Use Argon2id as password hashing algorithm
parent
5559355635
commit
c4ce814333
|
@ -15,11 +15,22 @@
|
|||
|
||||
while($rowAuth = $statementAuth->fetch())
|
||||
{
|
||||
if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
|
||||
{
|
||||
return true;
|
||||
$passwordCorrect = false;
|
||||
if(strlen($rowAuth['passwordHash']) == 32) {
|
||||
if(md5(md5($password).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
|
||||
$passwordCorrect = true;
|
||||
|
||||
$newHash = password_hash($password, PASSWORD_ARGON2ID);
|
||||
$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
|
||||
$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
|
||||
}
|
||||
}
|
||||
else {
|
||||
$passwordCorrect = password_verify($password, $rowAuth['passwordHash']);
|
||||
}
|
||||
|
||||
return $passwordCorrect;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
|
|
|
@ -30,7 +30,21 @@
|
|||
|
||||
while($rowAuth = $statementAuth->fetch())
|
||||
{
|
||||
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash'])
|
||||
$passwordCorrect = false;
|
||||
if(strlen($rowAuth['passwordHash']) == 32) {
|
||||
if(md5(md5($_POST['password']).":".$rowAuth['passwordSalt']) == $rowAuth['passwordHash']) {
|
||||
$passwordCorrect = true;
|
||||
|
||||
$newHash = password_hash($_POST['password'], PASSWORD_ARGON2ID);
|
||||
$updateHash = $RUNTIME['PDO']->prepare("UPDATE auth SET passwordHash = ?, passwordSalt = ? WHERE UUID = ?");
|
||||
$updateHash->execute(array($newHash, '', $rowUser['PrincipalID']));
|
||||
}
|
||||
}
|
||||
else {
|
||||
$passwordCorrect = password_verify($_POST['password'], $rowAuth['passwordHash']);
|
||||
}
|
||||
|
||||
if($passwordCorrect)
|
||||
{
|
||||
session_unset(); // Unset pre-session variables, next request will generate a new CSRF token
|
||||
$_SESSION['USERNAME'] = trim($_POST['username']);
|
||||
|
|
|
@ -9,9 +9,9 @@
|
|||
|
||||
if($OLDPassword != "")
|
||||
{
|
||||
if(md5(md5($OLDPassword).":".$_SESSION['SALT']) == $_SESSION['PASSWORD'])
|
||||
if(password_verify($OLDPassword, $_SESSION['PASSWORD']))
|
||||
{
|
||||
if(isset($_REQUEST['newPassword']) || @$_REQUEST['newPassword'] != "")
|
||||
if(isset($_REQUEST['newPassword']) && $_REQUEST['newPassword'] != "")
|
||||
{
|
||||
$NewPassword = trim($_REQUEST['newPassword']);
|
||||
|
||||
|
@ -25,9 +25,10 @@
|
|||
{
|
||||
if($NewPasswordRepeate == $NewPassword)
|
||||
{
|
||||
$hash = password_hash($NewPassword, PASSWORD_ARGON2ID);
|
||||
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
|
||||
$statement->execute(['PasswordHash' => md5(md5($NewPassword).":".$_SESSION['SALT']), 'PrincipalID' => $_SESSION['UUID']]);
|
||||
$_SESSION['PASSWORD'] = md5(md5($NewPassword).":".$_SESSION['SALT']);
|
||||
$statement->execute(['PasswordHash' => $hash, 'PrincipalID' => $_SESSION['UUID']]);
|
||||
$_SESSION['PASSWORD'] = $hash;
|
||||
$_SESSION['pwChanged'] = true;
|
||||
|
||||
header('Location: index.php?page=password');
|
||||
|
|
|
@ -91,11 +91,10 @@
|
|||
displayPage("Der gewählte Standardavatar existiert nicht.");
|
||||
}
|
||||
$avatarUUID = $RUNTIME['OPENSIM']->gen_uuid();
|
||||
$passwordSalt = md5($avatarUUID.time());
|
||||
$passwordHash = md5(md5($RUNTIME['REGISTER']['PASS']).":".$passwordSalt);
|
||||
$passwordHash = password_hash($RUNTIME['REGISTER']['PASS'], PASSWORD_ARGON2ID);
|
||||
$avatarNameParts = explode(" ", $RUNTIME['REGISTER']['Name']);
|
||||
$statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `passwordSalt`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :SALTVALUE, :WEBKEY, :ACCTYPE)');
|
||||
$statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'SALTVALUE' => $passwordSalt, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);
|
||||
$statementAuth = $RUNTIME['PDO']->prepare('INSERT INTO `auth` (`UUID`, `passwordHash`, `webLoginKey`, `accountType`) VALUES (:UUID, :HASHVALUE, :WEBKEY, :ACCTYPE)');
|
||||
$statementAuth->execute(['UUID' => $avatarUUID, 'HASHVALUE' => $passwordHash, 'WEBKEY' => "00000000-0000-0000-0000-000000000000", 'ACCTYPE' => "UserAccount"]);
|
||||
$statementAccounts = $RUNTIME['PDO']->prepare('INSERT INTO `UserAccounts` (`PrincipalID`, `ScopeID`, `FirstName`, `LastName`, `Email`, `ServiceURLs`, `Created`, `UserLevel`, `UserFlags`, `UserTitle`, `active`) VALUES (:PrincipalID, :ScopeID, :FirstName, :LastName, :Email, :ServiceURLs, :Created, :UserLevel, :UserFlags, :UserTitle, :active )');
|
||||
$statementAccounts->execute(['PrincipalID' => $avatarUUID, 'ScopeID' => "00000000-0000-0000-0000-000000000000", 'FirstName' => $avatarNameParts[0], 'LastName' => $avatarNameParts[1], 'Email' => $RUNTIME['REGISTER']['EMAIL'], 'ServiceURLs' => "HomeURI= GatekeeperURI= InventoryServerURI= AssetServerURI= ", 'Created' => time(), 'UserLevel' => 0, 'UserFlags' => 0, 'UserTitle' => "", 'active' => 1]);
|
||||
$statementProfile = $RUNTIME['PDO']->prepare('INSERT INTO `userprofile` (`useruuid`, `profilePartner`, `profileImage`, `profileFirstImage`) VALUES (:useruuid, :profilePartner, :profileImage, :profileFirstImage)');
|
||||
|
@ -123,7 +122,6 @@
|
|||
$_SESSION['LASTNAME'] = trim($avatarNameParts[1]);
|
||||
$_SESSION['EMAIL'] = trim($RUNTIME['REGISTER']['EMAIL']);
|
||||
$_SESSION['PASSWORD'] = $passwordHash;
|
||||
$_SESSION['SALT'] = $passwordSalt;
|
||||
$_SESSION['UUID'] = $avatarUUID;
|
||||
$_SESSION['LEVEL'] = 0;
|
||||
$_SESSION['DISPLAYNAME'] = strtoupper(trim($RUNTIME['REGISTER']['Name']));
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
$NEWPW = generateRandomString(10);
|
||||
|
||||
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
|
||||
$statement->execute(['PasswordHash' => md5(md5($NEWPW).":".$SALT), 'PrincipalID' => $_REQUEST['userid']]);
|
||||
$statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);
|
||||
|
||||
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID');
|
||||
$statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
|
||||
|
|
Loading…
Reference in New Issue