Exemplo n.º 1
0
 /**
  * Formats a password using the current encryption. If the user ID is given
  * and the hash does not fit the current hashing algorithm, it automatically
  * updates the hash.
  *
  * @param   string   $password  The plaintext password to check.
  * @param   string   $hash      The hash to verify against.
  * @param   integer  $user_id   ID of the user if the password hash should be updated
  *
  * @return  boolean  True if the password and hash match, false otherwise
  *
  * @since   3.2.1
  */
 public static function verifyPassword($password, $hash, $user_id = 0)
 {
     $rehash = false;
     $match = false;
     // If we are using phpass
     if (strpos($hash, '$P$') === 0) {
         // Use PHPass's portable hashes with a cost of 10.
         $phpass = new PasswordHash(10, true);
         $match = $phpass->CheckPassword($password, $hash);
         $rehash = false;
     } else {
         // Check the password
         $parts = explode(':', $hash);
         $crypt = $parts[0];
         $salt = @$parts[1];
         $rehash = true;
         $testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : '');
         $match = JCrypt::timingSafeCompare($hash, $testcrypt);
     }
     // If we have a match and rehash = true, rehash the password with the current algorithm.
     if ((int) $user_id > 0 && $match && $rehash) {
         $user = new JUser($user_id);
         $user->password = self::hashPassword($password);
         $user->save();
     }
     return $match;
 }
Exemplo n.º 2
0
 /**
  * Formats a password using the current encryption. If the user ID is given
  * and the hash does not fit the current hashing algorithm, it automatically
  * updates the hash.
  *
  * @param   string   $password  The plaintext password to check.
  * @param   string   $hash      The hash to verify against.
  * @param   integer  $user_id   ID of the user if the password hash should be updated
  *
  * @return  boolean  True if the password and hash match, false otherwise
  *
  * @since   3.2.1
  */
 public static function verifyPassword($password, $hash, $user_id = 0)
 {
     $rehash = false;
     $match = false;
     // If we are using phpass
     if (strpos($hash, '$P$') === 0) {
         // Use PHPass's portable hashes with a cost of 10.
         $phpass = new PasswordHash(10, true);
         $match = $phpass->CheckPassword($password, $hash);
         $rehash = true;
     } elseif ($hash[0] == '$') {
         // JCrypt::hasStrongPasswordSupport() includes a fallback for us in the worst case
         JCrypt::hasStrongPasswordSupport();
         $match = password_verify($password, $hash);
         // Uncomment this line if we actually move to bcrypt.
         $rehash = password_needs_rehash($hash, PASSWORD_DEFAULT);
     } elseif (substr($hash, 0, 8) == '{SHA256}') {
         // Check the password
         $parts = explode(':', $hash);
         $crypt = $parts[0];
         $salt = @$parts[1];
         $testcrypt = static::getCryptedPassword($password, $salt, 'sha256', true);
         $match = JCrypt::timingSafeCompare($hash, $testcrypt);
         $rehash = true;
     } else {
         // Check the password
         $parts = explode(':', $hash);
         $crypt = $parts[0];
         $salt = @$parts[1];
         $rehash = true;
         // Compile the hash to compare
         // If the salt is empty AND there is a ':' in the original hash, we must append ':' at the end
         $testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : (strpos($hash, ':') !== false ? ':' : ''));
         $match = JCrypt::timingSafeCompare($hash, $testcrypt);
     }
     // If we have a match and rehash = true, rehash the password with the current algorithm.
     if ((int) $user_id > 0 && $match && $rehash) {
         $user = new JUser($user_id);
         $user->password = static::hashPassword($password);
         $user->save();
     }
     return $match;
 }
 /**
  * This method should handle any authentication and report back to the subject
  *
  * @param   array   $credentials  Array holding the user credentials
  * @param   array   $options      Array of extra options
  * @param   object  &$response    Authentication response object
  *
  * @return  boolean
  *
  * @since   3.2
  */
 public function onUserAuthenticate($credentials, $options, &$response)
 {
     // No remember me for admin
     if ($this->app->isAdmin()) {
         return false;
     }
     JLoader::register('JAuthentication', JPATH_LIBRARIES . '/joomla/user/authentication.php');
     $response->type = 'Cookie';
     // We need to validate the cookie data because there may be no Remember Me plugin to do it.
