From f34103ab5e521b6ae34fc5a063b253da271e2940 Mon Sep 17 00:00:00 2001 From: hecht Date: Sun, 4 Oct 2015 10:36:32 +0000 Subject: [PATCH] ported the password handling to use bcrypt instead of the old AES stuffz --- ag/include/user.inc.php | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/ag/include/user.inc.php b/ag/include/user.inc.php index 1097b44..91a42e8 100644 --- a/ag/include/user.inc.php +++ b/ag/include/user.inc.php @@ -90,39 +90,42 @@ function checkCookiePassword($username, $password){ } function checkLoginPassword($username, $password){ + // We should now use the BCRYPT algo to store passwords + $pw = encryptPassword($password); + $sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as encrypt_password, passwort from user where nickname = \''.$username.'\''; // echo $sql.'
'; $row = mysql_fetch_assoc(mysql_query($sql)); if($row){ - if($row['encrypt_password'] != $row['passwort'] && md5($password) == $row['passwort']){ + if($row['passwort'] == $pw) { + return true; // already bcrypt based! + } + if($row['encrypt_password'] == $row['passwort'] || md5($password) == $row['passwort']){ setPassword($username, $password); return true; - } else{ - return $row['encrypt_password'] == $row['passwort']; } - } else{ - return false; } + return false; } function setCookies($nick_name, $password){ + $pw = encryptPassword($password); checkCookies($nick_name, $_COOKIE['yps']); - $row = mysql_fetch_assoc(mysql_query('select SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw')); setcookie('name',$nick_name,time()+864000); - setcookie('passwort',$row['pw'],time()+864000); + setcookie('passwort',$pw,time()+864000); setcookie('yps',$nick_name.','.md5($nick_name),time()+864000); } function setPassword($username, $password){ - $sql = 'UPDATE user set passwort = SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) where nickname = \''.$username.'\''; + $pw = encryptPassword($password); + $sql = 'UPDATE user set passwort = \''.$pw.'\' where nickname = \''.$username.'\''; // echo $sql.'
'; mysql_query($sql); } function encryptPassword($password){ - $sql = 'SELECT SHA1(AES_ENCRYPT(\''.$password.'\',\''.$GLOBALS['PW_AES_KEY'].'\')) as pw'; - $result = mysql_fetch_assoc(mysql_query($sql)); - return $result['pw']; + $pw = password_hash($password, PASSWORD_BCRYPT, array('salt' => $GLOBALS['PW_AES_KEY'])); + return $pw; } function getUserMetaData($userid) {