mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-02-23 19:45:10 +01:00
Code Issues Releases Wiki Activity
php-phpbb/phpBB/phpbb/passwords/helper.php

105 lines
2.7 KiB
PHP
Raw Normal View History

[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
<?php
/**
*
[ticket/12594] Remove @package tags and update file headers PHPBB3-12594
2014-05-27 20:18:06 +02:00
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
*
*/
[feature/passwords] Modify passwords files for namespacing changes PHPBB3-11610
2013-09-27 11:16:47 +02:00
namespace phpbb\passwords;
class helper
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
/**
* Get hash settings from combined hash
*
* @param string $hash Password hash of combined hash
*
* @return array An array containing the hash settings for the hash
[feature/passwords] Add missing documentation to docblocks Also contains some minor spacing changes. PHPBB3-11610
2013-12-29 17:55:00 +01:00
* types in successive order as described by the combined
* password hash or an empty array if hash does not
* properly fit the combined hash format
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
*/
[feature/passwords] Move combined hashing methods to manager This will get rid of the circular dependency between the passwords manager and the passwords helper. The combined_hash_password() method was also slightly changed to allow both the definitions of service names or prefixes for the hash types. PHPBB3-11610
2014-02-02 14:57:43 +01:00
public function get_combined_hash_settings($hash)
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
[feature/passwords] Intialize output array before usage in passwords helper PHPBB3-11610
2013-12-29 17:57:17 +01:00
$output = array();
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
$hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);
[feature/passwords] Fix minor code limitations in helper These limitations caused it to only allow a specific input to combined hashes. PHPBB3-11610
2013-06-27 14:25:50 +02:00
$matches = explode('\\', $match[1]);
foreach ($matches as $cur_type)
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
$dollar_position = strpos($hash_settings, '$');
$output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));
$hash_settings = substr($hash_settings, $dollar_position + 1);
}
return $output;
}
/**
* Combine hash prefixes, settings, and actual hash
*
* @param array $data Array containing the keys 'prefix' and 'settings'.
* It will hold the prefixes and settings
* @param string $type Data type of the supplied value
* @param string $value Value that should be put into the data array
*
[feature/passwords] Add missing documentation to docblocks Also contains some minor spacing changes. PHPBB3-11610
2013-12-29 17:55:00 +01:00
* @return string|null Return complete combined hash if type is neither
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
* 'prefix' nor 'settings', nothing if it is
*/
[feature/passwords] Move combined hashing methods to manager This will get rid of the circular dependency between the passwords manager and the passwords helper. The combined_hash_password() method was also slightly changed to allow both the definitions of service names or prefixes for the hash types. PHPBB3-11610
2014-02-02 14:57:43 +01:00
public function combine_hash_output(&$data, $type, $value)
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
if ($type == 'prefix')
{
$data[$type] .= ($data[$type] !== '$') ? '\\' : '';
[feature/passwords] Fix minor code limitations in helper These limitations caused it to only allow a specific input to combined hashes. PHPBB3-11610
2013-06-27 14:25:50 +02:00
$data[$type] .= str_replace('$', '', $value);
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
}
[ticket/12721] Add Squiz.ControlStructures.ElseIfDeclaration in legacy PHPBB3-12721
2014-06-15 21:34:02 +02:00
else if ($type == 'settings')
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
$data[$type] .= ($data[$type] !== '$') ? '$' : '';
$data[$type] .= $value;
}
else
{
// Return full hash
return $data['prefix'] . $data['settings'] . '$' . $value;
}
}
/**
* Rebuild hash for hashing functions
*
* @param string $prefix Hash prefix
* @param string $settings Hash settings
*
* @return string Rebuilt hash for hashing functions
*/
[feature/passwords] Move combined hashing methods to manager This will get rid of the circular dependency between the passwords manager and the passwords helper. The combined_hash_password() method was also slightly changed to allow both the definitions of service names or prefixes for the hash types. PHPBB3-11610
2014-02-02 14:57:43 +01:00
public function rebuild_hash($prefix, $settings)
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
{
$rebuilt_hash = $prefix;
if (strpos($settings, '\\') !== false)
{
$settings = str_replace('\\', '$', $settings);
}
$rebuilt_hash .= $settings;
return $rebuilt_hash;
}
[feature/passwords] Add function for obtaining only the hash to helper This is also needed for combined hashing of passwords. PHPBB3-11610
2013-06-27 14:27:11 +02:00
/**
* Obtain only the actual hash after the prefixes
*
* @param string $hash The full password hash
* @return string Actual hash (incl. settings)
*/
[feature/passwords] Move combined hashing methods to manager This will get rid of the circular dependency between the passwords manager and the passwords helper. The combined_hash_password() method was also slightly changed to allow both the definitions of service names or prefixes for the hash types. PHPBB3-11610
2014-02-02 14:57:43 +01:00
public function obtain_hash_only($hash)
[feature/passwords] Add function for obtaining only the hash to helper This is also needed for combined hashing of passwords. PHPBB3-11610
2013-06-27 14:27:11 +02:00
{
return substr($hash, strripos($hash, '$') + 1);
}
[feature/passwords] Add helper functions, i.e. for combined hashes Combined hashes can be used for i.e. converting already existing password hashes to bcrypt. While this will not provide the same security a pure bcrypt hash provides, it will still be significantly more secure than a standard salted md5. A combined hash will look as follows: $H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash} The prefixes are seperated by a backslash. Individual settings (which can include either just the salt or a salt and possible additional settings) are seperated by dollar signs. As backslashes and dollar signs are not allowed in hashes or salts, they will be used for seperating the settings from the salt. Here is an example of a password hash: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC The 'H' prefix stands for the salted md5 implementation of phpBB 3.0. Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check as follows: $H$9zv1uIaq1{hash} Since the password is used for hashing, the {hash} can be left blank and will basically be filled by the hashing algorithm. The {hash} will then be used as password for the next hashing algorithm. In this case that would be the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like this for the bcrypt hashing function: $2a$10$1ff4640409fb96a449c1fO{hash} The {hash} will again be basically filled by the hashing algorithm. Afterwards, the {hash} will be extracted from the returned hash and put at the end of the already known hash settings: $H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$ If the password is correct, the combined hash will of course be the same as the stored one. PHPBB3-11610
2013-06-15 10:04:10 +02:00
}
Reference in New Issue Copy Permalink