www: login and change password update to dotconfig fix

Adding new functions to get method used, salt and counter for the different type of encryptation methods. By this moment, the web interface encrypts using md5 with a random salt by default. Old method removed.

www: login and change password update to dotconfig fix
Adding new functions to get method used, salt and counter for the different type of encryptation methods. By this moment, the web interface encrypts using md5 with a random salt by default. Old method removed.
dd4f7761 · José Luis Gutiérrez · Alessandro Rubini · 0b90a01f · dd4f7761 · dd4f7761
Commit dd4f7761 authored Jul 16, 2015 by José Luis Gutiérrez Committed by Alessandro Rubini Jul 17, 2015
Showing with 102 additions and 12 deletions

change_passwd.php userspace/rootfs_override/var/www/change_passwd.php +17 -11

functions.php userspace/rootfs_override/var/www/functions.php +81 -0

login.php userspace/rootfs_override/var/www/login.php +4 -1

No files found.
--- a/userspace/rootfs_override/var/www/change_passwd.php
+++ b/userspace/rootfs_override/var/www/change_passwd.php
@@ -36,9 +36,8 @@
 	<?php
 		//Change user password

-		if((empty($_POST['oldpasswd']) || empty($_POST['newpasswd']) || empty($_POST['confirmpasswd']))){
-			echo '<br><br><p align="center">*Please fill all fields.</p>';
-	
+		if(!(!empty($_POST["oldpasswd"]) || !empty($_POST["newpasswd"]) || !empty($_POST["confirmpasswd"]))){
+			echo '<br><br><p align="center">*Please fill all fields.</p>';	
 		}else{

 			$username = $_POST["user"];
@@ -49,12 +48,15 @@
 			/* Changing the password from the web interface will always save
 			 * the password encrypted for security reasons...
 			 * */
-			if(!empty($_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED'])){ 
+			if(!empty($_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED'])){
 				/* Previous password was encrypted */
 				/* password shall be here: ROOT_PWD_CYPHER */
-				$dotconfig_old_passwd = $_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CYPHER'];
-				$oldpassword = shell_exec('/usr/bin/mkpasswd --method=md5 "'.$oldpassword.'"');
-			}else{ 
+				$dotconfig_passwd = $_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CYPHER'];
+				$salt = get_encrypt_salt($dotconfig_passwd);
+				$method = get_encrypt_method($dotconfig_passwd);
+				$rounds = get_encrypt_rounds($dotconfig_passwd);
+				$oldpassword = encrypt_password($oldpassword, $salt, $rounds, $method);
+			}else{
 				/* previous password was not encrypted */
 				/* password shall be here: ROOT_PWD_CLEAR */
 				$dotconfig_old_passwd = $_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CLEAR'];
@@ -64,7 +66,11 @@
 				echo '<br><br><div id="alert" align="center">New and confirm password are different.</div>';
 				exit;
 			}else{
-				$newpasswd=shell_exec('/usr/bin/mkpasswd --method=md5 "'.$newpasswd.'"');
+				$method = "CRYPT_MD5";
+				$rounds = "";
+				$salt = substr(substr( "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" ,
+							mt_rand( 0 ,50 ) ,1 ) .substr( md5( time() ), 1), 4, 8);
+				$newpasswd = encrypt_password($newpasswd, $salt, $rounds, $method);
 			}

 			if(strcmp($newpasswd,"")==0){ /* using mkpasswd it can never be NULL */
@@ -72,12 +78,11 @@
 				exit;
 			}

-			if(!strcmp($dotconfig_old_passwd,$oldpassword)==0){
+			if(!strcmp($dotconfig_passwd,$oldpassword)==0){
 				echo '<br><br><div id="alert" align="center">Old password was not correct.</div>';
 				exit;
 			}else{ /* Save to dotconfig... */
-				
-				if(!empty($_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED'])){ 
+				if(!empty($_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED'])){
 					$_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CYPHER'] = $newpasswd;
 				}else{ /* previous was not encrypted */
 					$_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED']="y";
@@ -88,6 +93,7 @@
 				}
 				save_kconfig();
 				apply_kconfig();
+				load_kconfig();
 				header('Location: logout.php');
 			}
 		}

