if smth in $$key_file -> save or overwrite // if smth in $$key_file -> save or overwrite
// if smth in $key && $$key_delete && !$$key_file-> delte // if smth in $key && $$key_delete && !$$key_file-> delte
// if smth in $key, keep as is // if smth in $key, keep as is
// $_file=$key."_file"; // $_file=$key."_file";
// $_delete=$key."_delete"; // $_delete=$key."_delete";
//$this->debug('form', "UF: ".$GLOBALS["_FILES"][$key."_file"]['name']); //$this->debug('form', "UF: ".$GLOBALS["_FILES"][$key."_file"]['name']);
//$this->debug('form', "delete: ".$key."_delete => ".$GLOBALS[$key.'_delete']); //$this->debug('form', "delete: ".$key."_delete => ".$GLOBALS[$key.'_delete']);
if ($GLOBALS["_FILES"][$key."_file"]['name']) { if ($GLOBALS["_FILES"][$key."_file"]['name']) {
@@ -1266,11 +1265,11 @@ class form extends db_array_io
// for password crypt it as blowfish, or if not available MD5 // for password crypt it as blowfish, or if not available MD5
if ($this->table_array[$key]['type'] == 'password') { if ($this->table_array[$key]['type'] == 'password') {
if ($this->table_array[$key]["value"]) { if ($this->table_array[$key]["value"]) {
// password is stored in blowfish format, or in the format supported by this PHP version // use the better new passwordSet instead of crypt based
$this->table_array[$key]["value"] = $this->cryptString($this->table_array[$key]["value"]); $this->table_array[$key]['value'] = $this->passwordSet($this->table_array[$key]['value']);
$this->table_array[$key]["HIDDEN_value"] = $this->table_array[$key]["value"]; $this->table_array[$key]["HIDDEN_value"] = $this->table_array[$key]["value"];
} else { } else {
// $this->table_array[$key]["HIDDEN_value"] = // $this->table_array[$key]["HIDDEN_value"] =
} }
} }
} // go through each field } // go through each field

14
www/libs/Class.Login.inc
View File

@@ -283,13 +283,25 @@ class login extends db_io
} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) && CRYPT_BLOWFISH != 1) || (preg_match("/^\\$1\\$/", $res['password']) && CRYPT_MD5 != 1) || (preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && CRYPT_STD_DES != 1)) { } elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) && CRYPT_BLOWFISH != 1) || (preg_match("/^\\$1\\$/", $res['password']) && CRYPT_MD5 != 1) || (preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && CRYPT_STD_DES != 1)) {
// this means password cannot be decrypted because of missing crypt methods // this means password cannot be decrypted because of missing crypt methods
$this->login_error = 9999; $this->login_error = 9999;
} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) || preg_match("/^\\$1\\$/", $res['password']) || preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) && !$this->verifyCryptString($this->password, $res['password'])) { } elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) || preg_match("/^\\$1\\$/", $res['password']) || preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) && preg_match("/\\$07\\$/", $res['password']) && !$this->verifyCryptString($this->password, $res['password'])) {
// check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES // check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES
// this is only for OLD $07$ password
$this->login_error = 1011; $this->login_error = 1011;
} elseif (preg_match("/^\\$2y\\$/", $res['password']) && !preg_match("/\\$07\\$/", $res['password']) && !$this->passwordVerify($this->password, $res['password'])) {
// this is the new password hash methid, is only $2y$
$this->login_error = 1013;
} elseif (!preg_match("/^\\$2(a|y)\\$/", $res['password']) && !preg_match("/^\\$1\\$/", $res['password']) && !preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && $res['password'] != $this->password) { } elseif (!preg_match("/^\\$2(a|y)\\$/", $res['password']) && !preg_match("/^\\$1\\$/", $res['password']) && !preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && $res['password'] != $this->password) {
// check old plain password, non case sensitive // check old plain password, non case sensitive
$this->login_error = 1012; $this->login_error = 1012;
} else { } else {
// check if the current password is an invalid hash and do a rehash and set password
// $this->debug('LOGIN', 'Hash: '.$res['password'].' -> VERIFY: '.($this->passwordVerify($this->password, $res['password']) ? 'OK' : 'FAIL').' => HASH: '.($this->passwordRehashCheck($res['password']) ? 'NEW NEEDED' : 'OK'));
if ($this->passwordRehashCheck($res['password'])) {
$new_hash = $this->passwordSet($this->password);
// update password hash to new one now
$q = "UPDATE edit_user SET password = '".$this->dbEscapeString($new_hash)."' WHERE edit_user_id = ".$res['edit_user_id'];
$this->dbExec($q);
}
// normal user processing // normal user processing
// set class var and session var // set class var and session var
$_SESSION["EUID"] = $this->euid = $res["edit_user_id"]; $_SESSION["EUID"] = $this->euid = $res["edit_user_id"];