mirror of
https://github.com/phpbb/phpbb.git
synced 2025-03-14 12:40:13 +01:00
Merge pull request #1716 from marc1706/feature/passwords
[feature/passwords] Add password hashing manager with support for newer hashing algorithms
This commit is contained in:
commit
f8d6a07392
@ -10,6 +10,7 @@ services:
|
||||
arguments:
|
||||
- @dbal.conn
|
||||
- @config
|
||||
- @passwords.manager
|
||||
- @request
|
||||
- @user
|
||||
- %core.root_path%
|
||||
@ -21,6 +22,7 @@ services:
|
||||
arguments:
|
||||
- @dbal.conn
|
||||
- @config
|
||||
- @passwords.manager
|
||||
- @request
|
||||
- @user
|
||||
- %core.root_path%
|
||||
@ -32,6 +34,7 @@ services:
|
||||
arguments:
|
||||
- @dbal.conn
|
||||
- @config
|
||||
- @passwords.manager
|
||||
- @user
|
||||
tags:
|
||||
- { name: auth.provider }
|
||||
|
62
phpBB/config/passwords.yml
Normal file
62
phpBB/config/passwords.yml
Normal file
@ -0,0 +1,62 @@
|
||||
parameters:
|
||||
passwords.algorithms:
|
||||
- passwords.driver.bcrypt_2y
|
||||
- passwords.driver.bcrypt
|
||||
- passwords.driver.salted_md5
|
||||
- passwords.driver.phpass
|
||||
|
||||
services:
|
||||
passwords.driver.bcrypt:
|
||||
class: phpbb\passwords\driver\bcrypt
|
||||
arguments:
|
||||
- @config
|
||||
- @passwords.driver_helper
|
||||
tags:
|
||||
- { name: passwords.driver }
|
||||
|
||||
passwords.driver.bcrypt_2y:
|
||||
class: phpbb\passwords\driver\bcrypt_2y
|
||||
arguments:
|
||||
- @config
|
||||
- @passwords.driver_helper
|
||||
tags:
|
||||
- { name: passwords.driver }
|
||||
|
||||
passwords.driver.salted_md5:
|
||||
class: phpbb\passwords\driver\salted_md5
|
||||
arguments:
|
||||
- @config
|
||||
- @passwords.driver_helper
|
||||
tags:
|
||||
- { name: passwords.driver }
|
||||
|
||||
passwords.driver.phpass:
|
||||
class: phpbb\passwords\driver\phpass
|
||||
arguments:
|
||||
- @config
|
||||
- @passwords.driver_helper
|
||||
tags:
|
||||
- { name: passwords.driver }
|
||||
|
||||
passwords.driver_collection:
|
||||
class: phpbb\di\service_collection
|
||||
arguments:
|
||||
- @service_container
|
||||
tags:
|
||||
- { name: service_collection, tag: passwords.driver }
|
||||
|
||||
passwords.driver_helper:
|
||||
class: phpbb\passwords\driver\helper
|
||||
arguments:
|
||||
- @config
|
||||
|
||||
passwords.manager:
|
||||
class: phpbb\passwords\manager
|
||||
arguments:
|
||||
- @config
|
||||
- @passwords.driver_collection
|
||||
- @passwords.helper
|
||||
- %passwords.algorithms%
|
||||
|
||||
passwords.helper:
|
||||
class: phpbb\passwords\helper
|
@ -8,6 +8,7 @@ imports:
|
||||
- { resource: auth_providers.yml }
|
||||
- { resource: console.yml }
|
||||
- { resource: mimetype_guessers.yml }
|
||||
- { resource: passwords.yml }
|
||||
|
||||
services:
|
||||
acl.permissions:
|
||||
|
@ -926,7 +926,7 @@ class acp_forums
|
||||
*/
|
||||
function update_forum_data(&$forum_data)
|
||||
{
|
||||
global $db, $user, $cache, $phpbb_root_path, $phpbb_dispatcher;
|
||||
global $db, $user, $cache, $phpbb_root_path, $phpbb_container, $phpbb_dispatcher;
|
||||
|
||||
$errors = array();
|
||||
|
||||
@ -1030,7 +1030,10 @@ class acp_forums
|
||||
}
|
||||
else
|
||||
{
|
||||
$forum_data_sql['forum_password'] = phpbb_hash($forum_data_sql['forum_password']);
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$forum_data_sql['forum_password'] = $passwords_manager->hash($forum_data_sql['forum_password']);
|
||||
}
|
||||
unset($forum_data_sql['forum_password_unset']);
|
||||
|
||||
|
@ -824,9 +824,12 @@ class acp_users
|
||||
$error[] = 'FORM_INVALID';
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
// Which updates do we need to do?
|
||||
$update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
|
||||
$update_password = ($data['new_password'] && !phpbb_check_hash($data['new_password'], $user_row['user_password'])) ? true : false;
|
||||
$update_password = $data['new_password'] && !$passwords_manager->check($data['new_password'], $user_row['user_password']);
|
||||
$update_email = ($data['email'] != $user_row['user_email']) ? $data['email'] : false;
|
||||
|
||||
if (!sizeof($error))
|
||||
@ -910,7 +913,7 @@ class acp_users
|
||||
if ($update_password)
|
||||
{
|
||||
$sql_ary += array(
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_password' => $passwords_manager->hash($data['new_password']),
|
||||
'user_passchg' => time(),
|
||||
'user_pass_convert' => 0,
|
||||
);
|
||||
|
@ -318,7 +318,7 @@ $schema_data['phpbb_forums'] = array(
|
||||
'forum_desc_options' => array('UINT:11', 7),
|
||||
'forum_desc_uid' => array('VCHAR:8', ''),
|
||||
'forum_link' => array('VCHAR_UNI', ''),
|
||||
'forum_password' => array('VCHAR_UNI:40', ''),
|
||||
'forum_password' => array('VCHAR_UNI', ''),
|
||||
'forum_style' => array('UINT', 0),
|
||||
'forum_image' => array('VCHAR', ''),
|
||||
'forum_rules' => array('TEXT_UNI', ''),
|
||||
@ -1112,7 +1112,7 @@ $schema_data['phpbb_users'] = array(
|
||||
'user_regdate' => array('TIMESTAMP', 0),
|
||||
'username' => array('VCHAR_CI', ''),
|
||||
'username_clean' => array('VCHAR_CI', ''),
|
||||
'user_password' => array('VCHAR_UNI:40', ''),
|
||||
'user_password' => array('VCHAR_UNI', ''),
|
||||
'user_passchg' => array('TIMESTAMP', 0),
|
||||
'user_pass_convert' => array('BOOL', 0),
|
||||
'user_email' => array('VCHAR_UNI:100', ''),
|
||||
|
@ -368,73 +368,27 @@ function still_on_time($extra_time = 15)
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)
|
||||
*
|
||||
* Portable PHP password hashing framework.
|
||||
*
|
||||
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
|
||||
* the public domain.
|
||||
*
|
||||
* There's absolutely no warranty.
|
||||
*
|
||||
* The homepage URL for this framework is:
|
||||
*
|
||||
* http://www.openwall.com/phpass/
|
||||
*
|
||||
* Please be sure to update the Version line if you edit this file in any way.
