Skip to content

G
gnu-social

The source project of this merge request has been removed.

Opened by 1

Update AuthCryptPlugin with backwards compatible bcrypt and argon2i password hashing support, fix timing attacks

This adds support for modern password hashing algorithms, and fixes timing attacks for old password verification.

For older versions of PHP that do not support password_hash() or password_verify(), the existing method will be used as a fallback. Passwords will be automatically updated to the newest default algorithm (PASSWORD_BCRYPT) if supported by that PHP version.

Edited by dansup
{{ resolvedDiscussionCount }}/{{ discussionCount }} {{ resolvedCountText }} resolved
  • dansup @dansup

    changed the description

    changed the description

    Toggle commit list
  • dansup @dansup

    changed target branch from master to nightly

    changed target branch from master to nightly

    Toggle commit list
  • dansup @dansup commented
    1

    @mmn What do you think?

  • dansup @dansup

    added 1 commit

    • 61f766c8 - Remove function_exists() calls and add up default bcrypt cost to 12.

    Compare with previous version

    added 1 commit

    • 61f766c8 - Remove function_exists() calls and add up default bcrypt cost to 12.

    Compare with previous version

    Toggle commit list
  • dansup
    @dansup started a discussion on commit 61f766c8
    plugins/AuthCrypt/AuthCryptPlugin.php
    71 64 // If we check StatusNet hash, for backwards compatibility and migration
    72 65 if ($this->statusnet && $user->password === md5($password . $user->id)) {
    73 66 // and update password hash entry to crypt() compatible
    74 if ($this->overwrite && function_exists('password_hash')) {
    67 if ($this->overwrite) {
    75 68 $this->changePassword($user->nickname, null, $password);
    76 69 }
    77 70 return $user;
    78 71 }
    79 72
    73 // Timing safe password verification on supported PHP versions
    • dansup @dansup commented
      1

      I moved the password_verify() call so $this->changePassword() will be called for older passwords, otherwise old passwords would never be updated.

      Edited by dansup
    Please register or sign in to reply
  • Maiyannah Bishop @maiyannah commented

    I'd love to include this in postActiv if you could submit it to me there: http://gitea.postactiv.com/postActiv/postActiv/pulls

  • dansup @dansup commented
    1

    @maiyannah Hi, since postActiv is a fork, feel free to merge this patch!

  • Maiyannah Bishop @maiyannah commented

    Hmm, when I have merged gitlab repos in the past it's lost attribution, which is why I'd asked if you can submit it there, but if its a fuss I can see what I can do from my end.

  • dansup @dansup commented
    1

    @maiyannah Oh, no worries. I don't need attribution, just would prefer to push to git.gnu.io since I already have that set up.

  • Maiyannah Bishop @maiyannah commented

    @dansup well luckily gitea seems to figure things out. So now its in postActiv nightly: http://gitea.postactiv.com/postActiv/postActiv/commits/nightly

  • dansup @dansup commented
    1

    @maiyannah Glad to hear that! I have a few branches on my fork with some exciting new features. Checkout issue #308 (closed) for more info.

  • Maiyannah Bishop @maiyannah commented

    Should tag me on the fediverse so we don't pollute issues discussion with chat, you can find me at maiyannah@community.highlandarrow.com

  • dansup @dansup

    closed

    closed

    Toggle commit list
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment