From 445a41411e1e66ac9ab07714ce05175654d59d89 Mon Sep 17 00:00:00 2001 From: bnu Date: Fri, 6 Mar 2015 13:50:14 +0900 Subject: [PATCH] =?UTF-8?q?fix=20#1315=20=EC=9D=B8=EC=A6=9D=EB=A9=94?= =?UTF-8?q?=EC=9D=BC=20=EB=B0=8F=20=EB=B9=84=EB=B0=80=EB=B2=88=ED=98=B8=20?= =?UTF-8?q?=EC=B0=BE=EA=B8=B0=EC=97=90=EC=84=9C=20=EC=83=88=20=EB=B9=84?= =?UTF-8?q?=EB=B0=80=EB=B2=88=ED=98=B8=20=EB=B0=8F=20=EC=9D=B8=EC=A6=9D?= =?UTF-8?q?=ED=82=A4=20=EB=B0=9C=EA=B8=89=20=EA=B0=9C=EC=84=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- classes/security/Password.class.php | 132 +++++++++++++++++++++------ modules/member/member.controller.php | 33 ++++--- 2 files changed, 124 insertions(+), 41 deletions(-) diff --git a/classes/security/Password.class.php b/classes/security/Password.class.php index 75ff1e039..965185184 100644 --- a/classes/security/Password.class.php +++ b/classes/security/Password.class.php @@ -4,7 +4,7 @@ /** * This class can be used to hash passwords using various algorithms and check their validity. * It is fully compatible with previous defaults, while also supporting bcrypt and pbkdf2. - * + * * @file Password.class.php * @author Kijin Sung (kijin@kijinsung.com) * @package /classes/security @@ -40,7 +40,7 @@ class Password $algos = $this->getSupportedAlgorithms(); return key($algos); } - + /** * @brief Return the currently selected hashing algorithm * @return string @@ -62,7 +62,7 @@ class Password } return $algorithm; } - + /** * @brief Return the currently configured work factor for bcrypt and other adjustable algorithms * @return int @@ -84,7 +84,7 @@ class Password } return $work_factor; } - + /** * @brief Create a hash using the specified algorithm * @param string $password The password @@ -101,28 +101,28 @@ class Password { return false; } - + $password = trim($password); - + switch($algorithm) { case 'md5': return md5($password); - + case 'pbkdf2': $iterations = pow(2, $this->getWorkFactor() + 5); $salt = $this->createSecureSalt(12); $hash = base64_encode($this->pbkdf2($password, $salt, 'sha256', $iterations, 24)); return 'sha256:'.sprintf('%07d', $iterations).':'.$salt.':'.$hash; - + case 'bcrypt': return $this->bcrypt($password); - + default: return false; } } - + /** * @brief Check if a password matches a hash * @param string $password The password @@ -136,36 +136,36 @@ class Password { $algorithm = $this->checkAlgorithm($hash); } - + $password = trim($password); - + switch($algorithm) { case 'md5': return md5($password) === $hash || md5(sha1(md5($password))) === $hash; - + case 'mysql_old_password': return (class_exists('Context') && substr(Context::getDBType(), 0, 5) === 'mysql') ? DB::getInstance()->isValidOldPassword($password, $hash) : false; - + case 'mysql_password': return $hash[0] === '*' && substr($hash, 1) === strtoupper(sha1(sha1($password, true))); - + case 'pbkdf2': $hash = explode(':', $hash); $hash[3] = base64_decode($hash[3]); $hash_to_compare = $this->pbkdf2($password, $hash[2], $hash[0], intval($hash[1], 10), strlen($hash[3])); return $this->strcmpConstantTime($hash_to_compare, $hash[3]); - + case 'bcrypt': $hash_to_compare = $this->bcrypt($password, $hash); return $this->strcmpConstantTime($hash_to_compare, $hash); - + default: return false; } } - + /** * @brief Check the algorithm used to create a hash * @param string $hash The hash @@ -198,7 +198,7 @@ class Password return false; } } - + /** * @brief Check the work factor of a hash * @param string $hash The hash @@ -219,7 +219,7 @@ class Password return false; } } - + /** * @brief Generate a cryptographically secure random string to use as a salt * @param int $length The number of bytes to return @@ -230,10 +230,10 @@ class Password { // Find out how many bytes of entropy we really need $entropy_required_bytes = ceil(($format === 'hex') ? ($length / 2) : ($length * 3 / 4)); - + // Cap entropy to 256 bits from any one source, because anything more is meaningless $entropy_capped_bytes = min(32, $entropy_required_bytes); - + // Find and use the most secure way to generate a random string $is_windows = (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'); if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>='))) @@ -262,14 +262,14 @@ class Password $entropy .= pack('S', rand(0, 65536) ^ mt_rand(0, 65535)); } } - + // Mixing (see RFC 4086 section 5) $output = ''; for($i = 0; $i < $entropy_required_bytes; $i += 32) { $output .= hash('sha256', $entropy . $i . rand(), true); } - + // Encode and return the random string if($format === 'hex') { @@ -282,7 +282,7 @@ class Password return strtr($salt, '+/=', $replacements); } } - + /** * @brief Generate the PBKDF2 hash of a string using a salt * @param string $password The password @@ -315,7 +315,7 @@ class Password return substr($output, 0, $length); } } - + /** * @brief Generate the bcrypt hash of a string using a salt * @param string $password The password @@ -330,7 +330,7 @@ class Password } return crypt($password, $salt); } - + /** * @brief Compare two strings in constant time * @param string $a The first string @@ -347,6 +347,84 @@ class Password } return $diff === 0; } + + /** + * @brief Generates a strong password + * + * @param int $length + * @param bool $add_dashes + * @param string $available_sets + * @return string + * + * @link https://gist.github.com/tylerhall/521810 + * + * Generates a strong password of N length containing at least one lower case letter, + * one uppercase letter, one digit, and one special character. The remaining characters + * in the password are chosen at random from those four sets. + * + * The available characters in each set are user friendly - there are no ambiguous + * characters such as i, l, 1, o, 0, etc. This, coupled with the $add_dashes option, + * makes it much easier for users to manually type or speak their passwords. + * + * Note: the $add_dashes option will increase the length of the password by + * floor(sqrt(N)) characters. + */ + function generateStrongPassword($length = 10, $add_dashes = false, $available_sets = 'luds') + { + $sets = array(); + if(strpos($available_sets, 'l') !