Hanno Böck commited on 2023-12-08 21:33:48
Zeige 2 geänderte Dateien mit 25 Einfügungen und 7 Löschungen.
| ... | ... |
@@ -12,8 +12,28 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
| 12 | 12 |
*/ |
| 13 | 13 |
|
| 14 | 14 |
require_once('inc/error.php');
|
| 15 |
+require_once('inc/base.php');
|
|
| 15 | 16 |
require_once('vendor/autoload.php');
|
| 16 | 17 |
|
| 18 |
+function gen_pw_hash($password) |
|
| 19 |
+{
|
|
| 20 |
+ $pwhash = crypt($password, '$6$' . random_string(6)); |
|
| 21 |
+ if (strlen($pwhash) < 13) {
|
|
| 22 |
+ /* returns a string shorter than 13 chars on failure */ |
|
| 23 |
+ system_failure("Failed to calculate password hash!");
|
|
| 24 |
+ } |
|
| 25 |
+ return $pwhash; |
|
| 26 |
+} |
|
| 27 |
+ |
|
| 28 |
+function check_pw_hash($password, $pwhash) |
|
| 29 |
+{
|
|
| 30 |
+ $checkhash = crypt($password, $pwhash); |
|
| 31 |
+ if (strlen($checkhash) < 13) {
|
|
| 32 |
+ /* returns a string shorter than 13 chars on failure */ |
|
| 33 |
+ system_failure("Invalid password hash!");
|
|
| 34 |
+ } |
|
| 35 |
+ return hash_equals($checkhash, $pwhash); |
|
| 36 |
+} |
|
| 17 | 37 |
|
| 18 | 38 |
function strong_password($password, $user = []) |
| 19 | 39 |
{
|
| ... | ... |
@@ -12,6 +12,7 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
| 12 | 12 |
*/ |
| 13 | 13 |
|
| 14 | 14 |
require_once('inc/base.php');
|
| 15 |
+require_once('inc/security.php');
|
|
| 15 | 16 |
require_once('inc/debug.php');
|
| 16 | 17 |
require_once('inc/error.php');
|
| 17 | 18 |
|
| ... | ... |
@@ -52,8 +53,7 @@ function find_role($login, $password, $i_am_admin = false) |
| 52 | 53 |
return null; |
| 53 | 54 |
} |
| 54 | 55 |
$db_password = $entry->password; |
| 55 |
- $hash = crypt($password, $db_password); |
|
| 56 |
- if (($entry->status == 0 && $hash == $db_password) || $i_am_admin) {
|
|
| 56 |
+ if (($entry->status == 0 && check_pw_hash($password, $db_password)) || $i_am_admin) {
|
|
| 57 | 57 |
$role = ROLE_SYSTEMUSER; |
| 58 | 58 |
if ($entry->primary) {
|
| 59 | 59 |
$role = $role | ROLE_CUSTOMER; |
| ... | ... |
@@ -117,8 +117,7 @@ function find_role($login, $password, $i_am_admin = false) |
| 117 | 117 |
if (@$result->rowCount() > 0) {
|
| 118 | 118 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
| 119 | 119 |
$db_password = $entry->cryptpass; |
| 120 |
- $hash = crypt($password, $db_password); |
|
| 121 |
- if ($hash == $db_password || $i_am_admin) {
|
|
| 120 |
+ if (check_pw_hash($password, $db_password) || $i_am_admin) {
|
|
| 122 | 121 |
logger(LOG_INFO, "session/checkuser", "login", "logged in e-mail-account »{$account}«.");
|
| 123 | 122 |
return ROLE_MAILACCOUNT; |
| 124 | 123 |
} |
| ... | ... |
@@ -131,8 +130,7 @@ function find_role($login, $password, $i_am_admin = false) |
| 131 | 130 |
if (@$result->rowCount() > 0) {
|
| 132 | 131 |
$entry = $result->fetch(PDO::FETCH_OBJ); |
| 133 | 132 |
$db_password = $entry->cryptpass; |
| 134 |
- $hash = crypt($password, $db_password); |
|
| 135 |
- if ($hash == $db_password || $i_am_admin) {
|
|
| 133 |
+ if (check_pw_hash($password, $db_password) || $i_am_admin) {
|
|
| 136 | 134 |
logger(LOG_INFO, "session/checkuser", "login", "logged in virtual e-mail-account »{$account}«.");
|
| 137 | 135 |
return ROLE_VMAIL_ACCOUNT; |
| 138 | 136 |
} |
| ... | ... |
@@ -260,7 +258,7 @@ function set_systemuser_password($uid, $newpass) |
| 260 | 258 |
{
|
| 261 | 259 |
$uid = (int) $uid; |
| 262 | 260 |
require_once('inc/base.php');
|
| 263 |
- $newpass = crypt($newpass, '$6$' . random_string(8) . '$'); |
|
| 261 |
+ $newpass = gen_pw_hash($newpass); |
|
| 264 | 262 |
db_query("UPDATE system.passwoerter SET passwort=:newpass WHERE uid=:uid", [":newpass" => $newpass, ":uid" => $uid]);
|
| 265 | 263 |
logger(LOG_INFO, "session/checkuser", "pwchange", "changed user's password."); |
| 266 | 264 |
} |
| 267 | 265 |
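Review bot: In the first find_role hunk (new line 56), check_pw_hash() calls system_failure() whenever crypt() returns a short string, so a row whose stored password is empty, locked (`!`/`*` style) or otherwise not a valid crypt hash now aborts the request where the old `$hash == $db_password` comparison simply failed the login; because the left operand is evaluated before `$i_am_admin`, that abort also hits the admin path that previously bypassed the password entirely. If such rows can exist (not visible here — confirm against the schema), short-circuit the admin case first, `if ($i_am_admin || ($entry->status == 0 && check_pw_hash($password, $db_password))) {`, and consider having the caller treat a non-crypt stored value as a failed login rather than a system error. The same ordering applies to the two mail-account hunks at new lines 120 and 133. find_role begins and ends outside the visible hunks.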