diff options
| author | Lukas Fleischer <lfleischer@archlinux.org> | 2017-02-24 19:52:28 +0100 |
|---|---|---|
| committer | Lukas Fleischer <lfleischer@archlinux.org> | 2017-02-24 22:04:49 +0100 |
| commit | 29a48708bb7c3e00e80275a6b898f557f63dff69 (patch) | |
| tree | c1b4f3ec1e5caffaacb796916e5bdb89b5cb19ff /web/lib/aur.inc.php | |
| parent | 31754909b1ebbc2a50f1faecbb0cf5058953b840 (diff) | |
| download | aur-29a48708bb7c3e00e80275a6b898f557f63dff69.tar.gz aur-29a48708bb7c3e00e80275a6b898f557f63dff69.tar.xz | |
Use bcrypt to hash passwords
Replace the default hash function used for storing passwords by
password_hash() which internally uses bcrypt. Legacy MD5 hashes are
still supported and are immediately converted to the new format when a
user logs in.
Since big parts of the authentication system needed to be rewritten in
this context, this patch also includes some simplification and
refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/lib/aur.inc.php')
| -rw-r--r-- | web/lib/aur.inc.php | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 94a38499..d58df406 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -538,63 +538,6 @@ function mkurl($append) { } /** - * Determine a user's salt from the database - * - * @param string $user_id The user ID of the user trying to log in - * - * @return string|void Return the salt for the requested user, otherwise void - */ -function get_salt($user_id) { - $dbh = DB::connect(); - $q = "SELECT Salt FROM Users WHERE ID = " . $user_id; - $result = $dbh->query($q); - if ($result) { - $row = $result->fetch(PDO::FETCH_NUM); - return $row[0]; - } - return; -} - -/** - * Save a user's salted password in the database - * - * @param string $user_id The user ID of the user who is salting their password - * @param string $passwd The password of the user logging in - */ -function save_salt($user_id, $passwd) { - $dbh = DB::connect(); - $salt = generate_salt(); - $hash = salted_hash($passwd, $salt); - $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; - $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; - return $dbh->exec($q); -} - -/** - * Generate a string to be used for salting passwords - * - * @return string MD5 hash of concatenated random number and current time - */ -function generate_salt() { - return md5(uniqid(mt_rand(), true)); -} - -/** - * Combine salt and password to form a hash - * - * @param string $passwd User plaintext password - * @param string $salt MD5 hash to be used as user salt - * - * @return string The MD5 hash of the concatenated salt and user password - */ -function salted_hash($passwd, $salt) { - if (strlen($salt) != 32) { - trigger_error('Salt does not look like an md5 hash', E_USER_WARNING); - } - return md5($salt . $passwd); -} - -/** * Get a package comment * * @param int $comment_id The ID of the comment |