Changeset 500 for trunk/lib/Auth_SQL.inc.php

Timestamp:

Nov 15, 2014 9:34:39 PM (10 years ago)

Author:

anonymous

Message:

Many auth and crypto changes; various other bugfixes while working on pulso.

File:

• trunk/lib/Auth_SQL.inc.php (modified) (14 diffs)

trunk/lib/Auth_SQL.inc.php

@@ -39 +39 @@
     const ENCRYPT_MD5 = 5;
     const ENCRYPT_MD5_HARDENED = 6;
+    const ENCRYPT_PASSWORD_BCRYPT = 7;
+    const ENCRYPT_PASSWORD_DEFAULT = 8;
 
     // Namespace of this auth object.
@@ -174 +176 @@
                 " . $this->getParam('db_username_column') . " varchar(255) NOT NULL default '',
                 userpass VARCHAR(255) NOT NULL DEFAULT '',
+                userpass_hashtype TINYINT UNSIGNED NOT NULL DEFAULT '0',
                 first_name VARCHAR(255) NOT NULL DEFAULT '',
                 last_name VARCHAR(255) NOT NULL DEFAULT '',
@@ -260 +263 @@
             $params['login_abuse_exempt_usernames'] = array_map('strtolower', $params['login_abuse_exempt_usernames']);
         }
+        if (isset($params['encryption_type']) && version_compare(PHP_VERSION, '5.5.0', '<') && in_array($params['encryption_type'], array(self::ENCRYPT_PASSWORD_BCRYPT, self::ENCRYPT_PASSWORD_DEFAULT))) {
+            // These hash types require the password_* userland lib in PHP < 5.5.0
+            $pw_compat_lib = 'vendor/ircmaxell/password-compat/lib/password.php';
+            if (false !== stream_resolve_include_path($pw_compat_lib)) {
+                include_once $pw_compat_lib;
+            } else {
+                $app =& App::getInstance();
+                $app->logMsg(sprintf('Encryption type %s requires password-compat lib in PHP < 5.5.0; falling back to ENCRYPT_SHA1', $params['encryption_type']), LOG_ERR, __FILE__, __LINE__);
+                $params['encryption_type'] = self::ENCRYPT_SHA1;
+            }
+        }
         if (isset($params) && is_array($params)) {
             // Merge new parameters with old overriding only those passed.
@@ -353 +367 @@
 
     /**
-     * Find out if a set of login credentials are valid.
+     * Retrieve and verify the given username and password against a matching user record in the database.
      *
      * @access private
@@ -367 +381 @@
         $this->initDB();
 
-        switch ($this->_params['encryption_type']) {
-        case self::ENCRYPT_CRYPT :
-            // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
-            $qid = $db->query("
-                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
-                FROM " . $this->_params['db_table'] . "
-                WHERE " . $this->_params['db_username_column'] . " = '" . $db->escapeString($username) . "'
-                AND BINARY userpass = ENCRYPT('" . $db->escapeString($password) . "', LEFT(userpass, 2)))
-            ");
-            break;
-        case self::ENCRYPT_PLAINTEXT :
-        case self::ENCRYPT_MD5 :
-        case self::ENCRYPT_SHA1 :
-        default :
-            // Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword().
-            $qid = $db->query("
-                SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
-                FROM " . $this->_params['db_table'] . "
-                WHERE " . $this->_params['db_username_column'] . " = '" . $db->escapeString($username) . "'
-                AND BINARY userpass = '" . $db->escapeString($this->encryptPassword($password)) . "'
-            ");
-            break;
-        }
-
-        // Return user data if found.
-        if ($user_data = mysql_fetch_assoc($qid)) {
-            // Don't return password value.
-            unset($user_data['userpass']);
-            $app->logMsg(sprintf('Authentication successful for user_id %s (%s)', $user_data['user_id'], $username), LOG_INFO, __FILE__, __LINE__);
+        // Get user data for specified username.
+        // Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
+        $qid = $db->query("
+            SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
+            FROM " . $this->_params['db_table'] . "
+            WHERE " . $this->_params['db_username_column'] . " = '" . $db->escapeString($username) . "'
+        ");
+        if (!$user_data = mysql_fetch_assoc($qid)) {
+            $app->logMsg(sprintf('Username %s not found for authentication', $username), LOG_NOTICE, __FILE__, __LINE__);
+            return false;
+        }
+
+        if ($this->verifyPassword($password, $user_data['userpass'])) {
+            $app->logMsg(sprintf('Authentication successful for %s (user_id=%s)', $username, $user_data['user_id']), LOG_INFO, __FILE__, __LINE__);
+            unset($user_data['userpass']); // Avoid revealing the encrypted password in the $user_data.
             return $user_data;
-        } else {
-            $app->logMsg(sprintf('Authentication failed for username %s (encrypted attempted password: %s)', $username, $this->encryptPassword($password)), LOG_NOTICE, __FILE__, __LINE__);
-            return false;
-        }
+        }
+
+        $app->logMsg(sprintf('Authentication failed for %s (user_id=%s)', $username, $user_data['user_id']), LOG_NOTICE, __FILE__, __LINE__);
+        return false;
     }
 
