Use PHP's built-in password hashing and verification for user accounts

2018-04-15 18:26:41 -04:00 · 2018-04-15 18:26:41 -04:00 · 6084650181
parent bbb3e7c0e3
commit 6084650181
3 changed files with 18 additions and 5 deletions
--- a/bureau/class/functions.php
+++ b/bureau/class/functions.php
@ -541,6 +541,19 @@ function _md5cr($pass, $salt = "") {
    return crypt($pass, $salt);
 }

+/**
+ * Transtional function to check if a string matches a saved password hash.
+ * @param string $pass string
+ * @param string $hash string
+ * @return bool
+ */
+function _password_verify($pass, $hash) {
+    if (strncmp($hash, '$1$', 3) == 0) {
+        // @TODO Raise a warning for the user to update their password.
+        return _md5cr($pass, $hash) == $hash;
+    }
+    return password_verify($pass, $hash);
+}

 /** split mysql database name between username and custom database name
 * @param string $dbname database name
--- a/bureau/class/m_admin.php
+++ b/bureau/class/m_admin.php
@ -634,7 +634,7 @@ class m_admin {
            $msg->raise("ERROR", "admin", _("Login can only contains characters a-z, 0-9 and -"));
            return false;
        }
-        $pass = _md5cr($pass);
+        $pass = password_hash($pass);
        $db = new DB_System();
        // Already exist?
        $db->query("SELECT count(*) AS cnt FROM membres WHERE login= ?;", array($login));
@ -772,7 +772,7 @@ class m_admin {
        $db = new DB_System();

        if ($pass) {
-            $pass = _md5cr($pass);
+            $pass = password_hash($pass);
            $second_query = "UPDATE membres SET mail= ?, canpass= ?, enabled= ?, `type`= ?, notes= ? , pass = ? WHERE uid= ?;";
            $second_query_args = array($mail, $canpass, $enabled, $type, $notes, $pass, $uid);
        } else {
--- a/bureau/class/m_mem.php
+++ b/bureau/class/m_mem.php
@ -93,7 +93,7 @@ class m_mem {
            return false;
        }
        $db->next_record();
-        if (_md5cr($password, $db->f("pass")) != $db->f("pass")) {
+        if (!_password_verify($password, $db->f('pass'))) {
            $db->query("UPDATE membres SET lastfail=lastfail+1 WHERE uid= ? ;", array($db->f("uid")));
            $msg->raise("ERROR", "mem", _("User or password incorrect"));
            return false;
@ -396,7 +396,7 @@ class m_mem {
            $msg->raise("ERROR", "mem", _("You are not allowed to change your password."));
            return false;
        }
-        if ($this->user["pass"] != _md5cr($oldpass, $this->user["pass"])) {
+        if (!_password_verify($oldpass, $this->user['pass'])) {
            $msg->raise("ERROR", "mem", _("The old password is incorrect"));
            return false;
        }
@ -410,7 +410,7 @@ class m_mem {
        if (!$admin->checkPolicy("mem", $login, $newpass)) {
            return false; // The error has been raised by checkPolicy()
        }
-        $newpass = _md5cr($newpass);
+        $newpass = password_hash($newpass);
        $db->query("UPDATE membres SET pass= ? WHERE uid= ?;", array($newpass, $cuid));
        $msg->init_msgs();
        return true;