From: Fabii547
Date: Mon, 22 Aug 2016 10:11:57 +0000 (+0200)
Subject: Use 'CryptoUtil::secureCompare()' instead of 'PasswordUtil::secureCompare()'
X-Git-Tag: 3.0.0_Beta_1~592^2
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=4aff3083ca92973816faa2de41bc439079db3df3;p=GitHub%2FWoltLab%2FWCF.git
Use 'CryptoUtil::secureCompare()' instead of 'PasswordUtil::secureCompare()'
---
diff --git a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
index b9a90dd9c8..7f8a3808c2 100644
--- a/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
+++ b/wcfsetup/install/files/lib/action/NotificationDisableAction.class.php
@@ -5,8 +5,8 @@ use wcf\data\user\User;
 use wcf\system\exception\IllegalLinkException;
 use wcf\system\request\LinkHandler;
 use wcf\system\WCF;
+use wcf\util\CryptoUtil;
 use wcf\util\HeaderUtil;
-use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 /**
@@ -70,7 +70,7 @@ class NotificationDisableAction extends AbstractAction {
 }
 if (isset($_REQUEST['token'])) $this->token = StringUtil::trim($_REQUEST['token']);
- if (empty($this->token) || !PasswordUtil::secureCompare($this->user->notificationMailToken, $this->token)) {
+ if (empty($this->token) || !CryptoUtil::secureCompare($this->user->notificationMailToken, $this->token)) {
 throw new IllegalLinkException();
 }
 }
diff --git a/wcfsetup/install/files/lib/data/user/User.class.php b/wcfsetup/install/files/lib/data/user/User.class.php
index bda8c3c104..dc4b3d00d5 100644
--- a/wcfsetup/install/files/lib/data/user/User.class.php
+++ b/wcfsetup/install/files/lib/data/user/User.class.php
@@ -10,6 +10,7 @@ use wcf\system\request\IRouteController;
 use wcf\system\request\LinkHandler;
 use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\WCF;
+use wcf\util\CryptoUtil;
 use wcf\util\PasswordUtil;
 /**
@@ -136,7 +137,7 @@ final class User extends DatabaseObject implements IRouteController, IUserConten
 }
 // password is correct
- if (PasswordUtil::secureCompare($this->password, PasswordUtil::getDoubleSaltedHash($password, $this->password))) {
+ if (CryptoUtil::secureCompare($this->password, PasswordUtil::getDoubleSaltedHash($password, $this->password))) {
 $isValid = true;
 }
 }
@@ -166,7 +167,7 @@ final class User extends DatabaseObject implements IRouteController, IUserConten
 * @return boolean password correct
 */
 public function checkCookiePassword($passwordHash) {
- if (PasswordUtil::isBlowfish($this->password) && PasswordUtil::secureCompare($this->password, PasswordUtil::getSaltedHash($passwordHash, $this->password))) {
+ if (PasswordUtil::isBlowfish($this->password) && CryptoUtil::secureCompare($this->password, PasswordUtil::getSaltedHash($passwordHash, $this->password))) {
 return true;
 }
diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index c42b01e846..add0efd4a2 100644
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -4,7 +4,7 @@ use wcf\data\user\User;
 use wcf\system\exception\IllegalLinkException;
 use wcf\system\session\SessionHandler;
 use wcf\system\WCF;
-use wcf\util\PasswordUtil;
+use wcf\util\CryptoUtil;
 use wcf\util\StringUtil;
 /**
@@ -35,7 +35,7 @@ abstract class AbstractAuthedPage extends AbstractPage {
 list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
 if (WCF::getUser()->userID) {
- if ($userID == WCF::getUser()->userID && PasswordUtil::secureCompare(WCF::getUser()->accessToken, $token)) {
+ if ($userID == WCF::getUser()->userID && CryptoUtil::secureCompare(WCF::getUser()->accessToken, $token)) {
 // everything is fine, but we are already logged in
 return;
 }
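Review bot: `$token` can still be null or empty when it reaches `secureCompare()` in the `@@ -35,7 +35,7 @@` hunk, because `array_pad(..., 2, null)` fills in a missing token and nothing visible rejects it before the comparison. The same holds for the `new User($userID)` branch in the following hunk (`@@ -46,7 +46,7 @@`), where an account without an access token would presumably carry an empty `accessToken` too; whether two empty values compare as equal depends on `CryptoUtil::secureCompare()`, which this diff does not show. NotificationDisableAction in this same commit guards with `empty($this->token)`, and the equivalent here, `if (empty($token)) throw new IllegalLinkException();` placed right after the `list(...)` line, would make the outcome independent of the helper's handling of empty input. The enclosing method starts and ends outside both hunks, so an earlier guard may exist that is not visible here.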
@@ -46,7 +46,7 @@ abstract class AbstractAuthedPage extends AbstractPage {
 }
 else {
 $user = new User($userID);
- if (PasswordUtil::secureCompare($user->accessToken, $token)) {
+ if (CryptoUtil::secureCompare($user->accessToken, $token)) {
 // token is valid -> change user
 SessionHandler::getInstance()->changeUser($user, true);
 }
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index 68f97c823b..e834a41983 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -21,8 +21,8 @@ use wcf\system\user\storage\UserStorageHandler;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
 use wcf\system\WCFACP;
+use wcf\util\CryptoUtil;
 use wcf\util\HeaderUtil;
-use wcf\util\PasswordUtil;
 use wcf\util\StringUtil;
 use wcf\util\UserUtil;
@@ -357,7 +357,7 @@ class SessionHandler extends SingletonFactory {
 * @return boolean
 */
 public function checkSecurityToken($token) {
- return PasswordUtil::secureCompare($this->getSecurityToken(), $token);
+ return CryptoUtil::secureCompare($this->getSecurityToken(), $token);
 }
 /**
diff --git a/wcfsetup/install/files/lib/util/PasswordUtil.class.php b/wcfsetup/install/files/lib/util/PasswordUtil.class.php
index 4a55305163..426f8404c1 100644
--- a/wcfsetup/install/files/lib/util/PasswordUtil.class.php
+++ b/wcfsetup/install/files/lib/util/PasswordUtil.class.php
@@ -308,7 +308,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function ipb3($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, md5(md5($salt) . md5($password)));
+ return CryptoUtil::secureCompare($dbHash, md5(md5($salt) . md5($password)));
 }
 /**
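Review bot: `checkSecurityToken()` passes `$token` to the comparison without checking its type, so if callers hand it request data directly, a non-string value (a parameter submitted as an array, say) reaches `CryptoUtil::secureCompare()`. How the helper treats such a value is not visible in this diff. A guard in the wrapper keeps the result well-defined either way: `return is_string($token) && CryptoUtil::secureCompare($this->getSecurityToken(), $token);`. The docblock, of which only `@return boolean` is visible, could also state that the comparison is constant-time and that `$token` is expected to be a string.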
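Review bot: No hunk in this diff touches the definition of `PasswordUtil::secureCompare()`, so the old method apparently remains next to the new helper and the two implementations can drift apart. I would mark it `@deprecated` with a pointer to `CryptoUtil::secureCompare()` and reduce its body to a one-line delegation to the new helper, so there is a single comparison routine to audit. The same substitution is repeated in the remaining PasswordUtil hunks (mybb1 through cryptMD5); `CryptoUtil` resolves there without a `use` line only because both classes live in `wcf\util`, which is worth a short comment for readers of the file.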
@@ -321,7 +321,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function mybb1($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, md5(md5($salt) . md5($password)));
+ return CryptoUtil::secureCompare($dbHash, md5(md5($salt) . md5($password)));
 }
 /**
 * Validates the password hash for phpBB 3.x (phpbb3).
@@ -347,7 +347,7 @@ final class PasswordUtil {
 */
 protected static function phpass($username, $password, $salt, $dbHash) {
 if (mb_strlen($dbHash) !== 34) {
- return self::secureCompare(md5($password), $dbHash);
+ return CryptoUtil::secureCompare(md5($password), $dbHash);
 }
 $hash_crypt_private = function ($password, $setting) {
@@ -420,7 +420,7 @@ final class PasswordUtil {
 return $output;
 };
- return self::secureCompare($hash_crypt_private($password, $dbHash), $dbHash);
+ return CryptoUtil::secureCompare($hash_crypt_private($password, $dbHash), $dbHash);
 }
 /**
@@ -433,7 +433,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function smf1($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, sha1(mb_strtolower($username) . $password));
+ return CryptoUtil::secureCompare($dbHash, sha1(mb_strtolower($username) . $password));
 }
 /**
@@ -459,7 +459,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function vb3($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, md5(md5($password) . $salt));
+ return CryptoUtil::secureCompare($dbHash, md5(md5($password) . $salt));
 }
 /**
@@ -498,10 +498,10 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function wbb2($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, md5($password))) {
+ if (CryptoUtil::secureCompare($dbHash, md5($password))) {
 return true;
 }
- else if (self::secureCompare($dbHash, sha1($password))) {
+ else if (CryptoUtil::secureCompare($dbHash, sha1($password))) {
 return true;
 }
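Review bot: Both `phpass()` calls pass the computed value first and `$dbHash` second (hunks `@@ -347,7 +347,7 @@` and `@@ -420,7 +420,7 @@`), the reverse of every other validator touched in this file. Since the lines are being rewritten anyway, I would put the stored hash first there as well: `return CryptoUtil::secureCompare($dbHash, md5($password));` and `return CryptoUtil::secureCompare($dbHash, $hash_crypt_private($password, $dbHash));`. The order matters if the helper follows the known-string-first convention of `hash_equals()`, which this diff does not show; in any case a uniform order makes the call sites easier to audit. `phpass()` starts before the first of these hunks and continues between them, so only the two return statements are visible.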
@@ -518,7 +518,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function wcf1($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, sha1($salt . sha1($salt . sha1($password))));
+ return CryptoUtil::secureCompare($dbHash, sha1($salt . sha1($salt . sha1($password))));
 }
 /**
@@ -575,7 +575,7 @@ final class PasswordUtil {
 }
 $hash = $encryptionMethod($salt . $hash);
- return self::secureCompare($dbHash, $hash);
+ return CryptoUtil::secureCompare($dbHash, $hash);
 }
 /**
@@ -588,7 +588,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function wcf2($username, $password, $salt, $dbHash) {
- return self::secureCompare($dbHash, self::getDoubleSaltedHash($password, $salt));
+ return CryptoUtil::secureCompare($dbHash, self::getDoubleSaltedHash($password, $salt));
 }
 /**
@@ -601,11 +601,11 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function xf1($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, sha1(sha1($password) . $salt))) {
+ if (CryptoUtil::secureCompare($dbHash, sha1(sha1($password) . $salt))) {
 return true;
 }
- return self::secureCompare($dbHash, hash('sha256', hash('sha256', $password) . $salt));
+ return CryptoUtil::secureCompare($dbHash, hash('sha256', hash('sha256', $password) . $salt));
 }
 /**
@@ -618,7 +618,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function xf12($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, self::getSaltedHash($password, $dbHash))) {
+ if (CryptoUtil::secureCompare($dbHash, self::getSaltedHash($password, $dbHash))) {
 return true;
 }
@@ -635,7 +635,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function joomla1($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, md5($password . $salt))) {
+ if (CryptoUtil::secureCompare($dbHash, md5($password . $salt))) {
 return true;
 }
@@ -680,7 +680,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function phpfox3($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, md5(md5($password) . md5($salt)))) {
+ if (CryptoUtil::secureCompare($dbHash, md5(md5($password) . md5($salt)))) {
 return true;
 }
@@ -697,7 +697,7 @@ final class PasswordUtil {
 * @return boolean
 */
 protected static function cryptMD5($username, $password, $salt, $dbHash) {
- if (self::secureCompare($dbHash, self::getSaltedHash($password, $dbHash))) {
+ if (CryptoUtil::secureCompare($dbHash, self::getSaltedHash($password, $dbHash))) {
 return true;
 }