Erroneous password migration md5 to bcrypt
Posted: Sun Mar 08, 2020 1:21 pm
Recently, I upgraded a fairly old version (1.4.1) of Serendipity to the latest version (2.3.2).
Congratulations to the S9Y team, as the upgrade worked almost flawlessly. Quite a nice job for two versions that are ten years apart!
However, I did encounter an issue with the automatic password migration.
I found that serendipity automatically converts the old (md5) passwords - but sets an incorrect hash type!
My assumption is that the original conversion routine was written for version 1.5 when MD5 hashes were converted to salted SHA1 hashes (hashtype=1).
When bcrypted passwords were introduced with version 2.2.1 the conversion routing was modified to convert the SHA1 hashes (hashtype=1) to bcrypt hashes (hashtype=2).
However, the older code - which takes care of converting the even older MD5 hashes - wasn't changed. As a result it converts the passwords (with the 'serendipity_hash' function) to the latest version (bcrypt) but still sets the hashtype to '1'.
This renders the password unusable as serendipity tries to authenticate using the SHA1 hashed password against the stored bcrypt hashed password.
As a fix, I suggest the following change to the 'include/functions_config.inc.php' file:
575c575
< hashtype = 2
---
> hashtype = 1
With this change, serendipity will set the right hash type (2) when migrating an MD5 hashed password to the currently used hash version.
Congratulations to the S9Y team, as the upgrade worked almost flawlessly. Quite a nice job for two versions that are ten years apart!
However, I did encounter an issue with the automatic password migration.
I found that serendipity automatically converts the old (md5) passwords - but sets an incorrect hash type!
My assumption is that the original conversion routine was written for version 1.5 when MD5 hashes were converted to salted SHA1 hashes (hashtype=1).
When bcrypted passwords were introduced with version 2.2.1 the conversion routing was modified to convert the SHA1 hashes (hashtype=1) to bcrypt hashes (hashtype=2).
However, the older code - which takes care of converting the even older MD5 hashes - wasn't changed. As a result it converts the passwords (with the 'serendipity_hash' function) to the latest version (bcrypt) but still sets the hashtype to '1'.
This renders the password unusable as serendipity tries to authenticate using the SHA1 hashed password against the stored bcrypt hashed password.
As a fix, I suggest the following change to the 'include/functions_config.inc.php' file:
575c575
< hashtype = 2
---
> hashtype = 1
With this change, serendipity will set the right hash type (2) when migrating an MD5 hashed password to the currently used hash version.