mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-08-09 02:06:32 +02:00
Code Issues Releases Wiki Activity

Merge pull request #1716 from marc1706/feature/passwords

Browse Source 
[feature/passwords] Add password hashing manager with support for newer hashing algorithms
This commit is contained in:
Nils Adermann
2014-02-02 06:26:35 -08:00
parent cb04252fbd b094c79996
commit f8d6a07392
39 changed files with 1848 additions and 238 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
phpBB/phpbb/auth/provider/apache.php
View File

@@ -16,20 +16,29 @@ namespace phpbb\auth\provider;
*/
class apache extends \phpbb\auth\provider\base
{
/**
* phpBB passwords manager
*
* @var \phpbb\passwords\manager
*/
protected $passwords_manager;
/**
* Apache Authentication Constructor
*
* @param \phpbb\db\driver\driver $db
* @param \phpbb\config\config $config
* @param \phpbb\passwords\manager $passwords_manager
* @param \phpbb\request\request $request
* @param \phpbb\user $user
* @param string $phpbb_root_path
* @param string $php_ext
*/
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
{
$this->db = $db;
$this->config = $config;
$this->passwords_manager = $passwords_manager;
$this->request = $request;
$this->user = $user;
$this->phpbb_root_path = $phpbb_root_path;
@@ -220,7 +229,7 @@ class apache extends \phpbb\auth\provider\base
// generate user account data
return array(
'username' => $username,
'user_password' => phpbb_hash($password),
'user_password' => $this->passwords_manager->hash($password),
'user_email' => '',
'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL,

32
phpBB/phpbb/auth/provider/db.php
View File

@@ -18,21 +18,29 @@ namespace phpbb\auth\provider;
*/
class db extends \phpbb\auth\provider\base
{
/**
* phpBB passwords manager
*
* @var \phpbb\passwords\manager
*/
protected $passwords_manager;
/**
* Database Authentication Constructor
*
* @param \phpbb\db\driver\driver $db
* @param \phpbb\config\config $config
* @param \phpbb\request\request $request
* @param \phpbb\user $user
* @param string $phpbb_root_path
* @param string $php_ext
* @param \phpbb\db\driver\driver $db
* @param \phpbb\config\config $config
* @param \phpbb\passwords\manager $passwords_manager
* @param \phpbb\request\request $request
* @param \phpbb\user $user
* @param string $phpbb_root_path
* @param string $php_ext
*/
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
{
$this->db = $db;
$this->config = $config;
$this->passwords_manager = $passwords_manager;
$this->request = $request;
$this->user = $user;
$this->phpbb_root_path = $phpbb_root_path;
@@ -191,10 +199,10 @@ class db extends \phpbb\auth\provider\base
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
// plain md5 support left in for conversions from other systems.
if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|| (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
{
$hash = phpbb_hash($password_new_format);
$hash = $this->passwords_manager->hash($password_new_format);
// Update the password in the users table to the new format and remove user_pass_convert flag
$sql = 'UPDATE ' . USERS_TABLE . '
@@ -226,12 +234,12 @@ class db extends \phpbb\auth\provider\base
}
// Check password ...
if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password']))
{
// Check for old password hash...
if (strlen($row['user_password']) == 32)
if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
{
$hash = phpbb_hash($password);
$hash = $this->passwords_manager->hash($password);
// Update the password in the users table to the new format
$sql = 'UPDATE ' . USERS_TABLE . "

