From 72f09f317fd2d4c1fdbc11769e583c0737ab46cd Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Thu, 23 Dec 2021 11:25:46 +0000
Subject: [PATCH 1/3] [lib/member_functions.php] new cryptPassword() func and generateLdif() update
---
 lib/member_functions.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/member_functions.php b/lib/member_functions.php
index 412f486..75dbd8e 100644
--- a/lib/member_functions.php
+++ b/lib/member_functions.php
@@ -29,6 +29,19 @@ function make_password($length = 8)
 return $password;
 }
+// https://stackoverflow.com/a/44428794
+function cryptPassword($password, $salt = "", $rounds = 5000)
+{
+ if ($salt == "") {
+ // Generate random salt
+ $salt = substr(bin2hex(openssl_random_pseudo_bytes(16)),0,16);
+ }
+ // $6$ specifies SHA512
+ $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
+
+ return $hash;
+}
+
 function generateUid()
 {
@@ -63,7 +76,7 @@ function generateLdif($uid, $password, $type, $realname, $username)
 // explode the realname
 $nameexplode = explode(' ', trim($realname));
 // hash the password
- $ldappassword = "{SHA}" . base64_encode(pack("H*", sha1($password)));
+ $ldappassword = "{CRYPT}" . cryptPassword($password);
 // compile ldif
 $ldif = "dn: uid=" . $username . ",ou=People,dc=sucs,dc=org\n";
 $ldif .= "uid: " . $username . "\n";
--
GitLab
From 7fa450bc987bedd5a1a35c6276f2e24a8632a992 Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Thu, 23 Dec 2021 11:34:26 +0000
Subject: [PATCH 2/3] [components/options.php] Update changePassword() to use new password hash
---
 components/options.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/options.php b/components/options.php
index 851d431..774b91c 100644
--- a/components/options.php
+++ b/components/options.php
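Review bot: The result of crypt() is never checked in cryptPassword(): when the $6$ scheme or the rounds value is not accepted, crypt() returns a short failure string instead of a hash, and both callers (generateLdif() in the next hunk and changePassword() in the options.php patch) would store that marker under a {CRYPT} prefix, presumably leaving the account unable to bind. Guard the value before returning it, e.g. `if (strlen($hash) < 13) { throw new RuntimeException('crypt() failed to produce a SHA-512 hash'); }`. The salt should also come from `random_bytes(8)` rather than openssl_random_pseudo_bytes(), whose strength flag is ignored here; `bin2hex(random_bytes(8))` gives the same 16 hex characters without the substr. Finally `$salt == ""` should be `$salt === ""`, and a docblock should state that 5000 is the SHA-crypt default and that the returned string embeds the salt, so callers need not store it separately.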
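Review bot: The change from {SHA} to {CRYPT} on the hash line makes password verification depend on the directory server, which hands {CRYPT} values to its own crypt() at bind time; a server whose crypt implementation lacks $6$ support would reject every newly set password while this code still reports success. That dependency is invisible from the source, so record it where the value is built, e.g. `// hash the password: SHA-512 crypt ($6$); the LDAP server verifies {CRYPT} values with its own crypt(), which must support $6$`. Existing {SHA} entries stay as they are until the member next sets a password, which is worth stating in the commit description as well. generateLdif() starts before and continues after this hunk.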
@@ -5,6 +5,8 @@
 require_once("../lib/validation.php");
 require_once("Net/MAC.php");
 include_once("../lib/date.php");
+// password hash, renewal functions
+include_once("../lib/member_functions.php");
 // Some Constants
 // These could possibly be moved somewhere saner?
@@ -47,7 +49,7 @@ function changePassword($oldpass, $newpass1, $newpass2)
 // if everything looks OK, attempt to make the change
 $success = ldap_mod_replace($ldap, "uid=" . $session->username . ",ou=People,dc=sucs,dc=org",
- array('userpassword' => "{SHA}" . base64_encode(pack("H*", sha1($newpass1)))));
+ array('userpassword' => "{CRYPT}" . cryptPassword($newpass1));
 ldap_close($ldap);
 return $success;
@@ -214,7 +216,6 @@ function updateRenew()
 return FALSE;
 }
- include_once("../lib/member_functions.php");
 renew_membership($member['username']);
 $sucsDB->Execute("update signup set activated=NOW(), username=? where id=?", array($member['username'], $signup['id']));
 return TRUE;
--
GitLab
From 3dbedd6b0681c758720603572802609f1ce75080 Mon Sep 17 00:00:00 2001
From: Imran Hussain
Date: Thu, 23 Dec 2021 11:36:44 +0000
Subject: [PATCH 3/3] [components/options.php] add missing )
---
 components/options.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/options.php b/components/options.php
index 774b91c..db0ac5d 100644
--- a/components/options.php
+++ b/components/options.php
@@ -49,7 +49,7 @@ function changePassword($oldpass, $newpass1, $newpass2)
 // if everything looks OK, attempt to make the change
 $success = ldap_mod_replace($ldap, "uid=" . $session->username . ",ou=People,dc=sucs,dc=org",
- array('userpassword' => "{CRYPT}" . cryptPassword($newpass1));
+ array('userpassword' => "{CRYPT}" . cryptPassword($newpass1)));
 ldap_close($ldap);
 return $success;
--
GitLab
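Review bot: The new top-level `include_once("../lib/member_functions.php")` only emits a warning when the file cannot be loaded, yet changePassword() in the second hunk now calls cryptPassword() from it unconditionally, so a failed include surfaces later as an undefined-function fatal in the middle of a password change instead of at load time. Since the file has become a hard dependency of this component, use the same form as the validation.php line just above: `require_once("../lib/member_functions.php");`. Dropping the function-local include from updateRenew() in the third hunk is fine once the file is required here.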