diff --git includes/password.inc includes/password.inc deleted file mode 100644 index 98de037..0000000 --- includes/password.inc +++ /dev/null @@ -1,243 +0,0 @@ -> 6) & 0x3f]; - if ($i++ >= $count) { - break; - } - if ($i < $count) { - $value |= ord($input[$i]) << 16; - } - $output .= $itoa64[($value >> 12) & 0x3f]; - if ($i++ >= $count) { - break; - } - $output .= $itoa64[($value >> 18) & 0x3f]; - } while ($i < $count); - - return $output; -} - -/** - * Generates a random base 64-encoded salt prefixed with settings for the hash. - * - * Proper use of salts may defeat a number of attacks, including: - * - The ability to try candidate passwords against multiple hashes at once. - * - The ability to use pre-hashed lists of candidate passwords. - * - The ability to determine whether two users have the same (or different) - * password without actually having to guess one of the passwords. - * - * @param $count_log2 - * Integer that determines the number of iterations used in the hashing - * process. A larger value is more secure, but takes more time to complete. - * - * @return - * A 12 character string containing the iteration count and a random salt. - */ -function _password_generate_salt($count_log2) { - $output = '$P$'; - // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT. - $count_log2 = max($count_log2, DRUPAL_MIN_HASH_COUNT); - // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT. - // We encode the final log2 iteration count in base 64. - $itoa64 = _password_itoa64(); - $output .= $itoa64[min($count_log2, DRUPAL_MAX_HASH_COUNT)]; - // 6 bytes is the standard salt for a portable phpass hash. - $output .= _password_base64_encode(drupal_random_bytes(6), 6); - return $output; -} - -/** - * Hash a password using a secure stretched hash. - * - * By using a salt and repeated hashing the password is "stretched". Its - * security is increased because it becomes much more computationally costly - * for an attacker to try to break the hash by brute-force computation of the - * hashes of a large number of plain-text words or strings to find a match. - * - * @param $password - * The plain-text password to hash. - * @param $setting - * An existing hash or the output of _password_generate_salt(). - * - * @return - * A string containing the hashed password (and salt) or FALSE on failure. - */ -function _password_crypt($password, $setting) { - // The first 12 characters of an existing hash are its setting string. - $setting = substr($setting, 0, 12); - - if (substr($setting, 0, 3) != '$P$') { - return FALSE; - } - $count_log2 = _password_get_count_log2($setting); - // Hashes may be imported from elsewhere, so we allow != DRUPAL_HASH_COUNT - if ($count_log2 < DRUPAL_MIN_HASH_COUNT || $count_log2 > DRUPAL_MAX_HASH_COUNT) { - return FALSE; - } - $salt = substr($setting, 4, 8); - // Hashes must have an 8 character salt. - if (strlen($salt) != 8) { - return FALSE; - } - - // We must use md5() or sha1() here since they are the only cryptographic - // primitives always available in PHP 5. To implement our own low-level - // cryptographic function in PHP would result in much worse performance and - // consequently in lower iteration counts and hashes that are quicker to crack - // (by non-PHP code). - - $count = 1 << $count_log2; - - $hash = md5($salt . $password, TRUE); - do { - $hash = md5($hash . $password, TRUE); - } while (--$count); - - $output = $setting . _password_base64_encode($hash, 16); - // _password_base64_encode() of a 16 byte MD5 will always be 22 characters. - return (strlen($output) == 34) ? $output : FALSE; -} - -/** - * Parse the log2 iteration count from a stored hash or setting string. - */ -function _password_get_count_log2($setting) { - $itoa64 = _password_itoa64(); - return strpos($itoa64, $setting[3]); -} - -/** - * Hash a password using a secure hash. - * - * @param $password - * A plain-text password. - * @param $count_log2 - * Optional integer to specify the iteration count. Generally used only during - * mass operations where a value less than the default is needed for speed. - * - * @return - * A string containing the hashed password (and a salt), or FALSE on failure. - */ -function user_hash_password($password, $count_log2 = 0) { - if (empty($count_log2)) { - // Use the standard iteration count. - $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT); - } - return _password_crypt($password, _password_generate_salt($count_log2)); -} - -/** - * Check whether a plain text password matches a stored hashed password. - * - * Alternative implementations of this function may use other data in the - * $account object, for example the uid to look up the hash in a custom table - * or remote database. - * - * @param $password - * A plain-text password - * @param $account - * A user object with at least the fields from the {users} table. - * - * @return - * TRUE or FALSE. - */ -function user_check_password($password, $account) { - if (substr($account->pass, 0, 3) == 'U$P') { - // This may be an updated password from user_update_7000(). Such hashes - // have 'U' added as the first character and need an extra md5(). - $stored_hash = substr($account->pass, 1); - $password = md5($password); - } - else { - $stored_hash = $account->pass; - } - $hash = _password_crypt($password, $stored_hash); - return ($hash && $stored_hash == $hash); -} - -/** - * Check whether a user's hashed password needs to be replaced with a new hash. - * - * This is typically called during the login process when the plain text - * password is available. A new hash is needed when the desired iteration count - * has changed through a change in the variable password_count_log2 or - * DRUPAL_HASH_COUNT or if the user's password hash was generated in an update - * like user_update_7000(). - * - * Alternative implementations of this function might use other criteria based - * on the fields in $account. - * - * @param $account - * A user object with at least the fields from the {users} table. - * - * @return - * TRUE or FALSE. - */ -function user_needs_new_hash($account) { - // Check whether this was an updated password. - if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) { - return TRUE; - } - // Check whether the iteration count used differs from the standard number. - return (_password_get_count_log2($account->pass) != variable_get('password_count_log2', DRUPAL_HASH_COUNT)); -} - diff --git modules/dblog/dblog.test modules/dblog/dblog.test index 8545867..e460b48 100644 --- modules/dblog/dblog.test +++ modules/dblog/dblog.test @@ -177,7 +177,7 @@ class DBLogTestCase extends DrupalWebTestCase { private function doUser() { // Set user variables. $name = $this->randomName(); - $pass = user_password(); + $pass = user_generate_password(); // Add user using form to generate add user event (which is not triggered by drupalCreateUser). $edit = array(); $edit['name'] = $name; diff --git modules/openid/openid.module modules/openid/openid.module index 5651fc6..e2556b3 100644 --- modules/openid/openid.module +++ modules/openid/openid.module @@ -134,7 +134,7 @@ function openid_form_user_register_alter(&$form, &$form_state) { // with random password to avoid confusion. if (!variable_get('user_email_verification', TRUE)) { $form['pass']['#type'] = 'hidden'; - $form['pass']['#value'] = user_password(); + $form['pass']['#value'] = user_generate_password(); } $form['auth_openid'] = array('#type' => 'hidden', '#value' => $_SESSION['openid']['values']['auth_openid']); } @@ -427,7 +427,7 @@ function openid_authentication($response) { $form_state['redirect'] = NULL; $form_state['values']['name'] = (empty($response['openid.sreg.nickname'])) ? $identity : $response['openid.sreg.nickname']; $form_state['values']['mail'] = (empty($response['openid.sreg.email'])) ? '' : $response['openid.sreg.email']; - $form_state['values']['pass'] = user_password(); + $form_state['values']['pass'] = user_generate_password(); $form_state['values']['status'] = variable_get('user_register', 1) == 1; $form_state['values']['response'] = $response; $form = drupal_retrieve_form('user_register', $form_state); diff --git modules/simpletest/drupal_web_test_case.php modules/simpletest/drupal_web_test_case.php index 10c0235..2c7c6f9 100644 --- modules/simpletest/drupal_web_test_case.php +++ modules/simpletest/drupal_web_test_case.php @@ -854,7 +854,7 @@ class DrupalWebTestCase extends DrupalTestCase { $edit['name'] = $this->randomName(); $edit['mail'] = $edit['name'] . '@example.com'; $edit['roles'] = array($rid => $rid); - $edit['pass'] = user_password(); + $edit['pass'] = user_generate_password(); $edit['status'] = 1; $account = user_save('', $edit); diff --git modules/user/user.info modules/user/user.info index e0066a7..4a8de41 100644 --- modules/user/user.info +++ modules/user/user.info @@ -8,5 +8,6 @@ files[] = user.module files[] = user.admin.inc files[] = user.pages.inc files[] = user.install +files[] = user.password.inc files[] = user.test required = TRUE diff --git modules/user/user.install modules/user/user.install index 7a63b2f..8524ccb 100644 --- modules/user/user.install +++ modules/user/user.install @@ -256,8 +256,7 @@ function user_schema() { */ function user_update_7000(&$sandbox) { $ret = array('#finished' => 0); - // Lower than DRUPAL_HASH_COUNT to make the update run at a reasonable speed. - $hash_count_log2 = 11; + // Multi-part update. if (!isset($sandbox['user_from'])) { db_change_field($ret, 'users', 'pass', 'pass', array('type' => 'varchar', 'length' => 128, 'not null' => TRUE, 'default' => '')); @@ -265,15 +264,16 @@ function user_update_7000(&$sandbox) { $sandbox['user_count'] = db_query("SELECT COUNT(uid) FROM {users}")->fetchField(); } else { - require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc'); // Hash again all current hashed passwords. + // Lower than default strength to make the update run at a better speed. + user_authenticator()->setHashStrength(0.1); $has_rows = FALSE; // Update this many per page load. $count = 1000; $result = db_query_range("SELECT uid, pass FROM {users} WHERE uid > 0 ORDER BY uid", array(), $sandbox['user_from'], $count); foreach ($result as $account) { $has_rows = TRUE; - $new_hash = user_hash_password($account->pass, $hash_count_log2); + $new_hash = user_authenticator()->hashPassword($account['pass']); if ($new_hash) { // Indicate an updated password. $new_hash = 'U' . $new_hash; @@ -287,7 +287,7 @@ function user_update_7000(&$sandbox) { $sandbox['user_from'] += $count; if (!$has_rows) { $ret['#finished'] = 1; - $ret[] = array('success' => TRUE, 'query' => "UPDATE {users} SET pass = 'U' . user_hash_password(pass) WHERE uid > 0"); + $ret[] = array('success' => TRUE, 'query' => "UPDATE {users} SET pass = 'U' . user_authenticator()->hashPassword(pass) WHERE uid > 0"); } } return $ret; diff --git modules/user/user.module modules/user/user.module index f55c140..2368303 100644 --- modules/user/user.module +++ modules/user/user.module @@ -348,9 +348,7 @@ function user_save($account, $edit = array(), $category = 'account') { $user_fields = $table['fields']; if (!empty($edit['pass'])) { - // Allow alternate password hashing schemes. - require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc'); - $edit['pass'] = user_hash_password(trim($edit['pass'])); + $edit['pass'] = user_authenticator()->hashPassword(trim($edit['pass'])); // Abort if the hashing failed and returned FALSE. if (!$edit['pass']) { return FALSE; @@ -619,7 +617,7 @@ function user_validate_picture(&$form, &$form_state) { /** * Generate a random alphanumeric password. */ -function user_password($length = 10) { +function user_generate_password($length = 10) { // This variable contains the list of allowable characters for the // password. Note that the number 0 and the letter 'O' have been // removed to avoid confusion between the two. The same is true @@ -1653,16 +1651,12 @@ function user_authenticate(&$form_state) { if (!empty($form_state['values']['name']) && !empty($password)) { $account = db_query("SELECT * FROM {users} WHERE name = :name AND status = 1", array(':name' => $form_state['values']['name']))->fetchObject(); if ($account) { - // Allow alternate password hashing schemes. - require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc'); - if (user_check_password($password, $account)) { - + if (user_authenticator()->checkPassword($password, $account)) { // Successful authentication. Set a flag for user_login_final_validate(). $form_state['uid'] = $account->uid; - - // Update user to new password scheme if needed. - if (user_needs_new_hash($account)) { - $new_hash = user_hash_password($password); + // Update user's hashed password if needed (e.g. if the hash is weak). + if (user_authenticator()->needsNewHash($account)) { + $new_hash = user_authenticator()->hashPassword($password); if ($new_hash) { db_update('users') ->fields(array('pass' => $new_hash)) @@ -1724,7 +1718,7 @@ function user_external_login_register($name, $module) { // Register this new user. $userinfo = array( 'name' => $name, - 'pass' => user_password(), + 'pass' => user_generate_password(), 'init' => $name, 'status' => 1, 'access' => REQUEST_TIME @@ -2759,7 +2753,7 @@ function user_register_submit($form, &$form_state) { $pass = $form_state['values']['pass']; } else { - $pass = user_password(); + $pass = user_generate_password(); }; $notify = isset($form_state['values']['notify']) ? $form_state['values']['notify'] : NULL; $from = variable_get('site_mail', ini_get('sendmail_from')); @@ -2919,3 +2913,24 @@ function _user_forms(&$edit, $account, $category, $hook = 'form') { return empty($groups) ? FALSE : $groups; } +/** + * Returns a password hashing object that implements AuthenticatorInterface. + */ +function user_authenticator() { + static $instance; + + if (empty($instance)) { + $class = variable_get('authentication_system', 'UserPassword'); + $interfaces = class_implements($class); + if (isset($interfaces['AuthenticatorInterface'])) { + $instance = new $class; + // Set a default hash strength. + $instance->setHashStrength(variable_get('password_hash_strength', 1.0)); + } + else { + throw new Exception(t('Class %class does not implement interface %interface', array('%class' => $class, '%interface' => 'AuthenticatorInterface'))); + } + } + return $instance; +} + diff --git modules/user/user.password.inc modules/user/user.password.inc new file mode 100644 index 0000000..838dd02 --- /dev/null +++ modules/user/user.password.inc @@ -0,0 +1,240 @@ +itoa64[$value & 0x3f]; + if ($i < $count) { + $value |= ord($input[$i]) << 8; + } + $output .= $this->itoa64[($value >> 6) & 0x3f]; + if ($i++ >= $count) { + break; + } + if ($i < $count) { + $value |= ord($input[$i]) << 16; + } + $output .= $this->itoa64[($value >> 12) & 0x3f]; + if ($i++ >= $count) { + break; + } + $output .= $this->itoa64[($value >> 18) & 0x3f]; + } while ($i < $count); + + return $output; + } + + /** + * Generates a random base 64-encoded salt prefixed with settings for the hash. + * + * Proper use of salts may defeat a number of attacks, including: + * - The ability to try candidate passwords against multiple hashes at once. + * - The ability to use pre-hashed lists of candidate passwords. + * - The ability to determine whether two users have the same (or different) + * password without actually having to guess one of the passwords. + * + * @return + * A 12 character string containing the iteration count and a random salt. + */ + private function generateSalt() { + // $P$ is the hash identifier for phpass. + $output = '$P$'; + // Minimum log2 iterations is DRUPAL_MIN_HASH_COUNT. + $count_log2 = max($this->countLog2Setting, self::MIN_HASH_COUNT); + // Maximum log2 iterations is DRUPAL_MAX_HASH_COUNT. + // We encode the final log2 iteration count in base 64. + $output .= $this->itoa64[min($count_log2, self::MAX_HASH_COUNT)]; + // 6 bytes is the standard salt for a portable phpass hash. + $output .= $this->base64Encode(drupal_random_bytes(6), 6); + return $output; + } + + /** + * Hash a password using a secure stretched hash. + * + * By using a salt and repeated hashing the password is "stretched". Its + * security is increased because it becomes much more computationally costly + * for an attacker to try to break the hash by brute-force computation of the + * hashes of a large number of plain-text words or strings to find a match. + * + * @param $password + * The plain-text password to hash. + * @param $setting + * An existing hash or the output of generate_salt(). + * + * @return + * A string containing the hashed password (and salt) or FALSE on failure. + */ + private function passwordCrypt($password, $setting) { + // The first 12 characters of an existing hash are its setting string. + $setting = substr($setting, 0, 12); + + if (substr($setting, 0, 3) != '$P$') { + return FALSE; + } + $count_log2 = $this->getCountLog2($setting); + // Hashes may be imported from elsewhere, so we allow != DEFAULT_HASH_COUNT + if ($count_log2 < self::MIN_HASH_COUNT || $count_log2 > self::MAX_HASH_COUNT) { + return FALSE; + } + $salt = substr($setting, 4, 8); + // Hashes must have an 8 character salt. + if (strlen($salt) != 8) { + return FALSE; + } + + // We must use md5() or sha1() here since they are the only cryptographic + // primitives always available in PHP 5. To implement our own low-level + // cryptographic function in PHP would result in much worse performance and + // consequently in lower iteration counts and hashes that are quicker to crack + // (by non-PHP code). + + $count = 1 << $count_log2; + + $hash = md5($salt . $password, TRUE); + do { + $hash = md5($hash . $password, TRUE); + } while (--$count); + + $output = $setting . $this->base64Encode($hash, 16); + // password_base64_encode() of a 16 byte MD5 will always be 22 characters. + return (strlen($output) == 34) ? $output : FALSE; + } + + /** + * Parse the log2 iteration count from a stored hash or setting string. + */ + private function getCountLog2($setting) { + return strpos($this->itoa64, $setting[3]); + } + + /** + * Set the relative hash strength as compared to the default. + * + * @param $strength + * A positive number; 1.0 for the default. Typical range is 0.01 - 1000.0. + */ + public function setHashStrength($strength) { + // We accept a linear scale strength and convert it to a base 2 logarithm. + $this->countLog2Setting = (int)(log($strength, 2) + self::DEFAULT_HASH_COUNT); + } + + /** + * Hash a password using a secure hash. + * + * @param $password + * A plain-text password. + * + * @return + * A string containing the hashed password (and a salt), or FALSE on failure. + */ + public function hashPassword($password) { + return $this->passwordCrypt($password, $this->generateSalt()); + } + + /** + * Check whether a plain text password matches a stored hashed password. + * + * @param $password + * A plain-text password + * @param $account + * A user object with at least the fields from the {users} table. + * + * @return + * TRUE or FALSE. + */ + public function checkPassword($password, $account) { + if (substr($account->pass, 0, 3) == 'U$P') { + // This may be an updated password from user_update_7000(). Such hashes + // have 'U' added as the first character and need an extra md5(). + $stored_hash = substr($account->pass, 1); + $password = md5($password); + } + else { + $stored_hash = $account->pass; + } + $hash = $this->passwordCrypt($password, $stored_hash); + return ($hash && $stored_hash == $hash); + } + + /** + * Check whether a user's hashed password needs to be replaced with a new hash. + * + * This is typically called during the login process when the plain text + * password is available. A new hash is needed when the desired iteration count + * has changed through a change in the variable password_hash_strength or + * DEFAULT_HASH_COUNT or if the user's password hash was generated in an update + * like user_update_7000(). + * + * @param $account + * A user object with at least the fields from the {users} table. + * + * @return + * TRUE or FALSE. + */ + public function needsNewHash($account) { + // Check whether this was an updated password. + if ((substr($account->pass, 0, 3) != '$P$') || (strlen($account->pass) != 34)) { + return TRUE; + } + // Check whether the iteration count used differs from the standard number. + return ($this->getCountLog2($account->pass) != $this->countLog2Setting); + } +} + diff --git modules/user/user.test modules/user/user.test index 9c37d9a..2981288 100644 --- modules/user/user.test +++ modules/user/user.test @@ -31,22 +31,22 @@ class UserRegistrationTestCase extends DrupalWebTestCase { $this->assertText(t('Your password and further instructions have been sent to your e-mail address.'), t('User registered successfully.')); // Check database for created user. - $users = user_load_multiple(array(), array('name' => $name, 'mail' => $mail)); - $user = reset($users); - $this->assertTrue($user, t('User found in database.')); - $this->assertTrue($user->uid > 0, t('User has valid user id.')); + $accounts = user_load_multiple(array(), array('name' => $name, 'mail' => $mail)); + $account = reset($accounts); + $this->assertTrue($account, t('User found in database.')); + $this->assertTrue($account->uid > 0, t('User has valid user id.')); // Check user fields. - $this->assertEqual($user->name, $name, t('Username matches.')); - $this->assertEqual($user->mail, $mail, t('E-mail address matches.')); - $this->assertEqual($user->theme, '', t('Correct theme field.')); - $this->assertEqual($user->signature, '', t('Correct signature field.')); - $this->assertTrue(($user->created > REQUEST_TIME - 20 ), t('Correct creation time.')); - $this->assertEqual($user->status, variable_get('user_register', 1) == 1 ? 