Add use_sha3 option to settings in light of recent developments with sha256

5 years ago · 293f9e94f0
--- a/build/index.php
+++ b/build/index.php
--- a/module_index.json
+++ b/module_index.json
@ -5,7 +5,7 @@
        "author": "Starbeamrainbowlabs",
        "description": "Adds a utility action (that anyone can use) called hash that hashes a given string. Useful when changing a user's password.",
        "id": "action-hash",
        "lastupdate": 1432497591,
        "lastupdate": 1444478036,
        "optional": false
    },
    {
@ -100,11 +100,11 @@
    },
    {
        "name": "Login",
        "version": "0.6",
        "version": "0.7",
        "author": "Starbeamrainbowlabs",
        "description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
        "id": "page-login",
        "lastupdate": 1442928221,
        "lastupdate": 1444477827,
        "optional": false
    },
    {
--- a/modules/action-hash.php
+++ b/modules/action-hash.php
@ -7,6 +7,8 @@ register_module([
 	"id" => "action-hash",
 	"code" => function() {
 		add_action("hash", function() {
 			global $settings;
 			
 			if(!isset($_GET["string"]))
 			{
 				http_response_code(422);
@ -15,7 +17,7 @@ register_module([
 			}
 			else
 			{
 				exit(page_renderer::render_main("Hashed string", "<p><code>" . $_GET["string"] . "</code> → <code>" . hash("sha256", $_GET["string"]) . "</code></p>"));
 				exit(page_renderer::render_main("Hashed string", "<p>Algorithm: " . ($settings->use_sha3 ? "sha3" : "sha256") . "</p>\n<p><code>" . $_GET["string"] . "</code> → <code>" . hash_password($_GET["string"]) . "</code></p>"));
 			}
 		});
 	}
--- a/modules/page-login.php
+++ b/modules/page-login.php
@ -1,7 +1,7 @@
 <?php
 register_module([
 	"name" => "Login",
 	"version" => "0.6",
 	"version" => "0.7",
 	"author" => "Starbeamrainbowlabs",
 	"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
 	"id" => "page-login",
@ -49,12 +49,12 @@ register_module([
 				//the user wants to log in
 				$user = $_POST["user"];
 				$pass = $_POST["pass"];
 				if($settings->users[$user] == hash("sha256", $pass))
 				if($settings->users[$user] == hash_password($pass))
 				{
 					$env->is_logged_in = true;
 					$expiretime = time() + 60*60*24*30; //30 days from now
 					$_SESSION["$settings->sessionprefix-user"] = $user;
 					$_SESSION["$settings->sessionprefix-pass"] = hash("sha256", $pass);
 					$_SESSION["$settings->sessionprefix-pass"] = hash_password($pass);
 					$_SESSION["$settings->sessionprefix-expiretime"] = $expiretime;
 					//redirect to wherever the user was going
 					http_response_code(302);
@ -80,4 +80,27 @@ register_module([
 		});
 	}
 ]);

 /*
 * @summary Hashes the given password according to the current settings defined
 * 			in $settings.
 * 
 * @param $pass {string} The password to hash.
 * 
 * @returns {string} The hashed password. Uses sha3 if $settings->use_sha3 is
 * 					 enabled, or sha256 otherwise.
 */
 function hash_password($pass)
 {
 	global $settings;
 	if($settings->use_sha3)
 	{
 		return sha3($pass, 256);
 	}
 	else
 	{
 		return hash("sha256", $pass);
 	}
 }

 ?>
--- a/settings.fragment.php
+++ b/settings.fragment.php
@ -90,6 +90,11 @@ $settings->users = [
 	"user" => "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34" //cheese
 ];

 // Whether to use the new sha3 hashing algorithm that was standardised on the
 // 8th August 2015. Only works if you have strawbrary's sha3 extension
 // installed. Get it here: https://github.com/strawbrary/php-sha3
 $settings->use_sha3 = false;

 // An array of usernames that are administrators. Administrators can delete and
 // move pages.
 $settings->admins = [ "admin" ];
--- a/start-server.sh
+++ b/start-server.sh
@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 php -S [::]:35623 -t build &

 sensible-browser [::]:35623
 sensible-browser [::]:35623