Website
/
Manager
1
0
Fork 0
Code Releases 11 Activity

Use Argon2id as password hashing algorithm

master
Anonymous Contributor 2023-08-23 18:16:34 +02:00
parent 5559355635
commit c4ce814333
5 changed files with 38 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
classen/OpenSim.php
View File

@ -15,11 +15,22 @@
while($rowAuth = $statementAuth->fetch()) while($rowAuth = $statementAuth->fetch())
{ {
if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) $passwordCorrect = false;
{ if(strlen($rowAuth['passwordHash']) == 32) {
return true; if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
$passwordCorrect = true;
$newHash = password_hash($password, PASSWORD_ARGON2ID);
$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
} }
} }
else {
$passwordCorrect = password_verify($password, $rowAuth['passwordHash']);
}
return $passwordCorrect;
}
} }
return false; return false;

16
pages/login.php
View File

@ -30,7 +30,21 @@
while($rowAuth = $statementAuth->fetch()) while($rowAuth = $statementAuth->fetch())
{ {
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) $passwordCorrect = false;
if(strlen($rowAuth['passwordHash']) == 32) {
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
$passwordCorrect = true;
$newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
}
}
else {
$passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
}
if($passwordCorrect)
{ {
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
$_SESSION['USERNAME'] = trim($_POST['username']); $_SESSION['USERNAME'] = trim($_POST['username']);

9
pages/password.php
View File

@ -9,9 +9,9 @@
if($OLDPassword != "") if($OLDPassword != "")
{ {
if(md5(md5($OLDPassword).":".$_SESSION['SALT']) == $_SESSION['PASSWORD']) if(password_verify($OLDPassword, $_SESSION['PASSWORD']))
{ {
if(isset($_REQUEST['newPassword']) || @$_REQUEST['newPassword'] != "") if(isset($_REQUEST['newPassword']) && $_REQUEST['newPassword'] != "")
{ {
$NewPassword = trim($_REQUEST['newPassword']); $NewPassword = trim($_REQUEST['newPassword']);
@ -25,9 +25,10 @@
{ {
if($NewPasswordRepeate == $NewPassword) if($NewPasswordRepeate == $NewPassword)
{ {
$hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
$statement->execute(['PasswordHash' => md5(md5($NewPassword).":".$_SESSION['SALT']), 'PrincipalID' => $_SESSION['UUID']]); $statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
$_SESSION['PASSWORD'] = md5(md5($NewPassword).":".$_SESSION['SALT']); $_SESSION['PASSWORD'] = $hash;
$_SESSION['pwChanged'] = true; $_SESSION['pwChanged'] = true;
header('Location: index.php?page=password'); header('Location: index.php?page=password');

8
pages/register.php
View File

@ -91,11 +91,10 @@
displayPage("Der gewählte Standardavatar existiert nicht."); displayPage("Der gewählte Standardavatar existiert nicht.");
} }
$avatarUUID = $RUNTIME['OPENSIM']->gen_uuid(); $avatarUUID = $RUNTIME['OPENSIM']->gen_uuid();
$passwordSalt = md5($avatarUUID.time()); $passwordHash = password_hash($RUNTIME['REGISTER']['PASS'], PASSWORD_ARGON2ID);
$passwordHash = md5(md5($RUNTIME['REGISTER']['PASS']).":".$passwordSalt);
$avatarNameParts = explode(" ", $RUNTIME['REGISTER']['Name']); $avatarNameParts = explode(" ", $RUNTIME['REGISTER']['Name']);
$statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `passwordSalt`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :SALTVALUE, :WEBKEY, :ACCTYPE)'); $statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :WEBKEY, :ACCTYPE)');
$statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'SALTVALUE' => $passwordSalt, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]); $statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);
$statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )'); $statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )');
$statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $avatarNameParts[0], 'LastName' => $avatarNameParts[1], 'Email' => $RUNTIME['REGISTER']['EMAIL'], 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]); $statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $avatarNameParts[0], 'LastName' => $avatarNameParts[1], 'Email' => $RUNTIME['REGISTER']['EMAIL'], 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]);
$statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileFirstImage`) VALUES (:useruuid, :profilePartner, :profileImage, :profileFirstImage)'); $statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileFirstImage`) VALUES (:useruuid, :profilePartner, :profileImage, :profileFirstImage)');
@ -123,7 +122,6 @@
$_SESSION['LASTNAME'] = trim($avatarNameParts[1]); $_SESSION['LASTNAME'] = trim($avatarNameParts[1]);
$_SESSION['EMAIL'] = trim($RUNTIME['REGISTER']['EMAIL']); $_SESSION['EMAIL'] = trim($RUNTIME['REGISTER']['EMAIL']);
$_SESSION['PASSWORD'] = $passwordHash; $_SESSION['PASSWORD'] = $passwordHash;
$_SESSION['SALT'] = $passwordSalt;
$_SESSION['UUID'] = $avatarUUID; $_SESSION['UUID'] = $avatarUUID;
$_SESSION['LEVEL'] = 0; $_SESSION['LEVEL'] = 0;
$_SESSION['DISPLAYNAME'] = strtoupper(trim($RUNTIME['REGISTER']['Name'])); $_SESSION['DISPLAYNAME'] = strtoupper(trim($RUNTIME['REGISTER']['Name']));

2
pages/users.php
View File

@ -21,7 +21,7 @@
$NEWPW = generateRandomString(10); $NEWPW = generateRandomString(10);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
$statement->execute(['PasswordHash' => md5(md5($NEWPW).":".$SALT), 'PrincipalID' => $_REQUEST['userid']]); $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]); $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);