mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-04-05 11:32:12 +09:00
fix #1315 인증메일 및 비밀번호 찾기에서 새 비밀번호 및 인증키 발급 개선
This commit is contained in:
bnu
parent
867fb4ab10
commit
445a41411e
2 changed files with 124 additions and 41 deletions
|
|
@ -4,7 +4,7 @@
|
||||||
/**
|
/**
|
||||||
* This class can be used to hash passwords using various algorithms and check their validity.
|
* This class can be used to hash passwords using various algorithms and check their validity.
|
||||||
* It is fully compatible with previous defaults, while also supporting bcrypt and pbkdf2.
|
* It is fully compatible with previous defaults, while also supporting bcrypt and pbkdf2.
|
||||||
*
|
*
|
||||||
* @file Password.class.php
|
* @file Password.class.php
|
||||||
* @author Kijin Sung (kijin@kijinsung.com)
|
* @author Kijin Sung (kijin@kijinsung.com)
|
||||||
* @package /classes/security
|
* @package /classes/security
|
||||||
|
|
@ -40,7 +40,7 @@ class Password
|
||||||
$algos = $this->getSupportedAlgorithms();
|
$algos = $this->getSupportedAlgorithms();
|
||||||
return key($algos);
|
return key($algos);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Return the currently selected hashing algorithm
|
* @brief Return the currently selected hashing algorithm
|
||||||
* @return string
|
* @return string
|
||||||
|
|
@ -62,7 +62,7 @@ class Password
|
||||||
}
|
}
|
||||||
return $algorithm;
|
return $algorithm;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Return the currently configured work factor for bcrypt and other adjustable algorithms
|
* @brief Return the currently configured work factor for bcrypt and other adjustable algorithms
|
||||||
* @return int
|
* @return int
|
||||||
|
|
@ -84,7 +84,7 @@ class Password
|
||||||
}
|
}
|
||||||
return $work_factor;
|
return $work_factor;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Create a hash using the specified algorithm
|
* @brief Create a hash using the specified algorithm
|
||||||
* @param string $password The password
|
* @param string $password The password
|
||||||
|
|
@ -101,28 +101,28 @@ class Password
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$password = trim($password);
|
$password = trim($password);
|
||||||
|
|
||||||
switch($algorithm)
|
switch($algorithm)
|
||||||
{
|
{
|
||||||
case 'md5':
|
case 'md5':
|
||||||
return md5($password);
|
return md5($password);
|
||||||
|
|
||||||
case 'pbkdf2':
|
case 'pbkdf2':
|
||||||
$iterations = pow(2, $this->getWorkFactor() + 5);
|
$iterations = pow(2, $this->getWorkFactor() + 5);
|
||||||
$salt = $this->createSecureSalt(12);
|
$salt = $this->createSecureSalt(12);
|
||||||
$hash = base64_encode($this->pbkdf2($password, $salt, 'sha256', $iterations, 24));
|
$hash = base64_encode($this->pbkdf2($password, $salt, 'sha256', $iterations, 24));
|
||||||
return 'sha256:'.sprintf('%07d', $iterations).':'.$salt.':'.$hash;
|
return 'sha256:'.sprintf('%07d', $iterations).':'.$salt.':'.$hash;
|
||||||
|
|
||||||
case 'bcrypt':
|
case 'bcrypt':
|
||||||
return $this->bcrypt($password);
|
return $this->bcrypt($password);
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Check if a password matches a hash
|
* @brief Check if a password matches a hash
|
||||||
* @param string $password The password
|
* @param string $password The password
|
||||||
|
|
@ -136,36 +136,36 @@ class Password
|
||||||
{
|
{
|
||||||
$algorithm = $this->checkAlgorithm($hash);
|
$algorithm = $this->checkAlgorithm($hash);
|
||||||
}
|
}
|
||||||
|
|
||||||
$password = trim($password);
|
$password = trim($password);
|
||||||
|
|
||||||
switch($algorithm)
|
switch($algorithm)
|
||||||
{
|
{
|
||||||
case 'md5':
|
case 'md5':
|
||||||
return md5($password) === $hash || md5(sha1(md5($password))) === $hash;
|
return md5($password) === $hash || md5(sha1(md5($password))) === $hash;
|
||||||
|
|
||||||
case 'mysql_old_password':
|
case 'mysql_old_password':
|
||||||
return (class_exists('Context') && substr(Context::getDBType(), 0, 5) === 'mysql') ?