@@ -553 +553 @@
                 SELECT 1 FROM " . $this->_params['db_table'] . "
                 WHERE " . $this->_params['db_primary_key'] . " = '" . $db->escapeString($user_id) . "'
-                AND DATE_ADD(last_login_datetime, INTERVAL '" . $this->_params['login_timeout'] . "' SECOND) > NOW()
-                AND DATE_ADD(last_access_datetime, INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND) > NOW()
+                AND last_login_datetime > DATE_SUB(NOW(), INTERVAL '" . $this->_params['login_timeout'] . "' SECOND)
+                AND last_access_datetime > DATE_SUB(NOW(), INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND)
             ");
             $login_status = (mysql_num_rows($qid) > 0);
@@ -809 +809 @@
     }
 
-    /**
-     * Returns a randomly generated password based on $pattern. The pattern is any
-     * sequence of 'x', 'V', 'C', 'v', 'c', or 'd' and if it is something like 'cvccv' this
-     * function will generate a pronounceable password. Recommend using more complex
-     * patterns, at minimum the US State Department standard: cvcddcvc.
-     *
-     * - x    A random upper or lower character, digit, or punctuation.
-     * - C    A random upper or lower consonant.
-     * - V    A random upper or lower vowel.
-     * - c    A random lowercase consonant.
-     * - v    A random lowercase vowel.
-     * - d    A random digit.
-     *
-     * @param  string $pattern  a sequence of character types, above.
-     * @return string           a password
-     */
-    public function generatePassword($pattern='CvcdCvc')
-    {
-        $app =& App::getInstance();
-        if (preg_match('/[^xCVcvd]/', $pattern)) {
-            $app->logMsg(sprintf('Invalid pattern: %s', $pattern), LOG_WARNING, __FILE__, __LINE__);
-            $pattern='CvcdCvc';
-        }
-        $str = '';
-        for ($i=0; $i<mb_strlen($pattern); $i++) {
-            $x = mb_substr('bcdfghjklmnprstvwxzBCDFGHJKLMNPRSTVWXZaeiouyAEIOUY0123456789!@#%&*-=+.?', (mt_rand() % 71), 1);
-            $c = mb_substr('bcdfghjklmnprstvwxz', (mt_rand() % 19), 1);
-            $C = mb_substr('bcdfghjklmnprstvwxzBCDFGHJKLMNPRSTVWXZ', (mt_rand() % 38), 1);
-            $v = mb_substr('aeiouy', (mt_rand() % 6), 1);
-            $V = mb_substr('aeiouyAEIOUY', (mt_rand() % 12), 1);
-            $d = mb_substr('0123456789', (mt_rand() % 10), 1);
-            $str .= $$pattern[$i];
-        }
-        return $str;
+    /*
+    * Generate a cryptographically secure, random password.
+    *
+    * @access   public
+    * @param    int  $bytes     Length of password (in bytes)
+    * @return   string          Random string of characters.
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 20:30:27
+    */
+    public function generatePassword($bytes=10)
+    {
+        $app =& App::getInstance();
+
+        $bytes = is_numeric($bytes) ? $bytes : 10;
+        $string = strtok(base64_encode(openssl_random_pseudo_bytes($bytes, $strong)), '=');
+        if (!$strong) {
+            $app->logMsg(sprintf('Password generated was not "cryptographically strong"; check your openssl.', null), LOG_NOTICE, __FILE__, __LINE__);
+        }
+
+        return $string;
     }
 
@@ -851 +838 @@
     {
         $app =& App::getInstance();
+
+        $password = (string)$password;
 
         // Existing password hashes rely on the same key/salt being used to compare encryptions.
@@ -858 +847 @@
         switch ($this->_params['encryption_type']) {
         case self::ENCRYPT_PLAINTEXT :
-            return $password;
+            $encrypted_password = $password;
             break;
 
         case self::ENCRYPT_CRYPT :
-            // If comparing plaintext password with a hash, provide first two chars of the hash as the salt.
-            return isset($salt) ? crypt($password, mb_substr($salt, 0, 2)) : crypt($password);
+            // If comparing password with an existing hashed password, provide the hashed password as the salt.
+            $encrypted_password = isset($salt) ? crypt($password, $salt) : crypt($password);
             break;
 
         case self::ENCRYPT_SHA1 :
-            return sha1($password);
+            $encrypted_password = sha1($password);
             break;
 
