From e90053fe8400893190f6b91bb4b78abe481f2e7f Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sun, 22 Jan 2012 11:48:08 +0400 Subject: improve password storage (use sha256 and long random salt) bump schema --- include/functions.php | 82 ++++++++++++++++++++++++++++++------------------ include/sanity_check.php | 2 +- 2 files changed, 52 insertions(+), 32 deletions(-) (limited to 'include') diff --git a/include/functions.php b/include/functions.php index f0b90b6f6..357fff787 100644 --- a/include/functions.php +++ b/include/functions.php @@ -701,20 +701,59 @@ // First login ? if (db_num_rows($result) == 0) { - $pwd_hash = encrypt_password(make_password(), $login); + $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); + $pwd_hash = encrypt_password($password, $salt, true); $query2 = "INSERT INTO ttrss_users - (login,access_level,last_login,created,pwd_hash) - VALUES ('$login', 0, null, NOW(), '$pwd_hash')"; + (login,access_level,last_login,created,pwd_hash,salt) + VALUES ('$login', 0, null, NOW(), '$pwd_hash','$salt')"; db_query($link, $query2); } } } else { - $query = "SELECT id,login,access_level,pwd_hash - FROM ttrss_users WHERE - login = '$login' AND (pwd_hash = '$pwd_hash1' OR + $result = db_query($link, "SELECT salt FROM ttrss_users WHERE + login = '$login'"); + + $salt = db_fetch_result($result, 0, "salt"); + + if ($salt == "") { + + $query = "SELECT id,login,access_level,pwd_hash + FROM ttrss_users WHERE + login = '$login' AND (pwd_hash = '$pwd_hash1' OR pwd_hash = '$pwd_hash2')"; + + // verify and upgrade password to new salt base + + $result = db_query($link, $query); + + if (db_num_rows($result) == 1) { + // upgrade password to MODE2 + + $salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250); + $pwd_hash = encrypt_password($password, $salt, true); + + db_query($link, "UPDATE ttrss_users SET + pwd_hash = '$pwd_hash', salt = '$salt' WHERE login = '$login'"); + + $query = "SELECT id,login,access_level,pwd_hash + FROM ttrss_users WHERE + login = '$login' AND pwd_hash = '$pwd_hash'"; + + } else { + return false; + } + + } else { + + $pwd_hash = encrypt_password($password, $salt, true); + + $query = "SELECT id,login,access_level,pwd_hash + FROM ttrss_users WHERE + login = '$login' AND pwd_hash = '$pwd_hash'"; + + } } $result = db_query($link, $query); @@ -774,20 +813,7 @@ function make_password($length = 8) { - $password = ""; - $possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ"; - - $i = 0; - - while ($i < $length) { - $char = substr($possible, mt_rand(0, strlen($possible)-1), 1); - - if (!strstr($password, $char)) { - $password .= $char; - $i++; - } - } - return $password; + return substr(bin2hex(openssl_random_pseudo_bytes($length / 2)), 0, $length); } // this is called after user is created to initialize default feeds, labels @@ -3448,22 +3474,16 @@ return $url_path; } // function add_feed_url - /** - * Encrypt a password in SHA1. - * - * @param string $pass The password to encrypt. - * @param string $login A optionnal login. - * @return string The encrypted password. - */ - function encrypt_password($pass, $login = '') { - if ($login) { - return "SHA1X:" . sha1("$login:$pass"); + function encrypt_password($pass, $salt = '', $mode2 = false) { + if ($salt && $mode2) { + return "MODE2:" . hash('sha256', $salt . $pass); + } else if ($salt) { + return "SHA1X:" . sha1("$salt:$pass"); } else { return "SHA1:" . sha1($pass); } } // function encrypt_password - function sanitize_article_content($text) { # we don't support CDATA sections in articles, they break our own escaping $text = preg_replace("/\[\[CDATA/", "", $text); diff --git a/include/sanity_check.php b/include/sanity_check.php index 4fe28c307..1cd2873df 100644 --- a/include/sanity_check.php +++ b/include/sanity_check.php @@ -6,7 +6,7 @@ } else { define('EXPECTED_CONFIG_VERSION', 25); - define('SCHEMA_VERSION', 87); + define('SCHEMA_VERSION', 88); require_once "config.php"; require_once "sanity_config.php"; -- cgit v1.2.3