Switch to a properly hashed passwords

src/messenger/webim/libs/operator.php

@@ -15,6 +15,8 @@
  * limitations under the License.
  */
 
+$remember_cookie_name = 'mibew_operator';
+
 $can_administrate = 0;
 $can_takeover = 1;
 $can_viewthreads = 2;
@@ -34,7 +36,7 @@ function operator_by_login($login)
 	global $mysqlprefix;
 	$link = connect();
 	$operator = select_one_row(
-		"select * from ${mysqlprefix}chatoperator where vclogin = '" . mysql_real_escape_string($login) . "'", $link);
+		"select * from ${mysqlprefix}chatoperator where vclogin = '" . mysql_real_escape_string($login, $link) . "'", $link);
 	mysql_close($link);
 	return $operator;
 }
@@ -103,7 +105,7 @@ function update_operator($operatorid, $login, $email, $jabber, $password, $local
 		", vcemail = '%s', vcjabbername= '%s', inotify = %s" .
 		" where operatorid = %s",
 		mysql_real_escape_string($login, $link),
-		($password ? " vcpassword='" . md5($password) . "'," : ""),
+		($password ? " vcpassword='" . mysql_real_escape_string(calculate_password_hash($login, $password), $link) . "'," : ""),
 		mysql_real_escape_string($localename, $link),
 		mysql_real_escape_string($commonname, $link),
 		mysql_real_escape_string($email, $link),
@@ -133,7 +135,7 @@ function create_operator_($login, $email, $jabber, $password, $localename, $comm
 	$query = sprintf(
 		"insert into ${mysqlprefix}chatoperator (vclogin,vcpassword,vclocalename,vccommonname,vcavatar,vcemail,vcjabbername,inotify) values ('%s','%s','%s','%s','%s','%s','%s',%s)",
 		mysql_real_escape_string($login, $link),
-		md5($password),
+		mysql_real_escape_string(calculate_password_hash($login, $password), $link),
 		mysql_real_escape_string($localename, $link),
 		mysql_real_escape_string($commonname, $link),
 		mysql_real_escape_string($avatar, $link),
@@ -209,12 +211,12 @@ function append_query($link, $pv)
 
 function check_login($redirect = true)
 {
-	global $webimroot, $mysqlprefix;
+	global $webimroot, $mysqlprefix, $remember_cookie_name;
 	if (!isset($_SESSION["${mysqlprefix}operator"])) {
-		if (isset($_COOKIE['webim_lite'])) {
-			list($login, $pwd) = preg_split("/,/", $_COOKIE['webim_lite'], 2);
+		if (isset($_COOKIE[$remember_cookie_name])) {
+			list($login, $pwd) = preg_split('/\x0/', base64_decode($_COOKIE[$remember_cookie_name]), 2);
 			$op = operator_by_login($login);
-			if ($op && isset($pwd) && isset($op['vcpassword']) && md5($op['vcpassword']) == $pwd) {
+			if ($op && isset($pwd) && isset($op['vcpassword']) && calculate_password_hash($op['vclogin'], $op['vcpassword']) == $pwd) {
 				$_SESSION["${mysqlprefix}operator"] = $op;
 				return $op;
 			}
@@ -240,26 +242,26 @@ function get_logged_in()
 	return isset($_SESSION["${mysqlprefix}operator"]) ? $_SESSION["${mysqlprefix}operator"] : FALSE;
 }
 
-function login_operator($operator, $remember)
+function login_operator($operator, $remember, $https = FALSE)
 {
-	global $webimroot, $mysqlprefix;
+	global $webimroot, $mysqlprefix, $remember_cookie_name;
 	$_SESSION["${mysqlprefix}operator"] = $operator;
 	if ($remember) {
-		$value = $operator['vclogin'] . "," . md5($operator['vcpassword']);
-		setcookie('webim_lite', $value, time() + 60 * 60 * 24 * 1000, "$webimroot/");
+		$value = base64_encode($operator['vclogin'] . "\x0" . calculate_password_hash($operator['vclogin'], $operator['vcpassword']));
+		setcookie($remember_cookie_name, $value, time() + 60 * 60 * 24 * 1000, "$webimroot/", NULL, $https, TRUE);
 