1 : 0, t('Correct status field.')); - $this->assertEqual($user->timezone, variable_get('date_default_timezone'), t('Correct time zone field.')); - $this->assertEqual($user->language, '', t('Correct language field.')); - $this->assertEqual($user->picture, '', t('Correct picture field.')); - $this->assertEqual($user->init, $mail, t('Correct init field.')); + $this->assertEqual($account->name, $name, t('Username matches.')); + $this->assertEqual($account->mail, $mail, t('E-mail address matches.')); + $this->assertEqual($account->theme, '', t('Correct theme field.')); + $this->assertEqual($account->signature, '', t('Correct signature field.')); + $this->assertTrue(($account->created > REQUEST_TIME - 20 ), t('Correct creation time.')); + $this->assertEqual($account->status, variable_get('user_register', 1) == 1 ? 1 : 0, t('Correct status field.')); + $this->assertEqual($account->timezone, variable_get('date_default_timezone'), t('Correct time zone field.')); + $this->assertEqual($account->language, '', t('Correct language field.')); + $this->assertEqual($account->picture, '', t('Correct picture field.')); + $this->assertEqual($account->init, $mail, t('Correct init field.')); // Attempt to login with incorrect password. $edit = array(); @@ -56,7 +56,7 @@ class UserRegistrationTestCase extends DrupalWebTestCase { $this->assertText(t('Sorry, unrecognized username or password. Have you forgotten your password?'), t('Invalid login attempt failed.')); // Login using password reset page. - $url = user_pass_reset_url($user); + $url = user_pass_reset_url($account); $this->drupalGet($url); $this->assertText(t('This login can be used only once.'), t('Login can be used only once.')); @@ -72,36 +72,33 @@ class UserRegistrationTestCase extends DrupalWebTestCase { $this->assertNoText(t('The changes have been saved.'), t('Save user password with mismatched type in password confirm.')); // Change user password. - $new_pass = user_password(); + $new_pass = user_generate_password(); $edit = array(); $edit['pass[pass1]'] = $new_pass; $edit['pass[pass2]'] = $new_pass; $this->drupalPost(NULL, $edit, t('Save')); $this->assertText(t('The changes have been saved.'), t('Password changed to @password', array('@password' => $new_pass))); - // Make sure password changes are present in database. - require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc'); - - $user = user_load($user->uid, TRUE); - $this->assertTrue(user_check_password($new_pass, $user), t('Correct password in database.')); + $account = user_load($account->uid, TRUE); + $this->assertTrue(user_authenticator()->checkPassword($new_pass, $account), t('Correct password in database.')); // Logout of user account. $this->clickLink(t('Log out')); - $this->assertNoText($user->name, t('Logged out.')); + $this->assertNoText($account->name, t('Logged out.')); // Login user. $edit = array(); - $edit['name'] = $user->name; + $edit['name'] = $account->name; $edit['pass'] = $new_pass; $this->drupalPost('user', $edit, t('Log in')); $this->assertText(t('Log out'), t('Logged in.')); - $this->assertText($user->name, t('[logged in] Username found.')); + $this->assertText($account->name, t('[logged in] Username found.')); $this->assertNoText(t('Sorry. Unrecognized username or password.'), t('[logged in] No message for unrecognized username or password.')); $this->assertNoText(t('User login'), t('[logged in] No user login form present.')); $this->drupalGet('user'); - $this->assertText($user->name, t('[user auth] Not login page.')); + $this->assertText($account->name, t('[user auth] Not login page.')); $this->assertText(t('View'), t('[user auth] Found view tab on the profile page.')); $this->assertText(t('Edit'), t('[user auth] Found edit tab on the profile page.')); }