|
||||
* It is suggested that you leave the main version number intact, but indicate
|
||||
* your project name (after the slash) and add your own revision information.
|
||||
*
|
||||
* Please do not change the "private" password hashing method implemented in
|
||||
* here, thereby making your hashes incompatible. However, if you must, please
|
||||
* change the hash type identifier (the "$P$") to something different.
|
||||
*
|
||||
* Obviously, since this code is in the public domain, the above are not
|
||||
* requirements (there can be none), but merely suggestions.
|
||||
*
|
||||
*
|
||||
* Hash the password
|
||||
*
|
||||
* @deprecated 3.1.0-a2 (To be removed: 3.3.0)
|
||||
*
|
||||
* @param string $password Password to be hashed
|
||||
*
|
||||
* @return string|bool Password hash or false if something went wrong during hashing
|
||||
*/
|
||||
function phpbb_hash($password)
|
||||
{
|
||||
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
||||
global $phpbb_container;
|
||||
|
||||
$random_state = unique_id();
|
||||
$random = '';
|
||||
$count = 6;
|
||||
|
||||
if (($fh = @fopen('/dev/urandom', 'rb')))
|
||||
{
|
||||
$random = fread($fh, $count);
|
||||
fclose($fh);
|
||||
}
|
||||
|
||||
if (strlen($random) < $count)
|
||||
{
|
||||
$random = '';
|
||||
|
||||
for ($i = 0; $i < $count; $i += 16)
|
||||
{
|
||||
$random_state = md5(unique_id() . $random_state);
|
||||
$random .= pack('H*', md5($random_state));
|
||||
}
|
||||
$random = substr($random, 0, $count);
|
||||
}
|
||||
|
||||
$hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64);
|
||||
|
||||
if (strlen($hash) == 34)
|
||||
{
|
||||
return $hash;
|
||||
}
|
||||
|
||||
return md5($password);
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
return $passwords_manager->hash($password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check for correct password
|
||||
*
|
||||
* @deprecated 3.1.0-a2 (To be removed: 3.3.0)
|
||||
*
|
||||
* @param string $password The password in plain text
|
||||
* @param string $hash The stored password hash
|
||||
*
|
||||
@ -442,130 +396,10 @@ function phpbb_hash($password)
|
||||
*/
|
||||
function phpbb_check_hash($password, $hash)
|
||||
{
|
||||
if (strlen($password) > 4096)
|
||||
{
|
||||
// If the password is too huge, we will simply reject it
|
||||
// and not let the server try to hash it.
|
||||
return false;
|
||||
}
|
||||
global $phpbb_container;
|
||||
|
||||
$itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
||||
if (strlen($hash) == 34)
|
||||
{
|
||||
return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
|
||||
}
|
||||
|
||||
return (md5($password) === $hash) ? true : false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate salt for hash generation
|
||||
*/
|
||||
function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
|
||||
{
|
||||
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
|
||||
{
|
||||
$iteration_count_log2 = 8;
|
||||
}
|
||||
|
||||
$output = '$H$';
|
||||
$output .= $itoa64[min($iteration_count_log2 + 5, 30)];
|
||||
$output .= _hash_encode64($input, 6, $itoa64);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* Encode hash
|
||||
*/
|
||||
function _hash_encode64($input, $count, &$itoa64)
|
||||
{
|
||||
$output = '';
|
||||
$i = 0;
|
||||
|
||||
do
|
||||
{
|
||||
$value = ord($input[$i++]);
|
||||
$output .= $itoa64[$value & 0x3f];
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 8;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 6) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 16;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 12) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
$output .= $itoa64[($value >> 18) & 0x3f];
|
||||
}
|
||||
while ($i < $count);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* The crypt function/replacement
|
||||
*/
|
||||
function _hash_crypt_private($password, $setting, &$itoa64)
|
||||
{
|
||||
$output = '*';
|
||||
|
||||
// Check for correct hash
|
||||
if (substr($setting, 0, 3) != '$H$' && substr($setting, 0, 3) != '$P$')
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
$count_log2 = strpos($itoa64, $setting[3]);
|
||||
|
||||
if ($count_log2 < 7 || $count_log2 > 30)
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
$count = 1 << $count_log2;
|
||||
$salt = substr($setting, 4, 8);
|
||||
|
||||
if (strlen($salt) != 8)
|
||||
{
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* We're kind of forced to use MD5 here since it's the only
|
||||
* cryptographic primitive available in all versions of PHP
|
||||
* currently in use. To implement our own low-level crypto
|
||||
* in PHP would result in much worse performance and
|
||||
* consequently in lower iteration counts and hashes that are
|
||||
* quicker to crack (by non-PHP code).
|
||||
*/
|
||||
$hash = md5($salt . $password, true);
|
||||
do
|
||||
{
|
||||
$hash = md5($hash . $password, true);
|
||||
}
|
||||
while (--$count);
|
||||
|
||||
$output = substr($setting, 0, 12);
|
||||
$output .= _hash_encode64($hash, 16, $itoa64);
|
||||
|
||||
return $output;
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
return $passwords_manager->check($password, $hash);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -3206,9 +3040,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
|
||||
*/
|
||||
function login_forum_box($forum_data)
|
||||
{
|
||||
global $db, $config, $user, $template, $phpEx;
|
||||
global $db, $phpbb_container, $request, $template, $user;
|
||||
|
||||
$password = request_var('password', '', true);
|
||||
$password = $request->variable('password', '', true);
|
||||
|
||||
$sql = 'SELECT forum_id
|
||||
FROM ' . FORUMS_ACCESS_TABLE . '
|
||||
@ -3249,7 +3083,9 @@ function login_forum_box($forum_data)
|
||||
}
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
if (phpbb_check_hash($password, $forum_data['forum_password']))
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
if ($passwords_manager->check($password, $forum_data['forum_password']))
|
||||
{
|
||||
$sql_ary = array(
|
||||
'forum_id' => (int) $forum_data['forum_id'],
|
||||
|
@ -82,13 +82,16 @@ class ucp_profile
|
||||
$error[] = ($data['password_confirm']) ? 'NEW_PASSWORD_ERROR' : 'NEW_PASSWORD_CONFIRM_EMPTY';
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
// Only check the new password against the previous password if there have been no errors
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && $passwords_manager->check($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = 'SAME_PASSWORD_ERROR';
|
||||
}
|
||||
|
||||
if (!phpbb_check_hash($data['cur_password'], $user->data['user_password']))
|
||||
if (!$passwords_manager->check($data['cur_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY';
|
||||
}
|
||||
@ -105,7 +108,7 @@ class ucp_profile
|
||||
'username_clean' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? utf8_clean_string($data['username']) : $user->data['username_clean'],
|
||||
'user_email' => ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
|
||||
'user_email_hash' => ($auth->acl_get('u_chgemail')) ? phpbb_email_hash($data['email']) : $user->data['user_email_hash'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? phpbb_hash($data['new_password']) : $user->data['user_password'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? $passwords_manager->hash($data['new_password']) : $user->data['user_password'],
|
||||
'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
|
||||
);
|
||||
|
||||
@ -114,7 +117,7 @@ class ucp_profile
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_UPDATE_NAME', $user->data['username'], $data['username']);
|
||||
}
|
||||
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !$passwords_manager->check($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$user->reset_login_keys();
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_NEW_PASSWORD', $data['username']);
|
||||
|
@ -294,9 +294,12 @@ class ucp_register
|
||||
$user_inactive_time = 0;
|
||||
}
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$user_row = array(
|
||||
'username' => $data['username'],
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_password' => $passwords_manager->hash($data['new_password']),
|
||||
'user_email' => $data['email'],
|
||||
'group_id' => (int) $group_id,
|
||||
'user_timezone' => $data['tz'],
|
||||
|
@ -27,7 +27,7 @@ class ucp_remind
|
||||
function main($id, $mode)
|
||||
{
|
||||
global $config, $phpbb_root_path, $phpEx;
|
||||
global $db, $user, $auth, $template;
|
||||
global $db, $user, $auth, $template, $phpbb_container;;
|
||||
|
||||
if (!$config['allow_password_reset'])
|
||||
{
|
||||
@ -88,8 +88,11 @@ class ucp_remind
|
||||
// For the activation key a random length between 6 and 10 will do.