19
phpBB/phpbb/auth/provider/ldap.php
View File

@@ -18,17 +18,26 @@ namespace phpbb\auth\provider;
*/
class ldap extends \phpbb\auth\provider\base
{
/**
* phpBB passwords manager
*
* @var \phpbb\passwords\manager
*/
protected $passwords_manager;
/**
* LDAP Authentication Constructor
*
* @param \phpbb\db\driver\driver $db
* @param \phpbb\config\config $config
* @param \phpbb\user $user
* @param \phpbb\db\driver\driver $db
* @param \phpbb\config\config $config
* @param \phpbb\passwords\manager $passwords_manager
* @param \phpbb\user $user
*/
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\user $user)
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\user $user)
{
$this->db = $db;
$this->config = $config;
$this->passwords_manager = $passwords_manager;
$this->user = $user;
}
@@ -235,7 +244,7 @@ class ldap extends \phpbb\auth\provider\base
// generate user account data
$ldap_user_row = array(
'username' => $username,
'user_password' => phpbb_hash($password),
'user_password' => $this->passwords_manager->hash($password),
'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'])][0]) : '',
'group_id' => (int) $row['group_id'],
'user_type' => USER_NORMAL,

46
phpBB/phpbb/db/migration/data/v310/passwords.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
/**
*
* @package migration
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-license.php GNU Public License v2
*
*/
namespace phpbb\db\migration\data\v310;
class passwords extends \phpbb\db\migration\migration
{
static public function depends_on()
{
return array('\phpbb\db\migration\data\v30x\release_3_0_11');
}
public function update_schema()
{
return array(
'change_columns' => array(
$this->table_prefix . 'users' => array(
'user_password' => array('VCHAR:255', ''),
),
$this->table_prefix . 'forums' => array(
'forum_password' => array('VCHAR:255', ''),
),
),
);
}
public function revert_schema()
{
return array(
'change_columns' => array(
$this->table_prefix . 'users' => array(
'user_password' => array('VCHAR:40', ''),
),
$this->table_prefix . 'forums' => array(
'forum_password' => array('VCHAR:40', ''),
),
),
);
}
}

45
phpBB/phpbb/passwords/driver/base.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
abstract class base implements driver_interface
{
/** @var phpbb\config\config */
protected $config;
/** @var phpbb\passwords\driver\helper */
protected $helper;
/** @var driver name */
protected $name;
/**
* Constructor of passwords driver object
*
* @param \phpbb\config\config $config phpBB config
* @param \phpbb\passwords\driver\helper $helper Password driver helper
*/
public function __construct(\phpbb\config\config $config, helper $helper)
{
$this->config = $config;
$this->helper = $helper;
}
/**
* @inheritdoc
*/
public function is_supported()
{
return true;
}
}

104
phpBB/phpbb/passwords/driver/bcrypt.php Normal file
View File

@@ -0,0 +1,104 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
class bcrypt extends base
{
const PREFIX = '$2a$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function hash($password, $salt = '')
{
// The 2x and 2y prefixes of bcrypt might not be supported
// Revert to 2a if this is the case
$prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();
// Do not support 8-bit characters with $2a$ bcrypt
// Also see http://www.php.net/security/crypt_blowfish.php
if ($prefix === self::PREFIX)
{
if (ord($password[strlen($password)-1]) & 128)
{
return false;
}
}
if ($salt == '')
{
$salt = $prefix . '10$' . $this->get_random_salt();
}
$hash = crypt($password, $salt);
if (strlen($hash) < 60)
{
return false;
}
return $hash;
}
/**
* @inheritdoc
*/
public function check($password, $hash)
{
$salt = substr($hash, 0, 29);
if (strlen($salt) != 29)
{
return false;
}
if ($hash == $this->hash($password, $salt))
{
return true;
}
return false;
}
/**
* Get a random salt value with a length of 22 characters
*
* @return string Salt for password hashing
*/
protected function get_random_salt()
{
return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22);
}
/**
* @inheritdoc
*/
public function get_settings_only($hash, $full = false)
{
if ($full)
{
$pos = stripos($hash, '$', 1) + 1;
$length = 22 + (strripos($hash, '$') + 1 - $pos);
}
else
{
$pos = strripos($hash, '$') + 1;
$length = 22;
}
return substr($hash, $pos, $length);
}
}

34
phpBB/phpbb/passwords/driver/bcrypt_2y.php Normal file
View File

@@ -0,0 +1,34 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
class bcrypt_2y extends bcrypt
{
const PREFIX = '$2y$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_supported()
{
return (version_compare(PHP_VERSION, '5.3.7', '<')) ? false : true;
}
}