|
return (class_exists('Context') && substr(Context::getDBType(), 0, 5) === 'mysql') ?
|
||||||
DB::getInstance()->isValidOldPassword($password, $hash) : false;
|
DB::getInstance()->isValidOldPassword($password, $hash) : false;
|
||||||
|
|
||||||
case 'mysql_password':
|
case 'mysql_password':
|
||||||
return $hash[0] === '*' && substr($hash, 1) === strtoupper(sha1(sha1($password, true)));
|
return $hash[0] === '*' && substr($hash, 1) === strtoupper(sha1(sha1($password, true)));
|
||||||
|
|
||||||
case 'pbkdf2':
|
case 'pbkdf2':
|
||||||
$hash = explode(':', $hash);
|
$hash = explode(':', $hash);
|
||||||
$hash[3] = base64_decode($hash[3]);
|
$hash[3] = base64_decode($hash[3]);
|
||||||
$hash_to_compare = $this->pbkdf2($password, $hash[2], $hash[0], intval($hash[1], 10), strlen($hash[3]));
|
$hash_to_compare = $this->pbkdf2($password, $hash[2], $hash[0], intval($hash[1], 10), strlen($hash[3]));
|
||||||
return $this->strcmpConstantTime($hash_to_compare, $hash[3]);
|
return $this->strcmpConstantTime($hash_to_compare, $hash[3]);
|
||||||
|
|
||||||
case 'bcrypt':
|
case 'bcrypt':
|
||||||
$hash_to_compare = $this->bcrypt($password, $hash);
|
$hash_to_compare = $this->bcrypt($password, $hash);
|
||||||
return $this->strcmpConstantTime($hash_to_compare, $hash);
|
return $this->strcmpConstantTime($hash_to_compare, $hash);
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Check the algorithm used to create a hash
|
* @brief Check the algorithm used to create a hash
|
||||||
* @param string $hash The hash
|
* @param string $hash The hash
|
||||||
|
|
@ -198,7 +198,7 @@ class Password
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Check the work factor of a hash
|
* @brief Check the work factor of a hash
|
||||||
* @param string $hash The hash
|
* @param string $hash The hash
|
||||||
|
|
@ -219,7 +219,7 @@ class Password
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Generate a cryptographically secure random string to use as a salt
|
* @brief Generate a cryptographically secure random string to use as a salt
|
||||||
* @param int $length The number of bytes to return
|
* @param int $length The number of bytes to return
|
||||||
|
|
@ -230,10 +230,10 @@ class Password
|
||||||
{
|
{
|
||||||
// Find out how many bytes of entropy we really need
|
// Find out how many bytes of entropy we really need
|
||||||
$entropy_required_bytes = ceil(($format === 'hex') ? ($length / 2) : ($length * 3 / 4));
|
$entropy_required_bytes = ceil(($format === 'hex') ? ($length / 2) : ($length * 3 / 4));
|
||||||
|
|
||||||
// Cap entropy to 256 bits from any one source, because anything more is meaningless
|
// Cap entropy to 256 bits from any one source, because anything more is meaningless
|
||||||
$entropy_capped_bytes = min(32, $entropy_required_bytes);
|
$entropy_capped_bytes = min(32, $entropy_required_bytes);
|
||||||
|
|
||||||
// Find and use the most secure way to generate a random string
|
// Find and use the most secure way to generate a random string
|
||||||
$is_windows = (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
|
$is_windows = (defined('PHP_OS') && strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
|
||||||
if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
|
if(function_exists('openssl_random_pseudo_bytes') && (!$is_windows || version_compare(PHP_VERSION, '5.4', '>=')))
|
||||||
|
|
@ -262,14 +262,14 @@ class Password
|
||||||
$entropy .= pack('S', rand(0, 65536) ^ mt_rand(0, 65535));
|
$entropy .= pack('S', rand(0, 65536) ^ mt_rand(0, 65535));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Mixing (see RFC 4086 section 5)