|
||||
$user_actkey = gen_rand_string(mt_rand(6, 10));
|
||||
|
||||
// Instantiate passwords manager
|
||||
$passwords_manager = $phpbb_container->get('passwords.manager');
|
||||
|
||||
$sql = 'UPDATE ' . USERS_TABLE . "
|
||||
SET user_newpasswd = '" . $db->sql_escape(phpbb_hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
WHERE user_id = " . $user_row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
|
@ -361,7 +361,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options INTEGER DEFAULT 7 NOT NULL,
|
||||
forum_desc_uid VARCHAR(8) CHARACTER SET NONE DEFAULT '' NOT NULL,
|
||||
forum_link VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
forum_password VARCHAR(40) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
forum_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
forum_style INTEGER DEFAULT 0 NOT NULL,
|
||||
forum_image VARCHAR(255) CHARACTER SET NONE DEFAULT '' NOT NULL,
|
||||
forum_rules BLOB SUB_TYPE TEXT CHARACTER SET UTF8 DEFAULT '' NOT NULL,
|
||||
@ -1365,7 +1365,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate INTEGER DEFAULT 0 NOT NULL,
|
||||
username VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
username_clean VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
user_password VARCHAR(40) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
user_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
user_passchg INTEGER DEFAULT 0 NOT NULL,
|
||||
user_pass_convert INTEGER DEFAULT 0 NOT NULL,
|
||||
user_email VARCHAR(100) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,
|
||||
|
@ -448,7 +448,7 @@ CREATE TABLE [phpbb_forums] (
|
||||
[forum_desc_options] [int] DEFAULT (7) NOT NULL ,
|
||||
[forum_desc_uid] [varchar] (8) DEFAULT ('') NOT NULL ,
|
||||
[forum_link] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[forum_password] [varchar] (40) DEFAULT ('') NOT NULL ,
|
||||
[forum_password] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[forum_style] [int] DEFAULT (0) NOT NULL ,
|
||||
[forum_image] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[forum_rules] [varchar] (4000) DEFAULT ('') NOT NULL ,
|
||||
@ -1681,7 +1681,7 @@ CREATE TABLE [phpbb_users] (
|
||||
[user_regdate] [int] DEFAULT (0) NOT NULL ,
|
||||
[username] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[username_clean] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[user_password] [varchar] (40) DEFAULT ('') NOT NULL ,
|
||||
[user_password] [varchar] (255) DEFAULT ('') NOT NULL ,
|
||||
[user_passchg] [int] DEFAULT (0) NOT NULL ,
|
||||
[user_pass_convert] [int] DEFAULT (0) NOT NULL ,
|
||||
[user_email] [varchar] (100) DEFAULT ('') NOT NULL ,
|
||||
|
@ -246,7 +246,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options int(11) UNSIGNED DEFAULT '7' NOT NULL,
|
||||
forum_desc_uid varbinary(8) DEFAULT '' NOT NULL,
|
||||
forum_link blob NOT NULL,
|
||||
forum_password varbinary(120) DEFAULT '' NOT NULL,
|
||||
forum_password blob DEFAULT '' NOT NULL,
|
||||
forum_style mediumint(8) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
forum_image varbinary(255) DEFAULT '' NOT NULL,
|
||||
forum_rules blob NOT NULL,
|
||||
@ -974,7 +974,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate int(11) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
username blob NOT NULL,
|
||||
username_clean blob NOT NULL,
|
||||
user_password varbinary(120) DEFAULT '' NOT NULL,
|
||||
user_password blob DEFAULT '' NOT NULL,
|
||||
user_passchg int(11) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
user_pass_convert tinyint(1) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
user_email blob NOT NULL,
|
||||
|
@ -246,7 +246,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options int(11) UNSIGNED DEFAULT '7' NOT NULL,
|
||||
forum_desc_uid varchar(8) DEFAULT '' NOT NULL,
|
||||
forum_link varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_password varchar(40) DEFAULT '' NOT NULL,
|
||||
forum_password varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_style mediumint(8) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
forum_image varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_rules text NOT NULL,
|
||||
@ -974,7 +974,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate int(11) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
username varchar(255) DEFAULT '' NOT NULL,
|
||||
username_clean varchar(255) DEFAULT '' NOT NULL,
|
||||
user_password varchar(40) DEFAULT '' NOT NULL,
|
||||
user_password varchar(255) DEFAULT '' NOT NULL,
|
||||
user_passchg int(11) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
user_pass_convert tinyint(1) UNSIGNED DEFAULT '0' NOT NULL,
|
||||
user_email varchar(100) DEFAULT '' NOT NULL,
|
||||
|
@ -509,7 +509,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options number(11) DEFAULT '7' NOT NULL,
|
||||
forum_desc_uid varchar2(8) DEFAULT '' ,
|
||||
forum_link varchar2(765) DEFAULT '' ,
|
||||
forum_password varchar2(120) DEFAULT '' ,
|
||||
forum_password varchar2(255) DEFAULT '' ,
|
||||
forum_style number(8) DEFAULT '0' NOT NULL,
|
||||
forum_image varchar2(255) DEFAULT '' ,
|
||||
forum_rules clob DEFAULT '' ,
|
||||
@ -986,7 +986,7 @@ CREATE TABLE phpbb_poll_votes (
|
||||
topic_id number(8) DEFAULT '0' NOT NULL,
|
||||
poll_option_id number(4) DEFAULT '0' NOT NULL,
|
||||
vote_user_id number(8) DEFAULT '0' NOT NULL,
|
||||
vote_user_ip varchar2(40) DEFAULT ''
|
||||
vote_user_ip varchar2(40) DEFAULT ''
|
||||
)
|
||||
/
|
||||
|
||||
@ -1798,7 +1798,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate number(11) DEFAULT '0' NOT NULL,
|
||||
username varchar2(255) DEFAULT '' ,
|
||||
username_clean varchar2(255) DEFAULT '' ,
|
||||
user_password varchar2(120) DEFAULT '' ,
|
||||