60
phpBB/phpbb/passwords/driver/driver_interface.php Normal file
View File

@@ -0,0 +1,60 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
interface driver_interface
{
/**
* Check if hash type is supported
*
* @return bool True if supported, false if not
*/
public function is_supported();
/**
* Returns the hash prefix
*
* @return string Hash prefix
*/
public function get_prefix();
/**
* Hash the password
*
* @param string $password The password that should be hashed
*
* @return bool|string Password hash or false if something went wrong
* during hashing
*/
public function hash($password);
/**
* Check the password against the supplied hash
*
* @param string $password The password to check
* @param string $hash The password hash to check against
*
* @return bool True if password is correct, else false
*/
public function check($password, $hash);
/**
* Get only the settings of the specified hash
*
* @param string $hash Password hash
* @param bool $full Return full settings or only settings
* related to the salt
* @return string String containing the hash settings
*/
public function get_settings_only($hash, $full = false);
}

144
phpBB/phpbb/passwords/driver/helper.php Normal file
View File

@@ -0,0 +1,144 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
class helper
{
/**
* @var phpbb\config\config
*/
protected $config;
/**
* base64 alphabet
* @var string
*/
public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
/**
* Construct a driver helper object
*
* @param phpbb\config\config $config phpBB configuration
*/
public function __construct(\phpbb\config\config $config)
{
$this->config = $config;
}
/**
* Base64 encode hash
*
* @param string $input Input string
* @param int $count Input string length
*
* @return string base64 encoded string
*/
public function hash_encode64($input, $count)
{
$output = '';
$i = 0;
do
{
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
{
$value |= ord($input[$i]) << 8;
}
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
{
break;
}
if ($i < $count)
{
$value |= ord($input[$i]) << 16;
}
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
{
break;
}
$output .= $this->itoa64[($value >> 18) & 0x3f];
}
while ($i < $count);
return $output;
}
/**
* Return unique id
*
* @param string $extra Additional entropy
*
* @return string Unique id
*/
public function unique_id($extra = 'c')
{
static $dss_seeded = false;
$val = $this->config['rand_seed'] . microtime();
$val = md5($val);
$this->config['rand_seed'] = md5($this->config['rand_seed'] . $val . $extra);
if ($dss_seeded !== true && ($this->config['rand_seed_last_update'] < time() - rand(1,10)))
{
$this->config->set('rand_seed_last_update', time(), true);
$this->config->set('rand_seed', $this->config['rand_seed'], true);
$dss_seeded = true;
}
return substr($val, 4, 16);
}
/**
* Get random salt with specified length
*
* @param int $length Salt length
* @param string $rand_seed Seed for random data (optional). For tests.
*
* @return string Random salt with specified length
*/
public function get_random_salt($length, $rand_seed = '/dev/urandom')
{
$random = '';
if (($fh = @fopen($rand_seed, 'rb')))
{
$random = fread($fh, $length);
fclose($fh);
}
if (strlen($random) < $length)
{
$random = '';
$random_state = $this->unique_id();
for ($i = 0; $i < $length; $i += 16)
{
$random_state = md5($this->unique_id() . $random_state);
$random .= pack('H*', md5($random_state));
}
$random = substr($random, 0, $length);
}
return $random;
}
}

26
phpBB/phpbb/passwords/driver/phpass.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
* @package passwords
*/
class phpass extends salted_md5
{
const PREFIX = '$P$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
}

160
phpBB/phpbb/passwords/driver/salted_md5.php Normal file
View File

@@ -0,0 +1,160 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords\driver;
/**
*
* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)
*
* Portable PHP password hashing framework.
*
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
* the public domain.
*
* There's absolutely no warranty.
*
* The homepage URL for this framework is:
*
* http://www.openwall.com/phpass/
*
* Please be sure to update the Version line if you edit this file in any way.
* It is suggested that you leave the main version number intact, but indicate
* your project name (after the slash) and add your own revision information.
*
* Please do not change the "private" password hashing method implemented in
* here, thereby making your hashes incompatible. However, if you must, please
* change the hash type identifier (the "$P$") to something different.
*
* Obviously, since this code is in the public domain, the above are not
* requirements (there can be none), but merely suggestions.
*
*/
/**
* @package passwords
*/
class salted_md5 extends base
{
const PREFIX = '$H$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function hash($password, $setting = '')
{
if ($setting)
{
if (($settings = $this->get_hash_settings($setting)) === false)
{
// Return md5 of password if settings do not
// comply with our standards. This will only
// happen if pre-determined settings are
// directly passed to the driver. The manager
// will not do this. Same as the old hashing
// implementatio in phpBB 3.0
return md5($password);
}
}
else
{
$settings = $this->get_hash_settings($this->generate_salt());
}
$hash = md5($settings['salt'] . $password, true);
do
{
$hash = md5($hash . $password, true);
}
while (--$settings['count']);
$output = $settings['full'];
$output .= $this->helper->hash_encode64($hash, 16);
return $output;
}
/**
* @inheritdoc
*/
public function check($password, $hash)
{
if (strlen($hash) !== 34)
{
return md5($password) === $hash;
}
return $hash === $this->hash($password, $hash);
}
/**
* Generate salt for hashing method
*
* @return string Salt for hashing method
*/
protected function generate_salt()
{
$count = 6;
$random = $this->helper->get_random_salt($count);
$salt = $this->get_prefix();
$salt .= $this->helper->itoa64[min($count + 5, 30)];
$salt .= $this->helper->hash_encode64($random, $count);
return $salt;
}
/**
* Get hash settings
*
* @param string $hash The hash that contains the settings
*
* @return bool|array Array containing the count_log2, salt, and full
* hash settings string or false if supplied hash is empty
* or contains incorrect settings
*/
public function get_hash_settings($hash)
{
if (empty($hash))
{
return false;
}
$count_log2 = strpos($this->helper->itoa64, $hash[3]);
$salt = substr($hash, 4, 8);
if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8)
{
return false;
}
return array(
'count' => 1 << $count_log2,
'salt' => $salt,
'full' => substr($hash, 0, 12),
);
}
/**
* @inheritdoc
*/
public function get_settings_only($hash, $full = false)
{
return substr($hash, 3, 9);
}
}

103
phpBB/phpbb/passwords/helper.php Normal file
View File

@@ -0,0 +1,103 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords;
/**
* @package passwords
*/
class helper
{
/**
* Get hash settings from combined hash
*
* @param string $hash Password hash of combined hash
*
* @return array An array containing the hash settings for the hash
* types in successive order as described by the combined
* password hash or an empty array if hash does not
* properly fit the combined hash format
*/
public function get_combined_hash_settings($hash)
{
$output = array();
preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
$hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);
$matches = explode('\\', $match[1]);
foreach ($matches as $cur_type)
{
$dollar_position = strpos($hash_settings, '$');
$output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));
$hash_settings = substr($hash_settings, $dollar_position + 1);
}
return $output;
}
/**
* Combine hash prefixes, settings, and actual hash
*
* @param array $data Array containing the keys 'prefix' and 'settings'.
* It will hold the prefixes and settings
* @param string $type Data type of the supplied value
* @param string $value Value that should be put into the data array
*
* @return string|null Return complete combined hash if type is neither
* 'prefix' nor 'settings', nothing if it is
*/
public function combine_hash_output(&$data, $type, $value)
{
if ($type == 'prefix')
{
$data[$type] .= ($data[$type] !== '$') ? '\\' : '';
$data[$type] .= str_replace('$', '', $value);
}
elseif ($type == 'settings')
{
$data[$type] .= ($data[$type] !== '$') ? '$' : '';
$data[$type] .= $value;
}
else
{
// Return full hash
return $data['prefix'] . $data['settings'] . '$' . $value;
}
}
/**
* Rebuild hash for hashing functions
*
* @param string $prefix Hash prefix
* @param string $settings Hash settings
*
* @return string Rebuilt hash for hashing functions
*/
public function rebuild_hash($prefix, $settings)
{
$rebuilt_hash = $prefix;
if (strpos($settings, '\\') !== false)
{
$settings = str_replace('\\', '$', $settings);
}
$rebuilt_hash .= $settings;
return $rebuilt_hash;
}
/**
* Obtain only the actual hash after the prefixes
*
* @param string $hash The full password hash
* @return string Actual hash (incl. settings)
*/
public function obtain_hash_only($hash)
{
return substr($hash, strripos($hash, '$') + 1);
}
}

