Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-12-08 10:38:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8063 from Alabate/develop

Browse Source 
NEW : Add password_hash as hash algorithm
This commit is contained in:
Laurent Destailleur
2018-01-26 18:01:13 +01:00
committed by GitHub
parent 6cae36cc33 b86a5d5623
commit ae1641f4b9
4 changed files with 36 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
htdocs/core/lib/security.lib.php
View File

@@ -82,6 +82,10 @@ function dol_hash($chain, $type='0')
{ {
global $conf; global $conf;
// No need to add salt for password_hash
if ($type == '0' && ! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_hash'))
return password_hash($chain, PASSWORD_DEFAULT);
// Salt value // Salt value
if (! empty($conf->global->MAIN_SECURITY_SALT)) $chain=$conf->global->MAIN_SECURITY_SALT.$chain; if (! empty($conf->global->MAIN_SECURITY_SALT)) $chain=$conf->global->MAIN_SECURITY_SALT.$chain;
@@ -97,6 +101,32 @@ function dol_hash($chain, $type='0')
return md5($chain); return md5($chain);
} }
/**
* Compute a hash and compare it to the given one
* For backward compatibility reasons, if the hash is not in the password_hash format, we will try to match against md5 and sha1md5
* If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
* If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
*
* @param string $chain String to hash
* @param string $hash hash to compare
* @param string $type Type of hash ('0':auto, '1':sha1, '2':sha1+md5, '3':md5, '4':md5 for OpenLdap, '5':sha256). Use '3' here, if hash is not needed for security purpose, for security need, prefer '0'.
* @return bool True if the computed hash is the same as the given one
*/
function dol_verifyHash($chain, $hash, $type='0')
{
global $conf;
if ($type == '0' && ! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'password_hash' && function_exists('password_verify')) {
if ($hash[0] == '$') return password_verify($chain, $hash);
else if(strlen($hash) == 32) return dol_verifyHash($chain, $hash, '3'); // md5
else if(strlen($hash) == 40) return dol_verifyHash($chain, $hash, '2'); // sha1md5
return false;
}
return dol_hash($chain, $type) == $hash;
}
/** /**
* Check permissions of a user to show a page and an object. Check read permission. * Check permissions of a user to show a page and an object. Check read permission.
@@ -607,4 +637,3 @@ function accessforbidden($message='',$printheader=1,$printfooter=1,$showonlymess
if ($printfooter && function_exists("llxFooter")) llxFooter(); if ($printfooter && function_exists("llxFooter")) llxFooter();
exit(0); exit(0);
} }

4
htdocs/core/login/functions_dolibarr.php
View File

@@ -84,7 +84,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
// Check crypted password according to crypt algorithm // Check crypted password according to crypt algorithm
if ($cryptType == 'md5') if ($cryptType == 'md5')
{ {
if (dol_hash($passtyped) == $passcrypted) if (dol_verifyHash($passtyped, $passcrypted))
{ {
$passok=true; $passok=true;
dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - ".$cryptType." of pass is ok"); dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - ".$cryptType." of pass is ok");
@@ -152,5 +152,3 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
return $login; return $login;
} }

5
htdocs/install/step5.php
View File

@@ -181,7 +181,10 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i',$action))
// Define default setup for password encryption // Define default setup for password encryption
dolibarr_set_const($db, "DATABASE_PWD_ENCRYPTED", "1", 'chaine', 0, '', $conf->entity); dolibarr_set_const($db, "DATABASE_PWD_ENCRYPTED", "1", 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_SECURITY_SALT", dol_print_date(dol_now(), 'dayhourlog'), 'chaine', 0, '', 0); // All entities dolibarr_set_const($db, "MAIN_SECURITY_SALT", dol_print_date(dol_now(), 'dayhourlog'), 'chaine', 0, '', 0); // All entities
dolibarr_set_const($db, "MAIN_SECURITY_HASH_ALGO", 'sha1md5', 'chaine', 0, '', 0); // All entities if (function_exists('password_hash'))
dolibarr_set_const($db, "MAIN_SECURITY_HASH_ALGO", 'password_hash', 'chaine', 0, '', 0); // All entities
else
dolibarr_set_const($db, "MAIN_SECURITY_HASH_ALGO", 'sha1md5', 'chaine', 0, '', 0); // All entities
} }
} }

3
htdocs/user/passwordforgotten.php
View File

@@ -78,7 +78,7 @@ if ($action == 'validatenewpassword' && $username && $passwordhash)
} }
else else
{ {
if (dol_hash($edituser->pass_temp) == $passwordhash) if (dol_verifyHash($edituser->pass_temp, $passwordhash))
{ {
$newpassword=$edituser->setPassword($user,$edituser->pass_temp,0); $newpassword=$edituser->setPassword($user,$edituser->pass_temp,0);
dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database"); dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
@@ -218,4 +218,3 @@ $reshook = $hookmanager->executeHooks('getPasswordForgottenPageExtraOptions',$pa
$moreloginextracontent = $hookmanager->resPrint; $moreloginextracontent = $hookmanager->resPrint;
include $template_dir.'passwordforgotten.tpl.php'; // To use native PHP include $template_dir.'passwordforgotten.tpl.php'; // To use native PHP