diff options
author | Andrew Dolgov <[email protected]> | 2021-03-01 15:24:18 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2021-03-01 15:24:18 +0300 |
commit | 6359259dbb1e8d5b569f569a7089abffd9259d30 (patch) | |
tree | 69fc8e95b55d4c9ab0e3345e6f52d3c5632f038a /plugins/auth_internal/init.php | |
parent | 320503dd3911de93d059ebe1ba8b96004d8f6b03 (diff) |
simplify internal authentication code and bump default algo to SSHA-512
Diffstat (limited to 'plugins/auth_internal/init.php')
-rw-r--r-- | plugins/auth_internal/init.php | 150 |
1 files changed, 47 insertions, 103 deletions
diff --git a/plugins/auth_internal/init.php b/plugins/auth_internal/init.php index 0cff439cf..9a8417d4f 100644 --- a/plugins/auth_internal/init.php +++ b/plugins/auth_internal/init.php @@ -19,8 +19,6 @@ class Auth_Internal extends Auth_Base { function authenticate($login, $password, $service = '') { - $pwd_hash1 = encrypt_password($password); - $pwd_hash2 = encrypt_password($password, $login); $otp = (int) ($_REQUEST["otp"] ?? 0); // don't bother with null/null logins for auth_external etc @@ -135,117 +133,54 @@ class Auth_Internal extends Auth_Base { return $user_id; } - if (get_schema_version() > 87) { - - $sth = $this->pdo->prepare("SELECT salt FROM ttrss_users WHERE LOWER(login) = LOWER(?)"); - $sth->execute([$login]); - - if ($row = $sth->fetch()) { - $salt = $row['salt']; - - if ($salt == "") { - - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); - - // verify and upgrade password to new salt base - - if ($row = $sth->fetch()) { - // upgrade password to MODE2 - - $user_id = $row['id']; - - $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $pwd_hash = encrypt_password($password, $salt, true); - - $sth = $this->pdo->prepare("UPDATE ttrss_users SET - pwd_hash = ?, salt = ? WHERE LOWER(login) = LOWER(?)"); - - $sth->execute([$pwd_hash, $salt, $login]); - - return $user_id; - - } else { - return false; - } - - } else { - $pwd_hash = encrypt_password($password, $salt, true); - - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND pwd_hash = ?"); - $sth->execute([$login, $pwd_hash]); - - if ($row = $sth->fetch()) { - return $row['id']; - } - } + if ($login) { + $try_user_id = $this->find_user_by_login($login); - } else { - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); - - if ($row = $sth->fetch()) { - return $row['id']; - } - } - } else { - $sth = $this->pdo->prepare("SELECT id - FROM ttrss_users WHERE - LOWER(login) = LOWER(?) AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$login, $pwd_hash1, $pwd_hash2]); - - if ($row = $sth->fetch()) { - return $row['id']; + if ($try_user_id) { + return $this->check_password($try_user_id, $password); } } return false; } - function check_password($owner_uid, $password, $service = '') { + function check_password(int $owner_uid, string $password, string $service = '') { + + if (get_schema_version() > 87) { + $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled,pwd_hash FROM ttrss_users WHERE id = ?"); + } else { + $sth = $this->pdo->prepare("SELECT login,otp_enabled,pwd_hash FROM ttrss_users WHERE id = ?"); + } - $sth = $this->pdo->prepare("SELECT salt,login,otp_enabled FROM ttrss_users WHERE - id = ?"); $sth->execute([$owner_uid]); if ($row = $sth->fetch()) { - $salt = $row['salt']; + $salt = $row['salt'] ?? ""; $login = $row['login']; + $pwd_hash = $row['pwd_hash']; + + list ($pwd_algo, $raw_hash) = explode(":", $pwd_hash, 2); // check app password only if service is specified if ($service && get_schema_version() > 138) { return $this->check_app_password($login, $password, $service); } - if (!$salt) { - $password_hash1 = encrypt_password($password); - $password_hash2 = encrypt_password($password, $login); - - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? AND (pwd_hash = ? OR pwd_hash = ?)"); - - $sth->execute([$owner_uid, $password_hash1, $password_hash2]); + $test_hash = UserHelper::hash_password($password, $salt, $pwd_algo); - return $sth->fetch(); + if (hash_equals($pwd_hash, $test_hash)) { + if ($pwd_algo != UserHelper::HASH_ALGOS[0]) { + Logger::log(E_USER_NOTICE, "Upgrading password of user $login to " . UserHelper::HASH_ALGOS[0]); - } else { - $password_hash = encrypt_password($password, $salt, true); + $new_hash = UserHelper::hash_password($password, $salt, UserHelper::HASH_ALGOS[0]); - $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE - id = ? AND pwd_hash = ?"); - - $sth->execute([$owner_uid, $password_hash]); - - return $sth->fetch(); + if ($new_hash) { + $usth = $this->pdo->prepare("UPDATE ttrss_users SET pwd_hash = ? WHERE id = ?"); + $usth->execute([$new_hash, $owner_uid]); + } + } + return $owner_uid; } } @@ -256,15 +191,16 @@ class Auth_Internal extends Auth_Base { if ($this->check_password($owner_uid, $old_password)) { - $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $new_password_hash = encrypt_password($new_password, $new_salt, true); + $new_salt = UserHelper::get_salt(); + $new_password_hash = UserHelper::hash_password($new_password, $new_salt, UserHelper::HASH_ALGOS[0]); $sth = $this->pdo->prepare("UPDATE ttrss_users SET pwd_hash = ?, salt = ?, otp_enabled = false WHERE id = ?"); $sth->execute([$new_password_hash, $new_salt, $owner_uid]); - $_SESSION["pwd_hash"] = $new_password_hash; + if ($_SESSION["uid"] ?? 0 == $owner_uid) + $_SESSION["pwd_hash"] = $new_password_hash; $sth = $this->pdo->prepare("SELECT email, login FROM ttrss_users WHERE id = ?"); $sth->execute([$owner_uid]); @@ -303,19 +239,27 @@ class Auth_Internal extends Auth_Base { $sth->execute([$login, $service]); while ($row = $sth->fetch()) { - list ($algo, $hash, $salt) = explode(":", $row["pwd_hash"]); + list ($pwd_algo, $raw_hash, $salt) = explode(":", $row["pwd_hash"]); + + $test_hash = UserHelper::hash_password($password, $salt, $pwd_algo); + + if (hash_equals("$pwd_algo:$raw_hash", $test_hash)) { + $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET last_used = NOW() WHERE id = ?"); + $usth->execute([$row['id']]); - if ($algo == "SSHA-512") { - $test_hash = hash('sha512', $salt . $password); + if ($pwd_algo != UserHelper::HASH_ALGOS[0]) { + // upgrade password to current algo + Logger::log(E_USER_NOTICE, "Upgrading app password of user $login to " . UserHelper::HASH_ALGOS[0]); - if ($test_hash == $hash) { - $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET last_used = NOW() WHERE id = ?"); - $usth->execute([$row['id']]); + $new_hash = UserHelper::hash_password($password, $salt, UserHelper::HASH_ALGOS[0]); - return $row['uid']; + if ($new_hash) { + $usth = $this->pdo->prepare("UPDATE ttrss_app_passwords SET pwd_hash = ? WHERE id = ?"); + $usth->execute(["$new_hash:$salt", $row['id']]); + } } - } else { - user_error("Got unknown algo of app password for user $login: $algo"); + + return $row['uid']; } } |