user_password varchar2(255) DEFAULT '' ,
|
||||
user_passchg number(11) DEFAULT '0' NOT NULL,
|
||||
user_pass_convert number(1) DEFAULT '0' NOT NULL,
|
||||
user_email varchar2(300) DEFAULT '' ,
|
||||
|
@ -384,7 +384,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options INT4 DEFAULT '7' NOT NULL CHECK (forum_desc_options >= 0),
|
||||
forum_desc_uid varchar(8) DEFAULT '' NOT NULL,
|
||||
forum_link varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_password varchar(40) DEFAULT '' NOT NULL,
|
||||
forum_password varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_style INT4 DEFAULT '0' NOT NULL CHECK (forum_style >= 0),
|
||||
forum_image varchar(255) DEFAULT '' NOT NULL,
|
||||
forum_rules varchar(4000) DEFAULT '' NOT NULL,
|
||||
@ -1246,7 +1246,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate INT4 DEFAULT '0' NOT NULL CHECK (user_regdate >= 0),
|
||||
username varchar_ci DEFAULT '' NOT NULL,
|
||||
username_clean varchar_ci DEFAULT '' NOT NULL,
|
||||
user_password varchar(40) DEFAULT '' NOT NULL,
|
||||
user_password varchar(255) DEFAULT '' NOT NULL,
|
||||
user_passchg INT4 DEFAULT '0' NOT NULL CHECK (user_passchg >= 0),
|
||||
user_pass_convert INT2 DEFAULT '0' NOT NULL CHECK (user_pass_convert >= 0),
|
||||
user_email varchar(100) DEFAULT '' NOT NULL,
|
||||
|
@ -239,7 +239,7 @@ CREATE TABLE phpbb_forums (
|
||||
forum_desc_options INTEGER UNSIGNED NOT NULL DEFAULT '7',
|
||||
forum_desc_uid varchar(8) NOT NULL DEFAULT '',
|
||||
forum_link varchar(255) NOT NULL DEFAULT '',
|
||||
forum_password varchar(40) NOT NULL DEFAULT '',
|
||||
forum_password varchar(255) NOT NULL DEFAULT '',
|
||||
forum_style INTEGER UNSIGNED NOT NULL DEFAULT '0',
|
||||
forum_image varchar(255) NOT NULL DEFAULT '',
|
||||
forum_rules text(65535) NOT NULL DEFAULT '',
|
||||
@ -945,7 +945,7 @@ CREATE TABLE phpbb_users (
|
||||
user_regdate INTEGER UNSIGNED NOT NULL DEFAULT '0',
|
||||
username varchar(255) NOT NULL DEFAULT '',
|
||||
username_clean varchar(255) NOT NULL DEFAULT '',
|
||||
user_password varchar(40) NOT NULL DEFAULT '',
|
||||
user_password varchar(255) NOT NULL DEFAULT '',
|
||||
user_passchg INTEGER UNSIGNED NOT NULL DEFAULT '0',
|
||||
user_pass_convert INTEGER UNSIGNED NOT NULL DEFAULT '0',
|
||||
user_email varchar(100) NOT NULL DEFAULT '',
|
||||
|
@ -16,20 +16,29 @@ namespace phpbb\auth\provider;
|
||||
*/
|
||||
class apache extends \phpbb\auth\provider\base
|
||||
{
|
||||
/**
|
||||
* phpBB passwords manager
|
||||
*
|
||||
* @var \phpbb\passwords\manager
|
||||
*/
|
||||
protected $passwords_manager;
|
||||
|
||||
/**
|
||||
* Apache Authentication Constructor
|
||||
*
|
||||
* @param \phpbb\db\driver\driver $db
|
||||
* @param \phpbb\config\config $config
|
||||
* @param \phpbb\passwords\manager $passwords_manager
|
||||
* @param \phpbb\request\request $request
|
||||
* @param \phpbb\user $user
|
||||
* @param string $phpbb_root_path
|
||||
* @param string $php_ext
|
||||
*/
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
|
||||
{
|
||||
$this->db = $db;
|
||||
$this->config = $config;
|
||||
$this->passwords_manager = $passwords_manager;
|
||||
$this->request = $request;
|
||||
$this->user = $user;
|
||||
$this->phpbb_root_path = $phpbb_root_path;
|
||||
@ -220,7 +229,7 @@ class apache extends \phpbb\auth\provider\base
|
||||
// generate user account data
|
||||
return array(
|
||||
'username' => $username,
|
||||
'user_password' => phpbb_hash($password),
|
||||
'user_password' => $this->passwords_manager->hash($password),
|
||||
'user_email' => '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
@ -18,21 +18,29 @@ namespace phpbb\auth\provider;
|
||||
*/
|
||||
class db extends \phpbb\auth\provider\base
|
||||
{
|
||||
/**
|
||||
* phpBB passwords manager
|
||||
*
|
||||
* @var \phpbb\passwords\manager
|
||||
*/
|
||||
protected $passwords_manager;
|
||||
|
||||
/**
|
||||
* Database Authentication Constructor
|
||||
*
|
||||
* @param \phpbb\db\driver\driver $db
|
||||
* @param \phpbb\config\config $config
|
||||
* @param \phpbb\request\request $request
|
||||
* @param \phpbb\user $user
|
||||
* @param string $phpbb_root_path
|
||||
* @param string $php_ext
|
||||
* @param \phpbb\db\driver\driver $db
|
||||
* @param \phpbb\config\config $config
|
||||
* @param \phpbb\passwords\manager $passwords_manager
|
||||
* @param \phpbb\request\request $request
|
||||
* @param \phpbb\user $user
|
||||
* @param string $phpbb_root_path
|
||||
* @param string $php_ext
|
||||
*/
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)
|
||||
{
|
||||
$this->db = $db;
|
||||
$this->config = $config;
|
||||
$this->passwords_manager = $passwords_manager;
|
||||
$this->request = $request;
|
||||
$this->user = $user;
|
||||
$this->phpbb_root_path = $phpbb_root_path;
|
||||
@ -191,10 +199,10 @@ class db extends \phpbb\auth\provider\base
|
||||
|
||||
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
|
||||
// plain md5 support left in for conversions from other systems.
|
||||
if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|
||||
if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|
||||
|| (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
|
||||
{
|
||||
$hash = phpbb_hash($password_new_format);
|
||||
$hash = $this->passwords_manager->hash($password_new_format);
|
||||
|
||||
// Update the password in the users table to the new format and remove user_pass_convert flag
|
||||
$sql = 'UPDATE ' . USERS_TABLE . '
|
||||
@ -226,12 +234,12 @@ class db extends \phpbb\auth\provider\base
|
||||
}
|
||||
|
||||
// Check password ...
|
||||
if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
|
||||
if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password']))
|
||||
{
|
||||
// Check for old password hash...