|
// Mixing (see RFC 4086 section 5)
|
||||||
$output = '';
|
$output = '';
|
||||||
for($i = 0; $i < $entropy_required_bytes; $i += 32)
|
for($i = 0; $i < $entropy_required_bytes; $i += 32)
|
||||||
{
|
{
|
||||||
$output .= hash('sha256', $entropy . $i . rand(), true);
|
$output .= hash('sha256', $entropy . $i . rand(), true);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Encode and return the random string
|
// Encode and return the random string
|
||||||
if($format === 'hex')
|
if($format === 'hex')
|
||||||
{
|
{
|
||||||
|
|
@ -282,7 +282,7 @@ class Password
|
||||||
return strtr($salt, '+/=', $replacements);
|
return strtr($salt, '+/=', $replacements);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Generate the PBKDF2 hash of a string using a salt
|
* @brief Generate the PBKDF2 hash of a string using a salt
|
||||||
* @param string $password The password
|
* @param string $password The password
|
||||||
|
|
@ -315,7 +315,7 @@ class Password
|
||||||
return substr($output, 0, $length);
|
return substr($output, 0, $length);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Generate the bcrypt hash of a string using a salt
|
* @brief Generate the bcrypt hash of a string using a salt
|
||||||
* @param string $password The password
|
* @param string $password The password
|
||||||
|
|
@ -330,7 +330,7 @@ class Password
|
||||||
}
|
}
|
||||||
return crypt($password, $salt);
|
return crypt($password, $salt);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Compare two strings in constant time
|
* @brief Compare two strings in constant time
|
||||||
* @param string $a The first string
|
* @param string $a The first string
|
||||||
|
|
@ -347,6 +347,84 @@ class Password
|
||||||
}
|
}
|
||||||
return $diff === 0;
|
return $diff === 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief Generates a strong password
|
||||||
|
*
|
||||||
|
* @param int $length
|
||||||
|
* @param bool $add_dashes
|
||||||
|
* @param string $available_sets
|
||||||
|
* @return string
|
||||||
|
*
|
||||||
|
* @link https://gist.github.com/tylerhall/521810
|
||||||
|
*
|
||||||
|
* Generates a strong password of N length containing at least one lower case letter,
|
||||||
|
* one uppercase letter, one digit, and one special character. The remaining characters
|
||||||
|
* in the password are chosen at random from those four sets.
|
||||||
|
*
|
||||||
|
* The available characters in each set are user friendly - there are no ambiguous
|
||||||
|
* characters such as i, l, 1, o, 0, etc. This, coupled with the $add_dashes option,
|
||||||
|
* makes it much easier for users to manually type or speak their passwords.
|
||||||
|
*
|
||||||
|
* Note: the $add_dashes option will increase the length of the password by
|
||||||
|
* floor(sqrt(N)) characters.
|
||||||
|
*/
|
||||||
|
function generateStrongPassword($length = 10, $add_dashes = false, $available_sets = 'luds')
|
||||||
|
{
|
||||||
|
$sets = array();
|
||||||
|
if(strpos($available_sets, 'l') !== false)
|
||||||
|
{
|
||||||
|
$sets[] = 'abcdefghjkmnpqrstuvwxyz';
|
||||||
|
}
|
||||||
|
|
||||||
|
if(strpos($available_sets, 'u') !== false)
|
||||||
|
{
|
||||||
|
$sets[] = 'ABCDEFGHJKMNPQRSTUVWXYZ';
|
||||||
|
}
|
||||||
|
|
||||||
|
if(strpos($available_sets, 'd') !== false)
|
||||||
|
{
|
||||||
|
$sets[] = '23456789';
|
||||||
|
}
|
||||||
|
|
||||||
|
if(strpos($available_sets, 's') !== false)
|
||||||
|
{
|
||||||
|
$sets[] = '!@#$%&*?';
|
||||||
|
}
|
||||||
|
|
||||||
|
$all = '';
|
||||||
|
$password = '';
|
||||||
|
foreach($sets as $set)