341
phpBB/phpbb/passwords/manager.php Normal file
View File

@@ -0,0 +1,341 @@
<?php
/**
*
* @package phpBB3
* @copyright (c) 2013 phpBB Group
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
*
*/
namespace phpbb\passwords;
/**
* @package passwords
*/
class manager
{
/**
* Default hashing method
*/
protected $type = false;
/**
* Hashing algorithm type map
* Will be used to map hash prefix to type
*/
protected $type_map = false;
/**
* Service collection of hashing algorithms
* Needs to be public for passwords helper
*/
public $algorithms = false;
/**
* Password convert flag. Signals that password should be converted
*/
public $convert_flag = false;
/**
* Passwords helper
* @var phpbb\passwords\helper
*/
protected $helper;
/**
* phpBB configuration
* @var phpbb\config\config
*/
protected $config;
/**
* Construct a passwords object
*
* @param phpbb\config\config $config phpBB configuration
* @param array $hashing_algorithms Hashing driver
* service collection
* @param phpbb\passwords\helper $helper Passwords helper object
* @param string $defaults List of default driver types
*/
public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)
{
$this->config = $config;
$this->helper = $helper;
$this->fill_type_map($hashing_algorithms);
$this->register_default_type($defaults);
}
/**
* Register default type
* Will register the first supported type from the list of default types
*
* @param array $defaults List of default types in order from first to
* use to last to use
*/
protected function register_default_type($defaults)
{
foreach ($defaults as $type)
{
if ($this->algorithms[$type]->is_supported())
{
$this->type = $this->algorithms[$type]->get_prefix();
break;
}
}
}
/**
* Fill algorithm type map
*
* @param phpbb\di\service_collection $hashing_algorithms
*/
protected function fill_type_map($hashing_algorithms)
{
foreach ($hashing_algorithms as $algorithm)
{
if (!isset($this->type_map[$algorithm->get_prefix()]))
{
$this->type_map[$algorithm->get_prefix()] = $algorithm;
}
}
$this->algorithms = $hashing_algorithms;
}
/**
* Get the algorithm specified by a specific prefix
*
* @param string $prefix Password hash prefix
*
* @return object|bool The hash type object or false if prefix is not
* supported
*/
protected function get_algorithm($prefix)
{
if (isset($this->type_map[$prefix]))
{
return $this->type_map[$prefix];
}
else
{
return false;
}
}
/**
* Detect the hash type of the supplied hash
*
* @param string $hash Password hash that should be checked
*
* @return object|bool The hash type object or false if the specified
* type is not supported
*/
public function detect_algorithm($hash)
{
/*
* preg_match() will also show hashing algos like $2a\H$, which
* is a combination of bcrypt and phpass. Legacy algorithms
* like md5 will not be matched by this and need to be treated
* differently.
*/
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
{
return $this->get_algorithm('$H$');
}
// Be on the lookout for multiple hashing algorithms
// 2 is correct: H\2a > 2, H\P > 2
if (strlen($match[1]) > 2)
{
$hash_types = explode('\\', $match[1]);
$return_ary = array();
foreach ($hash_types as $type)
{
// we do not support the same hashing
// algorithm more than once
if (isset($return_ary[$type]))
{
return false;
}
$return_ary[$type] = $this->get_algorithm('$' . $type . '$');
if (empty($return_ary[$type]))
{
return false;
}
}
return $return_ary;
}
// get_algorithm() will automatically return false if prefix
// is not supported
return $this->get_algorithm($match[0]);
}
/**
* Hash supplied password
*
* @param string $password Password that should be hashed
* @param string $type Hash type. Will default to standard hash type if
* none is supplied
* @return string|bool Password hash of supplied password or false if
* if something went wrong during hashing
*/
public function hash($password, $type = '')
{
if (strlen($password) > 4096)
{
