use real password hashes for subusers (5339d3a) - webinterface.git

use real password hashes for subusers

Hanno Böck commited on 2024-01-07 07:49:12
Zeige 3 geänderte Dateien mit 20 Einfügungen und 5 Löschungen.

inc/security.php 060239c..635cdba
modules/subusers/include/subuser.php cf9e258..166ceea
session/checkuser.php 81d4d04..b3f66d9

inc/security.php

@@ -30,6 +30,22 @@ function gen_pw_hash($password)
     return $pwhash;
 }
 
+
+function legacy_pw_verify($password, $hash)
+{
+    /* Supports legacy SHA1/SHA256 hashes without salt,
+       for new use cases use password_verify() instead */
+    if ($hash[0] == '$') {
+        return password_verify($password, $hash);
+    } elseif (strlen($hash) == 40) {
+        return hash_equals(sha1($password), $hash);
+    } elseif (strlen($hash) == 64) {
+        return hash_equals(hash("sha256", $password), $hash);
+    }
+    return false;
+}
+
+
 function strong_password($password, $user = [])
 {
     $pwcheck = config('pwcheck');

modules/subusers/include/subuser.php

Zeige Datei @ 5339d3a

@@ -104,7 +104,7 @@ function new_subuser($username, $requested_modules, $password)
 
     $args = [":uid" => $_SESSION['userinfo']['uid'],
                 ":username" => $username,
-                ":password" => hash("sha256", $password),
+                ":password" => gen_pw_hash($password),
                 ":modules" => implode(',', $modules), ];
 
     db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES (:uid, :username, :password, :modules)", $args);
@@ -159,7 +159,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
         if ($result !== true) {
             system_failure("Unsicheres Passwort: " . $result);
         }
-        $args[':password'] = hash("sha256", $password);
+        $args[':password'] = gen_pw_hash($password);
         $pwchange = ", password=:password";
     }
 

session/checkuser.php

Zeige Datei @ 5339d3a

@@ -86,8 +86,7 @@ function find_role($login, $password, $i_am_admin = false)
     if (@$result->rowCount() > 0) {
         $entry = $result->fetch(PDO::FETCH_OBJ);
         $db_password = $entry->password;
-        // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
-        if (hash("sha1", $password) == $db_password || hash("sha256", $password) == $db_password || $i_am_admin) {
+        if (legacy_pw_verify($password, $db_password) || $i_am_admin) {
             logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
             return ROLE_SUBUSER;
         }
@@ -249,7 +248,7 @@ function set_subuser_password($subuser, $newpass)
 {
     $args = [":subuser" => $subuser,
                 ":uid" => (int) $_SESSION['userinfo']['uid'],
-                ":newpass" => sha1($newpass), ];
+                ":newpass" => gen_pw_hash($newpass), ];
     db_query("UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid", $args);
     logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");
 }


...	...	@@ -104,7 +104,7 @@ function new_subuser($username, $requested_modules, $password)
104	104
105	105	$args = [":uid" => $_SESSION['userinfo']['uid'],
106	106	":username" => $username,
107		- ":password" => hash("sha256", $password),
	107	+ ":password" => gen_pw_hash($password),
108	108	":modules" => implode(',', $modules), ];
109	109
110	110	db_query("INSERT INTO system.subusers (uid, username, password, modules) VALUES (:uid, :username, :password, :modules)", $args);
...	...	@@ -159,7 +159,7 @@ function edit_subuser($id, $username, $requested_modules, $password)
159	159	if ($result !== true) {
160	160	system_failure("Unsicheres Passwort: " . $result);
161	161	}
162		- $args[':password'] = hash("sha256", $password);
	162	+ $args[':password'] = gen_pw_hash($password);
163	163	$pwchange = ", password=:password";
164	164	}
165	165

...	...	@@ -86,8 +86,7 @@ function find_role($login, $password, $i_am_admin = false)
86	86	if (@$result->rowCount() > 0) {
87	87	$entry = $result->fetch(PDO::FETCH_OBJ);
88	88	$db_password = $entry->password;
89		- // SHA1 für alte Subuser (kaylee), SHA256 für neue Subuser
90		- if (hash("sha1", $password) == $db_password \|\| hash("sha256", $password) == $db_password \|\| $i_am_admin) {
	89	+ if (legacy_pw_verify($password, $db_password) \|\| $i_am_admin) {
91	90	logger(LOG_INFO, "session/checkuser", "login", "logged in virtual subuser »{$login}«.");
92	91	return ROLE_SUBUSER;
93	92	}
...	...	@@ -249,7 +248,7 @@ function set_subuser_password($subuser, $newpass)
249	248	{
250	249	$args = [":subuser" => $subuser,
251	250	":uid" => (int) $_SESSION['userinfo']['uid'],
252		- ":newpass" => sha1($newpass), ];
	251	+ ":newpass" => gen_pw_hash($newpass), ];
253	252	db_query("UPDATE system.subusers SET password=:newpass WHERE username=:subuser AND uid=:uid", $args);
254	253	logger(LOG_INFO, "session/checkuser", "pwchange", "changed subuser's password.");
255	254	}
256	255

...	...	@@ -30,6 +30,22 @@ function gen_pw_hash($password)
30	30	return $pwhash;
31	31	}
32	32
	33	+
	34	+function legacy_pw_verify($password, $hash)
	35	+{
	36	+ /* Supports legacy SHA1/SHA256 hashes without salt,
	37	+ for new use cases use password_verify() instead */
	38	+ if ($hash[0] == '$') {
	39	+ return password_verify($password, $hash);
	40	+ } elseif (strlen($hash) == 40) {
	41	+ return hash_equals(sha1($password), $hash);
	42	+ } elseif (strlen($hash) == 64) {
	43	+ return hash_equals(hash("sha256", $password), $hash);
	44	+ }
	45	+ return false;
	46	+}
	47	+
	48	+
33	49	function strong_password($password, $user = [])
34	50	{
35	51	$pwcheck = config('pwcheck');