-	} else if (isset($_COOKIE['webim_lite'])) {
-		setcookie('webim_lite', '', time() - 3600, "$webimroot/");
+	} else if (isset($_COOKIE[$remember_cookie_name])) {
+		setcookie($remember_cookie_name, '', time() - 3600, "$webimroot/");
 	}
 }
 
 function logout_operator()
 {
-	global $webimroot, $mysqlprefix;
+	global $webimroot, $mysqlprefix, $remember_cookie_name;
 	unset($_SESSION["${mysqlprefix}operator"]);
 	unset($_SESSION['backpath']);
-	if (isset($_COOKIE['webim_lite'])) {
-		setcookie('webim_lite', '', time() - 3600, "$webimroot/");
+	if (isset($_COOKIE[$remember_cookie_name])) {
+		setcookie($remember_cookie_name, '', time() - 3600, "$webimroot/");
 	}
 }
 
@@ -404,4 +406,33 @@ function get_operator_groupids($operatorid)
 	return $result;
 }
 
+function calculate_password_hash($login, $password)
+{
+
+	if (CRYPT_BLOWFISH == 1) {
+		if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
+			return crypt($password, '$2y$08$' . $login);
+		}
+		else {
+			return crypt($password, '$2a$08$' . $login);
+		}
+        }
+	else if (CRYPT_MD5 == 1) {
+		return crypt($password, '$1$' . $login);
+	}
+
+	return md5($password);
+}
+
+function check_password_hash($login, $password, $hash)
+{
+	if (preg_match('/^\$/', $hash)) {
+		return (calculate_password_hash($login, $password) == $hash);
+	}
+	else {
+		return (md5($password) == $hash);
+	}
+
+}
+
 ?>

src/messenger/webim/operator/index.php

@@ -29,7 +29,7 @@ $page = array(
 	'version' => $version,
 	'localeLinks' => get_locale_links("$webimroot/operator/index.php"),
 	'needUpdate' => $settings['dbversion'] != $dbversion,
-	'needChangePassword' => $operator['vcpassword'] == md5(''),
+	'needChangePassword' => check_password_hash($operator['vclogin'], '', $operator['vcpassword']),
 	'profilePage' => "$webimroot/operator/operator.php?op=".safe_htmlspecialchars($operator['operatorid']),
 	'updateWizard' => "$webimroot/install/",
 	'newFeatures' => $settings['featuresversion'] != $featuresversion,

src/messenger/webim/operator/login.php

@@ -27,7 +27,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 	$remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on";
 
 	$operator = operator_by_login($login);
-	if ($operator && isset($operator['vcpassword']) && $operator['vcpassword'] == md5($password)) {
+	if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) {
 
 		$target = $password == ''
 				? "$webimroot/operator/operator.php?op=" . intval($operator['operatorid'])
@@ -35,7 +35,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 					? $_SESSION['backpath']
 					: "$webimroot/operator/index.php");
 
-		login_operator($operator, $remember);
+		login_operator($operator, $remember, is_secure_request());
 		header("Location: $target");
 		exit;
 	} else {

src/messenger/webim/operator/operator.php

@@ -90,8 +90,8 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 			update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0);
 			// update the session password
 			if (!empty($password) && $opId == $operator['operatorid']) {
-				$toDashboard = $operator['vcpassword'] == md5('') && $password != '';
-				$_SESSION["${mysqlprefix}operator"]['vcpassword'] = md5($password);
+				$toDashboard = check_password_hash($login, '', $operator['vcpassword']) && $password != '';
+				$_SESSION["${mysqlprefix}operator"]['vcpassword'] = calculate_password_hash($login, $password);
 				if($toDashboard) {
 					header("Location: $webimroot/operator/index.php");
 					exit;
@@ -138,7 +138,7 @@ $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile,
 $page['stored'] = isset($_GET['stored']);
 $page['canmodify'] = $canmodify ? "1" : "";
 $page['showjabber'] = $settings['enablejabber'] == "1";
-$page['needChangePassword'] = $operator['vcpassword'] == md5('');
+$page['needChangePassword'] = check_password_hash($operator['vclogin'], '', $operator['vcpassword']);
 
 prepare_menu($operator);
 setup_operator_settings_tabs($opId, 0);

src/messenger/webim/operator/resetpwd.php

@@ -49,7 +49,7 @@ if (count($errors) == 0 && isset($_POST['password'])) {
 		$page['isdone'] = true;
 
 		$link = connect();
-		$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
+		$query = "update ${mysqlprefix}chatoperator set vcpassword = '" . mysql_real_escape_string(calculate_password_hash($operator['vclogin'], $password), $link) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
 		perform_query($query, $link);
 		mysql_close($link);