|
||||
if (strlen($row['user_password']) == 32)
|
||||
if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
|
||||
{
|
||||
$hash = phpbb_hash($password);
|
||||
$hash = $this->passwords_manager->hash($password);
|
||||
|
||||
// Update the password in the users table to the new format
|
||||
$sql = 'UPDATE ' . USERS_TABLE . "
|
||||
|
@ -18,17 +18,26 @@ namespace phpbb\auth\provider;
|
||||
*/
|
||||
class ldap extends \phpbb\auth\provider\base
|
||||
{
|
||||
/**
|
||||
* phpBB passwords manager
|
||||
*
|
||||
* @var \phpbb\passwords\manager
|
||||
*/
|
||||
protected $passwords_manager;
|
||||
|
||||
/**
|
||||
* LDAP Authentication Constructor
|
||||
*
|
||||
* @param \phpbb\db\driver\driver $db
|
||||
* @param \phpbb\config\config $config
|
||||
* @param \phpbb\user $user
|
||||
* @param \phpbb\db\driver\driver $db
|
||||
* @param \phpbb\config\config $config
|
||||
* @param \phpbb\passwords\manager $passwords_manager
|
||||
* @param \phpbb\user $user
|
||||
*/
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\user $user)
|
||||
public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\user $user)
|
||||
{
|
||||
$this->db = $db;
|
||||
$this->config = $config;
|
||||
$this->passwords_manager = $passwords_manager;
|
||||
$this->user = $user;
|
||||
}
|
||||
|
||||
@ -235,7 +244,7 @@ class ldap extends \phpbb\auth\provider\base
|
||||
// generate user account data
|
||||
$ldap_user_row = array(
|
||||
'username' => $username,
|
||||
'user_password' => phpbb_hash($password),
|
||||
'user_password' => $this->passwords_manager->hash($password),
|
||||
'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'])][0]) : '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
46
phpBB/phpbb/db/migration/data/v310/passwords.php
Normal file
46
phpBB/phpbb/db/migration/data/v310/passwords.php
Normal file
@ -0,0 +1,46 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package migration
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-license.php GNU Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\db\migration\data\v310;
|
||||
|
||||
class passwords extends \phpbb\db\migration\migration
|
||||
{
|
||||
static public function depends_on()
|
||||
{
|
||||
return array('\phpbb\db\migration\data\v30x\release_3_0_11');
|
||||
}
|
||||
|
||||
public function update_schema()
|
||||
{
|
||||
return array(
|
||||
'change_columns' => array(
|
||||
$this->table_prefix . 'users' => array(
|
||||
'user_password' => array('VCHAR:255', ''),
|
||||
),
|
||||
$this->table_prefix . 'forums' => array(
|
||||
'forum_password' => array('VCHAR:255', ''),
|
||||
),
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
public function revert_schema()
|
||||
{
|
||||
return array(
|
||||
'change_columns' => array(
|
||||
$this->table_prefix . 'users' => array(
|
||||
'user_password' => array('VCHAR:40', ''),
|
||||
),
|
||||
$this->table_prefix . 'forums' => array(
|
||||
'forum_password' => array('VCHAR:40', ''),
|
||||
),
|
||||
),
|
||||
);
|
||||
}
|
||||
}
|
45
phpBB/phpbb/passwords/driver/base.php
Normal file
45
phpBB/phpbb/passwords/driver/base.php
Normal file
@ -0,0 +1,45 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
abstract class base implements driver_interface
|
||||
{
|
||||
/** @var phpbb\config\config */
|
||||
protected $config;
|
||||
|
||||
/** @var phpbb\passwords\driver\helper */
|
||||
protected $helper;
|
||||
|
||||
/** @var driver name */
|
||||
protected $name;
|
||||
|
||||
/**
|
||||
* Constructor of passwords driver object
|
||||
*
|
||||
* @param \phpbb\config\config $config phpBB config
|
||||
* @param \phpbb\passwords\driver\helper $helper Password driver helper
|
||||
*/
|
||||
public function __construct(\phpbb\config\config $config, helper $helper)
|
||||
{
|
||||
$this->config = $config;
|
||||
$this->helper = $helper;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function is_supported()
|
||||
{
|
||||
return true;
|
||||
}
|
||||
}
|
104
phpBB/phpbb/passwords/driver/bcrypt.php
Normal file
104
phpBB/phpbb/passwords/driver/bcrypt.php
Normal file
@ -0,0 +1,104 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class bcrypt extends base
|
||||
{
|
||||
const PREFIX = '$2a$';
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_prefix()
|
||||
{
|
||||
return self::PREFIX;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function hash($password, $salt = '')
|
||||
{
|
||||
// The 2x and 2y prefixes of bcrypt might not be supported
|
||||
// Revert to 2a if this is the case
|
||||
$prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();
|
||||
|
||||
// Do not support 8-bit characters with $2a$ bcrypt
|
||||
// Also see http://www.php.net/security/crypt_blowfish.php
|
||||
if ($prefix === self::PREFIX)
|
||||
{
|
||||
if (ord($password[strlen($password)-1]) & 128)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if ($salt == '')
|
||||
{
|
||||
$salt = $prefix . '10$' . $this->get_random_salt();
|
||||
}
|
||||
|
||||
$hash = crypt($password, $salt);
|
||||
if (strlen($hash) < 60)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function check($password, $hash)
|
||||
{
|
||||
$salt = substr($hash, 0, 29);
|
||||
if (strlen($salt) != 29)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($hash == $this->hash($password, $salt))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a random salt value with a length of 22 characters
|
||||
*
|
||||
* @return string Salt for password hashing
|
||||
*/
|
||||
protected function get_random_salt()
|
||||
{
|
||||
return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22);
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_settings_only($hash, $full = false)
|
||||
{
|
||||
if ($full)
|
||||
{
|
||||
$pos = stripos($hash, '$', 1) + 1;
|
||||
$length = 22 + (strripos($hash, '$') + 1 - $pos);
|
||||
}
|
||||
else
|
||||
{
|
||||
$pos = strripos($hash, '$') + 1;
|
||||
$length = 22;
|
||||
}
|
||||
return substr($hash, $pos, $length);
|
||||
}
|
||||
}
|
34
phpBB/phpbb/passwords/driver/bcrypt_2y.php
Normal file
34
phpBB/phpbb/passwords/driver/bcrypt_2y.php
Normal file
@ -0,0 +1,34 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class bcrypt_2y extends bcrypt
|
||||
{
|
||||
const PREFIX = '$2y$';
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_prefix()
|
||||
{
|
||||
return self::PREFIX;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function is_supported()
|
||||
{
|
||||
return (version_compare(PHP_VERSION, '5.3.7', '<')) ? false : true;