     // Create the cookie name and data.
     $rememberArray = JUserHelper::getRememberCookieData();
     if ($rememberArray == false) {
         return false;
     }
     list($privateKey, $series, $uastring) = $rememberArray;
     // Find the matching record if it exists.
     $query = $this->db->getQuery(true)->select($this->db->quoteName(array('user_id', 'token', 'series', 'time', 'invalid')))->from($this->db->quoteName('#__user_keys'))->where($this->db->quoteName('series') . ' = ' . $this->db->quote(base64_encode($series)))->where($this->db->quoteName('uastring') . ' = ' . $this->db->quote($uastring))->order($this->db->quoteName('time') . ' DESC');
     $results = $this->db->setQuery($query)->loadObjectList();
     $countResults = count($results);
     if ($countResults !== 1) {
         $response->status = JAuthentication::STATUS_FAILURE;
         return;
     } else {
         if (substr($results[0]->token, 0, 4) === '$2y$') {
             if (JCrypt::hasStrongPasswordSupport()) {
                 $match = password_verify($privateKey, $results[0]->token);
             }
         } else {
             if (JCrypt::timingSafeCompare($results[0]->token, $privateKey)) {
                 $match = true;
             }
         }
         if (empty($match)) {
             JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
             JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_LOGIN_FAILED', $user->username), JLog::WARNING, 'security');
             $response->status = JAuthentication::STATUS_FAILURE;
             return false;
         }
     }
     // Set cookie params.
     if (!empty($options['lifetime']) && !empty($options['length']) && !empty($options['secure'])) {
         $response->lifetime = $options['lifetime'];
         $response->length = $options['length'];
         $response->secure = $options['secure'];
     }
     // Make sure there really is a user with this name and get the data for the session.
     $query = $this->db->getQuery(true)->select($this->db->quoteName(array('id', 'username', 'password')))->from($this->db->quoteName('#__users'))->where($this->db->quoteName('username') . ' = ' . $this->db->quote($credentials['username']));
     $result = $this->db->setQuery($query)->loadObject();
     if ($result) {
         // Bring this in line with the rest of the system
         $user = JUser::getInstance($result->id);
         $cookieName = JUserHelper::getShortHashedUserAgent();
         // If there is no cookie, bail out
         if (!$this->app->input->cookie->get($cookieName)) {
             return;
         }
         // Set response data.
         $response->username = $result->username;
         $response->email = $user->email;
         $response->fullname = $user->name;
         $response->password = $result->password;
         $response->language = $user->getParam('language');
         // Set response status.
         $response->status = JAuthentication::STATUS_SUCCESS;
         $response->error_message = '';
     } else {
         $response->status = JAuthentication::STATUS_FAILURE;
         $response->error_message = JText::_('JGLOBAL_AUTH_NO_USER');
     }
 }
Exemplo n.º 4
0
 /**
  * Verifies a password hash
  *
  * @param   string  $password  The password to verify.
  * @param   string  $hash      The password hash to check.
  *
  * @return  boolean  True if the password is valid, false otherwise.