|
||||||
|
{
|
||||||
|
$password .= $set[array_rand(str_split($set))];
|
||||||
|
$all .= $set;
|
||||||
|
}
|
||||||
|
|
||||||
|
$all = str_split($all);
|
||||||
|
for($i = 0; $i < $length - count($sets); $i++)
|
||||||
|
{
|
||||||
|
$password .= $all[array_rand($all)];
|
||||||
|
}
|
||||||
|
|
||||||
|
$password = str_shuffle($password);
|
||||||
|
|
||||||
|
if(!$add_dashes)
|
||||||
|
{
|
||||||
|
return $password;
|
||||||
|
}
|
||||||
|
|
||||||
|
$dash_len = floor(sqrt($length));
|
||||||
|
$dash_str = '';
|
||||||
|
while(strlen($password) > $dash_len)
|
||||||
|
{
|
||||||
|
$dash_str .= substr($password, 0, $dash_len) . '-';
|
||||||
|
$password = substr($password, $dash_len);
|
||||||
|
}
|
||||||
|
|
||||||
|
$dash_str .= $password;
|
||||||
|
|
||||||
|
return $dash_str;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
/* End of file : Password.class.php */
|
/* End of file : Password.class.php */
|
||||||
/* Location: ./classes/security/Password.class.php */
|
/* Location: ./classes/security/Password.class.php */
|
||||||
|
|
|
||||||
|
|
@ -966,11 +966,12 @@ class memberController extends member
|
||||||
}
|
}
|
||||||
|
|
||||||
// Insert data into the authentication DB
|
// Insert data into the authentication DB
|
||||||
|
$oPassword = new Password();
|
||||||
$args = new stdClass();
|
$args = new stdClass();
|
||||||
$args->user_id = $member_info->user_id;
|
$args->user_id = $member_info->user_id;
|
||||||
$args->member_srl = $member_info->member_srl;
|
$args->member_srl = $member_info->member_srl;
|
||||||
$args->new_password = rand(111111,999999);
|
$args->new_password = $oPassword->generateStrongPassword();
|
||||||
$args->auth_key = md5( rand(0,999999 ) );
|
$args->auth_key = $oPassword->createSecureSalt(40);
|
||||||
$args->is_register = 'N';
|
$args->is_register = 'N';
|
||||||
|
|
||||||
$output = executeQuery('member.insertAuthMail', $args);
|
$output = executeQuery('member.insertAuthMail', $args);
|
||||||
|
|
@ -1070,17 +1071,17 @@ class memberController extends member
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update to a temporary password and set change_password_date to 1
|
// Update to a temporary password and set change_password_date to 1
|
||||||
$args = new stdClass;
|
$oPassword = new Password();
|
||||||
$args->member_srl = $member_srl;
|
$temp_password = $oPassword->generateStrongPassword();
|
||||||
list($usec, $sec) = explode(" ", microtime());
|
|
||||||
$temp_password = substr(md5($user_id . $member_info->find_account_answer. $usec . $sec),0,15);
|
|
||||||
|
|
||||||
|
$args = new stdClass();
|
||||||
|
$args->member_srl = $member_srl;
|
||||||
$args->password = $temp_password;
|
$args->password = $temp_password;
|
||||||
$args->change_password_date = '1';
|
$args->change_password_date = '1';
|
||||||
$output = $this->updateMemberPassword($args);
|
$output = $this->updateMemberPassword($args);
|
||||||
if(!$output->toBool()) return $output;
|
if(!$output->toBool()) return $output;
|
||||||
|
|
||||||
$_SESSION['xe_temp_password_'.$user_id] = $temp_password;
|
$_SESSION['xe_temp_password_' . $user_id] = $temp_password;
|
||||||
|
|
||||||
$this->add('user_id',$user_id);
|
$this->add('user_id',$user_id);
|
||||||
|
|
||||||
|
|
@ -1177,10 +1178,11 @@ class memberController extends member
|
||||||
$chk_args->member_srl = $member_srl;
|
$chk_args->member_srl = $member_srl;
|
||||||
$output = executeQuery('member.chkAuthMail', $chk_args);
|
$output = executeQuery('member.chkAuthMail', $chk_args);
|
||||||
if($output->toBool() && $output->data->count == '0') return new Object(-1, 'msg_invalid_request');