|
||||
}
|
||||
}
|
60
phpBB/phpbb/passwords/driver/driver_interface.php
Normal file
60
phpBB/phpbb/passwords/driver/driver_interface.php
Normal file
@ -0,0 +1,60 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
interface driver_interface
|
||||
{
|
||||
/**
|
||||
* Check if hash type is supported
|
||||
*
|
||||
* @return bool True if supported, false if not
|
||||
*/
|
||||
public function is_supported();
|
||||
|
||||
/**
|
||||
* Returns the hash prefix
|
||||
*
|
||||
* @return string Hash prefix
|
||||
*/
|
||||
public function get_prefix();
|
||||
|
||||
/**
|
||||
* Hash the password
|
||||
*
|
||||
* @param string $password The password that should be hashed
|
||||
*
|
||||
* @return bool|string Password hash or false if something went wrong
|
||||
* during hashing
|
||||
*/
|
||||
public function hash($password);
|
||||
|
||||
/**
|
||||
* Check the password against the supplied hash
|
||||
*
|
||||
* @param string $password The password to check
|
||||
* @param string $hash The password hash to check against
|
||||
*
|
||||
* @return bool True if password is correct, else false
|
||||
*/
|
||||
public function check($password, $hash);
|
||||
|
||||
/**
|
||||
* Get only the settings of the specified hash
|
||||
*
|
||||
* @param string $hash Password hash
|
||||
* @param bool $full Return full settings or only settings
|
||||
* related to the salt
|
||||
* @return string String containing the hash settings
|
||||
*/
|
||||
public function get_settings_only($hash, $full = false);
|
||||
}
|
144
phpBB/phpbb/passwords/driver/helper.php
Normal file
144
phpBB/phpbb/passwords/driver/helper.php
Normal file
@ -0,0 +1,144 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class helper
|
||||
{
|
||||
/**
|
||||
* @var phpbb\config\config
|
||||
*/
|
||||
protected $config;
|
||||
|
||||
/**
|
||||
* base64 alphabet
|
||||
* @var string
|
||||
*/
|
||||
public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
||||
|
||||
/**
|
||||
* Construct a driver helper object
|
||||
*
|
||||
* @param phpbb\config\config $config phpBB configuration
|
||||
*/
|
||||
public function __construct(\phpbb\config\config $config)
|
||||
{
|
||||
$this->config = $config;
|
||||
}
|
||||
|
||||
/**
|
||||
* Base64 encode hash
|
||||
*
|
||||
* @param string $input Input string
|
||||
* @param int $count Input string length
|
||||
*
|
||||
* @return string base64 encoded string
|
||||
*/
|
||||
public function hash_encode64($input, $count)
|
||||
{
|
||||
$output = '';
|
||||
$i = 0;
|
||||
|
||||
do
|
||||
{
|
||||
$value = ord($input[$i++]);
|
||||
$output .= $this->itoa64[$value & 0x3f];
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 8;
|
||||
}
|
||||
|
||||
$output .= $this->itoa64[($value >> 6) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
if ($i < $count)
|
||||
{
|
||||
$value |= ord($input[$i]) << 16;
|
||||
}
|
||||
|
||||
$output .= $this->itoa64[($value >> 12) & 0x3f];
|
||||
|
||||
if ($i++ >= $count)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
$output .= $this->itoa64[($value >> 18) & 0x3f];
|
||||
}
|
||||
while ($i < $count);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return unique id
|
||||
*
|
||||
* @param string $extra Additional entropy
|
||||
*
|
||||
* @return string Unique id
|
||||
*/
|
||||
public function unique_id($extra = 'c')
|
||||
{
|
||||
static $dss_seeded = false;
|
||||
|
||||
$val = $this->config['rand_seed'] . microtime();
|
||||
$val = md5($val);
|
||||
$this->config['rand_seed'] = md5($this->config['rand_seed'] . $val . $extra);
|
||||
|
||||
if ($dss_seeded !== true && ($this->config['rand_seed_last_update'] < time() - rand(1,10)))
|
||||
{
|
||||
$this->config->set('rand_seed_last_update', time(), true);
|
||||
$this->config->set('rand_seed', $this->config['rand_seed'], true);
|
||||
$dss_seeded = true;
|
||||
}
|
||||
|
||||
return substr($val, 4, 16);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get random salt with specified length
|
||||
*
|
||||
* @param int $length Salt length
|
||||
* @param string $rand_seed Seed for random data (optional). For tests.
|
||||
*
|
||||
* @return string Random salt with specified length
|
||||
*/
|
||||
public function get_random_salt($length, $rand_seed = '/dev/urandom')
|
||||
{
|
||||
$random = '';
|
||||
|
||||
if (($fh = @fopen($rand_seed, 'rb')))
|
||||
{
|
||||
$random = fread($fh, $length);
|
||||
fclose($fh);
|
||||
}
|
||||
|
||||
if (strlen($random) < $length)
|
||||
{
|
||||
$random = '';
|
||||
$random_state = $this->unique_id();
|
||||
|
||||
for ($i = 0; $i < $length; $i += 16)
|
||||
{
|
||||
$random_state = md5($this->unique_id() . $random_state);
|
||||
$random .= pack('H*', md5($random_state));
|
||||
}
|
||||
$random = substr($random, 0, $length);
|
||||
}
|
||||
return $random;
|
||||
}
|
||||
}
|
26
phpBB/phpbb/passwords/driver/phpass.php
Normal file
26
phpBB/phpbb/passwords/driver/phpass.php
Normal file
@ -0,0 +1,26 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class phpass extends salted_md5
|
||||
{
|
||||
const PREFIX = '$P$';
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_prefix()
|
||||
{
|
||||
return self::PREFIX;
|
||||
}
|
||||
}
|
160
phpBB/phpbb/passwords/driver/salted_md5.php
Normal file
160
phpBB/phpbb/passwords/driver/salted_md5.php
Normal file
@ -0,0 +1,160 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords\driver;
|
||||
|
||||
/**
|
||||
*
|
||||
* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)
|
||||
*
|
||||
* Portable PHP password hashing framework.
|
||||
*
|
||||
* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
|
||||
* the public domain.
|
||||
*
|
||||
* There's absolutely no warranty.
|
||||
*
|
||||
* The homepage URL for this framework is:
|
||||
*
|
||||
* http://www.openwall.com/phpass/
|
||||
*
|
||||
* Please be sure to update the Version line if you edit this file in any way.
|
||||
* It is suggested that you leave the main version number intact, but indicate
|
||||
* your project name (after the slash) and add your own revision information.
|
||||
*
|
||||
* Please do not change the "private" password hashing method implemented in
|
||||
* here, thereby making your hashes incompatible. However, if you must, please
|
||||
* change the hash type identifier (the "$P$") to something different.
|
||||
*
|
||||
* Obviously, since this code is in the public domain, the above are not
|
||||
* requirements (there can be none), but merely suggestions.
