From 05b1134b76e1b892a30137cda1bc20c7966f045b Mon Sep 17 00:00:00 2001 From: Leigh B Stoller Date: Wed, 2 Dec 2015 16:29:16 -0700 Subject: [PATCH] Moving into the 2000's, lets stop using md5 password hashes. Change to use SHA265 ($5$) with a 16 character random salt from /dev/urandom. Enabled for Utah MS for now, will push out to other clusters if no problems over the next week. --- account/newuser.in | 5 +++-- db/User.pm.in | 11 +++++------ db/emutil.pm.in | 18 +++++++++++++----- tbsetup/libtestbed.pm.in | 5 ++++- utils/firstuser.in | 8 +++----- www/aptui/changepswd.php | 8 +++++++- www/chpasswd.php3 | 10 ++++++++-- 7 files changed, 43 insertions(+), 22 deletions(-) diff --git a/account/newuser.in b/account/newuser.in index 4cce49099..2701c8453 100644 --- a/account/newuser.in +++ b/account/newuser.in @@ -1,6 +1,6 @@ #!/usr/bin/perl -w # -# Copyright (c) 2000-2014 University of Utah and the Flux Group. +# Copyright (c) 2000-2015 University of Utah and the Flux Group. # # {{{EMULAB-LICENSE # @@ -87,6 +87,7 @@ use libdb; use libtestbed; use User; use EmulabConstants(); +use emutil; # Protos sub fatal($); @@ -360,7 +361,7 @@ else { } fatal("Checkpass failed with $?"); } - $newuser_args{'usr_pswd'} = crypt($pswd, "\$1\$" . substr(time(), 0, 8)); + $newuser_args{'usr_pswd'} = PassWordHash($pswd); } # diff --git a/db/User.pm.in b/db/User.pm.in index 460a268c9..568c448f2 100644 --- a/db/User.pm.in +++ b/db/User.pm.in 
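Review bot: The value returned by `PassWordHash($pswd)` is assigned to `$newuser_args{'usr_pswd'}` without any check, and the same pattern appears in the db/User.pm.in and utils/firstuser.in hunks of this patch. As the new db/emutil.pm.in hunk shows, PassWordHash builds its salt from TBGenSecretKey(), which can return undef, so a failure there would likely yield a crypt() result made with an empty salt (or, on a libc without SHA-crypt support, an undef or differently formatted string) that is then stored silently. Check the result before storing it: `my $hash = PassWordHash($pswd);` / `fatal("Password hashing failed") unless (defined($hash) && $hash =~ /^\$[15]\$/);` / `$newuser_args{'usr_pswd'} = $hash;`. The enclosing else block begins outside the hunk.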
@@ -876,18 +876,17 @@ sub ModUserInfo($$$$) # # Compare. Must change it! # - if ($old_encoding eq $new_encoding) { + if (!$isadmin && $old_encoding eq $new_encoding) { $$usrerr_ref = "Error: " . "New password same as old password"; return undef; } # - # Do it again. This ensures we use the current algorithm, not whatever - # it was encoded with last time. - # XXX Perl crypt doesn't have this option! - # XXX $new_encoding = crypt($argref->{"password1"}); - + # Do it again. This ensures we use the current algorithm with a + # new random salt, not whatever it was encoded with last time. + # + $new_encoding = PassWordHash($argref->{"password1"}); my $safe_encoding = escapeshellarg($new_encoding); # diff --git a/db/emutil.pm.in b/db/emutil.pm.in index c52b1dcbf..33bb528ec 100644 --- a/db/emutil.pm.in +++ b/db/emutil.pm.in @@ -718,11 +718,19 @@ sub BackTraceOnWarning($) sub PassWordHash($) { my ($password) = @_; - - my @salt_chars = ('a'..'z','A'..'Z','0'..'9'); - my $salt = $salt_chars[rand(@salt_chars)] . - $salt_chars[rand(@salt_chars)]; - my $passhash = crypt($password, "\$1\$${salt}"); + # Leave these here cause of SELFLOADER_DATA; + my $MAINSITE = @TBMAINSITE@; + my $ELABINELAB = @ELABINELAB@; + my $salt; + require libtestbed; + + if ($MAINSITE || $ELABINELAB) { + $salt = "\$5\$" . substr(libtestbed::TBGenSecretKey(), 0, 16) . "\$"; + } + else { + $salt = "\$1\$" . substr(libtestbed::TBGenSecretKey(), 0, 8) . "\$"; + } + my $passhash = crypt($password, $salt); return $passhash; } diff --git a/tbsetup/libtestbed.pm.in b/tbsetup/libtestbed.pm.in index 8fd11ed62..6b33b3889 100644 --- a/tbsetup/libtestbed.pm.in +++ b/tbsetup/libtestbed.pm.in @@ -457,7 +457,10 @@ sub TBGenSecretKey() my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`; return undef if ($?); - chomp($key); + # Silly taint check for caller. + if ($key =~ /^(.*)$/) { + $key = $1; + } return $key; } diff --git a/utils/firstuser.in b/utils/firstuser.in index d2a34febe..41f42d6cc 100755 
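Review bot: The comment above the comparison still reads "Compare. Must change it!" while the new condition `if (!$isadmin && $old_encoding eq $new_encoding)` exempts admins, so the documented rule no longer matches what the code enforces; update it to something like `# Compare. A user must pick a new password; an admin may reset it to the current value.` The reason for the exemption (presumably admin-driven resets where the password is already known) belongs in that comment, because a reader otherwise sees a check being weakened without explanation. ModUserInfo begins and ends outside the hunk.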
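Review bot: TBGenSecretKey() can return undef (the libtestbed.pm.in hunk below keeps `return undef if ($?)`), and PassWordHash passes that straight into substr(), which under -w only warns and produces a salt of `$5$$` or `$1$$`, i.e. an empty salt; crypt() on a libc without SHA-crypt support may likewise return undef or a string in another format, and neither case is detected, so a silent failure would hand back a weakened hash to be stored. Take the key into a variable, fail loudly when it is undefined, and verify the result carries the requested prefix before returning it. Because the key is an md5 hex digest, the 16 characters taken from it carry 64 bits of salt entropy rather than the 96 bits that 16 crypt-alphabet characters would, which is adequate but worth a comment so nobody later assumes the larger figure.
```perl
sub PassWordHash($)
{
    my ($password) = @_;
    # … unchanged: $MAINSITE / $ELABINELAB declarations, require libtestbed …
    my $key = libtestbed::TBGenSecretKey();
    if (!defined($key)) {
        die("PassWordHash: unable to generate a random salt");
    }
    if ($MAINSITE || $ELABINELAB) {
        # 16 hex chars of an md5 digest: 64 bits of salt for SHA-crypt.
        $salt = "\$5\$" . substr($key, 0, 16) . "\$";
    }
    else {
        # 8 hex chars: 32 bits of salt for md5-crypt.
        $salt = "\$1\$" . substr($key, 0, 8) . "\$";
    }
    my $passhash = crypt($password, $salt);
    # A libc without the requested algorithm may return undef or a hash in
    # another format; never hand that back to be stored.
    if (!defined($passhash) || substr($passhash, 0, 3) ne substr($salt, 0, 3)) {
        die("PassWordHash: crypt() did not produce the requested hash format");
    }
    return $passhash;
}
```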
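Review bot: The untaint `if ($key =~ /^(.*)$/)` accepts whatever the pipeline printed, so it launders the value rather than validating it; the expected output is a 32-character lowercase hex md5 digest, and an anchored whitelist both untaints and catches a broken pipeline: `return undef unless ($key =~ /^([0-9a-f]{32})$/);` / `$key = $1;`. As written, `$` matching before a trailing newline does preserve the old chomp, but any other stray byte leaves $key tainted and the sub still returns it, which then surfaces as a taint error inside crypt() far from the cause. Renaming the comment from "Silly taint check" to one that says the value is validated as an md5 digest would also make the intent clear. TBGenSecretKey's opening lines are outside the hunk.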
--- a/utils/firstuser.in +++ b/utils/firstuser.in @@ -1,6 +1,6 @@ #!/usr/bin/perl -w # -# Copyright (c) 2000-2012 University of Utah and the Flux Group. +# Copyright (c) 2000-2012, 2015 University of Utah and the Flux Group. # # {{{EMULAB-LICENSE # @@ -32,6 +32,7 @@ use lib '@prefix@/lib'; use libdb; use libtestbed; use User; +use emutil; my $tbadmin = '@TBADMINGROUP@'; my $ELABINELAB = @ELABINELAB@; @@ -128,10 +129,7 @@ if (!defined($password)) { } } if (!defined($encpass)) { - my @salt_chars = ('a'..'z','A'..'Z','0'..'9'); - my $salt = $salt_chars[rand(@salt_chars)] . - $salt_chars[rand(@salt_chars)]; - $encpass = crypt($password, "\$1\$${salt}"); + $encpass = PassWordHash($password); } # Get uid for the user and a gid for the project diff --git a/www/aptui/changepswd.php b/www/aptui/changepswd.php index 59a69d88b..818684ea0 100644 --- a/www/aptui/changepswd.php +++ b/www/aptui/changepswd.php @@ -213,7 +213,13 @@ if (count($errors)) { SPITFORM($password1, $password2, $errors); return; } -$encoding = crypt("$password1"); +if ($TBMAINSITE || $ELABINELAB) { + $salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$"; +} +else { + $salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$"; +} +$encoding = crypt("$password1", $salt); $safe_encoding = escapeshellarg($encoding); # diff --git a/www/chpasswd.php3 b/www/chpasswd.php3 index c5dfa91aa..bf330fc85 100644 --- a/www/chpasswd.php3 +++ b/www/chpasswd.php3 @@ -1,6 +1,6 @@
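Review bot: The result of `crypt("$password1", $salt)` is not checked: PHP's crypt() returns a string shorter than 13 characters (differing from the salt) when the requested algorithm is unavailable or the salt is malformed, and the next line would pass that through escapeshellarg() into the account-update command as though it were a valid hash. Guard it with `if (strlen($encoding) < 13 || substr($encoding, 0, 3) !== substr($salt, 0, 3))` and route that case to the existing `$errors` / `SPITFORM(...); return;` path visible at the top of the hunk. The salt policy here also duplicates the one in db/emutil.pm.in (and presumably www/chpasswd.php3), so a shared PHP helper would keep the two sides from drifting if, say, SHA-crypt rounds are added later; GENHASH() is presumably a hex digest like TBGenSecretKey(), giving 64 bits of salt from 16 characters, which merits a comment. The double quotes around `$password1` are unnecessary and can be dropped.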