diff --git a/config/application.php b/config/application.php
index d7978f36a..0fac89692 100644
--- a/config/application.php
+++ b/config/application.php
@@ -53,6 +53,7 @@
 'GMPasswordMinSymbol' => 1, // Number of symbols to require in passwords for GM accounts.
 'RandomPasswordLength' => 16, // This is the length of the random password generated by the "Reset Password" feature. (NOTE: Hardcoded minimum value of 8)
 'AllowUserInPassword' => false, // Whether or not to allow the password to contain the username. (NOTE: A case-insensitive search is performed)
+ 'BcryptCost' => 10, // The cost Bcrypt will use. Decrease to lessen CPU usage.
 'AllowDuplicateEmails' => false, // Whether or not to allow duplicate e-mails to be used in registration. (See Mailer config options)
 'RequireEmailConfirm' => false, // Require e-mail confirmation during registration.
 'RequireChangeConfirm' => false, // Require confirmation when changing e-mail addresses.
diff --git a/lib/Flux.php b/lib/Flux.php
index 4a5feb11f..567be09a2 100644
--- a/lib/Flux.php
+++ b/lib/Flux.php
@@ -592,8 +592,11 @@ public static function getAthenaServerByName($serverName, $athenaServerName)
 */
 public static function hashPassword($password)
 {
- // Default hashing schema is MD5.
- return md5($password);
+ // Default hashing schema is Brypt.
+ $options = [
+ 'cost' => Flux::config('BcryptCost'),
+ ];
+ return password_hash($password, PASSWORD_BCRYPT, $options);
 }
 
 /**
diff --git a/lib/Flux/LoginServer.php b/lib/Flux/LoginServer.php
index c8e637534..44330668d 100644
--- a/lib/Flux/LoginServer.php
+++ b/lib/Flux/LoginServer.php
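Review bot: The comment on the added `BcryptCost` line only tells operators to lower the value, with no range and no consequence; password_hash() accepts bcrypt costs from 4 to 31, PHP's own default is 10, and every step down makes each stored hash cheaper to brute-force offline. The cost is embedded in each hash, so changing the setting affects only hashes created afterwards — existing rows keep the cost they were written with until they are rehashed. Suggested comment: `// Bcrypt cost factor (4-31; PHP default is 10). Higher is slower to compute but harder to brute-force. Only affects hashes created after the change.`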
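Review bot: `Flux::config('BcryptCost')` is passed straight into the password_hash() options on the new line; if the key is absent (a config/application.php that predates this commit) or holds a non-numeric value, and config() returns null or a string for it as I assume, the cost lands outside bcrypt's 4–31 range and PHP 8 raises a ValueError from password_hash(), taking registration and password changes down rather than producing a weak hash. Coerce and default it: `'cost' => (int) (Flux::config('BcryptCost') ?: 10),`. The new comment also misspells the algorithm: `// Default hashing schema is Bcrypt.`. Nothing in this function rehashes or recognises the MD5 digests the removed line produced, so this is a hard cut-over rather than a migration; the docblock above the hunk should say so, and that the return value is now a 60-character string carrying its own salt and cost.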
@@ -71,28 +71,19 @@ public function isAuth($username, $password)
 return false;
 }
 
- if ($this->config->get('UseMD5')) {
- $password = Flux::hashPassword($password);
- }
-
- $sql = "SELECT userid FROM {$this->loginDatabase}.login WHERE sex != 'S' AND group_id >= 0 ";
+ $sql = "SELECT userid AND user_pass FROM {$this->loginDatabase}.login WHERE sex != 'S' AND group_id >= 0 ";
 if ($this->config->getNoCase()) {
 $sql .= 'AND LOWER(userid) = LOWER(?) ';
 }
 else {
 $sql .= 'AND CAST(userid AS BINARY) = ? ';
 }
- $sql .= "AND user_pass = ? LIMIT 1";
+ $sql .= "LIMIT 1";
 $sth = $this->connection->getStatement($sql);
- $sth->execute(array($username, $password));
+ $sth->execute(array($username));
 
 $res = $sth->fetch();
- if ($res) {
- return true;
- }
- else {
- return false;
- }
+ return password_verify($password, $res->user_pass);
 }
 
 /**
@@ -190,9 +181,7 @@ public function register($username, $password, $confirmPassword, $email,$email2,
 }
 }
 
- if ($this->config->getUseMD5()) {
- $password = Flux::hashPassword($password);
- }
+ $password = Flux::hashPassword($password);
 
 $sql = "INSERT INTO {$this->loginDatabase}.login (userid, user_pass, email, sex, group_id, birthdate) VALUES (?, ?, ?, ?, ?, ?)";
 $sth = $this->connection->getStatement($sql);
diff --git a/modules/account/changepass.php b/modules/account/changepass.php
index 7660878a7..6bb2c0f1d 100644
--- a/modules/account/changepass.php
+++ b/modules/account/changepass.php
@@ -61,11 +61,9 @@
 $sth->execute(array($session->account->account_id));
 $account = $sth->fetch();
 
- $useMD5 = $session->loginServer->config->getUseMD5();
- $currentPassword = $useMD5 ? Flux::hashPassword($currentPassword) : $currentPassword;
- $newPassword = $useMD5 ? Flux::hashPassword($newPassword) : $newPassword;
-
- if ($currentPassword != $account->currentPassword) {
+ $newPassword = Flux::hashPassword($newPassword);
+
+ if (password_verify($currentPassword, $account->currentPassword)) {
 $errorMessage = Flux::message('OldPasswordInvalid');
 }
 else {
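Review bot: The rewritten query `SELECT userid AND user_pass FROM ...` selects one boolean expression, not two columns, so the fetched row carries no `user_pass` property and password_verify() on the last added line is handed null; it must be `SELECT userid, user_pass FROM ...`. The rewrite also drops the `if ($res)` guard: when no row matches the username, fetch() returns false and `$res->user_pass` is read off a boolean, so add `if (!$res) { return false; }` before the verify call. Moving the password out of the WHERE clause and into password_verify() is the right shape, but any row whose `user_pass` still holds an MD5 digest from the removed UseMD5 path (or plaintext) can no longer authenticate; if such rows exist in deployed databases, the commit needs a documented cut-over or a rehash-on-login step using password_needs_rehash(), and isAuth()'s docblock, which starts outside the hunk, should state which formats are accepted.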
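Review bot: The INSERT on the hunk's last context lines now stores a 60-character bcrypt string in `login.user_pass`, but nothing in the commit touches the schema; if that column is still sized for a 32-character MD5 digest, as it presumably was, the hash is silently truncated (or rejected under strict SQL mode) and password_verify() in isAuth() will never succeed for any newly registered account. A schema migration or an explicit length check belongs with this change; at minimum the docblock of register(), whose start is outside the hunk, should record the column-width requirement.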
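Review bot: The condition on the new `if (password_verify($currentPassword, $account->currentPassword))` line is inverted: the removed code raised OldPasswordInvalid when the values did not match, whereas the new code raises it when the current password is correct and falls through to the else branch — which the surrounding lines suggest performs the change — when it is wrong, so the current-password check no longer protects the account. It should read `if (!password_verify($currentPassword, $account->currentPassword)) {`. As with isAuth(), a row whose stored value is still an MD5 digest will always fail verification here, so existing users cannot change their password until their hash is migrated; the enclosing block continues outside the hunk.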
diff --git a/modules/account/login.php b/modules/account/login.php
index f7aca2f3d..9e9ef61cd 100644
--- a/modules/account/login.php
+++ b/modules/account/login.php
@@ -19,9 +19,7 @@
 $session->login($serverGroupName, $username, $password, $code);
 $returnURL = $params->get('return_url');
 
- if ($session->loginAthenaGroup->loginServer->config->getUseMD5()) {
- $password = Flux::hashPassword($password);
- }
+ $password = Flux::hashPassword($password);
 
 $sql = "INSERT INTO {$session->loginAthenaGroup->loginDatabase}.$loginLogTable ";
 $sql .= "(account_id, username, password, ip, error_code, login_date) ";
@@ -56,9 +54,7 @@
 if ($row) {
 $accountID = $row->account_id;
 
- if ($loginAthenaGroup->loginServer->config->getUseMD5()) {
- $password = Flux::hashPassword($password);
- }
+ $password = Flux::hashPassword($password);
 
 $sql = "INSERT INTO {$loginAthenaGroup->loginDatabase}.$loginLogTable ";
 $sql .= "(account_id, username, password, ip, error_code, login_date) ";
diff --git a/modules/account/resetpw.php b/modules/account/resetpw.php
index 64d18b92e..fa9407bc2 100644
--- a/modules/account/resetpw.php
+++ b/modules/account/resetpw.php
@@ -49,9 +49,7 @@
 }
 
 $unhashedNewPassword = $newPassword;
-if ($loginAthenaGroup->loginServer->config->getUseMD5()) {
- $newPassword = Flux::hashPassword($newPassword);
-}
+$newPassword = Flux::hashPassword($newPassword);
 
 if (!$sth->execute(array($_SERVER['REMOTE_ADDR'], $newPassword, $reset->id))) {
 $session->setMessageData(Flux::message('ResetPwFailed'));
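Review bot: Both hunks of this file (at lines 19 and 56) now bcrypt-hash the attempted password solely to write it into `$loginLogTable`; because password_hash() salts every call, the stored value can no longer be compared with anything, so it is pure cost — each login attempt, successful or not, now pays a second bcrypt computation at the configured cost on top of the one in isAuth(), which doubles the CPU spent on failed-login floods. If the log's `password` column is needed at all, write a fixed placeholder instead of hashing; otherwise drop the column from the INSERT. Also confirm that the log table's `password` column holds 60 characters, since it was presumably sized for a 32-character MD5 digest.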