hashed password

2007-11-07 21:02:13 +00:00 · 2007-11-07 21:02:13 +00:00 · 6260184600
parent 3344c1e960
commit 6260184600
5 changed files with 55 additions and 13 deletions
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@ -170,7 +170,7 @@ class LAMConfig {
 	var $Admins;

 	/** Password to edit preferences */
-	var $Passwd;
+	private $Passwd;

 	/** LDAP suffix for tree view */
 	var $treesuffix;
@ -846,7 +846,7 @@ class LAMCfgMain {
 	public $default;

 	/** Password to change config.cfg */
-	public $password;
+	private $password;

 	/** Time of inactivity before session times out (minutes) */
 	public $sessionTimeout;
@ -952,6 +952,50 @@ class LAMCfgMain {
 			exit;
 		}
 	}
+	
+	/**
+	 * Sets a new config password.
+	 *
+	 * @param String $password new password
+	 */
+	public function setPassword($password) {
+		mt_srand((microtime() * 1000000));
+		$rand = mt_rand();
+		$salt0 = substr(pack("h*", md5($rand)), 0, 8);
+		$salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4);
+		$this->password = $this->hashPassword($password, $salt);	
+	}
+	
+	/**
+	 * Checks if the given password matches.
+	 *
+	 * @param String $password password
+	 * @return boolean true, if password matches
+	 */
+	public function checkPassword($password) {
+		if (substr($this->password, 0, 6) == "{SSHA}") {
+			// check hashed password
+			$value = substr($this->password, 6);
+			$parts = explode(" ", $value);
+			$salt = base64_decode($parts[1]);
+			return ($this->hashPassword($password, $salt) === $this->password);
+		}
+		else {
+			// old nonhashed password
+			return ($password === $this->password);
+		}
+	}
+	
+	/**
+	 * Returns the hashed password.
+	 *
+	 * @param String $password password
+	 * @param String $salt salt
+	 * @return String hash value
+	 */
+	private function hashPassword($password, $salt) {
+		return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
+	}

 }

--- a/lam/templates/config/mainlogin.php
+++ b/lam/templates/config/mainlogin.php
@ -47,7 +47,7 @@ if (isset($_SESSION["mainconf_password"])) unset($_SESSION["mainconf_password"])
 // check if user entered a password
 if (isset($_POST['passwd'])) {
 	$cfgMain = new LAMCfgMain();
-	if (isset($_POST['passwd']) && ($_POST['passwd'] == $cfgMain->password)) {
+	if (isset($_POST['passwd']) && ($cfgMain->checkPassword($_POST['passwd']))) {
 		$_SESSION["mainconf_password"] = $_POST['passwd'];
 		metaRefresh("mainmanage.php");
 		exit();
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@ -44,7 +44,7 @@ setlanguage();
 $cfg = new LAMCfgMain();

 // check if user is logged in
-if (!isset($_SESSION["mainconf_password"]) || ($_SESSION["mainconf_password"] != $cfg->password)) {
+if (!isset($_SESSION["mainconf_password"]) || (!$cfg->checkPassword($_SESSION["mainconf_password"]))) {
 	require('mainlogin.php');
 	exit();
 }
@ -81,7 +81,7 @@ if ($_POST['submit']) {
 	// set master password
 	if (isset($_POST['masterpassword']) && ($_POST['masterpassword'] != "")) {
 		if ($_POST['masterpassword'] && $_POST['masterpassword2'] && ($_POST['masterpassword'] == $_POST['masterpassword2'])) {
-			$cfg->password = $_POST['masterpassword'];
+			$cfg->setPassword($_POST['masterpassword']);
 			$msg = _("New master password set successfully.");
 			unset($_SESSION["mainconf_password"]);
 		}
--- a/lam/templates/config/profmanage.php
+++ b/lam/templates/config/profmanage.php
@ -64,7 +64,7 @@ $cfg = new LAMCfgMain();
 // check if submit button was pressed
 if ($_POST['submit']) {
 	// check master password
-	if ($cfg->password != $_POST['passwd']) {
+	if (!$cfg->checkPassword($_POST['passwd'])) {
 		$error = _("Master password is wrong!");
 	}
 	// add new profile
@ -134,7 +134,7 @@ if ($_POST['submit']) {


 // check if config.cfg is valid
-if (!isset($cfg->default) && !isset($cfg->password)) {
+if (!isset($cfg->default)) {
 	StatusMessage("ERROR", _("Please set up your master configuration file (config/config.cfg) first!"), "");
 	echo "</body>\n</html>\n";
 	die();
--- a/lam/tests/conf-main-test.php
+++ b/lam/tests/conf-main-test.php
@ -35,36 +35,34 @@ include ("../lib/config.inc");
 $conf = new LAMCfgMain();
 echo "<html><head><title></title><link rel=\"stylesheet\" type=\"text/css\" href=\"../style/layout.css\"></head><body>";
 echo ("<b> Current Values</b><br><br>");
-echo "<b>Password: </b>" . $conf->password . "<br>\n";
 echo "<b>Default: </b>" . $conf->default . "<br>\n";
 echo ("<br><br><big><b> Starting Test...</b></big><br><br>");
 // now all prferences are loaded
 echo ("Loading preferences...");
-$password = $conf->password;
+$password = 'lam';
 $default = $conf->default;
 echo ("done<br>");
 // next we modify them and save config.cfg
 echo ("Changing preferences...");
-$conf->password = "123456";
+$conf->setPassword("123456");
 $conf->default = "lam";
 $conf->save();
 echo ("done<br>");
 // at last all preferences are read from config.cfg and compared
 echo ("Loading and comparing...");
 $conf = new LAMCfgMain();
-if ($conf->password != "123456") echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
+if (!$conf->checkPassword("123456")) echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
 if ($conf->default != "lam") echo ("<br><font color=\"#FF0000\">Saving Default failed!</font><br>");
 echo ("done<br>");
 // restore old values
 echo ("Restoring old preferences...");
-$conf->password = $password;
+$conf->setPassword($password);
 $conf->default = $default;
 $conf->save();
 echo ("done<br>");
 // finished
 echo ("<br><b><font color=\"#00C000\">Test is complete.</font></b>");
 echo ("<br><br><b> Current Config</b><br><br>");
-echo "<b>Password: </b>" . $conf->password . "<br>\n";
 echo "<b>Default: </b>" . $conf->default . "<br>\n";

 ?>