|
||||
*
|
||||
*/
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class salted_md5 extends base
|
||||
{
|
||||
const PREFIX = '$H$';
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_prefix()
|
||||
{
|
||||
return self::PREFIX;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function hash($password, $setting = '')
|
||||
{
|
||||
if ($setting)
|
||||
{
|
||||
if (($settings = $this->get_hash_settings($setting)) === false)
|
||||
{
|
||||
// Return md5 of password if settings do not
|
||||
// comply with our standards. This will only
|
||||
// happen if pre-determined settings are
|
||||
// directly passed to the driver. The manager
|
||||
// will not do this. Same as the old hashing
|
||||
// implementatio in phpBB 3.0
|
||||
return md5($password);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$settings = $this->get_hash_settings($this->generate_salt());
|
||||
}
|
||||
|
||||
$hash = md5($settings['salt'] . $password, true);
|
||||
do
|
||||
{
|
||||
$hash = md5($hash . $password, true);
|
||||
}
|
||||
while (--$settings['count']);
|
||||
|
||||
$output = $settings['full'];
|
||||
$output .= $this->helper->hash_encode64($hash, 16);
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function check($password, $hash)
|
||||
{
|
||||
if (strlen($hash) !== 34)
|
||||
{
|
||||
return md5($password) === $hash;
|
||||
}
|
||||
|
||||
return $hash === $this->hash($password, $hash);
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate salt for hashing method
|
||||
*
|
||||
* @return string Salt for hashing method
|
||||
*/
|
||||
protected function generate_salt()
|
||||
{
|
||||
$count = 6;
|
||||
|
||||
$random = $this->helper->get_random_salt($count);
|
||||
|
||||
$salt = $this->get_prefix();
|
||||
$salt .= $this->helper->itoa64[min($count + 5, 30)];
|
||||
$salt .= $this->helper->hash_encode64($random, $count);
|
||||
|
||||
return $salt;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get hash settings
|
||||
*
|
||||
* @param string $hash The hash that contains the settings
|
||||
*
|
||||
* @return bool|array Array containing the count_log2, salt, and full
|
||||
* hash settings string or false if supplied hash is empty
|
||||
* or contains incorrect settings
|
||||
*/
|
||||
public function get_hash_settings($hash)
|
||||
{
|
||||
if (empty($hash))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
$count_log2 = strpos($this->helper->itoa64, $hash[3]);
|
||||
$salt = substr($hash, 4, 8);
|
||||
|
||||
if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return array(
|
||||
'count' => 1 << $count_log2,
|
||||
'salt' => $salt,
|
||||
'full' => substr($hash, 0, 12),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @inheritdoc
|
||||
*/
|
||||
public function get_settings_only($hash, $full = false)
|
||||
{
|
||||
return substr($hash, 3, 9);
|
||||
}
|
||||
}
|
103
phpBB/phpbb/passwords/helper.php
Normal file
103
phpBB/phpbb/passwords/helper.php
Normal file
@ -0,0 +1,103 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class helper
|
||||
{
|
||||
/**
|
||||
* Get hash settings from combined hash
|
||||
*
|
||||
* @param string $hash Password hash of combined hash
|
||||
*
|
||||
* @return array An array containing the hash settings for the hash
|
||||
* types in successive order as described by the combined
|
||||
* password hash or an empty array if hash does not
|
||||
* properly fit the combined hash format
|
||||
*/
|
||||
public function get_combined_hash_settings($hash)
|
||||
{
|
||||
$output = array();
|
||||
|
||||
preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
|
||||
$hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);
|
||||
$matches = explode('\\', $match[1]);
|
||||
foreach ($matches as $cur_type)
|
||||
{
|
||||
$dollar_position = strpos($hash_settings, '$');
|
||||
$output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));
|
||||
$hash_settings = substr($hash_settings, $dollar_position + 1);
|
||||
}
|
||||
|
||||
return $output;
|
||||
}
|
||||
|
||||
/**
|
||||
* Combine hash prefixes, settings, and actual hash
|
||||
*
|
||||
* @param array $data Array containing the keys 'prefix' and 'settings'.
|
||||
* It will hold the prefixes and settings
|
||||
* @param string $type Data type of the supplied value
|
||||
* @param string $value Value that should be put into the data array
|
||||
*
|
||||
* @return string|null Return complete combined hash if type is neither
|
||||
* 'prefix' nor 'settings', nothing if it is
|
||||
*/
|
||||
public function combine_hash_output(&$data, $type, $value)
|
||||
{
|
||||
if ($type == 'prefix')
|
||||
{
|
||||
$data[$type] .= ($data[$type] !== '$') ? '\\' : '';
|
||||
$data[$type] .= str_replace('$', '', $value);
|
||||
}
|
||||
elseif ($type == 'settings')
|
||||
{
|
||||
$data[$type] .= ($data[$type] !== '$') ? '$' : '';
|
||||
$data[$type] .= $value;
|
||||
}
|
||||
else
|
||||
{
|
||||
// Return full hash
|
||||
return $data['prefix'] . $data['settings'] . '$' . $value;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Rebuild hash for hashing functions
|
||||
*
|
||||
* @param string $prefix Hash prefix
|
||||
* @param string $settings Hash settings
|
||||
*
|
||||
* @return string Rebuilt hash for hashing functions
|
||||
*/
|
||||
public function rebuild_hash($prefix, $settings)
|
||||
{
|
||||
$rebuilt_hash = $prefix;
|
||||
if (strpos($settings, '\\') !== false)
|
||||
{
|
||||
$settings = str_replace('\\', '$', $settings);
|
||||
}
|
||||
$rebuilt_hash .= $settings;
|
||||
return $rebuilt_hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* Obtain only the actual hash after the prefixes
|
||||
*
|
||||
* @param string $hash The full password hash
|
||||
* @return string Actual hash (incl. settings)
|
||||
*/
|
||||
public function obtain_hash_only($hash)
|
||||
{
|
||||
return substr($hash, strripos($hash, '$') + 1);
|
||||
}
|
||||
}
|
341
phpBB/phpbb/passwords/manager.php
Normal file
341
phpBB/phpbb/passwords/manager.php
Normal file
@ -0,0 +1,341 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package phpBB3
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
namespace phpbb\passwords;
|
||||
|
||||
/**
|
||||
* @package passwords
|
||||
*/
|
||||
class manager
|
||||
{
|
||||
/**
|
||||
* Default hashing method
|
||||
*/
|
||||
protected $type = false;
|
||||
|
||||
/**
|
||||
* Hashing algorithm type map
|
||||
* Will be used to map hash prefix to type
|
||||
*/
|
||||
protected $type_map = false;
|
||||
|
||||
/**
|
||||
* Service collection of hashing algorithms
|
||||
* Needs to be public for passwords helper
|
||||
*/
|
||||
public $algorithms = false;
|
||||
|
||||
/**
|
||||
* Password convert flag. Signals that password should be converted
|
||||
*/
|
||||
public $convert_flag = false;
|
||||
|
||||
/**
|
||||
* Passwords helper
|
||||
* @var phpbb\passwords\helper
|
||||
*/
|
||||
protected $helper;
|
||||
|
||||
/**
|
||||
* phpBB configuration
|
||||
* @var phpbb\config\config
|
||||
*/
|
||||
protected $config;
|
||||
|
||||
/**
|
||||
* Construct a passwords object
|
||||
*
|
||||
* @param phpbb\config\config $config phpBB configuration
|
||||
* @param array $hashing_algorithms Hashing driver
|
||||
* service collection
|
||||
* @param phpbb\passwords\helper $helper Passwords helper object
|
||||
* @param string $defaults List of default driver types
|
||||
*/
|
||||
public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)
|
||||
{
|
||||
$this->config = $config;
|
||||
$this->helper = $helper;
|
||||
|
||||
$this->fill_type_map($hashing_algorithms);
|
||||
$this->register_default_type($defaults);
|
||||
}
|
||||
|
||||
/**
|
||||
* Register default type
|
||||
* Will register the first supported type from the list of default types
|
||||
*
|
||||
* @param array $defaults List of default types in order from first to
|
||||
* use to last to use
|
||||
*/
|
||||
protected function register_default_type($defaults)
|
||||
{
|
||||
foreach ($defaults as $type)
|
||||
{
|
||||
if ($this->algorithms[$type]->is_supported())
|
||||
{
|
||||
$this->type = $this->algorithms[$type]->get_prefix();
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Fill algorithm type map
|
||||
*
|
||||
* @param phpbb\di\service_collection $hashing_algorithms
|
||||
*/
|
||||
protected function fill_type_map($hashing_algorithms)
|
||||
{
|
||||
foreach ($hashing_algorithms as $algorithm)
|
||||
{
|
||||
if (!isset($this->type_map[$algorithm->get_prefix()]))
|
||||
{
|
||||
$this->type_map[$algorithm->get_prefix()] = $algorithm;
|
||||
}
|
||||
}
|
||||
$this->algorithms = $hashing_algorithms;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the algorithm specified by a specific prefix
|
||||
*
|
||||
* @param string $prefix Password hash prefix
|
||||
*
|
||||
* @return object|bool The hash type object or false if prefix is not
|
||||
* supported
|
||||
*/
|
||||
protected function get_algorithm($prefix)
|
||||
{
|
||||
if (isset($this->type_map[$prefix]))
|
||||
{
|
||||
return $this->type_map[$prefix];
|
||||
}
|
||||
else
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Detect the hash type of the supplied hash
|
||||
*
|
||||
* @param string $hash Password hash that should be checked
|
||||
*
|
||||
* @return object|bool The hash type object or false if the specified
|
||||
* type is not supported
|
||||
*/
|
||||
public function detect_algorithm($hash)
|
||||
{
|
||||
/*
|
||||
* preg_match() will also show hashing algos like $2a\H$, which
|
||||
* is a combination of bcrypt and phpass. Legacy algorithms
|
||||
* like md5 will not be matched by this and need to be treated
|
||||
* differently.
