Commit 2d6d9eb4 authored by Marius Burkard's avatar Marius Burkard

- Support CRYPT-SHA512 and SHA256 for passwords, implements #5353

parent f343e169
ALTER TABLE `client` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
ALTER TABLE `ftp_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
ALTER TABLE `shell_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
ALTER TABLE `sys_user` CHANGE COLUMN `passwort` `passwort` VARCHAR(200) DEFAULT NULL;
ALTER TABLE `webdav_user` CHANGE COLUMN `password` `password` VARCHAR(200) DEFAULT NULL;
\ No newline at end of file
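Review bot: The `sys_user` statement on the fourth line drops the column's `NOT NULL default ''` and makes `passwort` nullable with `DEFAULT NULL`, while the fresh-install schema in this same commit keeps `passwort varchar(200) NOT NULL default ''` in its `sys_user` hunk, so upgraded and freshly installed databases end up with different column definitions. The other four tables were already nullable in the schema, so only this line diverges; change it to `ALTER TABLE sys_user CHANGE COLUMN passwort passwort VARCHAR(200) NOT NULL DEFAULT '';` (with the original backtick quoting). The new width itself is sufficient: a `$6$rounds=5000$` hash with a 16-character salt is well under 200 characters.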
...@@ -243,7 +243,7 @@ CREATE TABLE `client` ( ...@@ -243,7 +243,7 @@ CREATE TABLE `client` (
`limit_openvz_vm_template_id` int(11) NOT NULL DEFAULT '0', `limit_openvz_vm_template_id` int(11) NOT NULL DEFAULT '0',
`parent_client_id` int(11) unsigned NOT NULL DEFAULT '0', `parent_client_id` int(11) unsigned NOT NULL DEFAULT '0',
`username` varchar(64) DEFAULT NULL, `username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL, `password` varchar(200) DEFAULT NULL,
`language` char(2) NOT NULL DEFAULT 'en', `language` char(2) NOT NULL DEFAULT 'en',
`usertheme` varchar(32) NOT NULL DEFAULT 'default', `usertheme` varchar(32) NOT NULL DEFAULT 'default',
`template_master` int(11) unsigned NOT NULL DEFAULT '0', `template_master` int(11) unsigned NOT NULL DEFAULT '0',
...@@ -705,7 +705,7 @@ CREATE TABLE `ftp_user` ( ...@@ -705,7 +705,7 @@ CREATE TABLE `ftp_user` (
`parent_domain_id` int(11) unsigned NOT NULL default '0', `parent_domain_id` int(11) unsigned NOT NULL default '0',
`username` varchar(64) default NULL, `username` varchar(64) default NULL,
`username_prefix` varchar(50) NOT NULL default '', `username_prefix` varchar(50) NOT NULL default '',
`password` varchar(64) default NULL, `password` varchar(200) default NULL,
`quota_size` bigint(20) NOT NULL default '-1', `quota_size` bigint(20) NOT NULL default '-1',
`active` enum('n','y') NOT NULL default 'y', `active` enum('n','y') NOT NULL default 'y',
`uid` varchar(64) default NULL, `uid` varchar(64) default NULL,
...@@ -1440,7 +1440,7 @@ CREATE TABLE `shell_user` ( ...@@ -1440,7 +1440,7 @@ CREATE TABLE `shell_user` (
`parent_domain_id` int(11) unsigned NOT NULL default '0', `parent_domain_id` int(11) unsigned NOT NULL default '0',
`username` varchar(64) default NULL, `username` varchar(64) default NULL,
`username_prefix` varchar(50) NOT NULL default '', `username_prefix` varchar(50) NOT NULL default '',
`password` varchar(64) default NULL, `password` varchar(200) default NULL,
`quota_size` bigint(20) NOT NULL default '-1', `quota_size` bigint(20) NOT NULL default '-1',
`active` enum('n','y') NOT NULL default 'y', `active` enum('n','y') NOT NULL default 'y',
`puser` varchar(255) default NULL, `puser` varchar(255) default NULL,
...@@ -1864,7 +1864,7 @@ CREATE TABLE `sys_user` ( ...@@ -1864,7 +1864,7 @@ CREATE TABLE `sys_user` (
`sys_perm_group` varchar(5) NOT NULL default 'riud', `sys_perm_group` varchar(5) NOT NULL default 'riud',
`sys_perm_other` varchar(5) NOT NULL default '', `sys_perm_other` varchar(5) NOT NULL default '',
`username` varchar(64) NOT NULL default '', `username` varchar(64) NOT NULL default '',
`passwort` varchar(64) NOT NULL default '', `passwort` varchar(200) NOT NULL default '',
`modules` varchar(255) NOT NULL default '', `modules` varchar(255) NOT NULL default '',
`startmodule` varchar(255) NOT NULL default '', `startmodule` varchar(255) NOT NULL default '',
`app_theme` varchar(32) NOT NULL default 'default', `app_theme` varchar(32) NOT NULL default 'default',
...@@ -1899,7 +1899,7 @@ CREATE TABLE `webdav_user` ( ...@@ -1899,7 +1899,7 @@ CREATE TABLE `webdav_user` (
`parent_domain_id` int(11) unsigned NOT NULL DEFAULT '0', `parent_domain_id` int(11) unsigned NOT NULL DEFAULT '0',
`username` varchar(64) DEFAULT NULL, `username` varchar(64) DEFAULT NULL,
`username_prefix` varchar(50) NOT NULL default '', `username_prefix` varchar(50) NOT NULL default '',
`password` varchar(64) DEFAULT NULL, `password` varchar(200) DEFAULT NULL,
`active` enum('n','y') NOT NULL DEFAULT 'y', `active` enum('n','y') NOT NULL DEFAULT 'y',
`dir` varchar(255) DEFAULT NULL, `dir` varchar(255) DEFAULT NULL,
PRIMARY KEY (`webdav_user_id`) PRIMARY KEY (`webdav_user_id`)
......
...@@ -231,12 +231,27 @@ class auth { ...@@ -231,12 +231,27 @@ class auth {
if($charset != 'UTF-8') { if($charset != 'UTF-8') {
$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8'); $cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
} }
$salt="$1$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
for ($n=0;$n<8;$n++) { $salt = '$6$rounds=5000$';
$salt.=$base64_alphabet[mt_rand(0, 63)]; $salt_length = 16;
} elseif(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) {
$salt = '$5$rounds=5000$';
$salt_length = 16;
} else {
$salt = '$1$';
$salt_length = 12;
}
if(function_exists('openssl_random_pseudo_bytes')) {
$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
} else {
$base64_alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
for($n = 0; $n < $salt_length; $n++) {
$salt .= $base64_alphabet[mt_rand(0, 63)];
}
} }
$salt.="$"; $salt .= "$";
return crypt($cleartext_password, $salt); return crypt($cleartext_password, $salt);
} }
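Review bot: `openssl_random_pseudo_bytes()` on the new salt line is called without its `$crypto_strong` out-parameter, so bytes the library itself flags as weak are used as the salt with no fallback, while the branch that does fall back relies on `mt_rand()`, which is not a cryptographic generator. Because the bytes are hex-encoded before being cut to `$salt_length`, a 16-character SHA-crypt salt carries 64 bits of randomness rather than the 96 the base64 alphabet would give; `$bytes = openssl_random_pseudo_bytes($salt_length, $strong);` and falling into the alphabet loop when `$strong` is false keeps the fallback honest, and `random_bytes()` is the better source if the project's minimum PHP version is 7. The md5-crypt branch sets `$salt_length = 12`, but that scheme uses at most 8 salt characters, so the extra four appear to be discarded by `crypt()` rather than stored. The enclosing `crypt_password()` method begins outside the hunk.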
......
...@@ -604,11 +604,9 @@ class remoting_client extends remoting { ...@@ -604,11 +604,9 @@ class remoting_client extends remoting {
if($user) { if($user) {
$saved_password = stripslashes($user['password']); $saved_password = stripslashes($user['password']);
if(substr($saved_password, 0, 3) == '$1$') { if(preg_match('/^\$[156]\$/', $saved_password)) {
//* The password is crypt-md5 encrypted //* The password is crypt encrypted
$salt = '$1$'.substr($saved_password, 3, 8).'$'; if(crypt(stripslashes($password), $saved_password) !== $saved_password) {
if(crypt(stripslashes($password), $salt) != $saved_password) {
$user = false; $user = false;
} }
} else { } else {
...@@ -636,11 +634,9 @@ class remoting_client extends remoting { ...@@ -636,11 +634,9 @@ class remoting_client extends remoting {
if($user) { if($user) {
$saved_password = stripslashes($user['passwort']); $saved_password = stripslashes($user['passwort']);
if(substr($saved_password, 0, 3) == '$1$') { if(preg_match('/^\$[156]\$/', $saved_password)) {
//* The password is crypt-md5 encrypted //* The password is crypt-md5 encrypted
$salt = '$1$'.substr($saved_password, 3, 8).'$'; if(crypt(stripslashes($password), $saved_password) != $saved_password) {
if(crypt(stripslashes($password), $salt) != $saved_password) {
$user = false; $user = false;
} }
} else { } else {
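Review bot: The second hunk keeps the loose `!=` comparison and the stale `crypt-md5 encrypted` comment, while the first hunk already switched the same check to `!==` and `crypt encrypted`; the login hunk in remoting.php below has the same stale form. Both should read `if(crypt(stripslashes($password), $saved_password) !== $saved_password) {` under the comment `//* The password is crypt encrypted ($1$, $5$ or $6$)`. The strict comparison matters because `crypt()` returns a short failure marker for an unsupported scheme, and where PHP 5.6+ is available `hash_equals($saved_password, crypt(stripslashes($password), $saved_password))` gives a constant-time check. The enclosing login methods begin outside the hunks.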
......
...@@ -99,28 +99,22 @@ class remoting { ...@@ -99,28 +99,22 @@ class remoting {
if($user) { if($user) {
$saved_password = stripslashes($user['passwort']); $saved_password = stripslashes($user['passwort']);
if(substr($saved_password, 0, 3) == '$1$') { if(preg_match('/^\$[156]\$/', $saved_password)) {
//* The password is crypt-md5 encrypted //* The password is crypt-md5 encrypted
$salt = '$1$'.substr($saved_password, 3, 8).'$'; if(crypt(stripslashes($password), $saved_password) != $saved_password) {
if(crypt(stripslashes($password), $salt) != $saved_password) {
throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.'); throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
return false;
} }
} else { } else {
//* The password is md5 encrypted //* The password is md5 encrypted
if(md5($password) != $saved_password) { if(md5($password) != $saved_password) {
throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.'); throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
return false;
} }
} }
} else { } else {
throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.'); throw new SoapFault('client_login_failed', 'The login failed. Username or password wrong.');
return false;
} }
if($user['active'] != 1) { if($user['active'] != 1) {
throw new SoapFault('client_login_failed', 'The login failed. User is blocked.'); throw new SoapFault('client_login_failed', 'The login failed. User is blocked.');
return false;
} }
// now we need the client data // now we need the client data
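Review bot: The `else` branch still accepts bare `md5($password)` hashes and existing `$1$` hashes keep verifying as before, but nothing in this commit rehashes such a password with `crypt_password()` after a successful login, so upgraded installations keep their weaker hashes until each user changes the password. If this login path can write to `sys_user`, a successful legacy match is the natural place to store `$app->auth->crypt_password($password)`; if it cannot, a line in the commit message saying existing hashes are not migrated would help operators plan a forced reset. The unreachable `return false` removals are fine. The enclosing login function begins outside the hunk.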
......
...@@ -104,6 +104,8 @@ class page_action extends tform_actions { ...@@ -104,6 +104,8 @@ class page_action extends tform_actions {
function onAfterUpdate() { function onAfterUpdate() {
global $app, $conf; global $app, $conf;
$app->uses('auth');
$client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ?", $this->id); $client = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE userid = ?", $this->id);
$client_id = $app->functions->intval($client['client_id']); $client_id = $app->functions->intval($client['client_id']);
$username = $this->dataRecord["username"]; $username = $this->dataRecord["username"];
...@@ -121,13 +123,7 @@ class page_action extends tform_actions { ...@@ -121,13 +123,7 @@ class page_action extends tform_actions {
// password changed // password changed
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["passwort"]) && $this->dataRecord["passwort"] != '') { if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["passwort"]) && $this->dataRecord["passwort"] != '') {
$password = $this->dataRecord["passwort"]; $password = $this->dataRecord["passwort"];
$salt="$1$"; $password = $app->auth->crypt_password($password);
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
for ($n=0;$n<8;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
$password = crypt(stripslashes($password), $salt);
$sql = "UPDATE client SET password = ? WHERE client_id = ? AND username = ?"; $sql = "UPDATE client SET password = ? WHERE client_id = ? AND username = ?";
$app->db->query($sql, $password, $client_id, $username); $app->db->query($sql, $password, $client_id, $username);
} }
......
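Review bot: The new line `$password = $app->auth->crypt_password($password);` hashes the raw form value, whereas the removed code hashed `stripslashes($password)` and the reseller_edit hunks in this commit call `crypt_password(stripslashes($password))`. If the incoming record is still slash-escaped, a password containing a backslash or quote now yields a hash that the remoting login, which verifies `stripslashes($password)`, will not match; either apply `stripslashes()` here as well or drop it consistently in every caller. The enclosing `onAfterUpdate()` body runs past the hunk.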
...@@ -200,6 +200,9 @@ class page_action extends tform_actions { ...@@ -200,6 +200,9 @@ class page_action extends tform_actions {
*/ */
function onAfterInsert() { function onAfterInsert() {
global $app, $conf; global $app, $conf;
$app->uses('auth');
// Create the group for the reseller // Create the group for the reseller
$groupid = $app->db->datalogInsert('sys_group', array("name" => $this->dataRecord["username"], "description" => '', "client_id" => $this->id), 'groupid'); $groupid = $app->db->datalogInsert('sys_group', array("name" => $this->dataRecord["username"], "description" => '', "client_id" => $this->id), 'groupid');
$groups = $groupid; $groups = $groupid;
...@@ -213,14 +216,8 @@ class page_action extends tform_actions { ...@@ -213,14 +216,8 @@ class page_action extends tform_actions {
$active = 1; $active = 1;
$language = $this->dataRecord["language"]; $language = $this->dataRecord["language"];
$salt="$1$"; $password = $app->auth->crypt_password(stripslashes($password));
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
for ($n=0;$n<8;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
$password = crypt(stripslashes($password), $salt);
// Create the controlpaneluser for the reseller // Create the controlpaneluser for the reseller
$sql = "INSERT INTO sys_user (`username`,`passwort`,`modules`,`startmodule`,`app_theme`,`typ`, `active`,`language`,`groups`,`default_group`,`client_id`) $sql = "INSERT INTO sys_user (`username`,`passwort`,`modules`,`startmodule`,`app_theme`,`typ`, `active`,`language`,`groups`,`default_group`,`client_id`)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"; VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
...@@ -313,6 +310,8 @@ class page_action extends tform_actions { ...@@ -313,6 +310,8 @@ class page_action extends tform_actions {
function onAfterUpdate() { function onAfterUpdate() {
global $app, $conf; global $app, $conf;
$app->uses('auth');
// username changed // username changed
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord['username']) && $this->dataRecord['username'] != '' && $this->oldDataRecord['username'] != $this->dataRecord['username']) { if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord['username']) && $this->dataRecord['username'] != '' && $this->oldDataRecord['username'] != $this->dataRecord['username']) {
$username = $this->dataRecord["username"]; $username = $this->dataRecord["username"];
...@@ -329,13 +328,8 @@ class page_action extends tform_actions { ...@@ -329,13 +328,8 @@ class page_action extends tform_actions {
if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["password"]) && $this->dataRecord["password"] != '') { if(isset($conf['demo_mode']) && $conf['demo_mode'] != true && isset($this->dataRecord["password"]) && $this->dataRecord["password"] != '') {
$password = $this->dataRecord["password"]; $password = $this->dataRecord["password"];
$client_id = $this->id; $client_id = $this->id;
$salt="$1$";
$base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; $password = $app->auth->crypt_password(stripslashes($password));
for ($n=0;$n<8;$n++) {
$salt.=$base64_alphabet[mt_rand(0, 63)];
}
$salt.="$";
$password = crypt(stripslashes($password), $salt);
$sql = "UPDATE sys_user SET passwort = ? WHERE client_id = ?"; $sql = "UPDATE sys_user SET passwort = ? WHERE client_id = ?";
$app->db->query($sql, $password, $client_id); $app->db->query($sql, $password, $client_id);
} }
......