From be1082a69cdf3dec7db4060198834dd43ae6290f Mon Sep 17 00:00:00 2001
From: Robert Kaiser <kairo@kairo.at>
Date: Thu, 27 Oct 2016 00:32:28 +0200
Subject: [PATCH] move password functions into utils class

---
 authsystem.inc.php  |  2 --
 authutils.php-class | 28 +++++++++++++++++++++++++++-
 index.php           | 10 +++++-----
 3 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/authsystem.inc.php b/authsystem.inc.php
index 62c6a80..53462c1 100644
--- a/authsystem.inc.php
+++ b/authsystem.inc.php
@@ -10,8 +10,6 @@ ini_set('display_errors', 1); error_reporting(E_ALL);
 $dbdata = json_decode(file_get_contents('/etc/kairo/auth_db.json'), true);
 if (!is_array($dbdata)) { trigger_error('DB configuration not found', E_USER_ERROR); }
 
-$pwd_options = array('cost' => 10);
-
 // Extended DOM document class
 require_once('../kairo/include/cbsm/util/document.php-class');
 // Class for sending emails
diff --git a/authutils.php-class b/authutils.php-class
index 6686f7b..dfb89a2 100755
--- a/authutils.php-class
+++ b/authutils.php-class
@@ -7,6 +7,9 @@ class AuthUtils {
   // KaiRo.at authentication utilities PHP class
   // This class contains helper functions for the authentication system.
   //
+  // private static $pwd_cost
+  //   Store cost parameter for use with PHP password_hash function.
+  //
   // static function checkPasswordConstraints($new_password, $user_email)
   //   Check password constraints and return an array of error messages (empty if all constraints are met).
   //
@@ -24,6 +27,17 @@ class AuthUtils {
   // static function verifyTimeCode($timecode_to_verify, $session, [$validity_minutes])
   //   Verify a given time-based code and return true if it's valid or false if it's not.
   //     See createTimeCode() documentation for the session and validity paramerters.
+  //
+  // static function pwdHash($new_password)
+  //   Return a hash for the given password.
+  //
+  // static function pwdVerify($password_to_verify, $user)
+  //   Return true if the password verifies against the pwdhash field of the user, false if not.
+  //
+  // static function pwdNeedsRehash($user)
+  //   Return true if the pwdhash field of the user uses an outdated standard and needs to be rehashed.
+
+  private static $pwd_cost = 10;
 
   static function checkPasswordConstraints($new_password, $user_email) {
     $errors = array();
@@ -73,9 +87,21 @@ class AuthUtils {
 
   static function verifyTimeCode($timecode_to_verify, $session, $validity_minutes = 10) {
     if (preg_match('/^(\d+)\.\d+$/', $timecode_to_verify, $regs)) {
-      return ($timecode_to_verify === AuthUtils::createTimeCode($session, $regs[1], $validity_minutes));
+      return ($timecode_to_verify === self::createTimeCode($session, $regs[1], $validity_minutes));
     }
     return false;
   }
+
+  static function pwdHash($new_password) {
+    return password_hash($new_password, PASSWORD_DEFAULT, array('cost' => self::$pwd_cost));
+  }
+
+  static function pwdVerify($password_to_verify, $userdata) {
+    return password_verify($password_to_verify, $userdata['pwdhash']));
+  }
+
+  static function pwdNeedsRehash($userdata) {
+    return password_needs_rehash($userdata['pwdhash'], PASSWORD_DEFAULT, array('cost' => self::$pwd_cost));
+  }
 }
 ?>
diff --git a/index.php b/index.php
index 2a560e8..3febbbf 100644
--- a/index.php
+++ b/index.php
@@ -59,12 +59,12 @@ if (!count($errors)) {
           $user = $result->fetch(PDO::FETCH_ASSOC);
           if ($user['id'] && array_key_exists('pwd', $_POST)) {
             // existing user, check password
-            if (($user['status'] == 'ok') && password_verify(@$_POST['pwd'], $user['pwdhash'])) {
+            if (($user['status'] == 'ok') && AuthUtils::pwdVerify(@$_POST['pwd'], $user)) {
               // Check if a newer hashing algorithm is available
               // or the cost has changed
-              if (password_needs_rehash($user['pwdhash'], PASSWORD_DEFAULT, $pwd_options)) {
+              if (AuthUtils::pwdNeedsRehash($user)) {
                 // If so, create a new hash, and replace the old one
-                $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
+                $newHash = AuthUtils::pwdHash($_POST['pwd']);
                 $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash WHERE `id` = :userid;');
                 if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $user['id']))) {
                   // XXXlog: Failed to update user hash!
@@ -120,7 +120,7 @@ if (!count($errors)) {
             if (!count($errors)) {
               // Put user into the DB
               if (!$user['id']) {
-                $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
+                $newHash = AuthUtils::pwdHash($_POST['pwd']);
                 $vcode = AuthUtils::createVerificationCode();
                 $result = $db->prepare('INSERT INTO `auth_users` (`email`, `pwdhash`, `status`, `verify_hash`) VALUES (:email, :pwdhash, \'unverified\', :vcode);');
                 if (!$result->execute(array(':email' => $_POST['email'], ':pwdhash' => $newHash, ':vcode' => $vcode))) {
@@ -292,7 +292,7 @@ if (!count($errors)) {
           }
           $errors += AuthUtils::checkPasswordConstraints(strval($_POST['pwd']), $user['email']);
           if (!count($errors)) {
-            $newHash = password_hash($_POST['pwd'], PASSWORD_DEFAULT, $pwd_options);
+            $newHash = AuthUtils::pwdHash($_POST['pwd']);
             $result = $db->prepare('UPDATE `auth_users` SET `pwdhash` = :pwdhash, `verify_hash` = \'\' WHERE `id` = :userid;');
             if (!$result->execute(array(':pwdhash' => $newHash, ':userid' => $session['user']))) {
               // XXXlog: Password reset failure!
-- 
2.35.3