         case self::ENCRYPT_SHA1_HARDENED :
-            $hash = sha1($app->getParam('signing_key') . $password . $more_salt);
-            // Increase key strength by 12 bits.
-            for ($i=0; $i < 4096; $i++) {
-                $hash = sha1($hash);
-            }
-            return $hash;
+            $encrypted_password = sha1($app->getParam('signing_key') . $password . $more_salt);
+            for ($i=0; $i < pow(2, 20); $i++) {
+                $encrypted_password = sha1($password . $encrypted_password);
+            }
             break;
 
         case self::ENCRYPT_MD5 :
-            return md5($password);
+            $encrypted_password = md5($password);
             break;
 
         case self::ENCRYPT_MD5_HARDENED :
-            // Include salt to improve hash
-            $hash = md5($app->getParam('signing_key') . $password . $more_salt);
-            // Increase key strength by 12 bits.
-            for ($i=0; $i < 4096; $i++) {
-                $hash = md5($hash);
-            }
-            return $hash;
+            $encrypted_password = md5($app->getParam('signing_key') . $password . $more_salt);
+            for ($i=0; $i < pow(2, 20); $i++) {
+                $encrypted_password = md5($password . $encrypted_password);
+            }
+            break;
+
+        case self::ENCRYPT_PASSWORD_BCRYPT :
+            $encrypted_password = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
+            break;
+
+        case self::ENCRYPT_PASSWORD_DEFAULT :
+            $encrypted_password = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
             break;
 
@@ -897 +889 @@
             return false;
             break;
+        }
+
+        // In case our hashing function returns 'false' or another empty value, bail out.
+        if ('' == trim((string)$encrypted_password)) {
+            $app->logMsg(sprintf('Invalid password hash returned; check yo crypto!', null), LOG_ALERT, __FILE__, __LINE__);
+            return false;
+        }
+
+        return $encrypted_password;
+    }
+
+    /*
+    *
+    *
+    * @access   public
+    * @param
+    * @return
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    15 Nov 2014 21:37:28
+    */
+    public function verifyPassword($password, $encrypted_password)
+    {
+        switch ($this->_params['encryption_type']) {
+        case self::ENCRYPT_CRYPT :
+            return $this->encryptPassword($password, $encrypted_password) == $encrypted_password;
+
+        case self::ENCRYPT_PLAINTEXT :
+        case self::ENCRYPT_MD5 :
+        case self::ENCRYPT_MD5_HARDENED :
+        case self::ENCRYPT_SHA1 :
+        case self::ENCRYPT_SHA1_HARDENED :
+        default :
+            return $this->encryptPassword($password) == $encrypted_password;
+
+        case self::ENCRYPT_PASSWORD_BCRYPT :
+        case self::ENCRYPT_PASSWORD_DEFAULT :
+            return password_verify($password, $encrypted_password);
         }
     }
@@ -920 +950 @@
         ");
         if (!list($old_encrypted_password) = mysql_fetch_row($qid)) {
-            $app->logMsg(sprintf('Cannot set password for nonexistent user_id %s', $user_id), LOG_NOTICE, __FILE__, __LINE__);
+            $app->logMsg(sprintf('Cannot set password for nonexistent user_id %s', $user_id), LOG_WARNING, __FILE__, __LINE__);
             return false;
         }
 
         // Compare old with new to ensure we're actually *changing* the password.
-        $encrypted_password = $this->encryptPassword($password);
-        if ($old_encrypted_password == $encrypted_password) {
+        if ($this->verifyPassword($password, $old_encrypted_password)) {
             $app->logMsg(sprintf('Not setting password: new is the same as old.', null), LOG_INFO, __FILE__, __LINE__);
-            return false;
+            return null;
+        }
+
+        // Save the hash method used if a table exists for it.
+        $userpass_hashtype = '';
+        if ($db->columnExists($this->_params['db_table'], 'userpass_hashtype', false)) {
+            $userpass_hashtype = ", userpass_hashtype = '" . $db->escapeString($this->getParam('encryption_type')) . "'";
         }
 
@@ -934 +969 @@
         $db->query("
             UPDATE " . $this->_params['db_table'] . "
-            SET userpass = '" . $db->escapeString($encrypted_password) . "'
+            SET userpass = '" . $db->escapeString($this->encryptPassword($password)) . "'
+            $userpass_hashtype
             WHERE " . $this->_params['db_primary_key'] . " = '" . $db->escapeString($user_id) . "'
         ");
@@ -943 +979 @@
         }
 
+        $app->logMsg(sprintf('Password change successful for user_id %s', $user_id), LOG_INFO, __FILE__, __LINE__);
         return true;
     }
@@ -1008 +1045 @@
     }
 