  *
  * @since   12.2
  * @deprecated  4.0  Use PHP 5.5's native password hashing API
  */
 public function verify($password, $hash)
 {
     // Check if the hash is a blowfish hash.
     if (substr($hash, 0, 4) == '$2a$' || substr($hash, 0, 4) == '$2y$') {
         $type = '$2a$';
         if (JCrypt::hasStrongPasswordSupport()) {
             $type = '$2y$';
         }
         return password_verify($password, $hash);
     }
     // Check if the hash is an MD5 hash.
     if (substr($hash, 0, 3) == '$1$') {
         return JCrypt::timingSafeCompare(crypt($password, $hash), $hash);
     }
     // Check if the hash is a Joomla hash.
     if (preg_match('#[a-z0-9]{32}:[A-Za-z0-9]{32}#', $hash) === 1) {
         // Check the password
         $parts = explode(':', $hash);
         $salt = @$parts[1];
         // Compile the hash to compare
         // If the salt is empty AND there is a ':' in the original hash, we must append ':' at the end
         $testcrypt = md5($password . $salt) . ($salt ? ':' . $salt : (strpos($hash, ':') !== false ? ':' : ''));
         return JCrypt::timingSafeCompare($hash, $testcrypt);
     }
     return false;
 }
Exemplo n.º 5
0
 /**
  * Remember me method to run onAfterInitialise
  *
  * @return  boolean
  *
  * @since   1.5
  * @throws  InvalidArgumentException
  */
 public function onAfterInitialise()
 {
     // No remember me for admin
     if ($this->app->isAdmin()) {
         return false;
     }
     $user = JFactory::getUser();
     $this->app->rememberCookieLifetime = $this->lifetime;
     $this->app->rememberCookieSecure = $this->secure;
     $this->app->rememberCookieLength = $this->length;
     // Check for a cookie
     if ($user->get('guest') == 1) {
         // Create the cookie name and data
         $rememberArray = JUserHelper::getRememberCookieData();
         if ($rememberArray !== false) {
             if (count($rememberArray) != 3) {
                 // Destroy the cookie in the browser.
                 $this->app->input->cookie->set(end($rememberArray), false, time() - 42000, $this->app->get('cookie_path'), $this->app->get('cookie_domain'));
                 JLog::add('Invalid cookie detected.', JLog::WARNING, 'error');
                 return false;
             }
             list($privateKey, $series, $uastring) = $rememberArray;
             if (!JUserHelper::clearExpiredTokens($this)) {
                 JLog::add('Error in deleting expired cookie tokens.', JLog::WARNING, 'error');
             }
             // Find the matching record if it exists
             $query = $this->db->getQuery(true)->select($this->db->quoteName(array('user_id', 'token', 'series', 'time', 'invalid')))->from($this->db->quoteName('#__user_keys'))->where($this->db->quoteName('series') . ' = ' . $this->db->quote(base64_encode($series)))->where($this->db->quoteName('uastring') . ' = ' . $this->db->quote($uastring))->order($this->db->quoteName('time') . ' DESC');
             $results = $this->db->setQuery($query)->loadObjectList();
             $countResults = count($results);
             // We have a user but a cookie that is not in the database, or it is invalid. This is a possible attack, so invalidate everything.
             if (($countResults === 0 || $results[0]->invalid != 0) && !empty($results[0]->user_id)) {
                 JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
                 JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_INVALIDATED_COOKIES', $user->username), JLog::WARNING, 'security');
                 // Possibly e-mail user and admin here.
                 return false;
             }
             // We have a user with one cookie with a valid series and a corresponding record in the database.
             if ($countResults === 1) {
                 if (!JCrypt::timingSafeCompare($results[0]->token, $privateKey)) {
                     JUserHelper::invalidateCookie($results[0]->user_id, $uastring);
                     JLog::add(JText::sprintf('PLG_SYSTEM_REMEMBER_ERROR_LOG_LOGIN_FAILED', $user->username), JLog::WARNING, 'security');
                     return false;
                 }
                 // Set up the credentials array to pass to onUserAuthenticate
                 $credentials = array('username' => $results[0]->user_id);
                 return $this->app->login($credentials, array('silent' => true, 'lifetime' => $this->lifetime, 'secure' => $this->secure, 'length' => $this->length));
             }
         }
     }
     return false;
 }