Add use_sha3 option to settings in light of recent developments with sha256

module_index.json

@@ -5,7 +5,7 @@
         "author": "Starbeamrainbowlabs",
         "description": "Adds a utility action (that anyone can use) called hash that hashes a given string. Useful when changing a user's password.",
         "id": "action-hash",
-        "lastupdate": 1432497591,
+        "lastupdate": 1444478036,
         "optional": false
     },
     {
@@ -100,11 +100,11 @@
     },
     {
         "name": "Login",
-        "version": "0.6",
+        "version": "0.7",
         "author": "Starbeamrainbowlabs",
         "description": "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
         "id": "page-login",
-        "lastupdate": 1442928221,
+        "lastupdate": 1444477827,
         "optional": false
     },
     {

modules/action-hash.php

@@ -7,6 +7,8 @@ register_module([
 	"id" => "action-hash",
 	"code" => function() {
 		add_action("hash", function() {
+			global $settings;
+			
 			if(!isset($_GET["string"]))
 			{
 				http_response_code(422);
@@ -15,7 +17,7 @@ register_module([
 			}
 			else
 			{
-				exit(page_renderer::render_main("Hashed string", "<p><code>" . $_GET["string"] . "</code> → <code>" . hash("sha256", $_GET["string"]) . "</code></p>"));
+				exit(page_renderer::render_main("Hashed string", "<p>Algorithm: " . ($settings->use_sha3 ? "sha3" : "sha256") . "</p>\n<p><code>" . $_GET["string"] . "</code> → <code>" . hash_password($_GET["string"]) . "</code></p>"));
 			}
 		});
 	}

modules/page-login.php

@@ -1,7 +1,7 @@
 <?php
 register_module([
 	"name" => "Login",
-	"version" => "0.6",
+	"version" => "0.7",
 	"author" => "Starbeamrainbowlabs",
 	"description" => "Adds a pair of actions (login and checklogin) that allow users to login. You need this one if you want your users to be able to login.",
 	"id" => "page-login",
@@ -49,12 +49,12 @@ register_module([
 				//the user wants to log in
 				$user = $_POST["user"];
 				$pass = $_POST["pass"];
-				if($settings->users[$user] == hash("sha256", $pass))
+				if($settings->users[$user] == hash_password($pass))
 				{
 					$env->is_logged_in = true;
 					$expiretime = time() + 60*60*24*30; //30 days from now
 					$_SESSION["$settings->sessionprefix-user"] = $user;
-					$_SESSION["$settings->sessionprefix-pass"] = hash("sha256", $pass);
+					$_SESSION["$settings->sessionprefix-pass"] = hash_password($pass);
 					$_SESSION["$settings->sessionprefix-expiretime"] = $expiretime;
 					//redirect to wherever the user was going
 					http_response_code(302);
@@ -80,4 +80,27 @@ register_module([
 		});
 	}
 ]);
+
+/*
+ * @summary Hashes the given password according to the current settings defined
+ * 			in $settings.
+ * 
+ * @param $pass {string} The password to hash.
+ * 
+ * @returns {string} The hashed password. Uses sha3 if $settings->use_sha3 is
+ * 					 enabled, or sha256 otherwise.
+ */
+function hash_password($pass)
+{
+	global $settings;
+	if($settings->use_sha3)
+	{
+		return sha3($pass, 256);
+	}
+	else
+	{
+		return hash("sha256", $pass);
+	}
+}
+
 ?>

settings.fragment.php

@@ -90,6 +90,11 @@ $settings->users = [
 	"user" => "873ac9ffea4dd04fa719e8920cd6938f0c23cd678af330939cff53c3d2855f34" //cheese
 ];
 
+// Whether to use the new sha3 hashing algorithm that was standardised on the
+// 8th August 2015. Only works if you have strawbrary's sha3 extension
+// installed. Get it here: https://github.com/strawbrary/php-sha3
+$settings->use_sha3 = false;
+
 // An array of usernames that are administrators. Administrators can delete and
 // move pages.
 $settings->admins = [ "admin" ];

start-server.sh

@@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 php -S [::]:35623 -t build &
 
-sensible-browser [::]:35623
+sensible-browser [::]:35623