-    /**
-     * If the current user has access to the specified $security_zone, return true.
-     * If the optional $user_type is supplied, test that against the zone.
-     *
-     * NOTE: "user_type" used to be called "priv" in some older implementations.
-     *
-     * @param  constant $security_zone   string of comma delimited privileges for the zone
-     * @param  string   $user_type       a privilege that might be found in a zone
-     * @return bool     true if user is a member of security zone, false otherwise
-     */
-    public function inClearanceZone($security_zone, $user_type='')
-    {
-        $zone_members = preg_split('/,\s*/', $security_zone);
-        $user_type = empty($user_type) ? $this->get('user_type') : $user_type;
-
-        // If the current user's privilege level is NOT in that array or if the
-        // user has no privilege, return false. Otherwise the user is clear.
-        if (!in_array($user_type, $zone_members) || empty($user_type)) {
-            return false;
-        } else {
-            return true;
-        }
-    }
-
-    /**
-     * This function tests a list of arguments $security_zone against the priv that the current user has.
-     * If the user doesn't have one of the supplied privs, die.
-     *
-     * NOTE: "user_type" used to be called "priv" in some older implementations.
-     *
-     * @param  constant $security_zone   string of comma delimited privileges for the zone
-     */
-    public function requireAccessClearance($security_zone, $message='')
-    {
-        $app =& App::getInstance();
-
-        $zone_members = preg_split('/,\s*/', $security_zone);
-
-        /* If the current user's privilege level is NOT in that array or if the
-         * user has no privilege, DIE with a message. */
-        if (!in_array($this->get('user_type'), $zone_members) || !$this->get('user_type')) {
-            $message = empty($message) ? _("You have insufficient privileges to view that page.") : $message;
-            $app->raiseMsg($message, MSG_NOTICE, __FILE__, __LINE__);
-            $app->dieBoomerangURL();
-        }
-    }
-
 } // end class
-
-// CIDR cheat-sheet
-//
-// Netmask              Netmask (binary)                 CIDR     Notes
-// _____________________________________________________________________________
-// 255.255.255.255  11111111.11111111.11111111.11111111  /32  Host (single addr)
-// 255.255.255.254  11111111.11111111.11111111.11111110  /31  Unusable
-// 255.255.255.252  11111111.11111111.11111111.11111100  /30    2  useable
-// 255.255.255.248  11111111.11111111.11111111.11111000  /29    6  useable
-// 255.255.255.240  11111111.11111111.11111111.11110000  /28   14  useable
-// 255.255.255.224  11111111.11111111.11111111.11100000  /27   30  useable
-// 255.255.255.192  11111111.11111111.11111111.11000000  /26   62  useable
-// 255.255.255.128  11111111.11111111.11111111.10000000  /25  126  useable
-// 255.255.255.0    11111111.11111111.11111111.00000000  /24 "Class C" 254 useable
-//
-// 255.255.254.0    11111111.11111111.11111110.00000000  /23    2  Class C's
-// 255.255.252.0    11111111.11111111.11111100.00000000  /22    4  Class C's
-// 255.255.248.0    11111111.11111111.11111000.00000000  /21    8  Class C's
-// 255.255.240.0    11111111.11111111.11110000.00000000  /20   16  Class C's
-// 255.255.224.0    11111111.11111111.11100000.00000000  /19   32  Class C's
-// 255.255.192.0    11111111.11111111.11000000.00000000  /18   64  Class C's
-// 255.255.128.0    11111111.11111111.10000000.00000000  /17  128  Class C's
-// 255.255.0.0      11111111.11111111.00000000.00000000  /16  "Class B"
-//
-// 255.254.0.0      11111111.11111110.00000000.00000000  /15    2  Class B's
-// 255.252.0.0      11111111.11111100.00000000.00000000  /14    4  Class B's
-// 255.248.0.0      11111111.11111000.00000000.00000000  /13    8  Class B's
-// 255.240.0.0      11111111.11110000.00000000.00000000  /12   16  Class B's
-// 255.224.0.0      11111111.11100000.00000000.00000000  /11   32  Class B's
-// 255.192.0.0      11111111.11000000.00000000.00000000  /10   64  Class B's
-// 255.128.0.0      11111111.10000000.00000000.00000000  /9   128  Class B's
-// 255.0.0.0        11111111.00000000.00000000.00000000  /8   "Class A"
-//
-// 254.0.0.0        11111110.00000000.00000000.00000000  /7
-// 252.0.0.0        11111100.00000000.00000000.00000000  /6
-// 248.0.0.0        11111000.00000000.00000000.00000000  /5
-// 240.0.0.0        11110000.00000000.00000000.00000000  /4
-// 224.0.0.0        11100000.00000000.00000000.00000000  /3
-// 192.0.0.0        11000000.00000000.00000000.00000000  /2
-// 128.0.0.0        10000000.00000000.00000000.00000000  /1
-// 0.0.0.0          00000000.00000000.00000000.00000000  /0   IP space