--- a/userspace/rootfs_override/var/www/functions.php
+++ b/userspace/rootfs_override/var/www/functions.php
@@ -1382,4 +1382,85 @@ function apply_kconfig(){
 	shell_exec($dotconfigapp. " local_config > /dev/null 2>&1 &");
 }

+function encrypt_password($password, $salt, $rounds, $method){
+
+	$encrypted_passwd = "";
+
+	switch ($method) {
+		case "CRYPT_STD_DES":
+			$encrypted_passwd = shell_exec('/wr/bin/mkpasswd --method=des "'.$password.'" --salt="'.$salt.'"');
+			$encrypted_passwd = str_replace("\n", "", $encrypted_passwd);
+			break;
+		case "CRYPT_MD5":
+			$encrypted_passwd = shell_exec('/wr/bin/mkpasswd --method=md5 "'.$password.'" --salt="'.$salt.'"');
+			$encrypted_passwd = str_replace("\n", "", $encrypted_passwd);
+			break;
+		case "CRYPT_BLOWFISH":
+			$encrypted_passwd = shell_exec('/wr/bin/mkpasswd --method=bf "'.$password.'" --salt="'.$salt.'"');
+			$encrypted_passwd = str_replace("\n", "", $encrypted_passwd);
+			break;
+		case "CRYPT_SHA256":
+			$encrypted_passwd = shell_exec('/wr/bin/mkpasswd --method=sha-256 "'.$password.'" --salt="'.$salt.'" --rounds="'.$rounds.'"');
+			$encrypted_passwd = str_replace("\n", "", $encrypted_passwd);
+			break;
+		case "CRYPT_SHA512":
+			$encrypted_passwd = shell_exec('/wr/bin/mkpasswd --method=sha-512 "'.$password.'" --salt="'.$salt.'" --rounds="'.$rounds.'"');
+			$encrypted_passwd = str_replace("\n", "", $encrypted_passwd);
+			break;
+	}
+
+	return $encrypted_passwd;
+}
+
+function get_encrypt_method($enc_password){
+
+	$method = "";
+	if (strpos($enc_password,'$1$') !== false)
+		$method = "CRYPT_MD5";
+	else if (strpos($enc_password,'$2a$07$') !== false)
+		$method = "CRYPT_BLOWFISH";
+	else if (strpos($enc_password,'$5$') !== false)
+		$method = "CRYPT_SHA256";
+	else if (strpos($enc_password,'$6$') !== false)
+		$method = "CRYPT_SHA512";
+
+	return $method;
+}
+
+function get_encrypt_rounds($enc_password){
+
+	$elements = explode("$", $enc_password);
+	$rounds = "";
+
+	foreach ($elements as $element){
+		if (strpos($element,'rounds=') !== false){
+			$rounds = str_replace("rounds=","",$element);
+		}
+	}
+	return $rounds;
+}
+
+function get_encrypt_salt($enc_password){
+	$method = get_encrypt_method($enc_password);
+	$salt = "";
+
+	$elements = explode("$", $enc_password);
+
+	switch ($method) {
+		case "CRYPT_MD5":
+			$salt = $elements[2];
+			break;
+		case "CRYPT_BLOWFISH":
+			$salt = $elements[3];
+			break;
+		case "CRYPT_SHA256":
+			$salt = $elements[3];
+			break;
+		case "CRYPT_SHA512":
+			$salt = $elements[3];
+			break;
+	}
+	return $salt;
+}
+
 ?>
--- a/userspace/rootfs_override/var/www/login.php
+++ b/userspace/rootfs_override/var/www/login.php
@@ -32,7 +32,10 @@
 			if(!empty($_SESSION['KCONFIG']['CONFIG_ROOT_PWD_IS_ENCRYPTED'])){
 				/* password is here: ROOT_PWD_CYPHER */
 				$dotconfig_passwd = $_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CYPHER'];
-				$password = shell_exec('/usr/bin/mkpasswd --method=md5 "'.$password.'"');
+				$salt = get_encrypt_salt($dotconfig_passwd);
+				$method = get_encrypt_method($dotconfig_passwd);
+				$rounds = get_encrypt_rounds($dotconfig_passwd);
+				$password = encrypt_password($password, $salt, $rounds, $method);
 			}else{ /* password is here: ROOT_PWD_CLEAR */
 				$dotconfig_passwd = $_SESSION['KCONFIG']['CONFIG_ROOT_PWD_CLEAR'];
 			}