diff --git a/main/auth/profile.php b/main/auth/profile.php index 393ee9eb4d..3de0505f87 100755 --- a/main/auth/profile.php +++ b/main/auth/profile.php @@ -426,10 +426,11 @@ if ($form->validate()) { api_get_setting('profile', 'email') == 'true') ) { $passwordWasChecked = true; - $validPassword = UserManager::isPasswordValid( + $validPassword = UserManager::checkPassword( $user->getPassword(), $user_data['password0'], - $user->getSalt() + $user->getSalt(), + $user->getId() ); if ($validPassword) { diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php index 00e1d43f02..9774f91285 100755 --- a/main/inc/lib/usermanager.lib.php +++ b/main/inc/lib/usermanager.lib.php @@ -127,11 +127,77 @@ class UserManager } /** - * @param string $raw + * Detects and returns the type of encryption of the given encrypted + * password. * - * @return string + * @param string $encoded The encrypted password + * @param string $salt The user salt, if any + */ + public static function detectPasswordEncryption(string $encoded, string $salt): bool + { + + $encryption = false; + + $length = strlen($encoded); + + $pattern = '/^\$2y\$04\$[A-Za-z0-9\.\/]{53}$/'; + + if ( $length == 60 && preg_match($pattern, $encoded)) { + $encryption = 'bcrypt'; + } + elseif ( $length == 32 && ctype_xdigit($encoded) ) { + $encryption = 'md5'; + } + elseif ( $length == 40 && ctype_xdigit($encoded) ) { + $encryption = 'sha1'; + } + else { + $start = strpos($encoded, '{'); + if ($start !== false && substr($encoded, -1, 1) == '}') { + if (substr($encoded,$start + 1,-1) == $salt) { + $encryption = 'none'; + } + } + } + + return $encryption; + } + + /** + * Checks if the password is correct for this user. + * If the password_conversion setting is true, also update the password + * in the database to a new encryption method. + * + * @param string $encoded Encrypted password + * @param string $raw Clear password given through login form + * @param string $salt User salt, if any + * @param int $userId The user's internal ID + */ + public static function checkPassword(string $encoded, string $raw, string $salt, int $userId): bool + { + $result = false; + + if (true === api_get_configuration_value('password_conversion')) { + $detectedEncryption = self::detectPasswordEncryption($encoded, $salt); + if (self::getPasswordEncryption() != $detectedEncryption) { + $encoder = new \Chamilo\UserBundle\Security\Encoder($detectedEncryption); + $result = $encoder->isPasswordValid($encoded, $raw, $salt); + if ($result) { + self::updatePassword($userId, $raw); + } + } + } else { + return self::isPasswordValid($encoded, $raw, $salt); + } + + return $result; + } + /** + * Encrypt the password using the current encoder + * + * @param string $raw The clear password */ - public static function encryptPassword($raw, User $user) + public static function encryptPassword(string $raw, User $user): string { $encoder = self::getEncoder($user); @@ -142,10 +208,11 @@ class UserManager } /** - * @param int $userId - * @param string $password + * Update the password of the given user to the given (in-clear) password + * @param int $userId Internal user ID + * @param string $password Password in clear */ - public static function updatePassword($userId, $password) + public static function updatePassword(int $userId, string $password): void { $repository = self::getRepository(); /** @var User $user */ diff --git a/main/inc/lib/webservices/WebService.class.php b/main/inc/lib/webservices/WebService.class.php index 3347523ae8..39c740669f 100644 --- a/main/inc/lib/webservices/WebService.class.php +++ b/main/inc/lib/webservices/WebService.class.php @@ -103,10 +103,11 @@ class WebService return false; } - return UserManager::isPasswordValid( + return UserManager::checkPassword( $user->getPassword(), $password, - $user->getSalt() + $user->getSalt(), + $user->getId() ); } diff --git a/main/inc/local.inc.php b/main/inc/local.inc.php index ed086f6858..abb5deb32a 100755 --- a/main/inc/local.inc.php +++ b/main/inc/local.inc.php @@ -511,11 +511,12 @@ if (!empty($_SESSION['_user']['user_id']) && !($login || $logout)) { if ($uData['auth_source'] == PLATFORM_AUTH_SOURCE || $uData['auth_source'] == CAS_AUTH_SOURCE ) { - $validPassword = isset($password) && UserManager::isPasswordValid( - $uData['password'], - $password, - $uData['salt'] - ); + $validPassword = isset($password) && UserManager::checkPassword( + $uData['password'], + $password, + $uData['salt'], + $uData['id'] + ); $checkUserFromExternalWebservice = false; // If user can't connect directly to chamilo then check the webservice setting diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php index b7c067608a..0ffdf1a913 100755 --- a/main/install/configuration.dist.php +++ b/main/install/configuration.dist.php @@ -163,6 +163,9 @@ $_configuration['cdn'] = [ $_configuration['security_key'] = '{SECURITY_KEY}'; // Hash function method $_configuration['password_encryption'] = '{ENCRYPT_PASSWORD}'; +// Set to true to allow automated password conversion after login if +// password_encryption has changed since last login. See GH#4063 for details. +//$_configuration['password_conversion'] = false; // You may have to restart your web server if you change this $_configuration['session_stored_in_db'] = false; // Session lifetime diff --git a/plugin/whispeakauth/ajax/authentify_password.php b/plugin/whispeakauth/ajax/authentify_password.php index ef75d7b675..1e583ea361 100644 --- a/plugin/whispeakauth/ajax/authentify_password.php +++ b/plugin/whispeakauth/ajax/authentify_password.php @@ -42,7 +42,7 @@ $lpItemInfo = ChamiloSession::read(WhispeakAuthPlugin::SESSION_LP_ITEM, []); /** @var array $quizQuestionInfo */ $quizQuestionInfo = ChamiloSession::read(WhispeakAuthPlugin::SESSION_QUIZ_QUESTION, []); -$isValidPassword = UserManager::isPasswordValid($user->getPassword(), $password, $user->getSalt()); +$isValidPassword = UserManager::checkPassword($user->getPassword(), $password, $user->getSalt(), $user->getId()); $isActive = $user->isActive(); $isExpired = empty($user->getExpirationDate()) || $user->getExpirationDate() > api_get_utc_datetime(null, false, true);