From 92cdd4cc7f6955760236e134126d8a68efa13360 Mon Sep 17 00:00:00 2001
From: Andreas Baumann <mail@andreasbaumann.cc>
Date: Wed, 12 Feb 2020 19:21:35 +0100
Subject: hand-picked changes for better password functions from tyzoids branch

---
 login.php | 38 +++++++++++++++-----------------------
 1 file changed, 15 insertions(+), 23 deletions(-)

(limited to 'login.php')

diff --git a/login.php b/login.php
index 323629a..63d1663 100644
--- a/login.php
+++ b/login.php
@@ -38,33 +38,25 @@ if (isset($_POST['form_sent']) && $action == 'in')
 
 	if (!empty($cur_user['password']))
 	{
-		$form_password_hash = pun_hash($form_password); // Will result in a SHA-1 hash
+		// Represents the hash of the user's password
+		// If it's transparently changed in this function,
+		// this allows the cookie token to reflect the new hash
+		$user_password = $cur_user['password'];
 
-		// If there is a salt in the database we have upgraded from 1.3-legacy though haven't yet logged in
-		if (!empty($cur_user['salt']))
+		if (pun_password_verify_legacy($form_password, $user_password, $cur_user['salt']))
 		{
-			$is_salt_authorized = pun_hash_equals(sha1($cur_user['salt'].sha1($form_password)), $cur_user['password']);
-			if ($is_salt_authorized) // 1.3 used sha1(salt.sha1(pass))
- 			{
-				$authorized = true;
-
-				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
-			}
-		}
-		// If the length isn't 40 then the password isn't using sha1, so it must be md5 from 1.2
-		else if (strlen($cur_user['password']) != 40)
-		{
-			$is_md5_authorized = pun_hash_equals(md5($form_password), $cur_user['password']);
-			if ($is_md5_authorized)
+			$authorized = true;
+			
+			$remove_salt = !empty($cur_user['salt']);
+			$rehash = $remove_salt || pun_password_needs_rehash($user_password);
+			
+			if ($rehash)
 			{
-				$authorized = true;
-
-				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+				$user_password = pun_password_hash($form_password);
+				$salt_sql = ($remove_salt ? 'salt=NULL,' : '');
+				$db->query('UPDATE '.$db->prefix.'users SET '.$salt_sql.' password=\''.$db->escape($user_password).'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
 			}
 		}
-		// Otherwise we should have a normal sha1 password
-		else
-			$authorized = pun_hash_equals($cur_user['password'], $form_password_hash);
 	}
 
 	if (!$authorized)
@@ -91,7 +83,7 @@ if (isset($_POST['form_sent']) && $action == 'in')
 		$db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
 
 		$expire = ($save_pass == '1') ? time() + 1209600 : time() + $pun_config['o_timeout_visit'];
-		pun_setcookie($cur_user['id'], $form_password_hash, $expire);
+		pun_setcookie($cur_user['id'], $user_password, $expire);
 
 		// Reset tracked topics
 		set_tracked_topics(null);
-- 
cgit v1.2.3-54-g00ecf