// If the password is too huge, we will simply reject it
// and not let the server try to hash it.
return false;
}
// Try to retrieve algorithm by service name if type doesn't
// start with dollar sign
if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type]))
{
$type = $this->algorithms[$type]->get_prefix();
}
$type = ($type === '') ? $this->type : $type;
if (is_array($type))
{
return $this->combined_hash_password($password, $type);
}
if (isset($this->type_map[$type]))
{
$hashing_algorithm = $this->type_map[$type];
}
else
{
return false;
}
return $hashing_algorithm->hash($password);
}
/**
* Check supplied password against hash and set convert_flag if password
* needs to be converted to different format (preferrably newer one)
*
* @param string $password Password that should be checked
* @param string $hash Stored hash
* @return string|bool True if password is correct, false if not
*/
public function check($password, $hash)
{
if (strlen($password) > 4096)
{
// If the password is too huge, we will simply reject it
// and not let the server try to hash it.
return false;
}
// First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false)
{
return false;
}
// Multiple hash passes needed
if (is_array($stored_hash_type))
{
$correct = $this->check_combined_hash($password, $stored_hash_type, $hash);
$this->convert_flag = ($correct === true) ? true : false;
return $correct;
}
if ($stored_hash_type->get_prefix() !== $this->type)
{
$this->convert_flag = true;
}
else
{
$this->convert_flag = false;
}
return $stored_hash_type->check($password, $hash);
}
/**
* Create combined hash from already hashed password
*
* @param string $password_hash Complete current password hash
* @param string $type Type of the hashing algorithm the password hash
* should be combined with
* @return string|bool Combined password hash if combined hashing was
* successful, else false
*/
public function combined_hash_password($password_hash, $type)
{
$data = array(
'prefix' => '$',
'settings' => '$',
);
$hash_settings = $this->helper->get_combined_hash_settings($password_hash);
$hash = $hash_settings[0];
// Put settings of current hash into data array
$stored_hash_type = $this->detect_algorithm($password_hash);
$this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix());
$this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash));
// Hash current hash with the defined types
foreach ($type as $cur_type)
{
if (isset($this->algorithms[$cur_type]))
{
$new_hash_type = $this->algorithms[$cur_type];
}
else
{
$new_hash_type = $this->get_algorithm($cur_type);
}
if (!$new_hash_type)
{
return false;
}
$new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash));
$this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix());
$this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0));
$hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash));
}
return $this->helper->combine_hash_output($data, 'hash', $hash);
}
/**
* Check combined password hash against the supplied password
*
* @param string $password Password entered by user
* @param array $stored_hash_type An array containing the hash types
* as described by stored password hash
* @param string $hash Stored password hash
*
* @return bool True if password is correct, false if not
*/
public function check_combined_hash($password, $stored_hash_type, $hash)
{
$i = 0;
$data = array(
'prefix' => '$',
'settings' => '$',
);
$hash_settings = $this->helper->get_combined_hash_settings($hash);
foreach ($stored_hash_type as $key => $hash_type)
{
$rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]);
$this->helper->combine_hash_output($data, 'prefix', $key);
$this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]);
$cur_hash = $hash_type->hash($password, $rebuilt_hash);
$password = str_replace($rebuilt_hash, '', $cur_hash);
$i++;
}
return ($hash === $this->helper->combine_hash_output($data, 'hash', $password));
}
}