|
if($output->toBool() && $output->data->count == '0') return new Object(-1, 'msg_invalid_request');
|
||||||
|
|
||||||
// Insert data into the authentication DB
|
// Insert data into the authentication DB
|
||||||
$auth_args = new stdClass;
|
$auth_args = new stdClass;
|
||||||
$auth_args->member_srl = $member_srl;
|
$auth_args->member_srl = $member_srl;
|
||||||
$auth_args->auth_key = md5(rand(0, 999999));
|
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||||
|
|
||||||
$output = executeQuery('member.updateAuthMail', $auth_args);
|
$output = executeQuery('member.updateAuthMail', $auth_args);
|
||||||
if(!$output->toBool())
|
if(!$output->toBool())
|
||||||
|
|
@ -1355,11 +1357,12 @@ class memberController extends member
|
||||||
$this->_clearMemberCache($args->member_srl);
|
$this->_clearMemberCache($args->member_srl);
|
||||||
|
|
||||||
// generate new auth key
|
// generate new auth key
|
||||||
$auth_args = new stdClass;
|
$oPassword = new Password();
|
||||||
|
$auth_args = new stdClass();
|
||||||
$auth_args->user_id = $memberInfo->user_id;
|
$auth_args->user_id = $memberInfo->user_id;
|
||||||
$auth_args->member_srl = $memberInfo->member_srl;
|
$auth_args->member_srl = $memberInfo->member_srl;
|
||||||
$auth_args->new_password = $memberInfo->password;
|
$auth_args->new_password = $memberInfo->password;
|
||||||
$auth_args->auth_key = md5( rand(0,999999 ) );
|
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||||
$auth_args->is_register = 'Y';
|
$auth_args->is_register = 'Y';
|
||||||
|
|
||||||
$output = executeQuery('member.insertAuthMail', $auth_args);
|
$output = executeQuery('member.insertAuthMail', $auth_args);
|
||||||
|
|
@ -2067,11 +2070,12 @@ class memberController extends member
|
||||||
if($args->denied == 'Y')
|
if($args->denied == 'Y')
|
||||||
{
|
{
|
||||||
// Insert data into the authentication DB
|
// Insert data into the authentication DB
|
||||||
$auth_args = new stdClass;
|
$oPassword = new Password();
|
||||||
|
$auth_args = new stdClass();
|
||||||
$auth_args->user_id = $args->user_id;
|
$auth_args->user_id = $args->user_id;
|
||||||
$auth_args->member_srl = $args->member_srl;
|
$auth_args->member_srl = $args->member_srl;
|
||||||
$auth_args->new_password = $args->password;
|
$auth_args->new_password = $args->password;
|
||||||
$auth_args->auth_key = md5(rand(0, 999999));
|
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||||
$auth_args->is_register = 'Y';
|
$auth_args->is_register = 'Y';
|
||||||
|
|
||||||
$output = executeQuery('member.insertAuthMail', $auth_args);
|
$output = executeQuery('member.insertAuthMail', $auth_args);
|
||||||
|
|
@ -2445,10 +2449,11 @@ class memberController extends member
|
||||||
}
|
}
|
||||||
unset($_SESSION['rechecked_password_step']);
|
unset($_SESSION['rechecked_password_step']);
|
||||||
|
|
||||||
$auth_args = new stdClass;
|
$oPassword = new Password();
|
||||||
|
$auth_args = new stdClass();
|
||||||
$auth_args->user_id = $newEmail;
|
$auth_args->user_id = $newEmail;
|
||||||
$auth_args->member_srl = $member_info->member_srl;
|
$auth_args->member_srl = $member_info->member_srl;
|
||||||
$auth_args->auth_key = md5(rand(0, 999999));
|
$auth_args->auth_key = $oPassword->createSecureSalt(40);
|
||||||
$auth_args->new_password = 'XE_change_emaill_address';
|
$auth_args->new_password = 'XE_change_emaill_address';
|
||||||
|
|
||||||
$output = executeQuery('member.insertAuthMail', $auth_args);
|
$output = executeQuery('member.insertAuthMail', $auth_args);
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue