fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-08 03:01:43 +09:00
Code Issues Projects Releases Packages Wiki Activity

fix #1315 인증메일 및 비밀번호 찾기에서 새 비밀번호 및 인증키 발급 개선

Browse source
This commit is contained in:
bnu 2015-03-06 13:50:14 +09:00
parent 867fb4ab10
commit 445a41411e
2 changed files with 124 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

132
classes/security/Password.class.php
View file

@ -4,7 +4,7 @@
/**
* This class can be used to hash passwords using various algorithms and check their validity.
* It is fully compatible with previous defaults, while also supporting bcrypt and pbkdf2.
*
*
* @file Password.class.php
* @author Kijin Sung (kijin@kijinsung.com)
* @package /classes/security
@ -40,7 +40,7 @@ class Password
$algos = $this->getSupportedAlgorithms();
return key($algos);
}
/**
* @brief Return the currently selected hashing algorithm
* @return string
@ -62,7 +62,7 @@ class Password
}
return $algorithm;
}
/**
* @brief Return the currently configured work factor for bcrypt and other adjustable algorithms
* @return int
@ -84,7 +84,7 @@ class Password
}
return $work_factor;
}
/**
* @brief Create a hash using the specified algorithm
* @param string $password The password
@ -101,28 +101,28 @@ class Password
{
return false;
}
$password = trim($password);
switch($algorithm)
{
case 'md5':
return md5($password);
case 'pbkdf2':
$iterations = pow(2, $this->getWorkFactor() + 5);
$salt = $this->createSecureSalt(12);
$hash = base64_encode($this->pbkdf2($password, $salt, 'sha256', $iterations, 24));
return 'sha256:'.sprintf('%07d', $iterations).':'.$salt.':'.$hash;
case 'bcrypt':
return $this->bcrypt($password);
default:
return false;
}
}
/**
* @brief Check if a password matches a hash
* @param string $password The password
@ -136,36 +136,36 @@ class Password
{
$algorithm = $this->checkAlgorithm($hash);
}
$password = trim($password);
switch($algorithm)
{
case 'md5':
return md5($password) === $hash || md5(sha1(md5($password))) === $hash;
case 'mysql_old_password':
return (class_exists('Context') && substr(Context::getDBType(), 0, 5) === 'mysql') ?
DB::getInstance()->isValidOldPassword($password, $hash) : false;
case 'mysql_password':
return $hash[0] === '*' && substr($hash, 1) === strtoupper(sha1(sha1($password, true)));
case 'pbkdf2':
$hash = explode(':', $hash);
$hash[3] = base64_decode($hash[3]);
$hash_to_compare = $this->pbkdf2($password, $hash[2], $hash[0], intval($hash[1], 10), strlen($hash[3]));
return $this->strcmpConstantTime($hash_to_compare, $hash[3]);
case 'bcrypt':
$hash_to_compare = $this->bcrypt($password, $hash);
return $this->strcmpConstantTime($hash_to_compare, $hash);
default:
return false;
}
}
/**
* @brief Check the algorithm used to create a hash
* @param string $hash The hash
@ -198,7 +198,7 @@ class Password
return false;
}
}
/**
* @brief Check the work factor of a hash
* @param string $hash The hash
@ -219,7 +219,7 @@ class Password
return false;
}
}
/**
* @brief Generate a cryptographically secure random string to use as a salt
* @param int $length The number of bytes to return
@ -230,10 +230,10 @@ class Password
{
// Find out how many bytes of entropy we really need
$entropy_required_bytes = ceil(($format === 'hex') ? ($length / 2) : ($length * 3 / 4));
// Cap entropy to 256 bits from any one source, because anything more is meaningless
$entropy_capped_bytes = min(32, $entropy_required_bytes);
// Find and use the most secure way to generate a random string
$is_windows = (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
@ -262,14 +262,14 @@ class Password
$entropy .= pack('S', rand(0, 65536) ^ mt_rand(0, 65535));
}
}
// Mixing (see RFC 4086 section 5)
$output = '';
for($i = 0; $i < $entropy_required_bytes; $i += 32)
{
$output .= hash('sha256', $entropy . $i . rand(), true);
}
// Encode and return the random string
if($format === 'hex')
{
@ -282,7 +282,7 @@ class Password
return strtr($salt, '+/=', $replacements);
}
}
/**
* @brief Generate the PBKDF2 hash of a string using a salt
* @param string $password The password
@ -315,7 +315,7 @@ class Password
return substr($output, 0, $length);
}
}
/**
* @brief Generate the bcrypt hash of a string using a salt
* @param string $password The password
@ -330,7 +330,7 @@ class Password
}
return crypt($password, $salt);
}
/**
* @brief Compare two strings in constant time
* @param string $a The first string
@ -347,6 +347,84 @@ class Password
}
return $diff === 0;
}
/**
* @brief Generates a strong password
*
* @param int $length
* @param bool $add_dashes
* @param string $available_sets
* @return string
*
* @link https://gist.github.com/tylerhall/521810
*
* Generates a strong password of N length containing at least one lower case letter,
* one uppercase letter, one digit, and one special character. The remaining characters
* in the password are chosen at random from those four sets.
*
* The available characters in each set are user friendly - there are no ambiguous
* characters such as i, l, 1, o, 0, etc. This, coupled with the $add_dashes option,
* makes it much easier for users to manually type or speak their passwords.
*
* Note: the $add_dashes option will increase the length of the password by
* floor(sqrt(N)) characters.
*/
function generateStrongPassword($length = 10, $add_dashes = false, $available_sets = 'luds')
{
$sets = array();
if(strpos($available_sets, 'l') !== false)
{
$sets[] = 'abcdefghjkmnpqrstuvwxyz';
}
if(strpos($available_sets, 'u') !== false)
{
$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
}
if(strpos($available_sets, 'd') !== false)
{
$sets[] = '23456789';
}
if(strpos($available_sets, 's') !== false)
{
$sets[] = '!@#$%&*?';
}
$all = '';
$password = '';
foreach($sets as $set)
{
$password .= $set[array_rand(str_split($set))];
$all .= $set;
}
$all = str_split($all);
for($i = 0; $i < $length - count($sets); $i++)
{
$password .= $all[array_rand($all)];
}
$password = str_shuffle($password);
if(!$add_dashes)
{
return $password;
}
$dash_len = floor(sqrt($length));
$dash_str = '';
while(strlen($password) > $dash_len)
{
$dash_str .= substr($password, 0, $dash_len) . '-';
$password = substr($password, $dash_len);
}
$dash_str .= $password;
return $dash_str;
}
}
/* End of file : Password.class.php */
/* Location: ./classes/security/Password.class.php */

