From c4ce814333ccd35af29997feb1bf9ae34a12c404 Mon Sep 17 00:00:00 2001
From: Anonymous Contributor
Date: Wed, 23 Aug 2023 18:16:34 +0200
Subject: [PATCH] Use Argon2id as password hashing algorithm

---
 classen/OpenSim.php | 17 ++++++++++++++---
 pages/login.php | 16 +++++++++++++++-
 pages/password.php | 9 +++++----
 pages/register.php | 8 +++-----
 pages/users.php | 2 +-
 5 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/classen/OpenSim.php b/classen/OpenSim.php
index 00c8615..60ed064 100644
--- a/classen/OpenSim.php
+++ b/classen/OpenSim.php
@@ -15,10 +15,21 @@
 while($rowAuth = $statementAuth->fetch())
 {
- if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
- {
- return true;
+ $passwordCorrect = false;
+ if(strlen($rowAuth['passwordHash']) == 32) {
+ if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
+ $passwordCorrect = true;
+
+ $newHash = password_hash($password, PASSWORD_ARGON2ID);
+ $updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
+ $updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
+ }
 }
+ else {
+ $passwordCorrect = password_verify($password, $rowAuth['passwordHash']);
+ }
+
+ return $passwordCorrect;
 }
 }
diff --git a/pages/login.php b/pages/login.php
index ddffa77..02eb40c 100644
--- a/pages/login.php
+++ b/pages/login.php
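Review bot: The Argon2id string written by the new `UPDATE auth SET passwordHash = ?` is roughly three times longer than the 32-character MD5 digest this branch's `strlen(...) == 32` check assumes the column was sized for; if `auth.passwordHash` is still a 32-character column the stored hash is truncated or rejected and every later `password_verify` fails, and the diffstat shows no schema migration accompanying this change — the same applies to the writes in pages/login.php, pages/password.php, pages/register.php and pages/users.php. If this `auth` table is also read by the OpenSimulator grid's own authentication service, which verifies the `md5(md5(password).":".salt)` scheme, migrated accounts would presumably no longer be able to log in through a viewer; confirm before merging. The legacy comparison kept on the new side still uses `==` on two hex strings, which PHP compares numerically when both look like numbers, so use `if(hash_equals($rowAuth['passwordHash'], md5(md5($password).":".$rowAuth['passwordSalt']))) {`. The migration keys on `$rowUser['PrincipalID']` while the loop iterates `$rowAuth`; if `$rowUser` is not in scope (the enclosing method starts outside the hunk) the UPDATE matches no row and the migration silently never happens — `$rowAuth['UUID']`, if the SELECT returns it, would be the safer key. `password_hash()` throws when the PHP build lacks Argon2 support, so that deployment requirement should be documented or checked at startup.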
@@ -30,7 +30,21 @@
 while($rowAuth = $statementAuth->fetch())
 {
- if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
+ $passwordCorrect = false;
+ if(strlen($rowAuth['passwordHash']) == 32) {
+ if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
+ $passwordCorrect = true;
+
+ $newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
+ $updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
+ $updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
+ }
+ }
+ else {
+ $passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
+ }
+
+ if($passwordCorrect) {
 session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
 $_SESSION['USERNAME'] = trim($_POST['username']);
diff --git a/pages/password.php b/pages/password.php
index fe1ab6e..77df625 100644
--- a/pages/password.php
+++ b/pages/password.php
@@ -9,9 +9,9 @@
 if($OLDPassword != "")
 {
- if(md5(md5($OLDPassword).":".$_SESSION['SALT']) == $_SESSION['PASSWORD'])
+ if(password_verify($OLDPassword, $_SESSION['PASSWORD']))
 {
- if(isset($_REQUEST['newPassword']) || @$_REQUEST['newPassword'] != "")
+ if(isset($_REQUEST['newPassword']) && $_REQUEST['newPassword'] != "")
 {
 $NewPassword = trim($_REQUEST['newPassword']);
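Review bot: The verify-and-migrate block added here is a line-for-line copy of the one added in classen/OpenSim.php, with `$_POST['password']` in place of `$password`, so the points raised there (column width, `hash_equals`, the `$rowUser` key) apply twice and any fix has to be made twice. A single method on the OpenSim class that takes the candidate password and the auth row and returns the boolean would let pages/login.php call it instead of duplicating the branch. The enclosing `while` loop and the login handler around it extend outside the hunk.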
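Review bot: `password_verify($OLDPassword, $_SESSION['PASSWORD'])` only succeeds when the session holds a `password_hash()` string, but if the login handler copies `$rowAuth['passwordHash']` into `$_SESSION['PASSWORD']` before the migration UPDATE runs (that code is outside the hunk) a user's first login after this upgrade leaves the legacy MD5 digest in the session and the old-password check fails until they log in again. Re-reading the current hash from `auth` by `$_SESSION['UUID']` at this point would avoid the stale copy and remove the need to keep a password hash in session state at all. The surrounding `$OLDPassword != ""` test is a loose comparison; `$OLDPassword !== ''` is the intended check.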
@@ -25,9 +25,10 @@
 {
 if($NewPasswordRepeate == $NewPassword)
 {
+ $hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
 $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
- $statement->execute(['PasswordHash' => md5(md5($NewPassword).":".$_SESSION['SALT']), 'PrincipalID' => $_SESSION['UUID']]);
- $_SESSION['PASSWORD'] = md5(md5($NewPassword).":".$_SESSION['SALT']);
+ $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
+ $_SESSION['PASSWORD'] = $hash;
 $_SESSION['pwChanged'] = true;
 header('Location: index.php?page=password');
diff --git a/pages/register.php b/pages/register.php
index 84356e4..a52dc5b 100644
--- a/pages/register.php
+++ b/pages/register.php
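Review bot: `password_hash($NewPassword, PASSWORD_ARGON2ID)` is one of five literal calls to the algorithm in this patch (pages/register.php, pages/users.php and the two verifiers carry the others), so a change of algorithm or cost parameters would have to be made in five places. A single helper on the OpenSim class, e.g. `public function hashPassword(string $password): string { return password_hash($password, PASSWORD_ARGON2ID); }`, would centralise it and is the natural place to pass non-default `memory_cost`/`time_cost` options later. The UPDATE here also leaves the now-meaningless `passwordSalt` in place, whereas the login migration clears it; `UPDATE auth SET passwordHash = :PasswordHash, passwordSalt = '' WHERE UUID = :PrincipalID` would keep the rows consistent.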
@@ -91,11 +91,10 @@ displayPage("Der gewählte Standardavatar existiert nicht.");
 }
 $avatarUUID = $RUNTIME['OPENSIM']->gen_uuid();
- $passwordSalt = md5($avatarUUID.time());
- $passwordHash = md5(md5($RUNTIME['REGISTER']['PASS']).":".$passwordSalt);
+ $passwordHash = password_hash($RUNTIME['REGISTER']['PASS'], PASSWORD_ARGON2ID);
 $avatarNameParts = explode(" ", $RUNTIME['REGISTER']['Name']);
- $statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `passwordSalt`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :SALTVALUE, :WEBKEY, :ACCTYPE)');
- $statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'SALTVALUE' => $passwordSalt, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);
+ $statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :WEBKEY, :ACCTYPE)');
+ $statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);
 $statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )');
 $statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $avatarNameParts[0], 'LastName' => $avatarNameParts[1], 'Email' => $RUNTIME['REGISTER']['EMAIL'], 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]);
 $statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileFirstImage`)
 VALUES (:useruuid, :profilePartner, :profileImage, :profileFirstImage)');
@@ -123,7 +122,6 @@
 $_SESSION['LASTNAME'] = trim($avatarNameParts[1]);
 $_SESSION['EMAIL'] = trim($RUNTIME['REGISTER']['EMAIL']);
 $_SESSION['PASSWORD'] = $passwordHash;
- $_SESSION['SALT'] = $passwordSalt;
 $_SESSION['UUID'] = $avatarUUID;
 $_SESSION['LEVEL'] = 0;
 $_SESSION['DISPLAYNAME'] = strtoupper(trim($RUNTIME['REGISTER']['Name']));
diff --git a/pages/users.php b/pages/users.php
index 156688f..9b8e9bf 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -21,7 +21,7 @@
 $NEWPW = generateRandomString(10);
 $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
- $statement->execute(['PasswordHash' => md5(md5($NEWPW).":".$SALT), 'PrincipalID' => $_REQUEST['userid']]);
+ $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);
 $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
 $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
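Review bot: The rewritten INSERT no longer supplies `passwordSalt`; if that column has no default value in the `auth` schema the insert fails, whereas the migration UPDATE in classen/OpenSim.php writes `passwordSalt = ''` explicitly. Keeping the column in the statement with `'SALTVALUE' => ''` would make registration independent of the column definition and match the other write. `$_SESSION['PASSWORD'] = $passwordHash` in the next hunk now stores an Argon2id string, which is what pages/password.php's `password_verify` expects, so that path is consistent.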
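Review bot: The new `password_hash(...)` write is immediately followed by a second UPDATE that still stores `$SALT` into `passwordSalt` (context lines), so an admin reset leaves a non-legacy hash next to a legacy salt; the verifiers now pick the legacy branch by hash length so this is harmless today, but the second statement should be dropped or write `''` as the login migration does. `generateRandomString(10)` is defined outside this file, so whether the temporary password comes from a CSPRNG cannot be judged from this hunk — it should be backed by `random_int()`/`random_bytes()`. The `$_REQUEST['userid']` key is passed through unvalidated, which predates this change.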