Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use Bcrypt instead of MD5/plaintext #343

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Use Bcrypt instead of MD5/plaintext #343

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions config/application.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@
'GMPasswordMinSymbol' => 1, // Number of symbols to require in passwords for GM accounts.
'RandomPasswordLength' => 16, // This is the length of the random password generated by the "Reset Password" feature. (NOTE: Hardcoded minimum value of 8)
'AllowUserInPassword' => false, // Whether or not to allow the password to contain the username. (NOTE: A case-insensitive search is performed)
'BcryptCost' => 10, // The cost Bcrypt will use. Decrease to lessen CPU usage.
'AllowDuplicateEmails' => false, // Whether or not to allow duplicate e-mails to be used in registration. (See Mailer config options)
'RequireEmailConfirm' => false, // Require e-mail confirmation during registration.
'RequireChangeConfirm' => false, // Require confirmation when changing e-mail addresses.
Expand Down
7 changes: 5 additions & 2 deletions lib/Flux.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -592,8 +592,11 @@ public static function getAthenaServerByName($serverName, $athenaServerName)
*/
public static function hashPassword($password)
{
// Default hashing schema is MD5.
return md5($password);
// Default hashing schema is Brypt.
$options = [
'cost' => Flux::config('BcryptCost'),
];
return password_hash($password, PASSWORD_BCRYPT, $options);
}

/**
Expand Down
21 changes: 5 additions & 16 deletions lib/Flux/LoginServer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,28 +71,19 @@ public function isAuth($username, $password)
return false;
}

if ($this->config->get('UseMD5')) {
$password = Flux::hashPassword($password);
}

$sql = "SELECT userid FROM {$this->loginDatabase}.login WHERE sex != 'S' AND group_id >= 0 ";
$sql = "SELECT userid AND user_pass FROM {$this->loginDatabase}.login WHERE sex != 'S' AND group_id >= 0 ";
if ($this->config->getNoCase()) {
$sql .= 'AND LOWER(userid) = LOWER(?) ';
}
else {
$sql .= 'AND CAST(userid AS BINARY) = ? ';
}
$sql .= "AND user_pass = ? LIMIT 1";
$sql .= "LIMIT 1";
$sth = $this->connection->getStatement($sql);
$sth->execute(array($username, $password));
$sth->execute(array($username));

$res = $sth->fetch();
if ($res) {
return true;
}
else {
return false;
}
return password_verify($password, $res->user_pass);
}

/**
Expand Down Expand Up @@ -190,9 +181,7 @@ public function register($username, $password, $confirmPassword, $email,$email2,
}
}

if ($this->config->getUseMD5()) {
$password = Flux::hashPassword($password);
}
$password = Flux::hashPassword($password);

$sql = "INSERT INTO {$this->loginDatabase}.login (userid, user_pass, email, sex, group_id, birthdate) VALUES (?, ?, ?, ?, ?, ?)";
$sth = $this->connection->getStatement($sql);
Expand Down
8 changes: 3 additions & 5 deletions modules/account/changepass.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,11 +61,9 @@
$sth->execute(array($session->account->account_id));

$account = $sth->fetch();
$useMD5 = $session->loginServer->config->getUseMD5();
$currentPassword = $useMD5 ? Flux::hashPassword($currentPassword) : $currentPassword;
$newPassword = $useMD5 ? Flux::hashPassword($newPassword) : $newPassword;

if ($currentPassword != $account->currentPassword) {
$newPassword = Flux::hashPassword($newPassword);

if (password_verify($currentPassword, $account->currentPassword)) {
$errorMessage = Flux::message('OldPasswordInvalid');
}
else {
Expand Down
8 changes: 2 additions & 6 deletions modules/account/login.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,7 @@
$session->login($serverGroupName, $username, $password, $code);
$returnURL = $params->get('return_url');

if ($session->loginAthenaGroup->loginServer->config->getUseMD5()) {
$password = Flux::hashPassword($password);
}
$password = Flux::hashPassword($password);

$sql = "INSERT INTO {$session->loginAthenaGroup->loginDatabase}.$loginLogTable ";
$sql .= "(account_id, username, password, ip, error_code, login_date) ";
Expand Down Expand Up @@ -56,9 +54,7 @@
if ($row) {
$accountID = $row->account_id;

if ($loginAthenaGroup->loginServer->config->getUseMD5()) {
$password = Flux::hashPassword($password);
}
$password = Flux::hashPassword($password);

$sql = "INSERT INTO {$loginAthenaGroup->loginDatabase}.$loginLogTable ";
$sql .= "(account_id, username, password, ip, error_code, login_date) ";
Expand Down
4 changes: 1 addition & 3 deletions modules/account/resetpw.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,7 @@
}

$unhashedNewPassword = $newPassword;
if ($loginAthenaGroup->loginServer->config->getUseMD5()) {
$newPassword = Flux::hashPassword($newPassword);
}
$newPassword = Flux::hashPassword($newPassword);

if (!$sth->execute(array($_SERVER['REMOTE_ADDR'], $newPassword, $reset->id))) {
$session->setMessageData(Flux::message('ResetPwFailed'));
Expand Down