== false) + { + $sets[] = 'abcdefghjkmnpqrstuvwxyz'; + } + + if(strpos($available_sets, 'u') !== false) + { + $sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ'; + } + + if(strpos($available_sets, 'd') !== false) + { + $sets[] = '23456789'; + } + + if(strpos($available_sets, 's') !== false) + { + $sets[] = '!@#$%&*?'; + } + + $all = ''; + $password = ''; + foreach($sets as $set) + { + $password .= $set[array_rand(str_split($set))]; + $all .= $set; + } + + $all = str_split($all); + for($i = 0; $i < $length - count($sets); $i++) + { + $password .= $all[array_rand($all)]; + } + + $password = str_shuffle($password); + + if(!$add_dashes) + { + return $password; + } + + $dash_len = floor(sqrt($length)); + $dash_str = ''; + while(strlen($password) > $dash_len) + { + $dash_str .= substr($password, 0, $dash_len) . '-'; + $password = substr($password, $dash_len); + } + + $dash_str .= $password; + + return $dash_str; + } } /* End of file : Password.class.php */ /* Location: ./classes/security/Password.class.php */ diff --git a/modules/member/member.controller.php b/modules/member/member.controller.php index 4db5059ff..5446b0352 100644 --- a/modules/member/member.controller.php +++ b/modules/member/member.controller.php @@ -966,11 +966,12 @@ class memberController extends member } // Insert data into the authentication DB + $oPassword = new Password(); $args = new stdClass(); $args->user_id = $member_info->user_id; $args->member_srl = $member_info->member_srl; - $args->new_password = rand(111111,999999); - $args->auth_key = md5( rand(0,999999 ) ); + $args->new_password = $oPassword->generateStrongPassword(); + $args->auth_key = $oPassword->createSecureSalt(40); $args->is_register = 'N'; $output = executeQuery('member.insertAuthMail', $args); @@ -1070,17 +1071,17 @@ class memberController extends member } // Update to a temporary password and set change_password_date to 1 - $args = new stdClass; - $args->member_srl = $member_srl; - list($usec, $sec) = explode(" ", microtime()); - $temp_password = substr(md5($user_id . $member_info->find_account_answer. $usec . $sec),0,15); + $oPassword = new Password(); + $temp_password = $oPassword->generateStrongPassword(); + $args = new stdClass(); + $args->member_srl = $member_srl; $args->password = $temp_password; $args->change_password_date = '1'; $output = $this->updateMemberPassword($args); if(!$output->toBool()) return $output; - $_SESSION['xe_temp_password_'.$user_id] = $temp_password; + $_SESSION['xe_temp_password_' . $user_id] = $temp_password; $this->add('user_id',$user_id); @@ -1177,10 +1178,11 @@ class memberController extends member $chk_args->member_srl = $member_srl; $output = executeQuery('member.chkAuthMail', $chk_args); if($output->toBool() && $output->data->count == '0') return new Object(-1, 'msg_invalid_request'); + // Insert data into the authentication DB $auth_args = new stdClass; $auth_args->member_srl = $member_srl; - $auth_args->auth_key = md5(rand(0, 999999)); + $auth_args->auth_key = $oPassword->createSecureSalt(40); $output = executeQuery('member.updateAuthMail', $auth_args); if(!$output->toBool()) @@ -1355,11 +1357,12 @@ class memberController extends member $this->_clearMemberCache($args->member_srl); // generate new auth key - $auth_args = new stdClass; + $oPassword = new Password(); + $auth_args = new stdClass(); $auth_args->user_id = $memberInfo->user_id; $auth_args->member_srl = $memberInfo->member_srl; $auth_args->new_password = $memberInfo->password; - $auth_args->auth_key = md5( rand(0,999999 ) ); + $auth_args->auth_key = $oPassword->createSecureSalt(40); $auth_args->is_register = 'Y'; $output = executeQuery('member.insertAuthMail', $auth_args); @@ -2067,11 +2070,12 @@ class memberController extends member if($args->denied == 'Y') { // Insert data into the authentication DB - $auth_args = new stdClass; + $oPassword = new Password(); + $auth_args = new stdClass(); $auth_args->user_id = $args->user_id; $auth_args->member_srl = $args->member_srl; $auth_args->new_password = $args->password; - $auth_args->auth_key = md5(rand(0, 999999)); + $auth_args->auth_key = $oPassword->createSecureSalt(40); $auth_args->is_register = 'Y'; $output = executeQuery('member.insertAuthMail', $auth_args); @@ -2445,10 +2449,11 @@ class memberController extends member } unset($_SESSION['rechecked_password_step']); - $auth_args = new stdClass; + $oPassword = new Password(); + $auth_args = new stdClass(); $auth_args->user_id = $newEmail; $auth_args->member_srl = $member_info->member_srl; - $auth_args->auth_key = md5(rand(0, 999999)); + $auth_args->auth_key = $oPassword->createSecureSalt(40); $auth_args->new_password = 'XE_change_emaill_address'; $output = executeQuery('member.insertAuthMail', $auth_args);