diff options
| -rw-r--r-- | data/config_example.pl | 5 | ||||
| -rw-r--r-- | data/global.pl | 3 | ||||
| -rw-r--r-- | lib/Multi/API.pm | 6 | ||||
| -rw-r--r-- | lib/VNDB/Util/Auth.pm | 23 | ||||
| -rw-r--r-- | util/sql/schema.sql | 3 | ||||
| -rw-r--r-- | util/updates/update_2.26.sql | 3 |
6 files changed, 9 insertions, 34 deletions
diff --git a/data/config_example.pl b/data/config_example.pl index b1e405ce..96f003fc 100644 --- a/data/config_example.pl +++ b/data/config_example.pl @@ -17,9 +17,8 @@ package VNDB; %S, url => 'http://your.site.root/', url_static => 'http://your.static.site.root/', - global_salt => '<some long unique string>', - form_salt => '<another unique string>', - scrypt_salt => '<yet another unique string>', + form_salt => '<some unique string>', + scrypt_salt => '<another unique string>', ); diff --git a/data/global.pl b/data/global.pl index 4fefee29..1e3f90dc 100644 --- a/data/global.pl +++ b/data/global.pl @@ -21,8 +21,7 @@ our %S; url => 'http://vndb.org', # Only used by Multi, web pages infer their own address url_static => 'http://s.vndb.org', skin_default => 'angel', - global_salt => 'any-private-string-here', - form_salt => 'a-different-private-string-here', + form_salt => 'a-private-string-here', scrypt_args => [ 65536, 8, 1 ], # N, r, p scrypt_salt => 'another-random-string', regen_static => 0, diff --git a/lib/Multi/API.pm b/lib/Multi/API.pm index f75ea4f9..1ed62682 100644 --- a/lib/Multi/API.pm +++ b/lib/Multi/API.pm @@ -11,7 +11,6 @@ use Multi::Core; use AnyEvent::Socket; use AnyEvent::Handle; use POE::Filter::VNDBAPI 'encode_filters'; -use Digest::SHA 'sha256'; use Encode 'encode_utf8', 'decode_utf8'; use Crypt::ScryptKDF 'scrypt_raw';; use VNDBUtil 'normalize_query', 'norm_ip'; @@ -277,10 +276,7 @@ sub login_verify { my $uid = $res->value(0,0); my $accepted = 0; - if(length $passwd == 41) { # Old sha256 - my $salt = substr $passwd, 0, 9; - $accepted = sha256($VNDB::S{global_salt}.encode_utf8($arg->{password}).$salt) eq substr $passwd, 9; - } elsif(length $passwd == 46) { # New scrypt + if(length $passwd == 46) { # scrypt my($N, $r, $p, $salt, $hash) = unpack 'NCCa8a*', $passwd; $accepted = $hash eq scrypt_raw($arg->{password}, $VNDB::S{scrypt_salt} . $salt, $N, $r, $p, 32); } else { diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index a1c6cf08..0c3b5b73 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -5,7 +5,7 @@ package VNDB::Util::Auth; use strict; use warnings; use Exporter 'import'; -use Digest::SHA qw|sha1 sha1_hex sha256|; +use Digest::SHA qw|sha1 sha1_hex|; use Crypt::URandom 'urandom'; use Crypt::ScryptKDF 'scrypt_raw'; use Encode 'encode_utf8'; @@ -112,16 +112,7 @@ sub _authCheck { my $d = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0]; return 0 if !$d->{id}; - # Old-style hashes - if(length $d->{passwd} == 41) { - return 0 if _authPreparePassSha256($self, $pass, substr $d->{passwd}, 0, 9) ne $d->{passwd}; - $self->{_auth} = $d; - # Update database with new hash format, now that we have the plain text password - $self->dbUserEdit($d->{id}, passwd => $self->authPreparePass($pass)); - return 1; - } - - # New scrypt hashes + # scrypt format if(length $d->{passwd} == 46) { my($N, $r, $p, $salt) = unpack 'NCCa8', $d->{passwd}; return 0 if $self->authPreparePass($pass, $salt, $N, $r, $p) ne $d->{passwd}; @@ -144,16 +135,6 @@ sub authPreparePass { } -# Same as authPreparePass, but for the old sha256 hash. -# Arguments: pass, optionally salt -# Returns: encrypted password (as a binary string) -sub _authPreparePassSha256 { - my($self, $pass, $salt) = @_; - $salt ||= encode_utf8(randomascii(9)); - return $salt.sha256($self->{global_salt} . encode_utf8($pass) . $salt); -} - - # Generates a random token that can be used to reset the password. # Returns: token (hex string), token-encrypted (binary string) sub authPrepareReset { diff --git a/util/sql/schema.sql b/util/sql/schema.sql index 9f78cf51..ffc20cc2 100644 --- a/util/sql/schema.sql +++ b/util/sql/schema.sql @@ -551,9 +551,6 @@ CREATE TABLE users ( -- First 9 bytes: salt (ASCII) -- Latter 20 bytes: sha1(hex(token) + salt) -- 'token' is a sha1 digest obtained from random data. - -- * 41 bytes: sha256 password - -- First 9 bytes: salt (ASCII) - -- Latter 32 bytes: sha256(global_salt + password + salt) -- * 46 bytes: scrypt password -- 4 bytes: N (big endian) -- 1 byte: r diff --git a/util/updates/update_2.26.sql b/util/updates/update_2.26.sql index 5d1c403f..04534b98 100644 --- a/util/updates/update_2.26.sql +++ b/util/updates/update_2.26.sql @@ -1,2 +1,5 @@ -- No more 'staffedit' permission flag UPDATE users SET perm = (perm & ~8); + +-- Removed support for sha256-hashed passwords +UPDATE users SET passwd = '' WHERE length(passwd) = 41; |