33
modules/member/member.controller.php
View file

@ -966,11 +966,12 @@ class memberController extends member
}
// Insert data into the authentication DB
$oPassword = new Password();
$args = new stdClass();
$args->user_id = $member_info->user_id;
$args->member_srl = $member_info->member_srl;
$args->new_password = rand(111111,999999);
$args->auth_key = md5( rand(0,999999 ) );
$args->new_password = $oPassword->generateStrongPassword();
$args->auth_key = $oPassword->createSecureSalt(40);
$args->is_register = 'N';
$output = executeQuery('member.insertAuthMail', $args);
@ -1070,17 +1071,17 @@ class memberController extends member
}
// Update to a temporary password and set change_password_date to 1
$args = new stdClass;
$args->member_srl = $member_srl;
list($usec, $sec) = explode(" ", microtime());
$temp_password = substr(md5($user_id . $member_info->find_account_answer. $usec . $sec),0,15);
$oPassword = new Password();
$temp_password = $oPassword->generateStrongPassword();
$args = new stdClass();
$args->member_srl = $member_srl;
$args->password = $temp_password;
$args->change_password_date = '1';
$output = $this->updateMemberPassword($args);
if(!$output->toBool()) return $output;
$_SESSION['xe_temp_password_'.$user_id] = $temp_password;
$_SESSION['xe_temp_password_' . $user_id] = $temp_password;
$this->add('user_id',$user_id);
@ -1177,10 +1178,11 @@ class memberController extends member
$chk_args->member_srl = $member_srl;
$output = executeQuery('member.chkAuthMail', $chk_args);
if($output->toBool() && $output->data->count == '0') return new Object(-1, 'msg_invalid_request');
// Insert data into the authentication DB
$auth_args = new stdClass;
$auth_args->member_srl = $member_srl;
$auth_args->auth_key = md5(rand(0, 999999));
$auth_args->auth_key = $oPassword->createSecureSalt(40);
$output = executeQuery('member.updateAuthMail', $auth_args);
if(!$output->toBool())
@ -1355,11 +1357,12 @@ class memberController extends member
$this->_clearMemberCache($args->member_srl);
// generate new auth key
$auth_args = new stdClass;
$oPassword = new Password();
$auth_args = new stdClass();
$auth_args->user_id = $memberInfo->user_id;
$auth_args->member_srl = $memberInfo->member_srl;
$auth_args->new_password = $memberInfo->password;
$auth_args->auth_key = md5( rand(0,999999 ) );
$auth_args->auth_key = $oPassword->createSecureSalt(40);
$auth_args->is_register = 'Y';
$output = executeQuery('member.insertAuthMail', $auth_args);
@ -2067,11 +2070,12 @@ class memberController extends member
if($args->denied == 'Y')
{
// Insert data into the authentication DB
$auth_args = new stdClass;
$oPassword = new Password();
$auth_args = new stdClass();
$auth_args->user_id = $args->user_id;
$auth_args->member_srl = $args->member_srl;
$auth_args->new_password = $args->password;
$auth_args->auth_key = md5(rand(0, 999999));
$auth_args->auth_key = $oPassword->createSecureSalt(40);
$auth_args->is_register = 'Y';
$output = executeQuery('member.insertAuthMail', $auth_args);
@ -2445,10 +2449,11 @@ class memberController extends member
}
unset($_SESSION['rechecked_password_step']);
$auth_args = new stdClass;
$oPassword = new Password();
$auth_args = new stdClass();
$auth_args->user_id = $newEmail;
$auth_args->member_srl = $member_info->member_srl;
$auth_args->auth_key = md5(rand(0, 999999));
$auth_args->auth_key = $oPassword->createSecureSalt(40);
$auth_args->new_password = 'XE_change_emaill_address';
$output = executeQuery('member.insertAuthMail', $auth_args);