|
||||
*/
|
||||
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
|
||||
{
|
||||
return $this->get_algorithm('$H$');
|
||||
}
|
||||
|
||||
// Be on the lookout for multiple hashing algorithms
|
||||
// 2 is correct: H\2a > 2, H\P > 2
|
||||
if (strlen($match[1]) > 2)
|
||||
{
|
||||
$hash_types = explode('\\', $match[1]);
|
||||
$return_ary = array();
|
||||
foreach ($hash_types as $type)
|
||||
{
|
||||
// we do not support the same hashing
|
||||
// algorithm more than once
|
||||
if (isset($return_ary[$type]))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
$return_ary[$type] = $this->get_algorithm('$' . $type . '$');
|
||||
|
||||
if (empty($return_ary[$type]))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return $return_ary;
|
||||
}
|
||||
|
||||
// get_algorithm() will automatically return false if prefix
|
||||
// is not supported
|
||||
return $this->get_algorithm($match[0]);
|
||||
}
|
||||
|
||||
/**
|
||||
* Hash supplied password
|
||||
*
|
||||
* @param string $password Password that should be hashed
|
||||
* @param string $type Hash type. Will default to standard hash type if
|
||||
* none is supplied
|
||||
* @return string|bool Password hash of supplied password or false if
|
||||
* if something went wrong during hashing
|
||||
*/
|
||||
public function hash($password, $type = '')
|
||||
{
|
||||
if (strlen($password) > 4096)
|
||||
{
|
||||
// If the password is too huge, we will simply reject it
|
||||
// and not let the server try to hash it.
|
||||
return false;
|
||||
}
|
||||
|
||||
// Try to retrieve algorithm by service name if type doesn't
|
||||
// start with dollar sign
|
||||
if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type]))
|
||||
{
|
||||
$type = $this->algorithms[$type]->get_prefix();
|
||||
}
|
||||
|
||||
$type = ($type === '') ? $this->type : $type;
|
||||
|
||||
if (is_array($type))
|
||||
{
|
||||
return $this->combined_hash_password($password, $type);
|
||||
}
|
||||
|
||||
if (isset($this->type_map[$type]))
|
||||
{
|
||||
$hashing_algorithm = $this->type_map[$type];
|
||||
}
|
||||
else
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return $hashing_algorithm->hash($password);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check supplied password against hash and set convert_flag if password
|
||||
* needs to be converted to different format (preferrably newer one)
|
||||
*
|
||||
* @param string $password Password that should be checked
|
||||
* @param string $hash Stored hash
|
||||
* @return string|bool True if password is correct, false if not
|
||||
*/
|
||||
public function check($password, $hash)
|
||||
{
|
||||
if (strlen($password) > 4096)
|
||||
{
|
||||
// If the password is too huge, we will simply reject it
|
||||
// and not let the server try to hash it.
|
||||
return false;
|
||||
}
|
||||
|
||||
// First find out what kind of hash we're dealing with
|
||||
$stored_hash_type = $this->detect_algorithm($hash);
|
||||
if ($stored_hash_type == false)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// Multiple hash passes needed
|
||||
if (is_array($stored_hash_type))
|
||||
{
|
||||
$correct = $this->check_combined_hash($password, $stored_hash_type, $hash);
|
||||
$this->convert_flag = ($correct === true) ? true : false;
|
||||
return $correct;
|
||||
}
|
||||
|
||||
if ($stored_hash_type->get_prefix() !== $this->type)
|
||||
{
|
||||
$this->convert_flag = true;
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->convert_flag = false;
|
||||
}
|
||||
|
||||
return $stored_hash_type->check($password, $hash);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create combined hash from already hashed password
|
||||
*
|
||||
* @param string $password_hash Complete current password hash
|
||||
* @param string $type Type of the hashing algorithm the password hash
|
||||
* should be combined with
|
||||
* @return string|bool Combined password hash if combined hashing was
|
||||
* successful, else false
|
||||
*/
|
||||
public function combined_hash_password($password_hash, $type)
|
||||
{
|
||||
$data = array(
|
||||
'prefix' => '$',
|
||||
'settings' => '$',
|
||||
);
|
||||
$hash_settings = $this->helper->get_combined_hash_settings($password_hash);
|
||||
$hash = $hash_settings[0];
|
||||
|
||||
// Put settings of current hash into data array
|
||||
$stored_hash_type = $this->detect_algorithm($password_hash);
|
||||
$this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix());
|
||||
$this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash));
|
||||
|
||||
// Hash current hash with the defined types
|
||||
foreach ($type as $cur_type)
|
||||
{
|
||||
if (isset($this->algorithms[$cur_type]))
|
||||
{
|
||||
$new_hash_type = $this->algorithms[$cur_type];
|
||||
}
|
||||
else
|
||||
{
|
||||
$new_hash_type = $this->get_algorithm($cur_type);
|
||||
}
|
||||
|
||||
if (!$new_hash_type)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
$new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash));
|
||||
$this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix());
|
||||
$this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0));
|
||||
$hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash));
|
||||
}
|
||||
return $this->helper->combine_hash_output($data, 'hash', $hash);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check combined password hash against the supplied password
|
||||
*
|
||||
* @param string $password Password entered by user
|
||||
* @param array $stored_hash_type An array containing the hash types
|
||||
* as described by stored password hash
|
||||
* @param string $hash Stored password hash
|
||||
*
|
||||
* @return bool True if password is correct, false if not
|
||||
*/
|
||||
public function check_combined_hash($password, $stored_hash_type, $hash)
|
||||
{
|
||||
$i = 0;
|
||||
$data = array(
|
||||
'prefix' => '$',
|
||||
'settings' => '$',
|
||||
);
|
||||
$hash_settings = $this->helper->get_combined_hash_settings($hash);
|
||||
foreach ($stored_hash_type as $key => $hash_type)
|
||||
{
|
||||
$rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]);
|
||||
$this->helper->combine_hash_output($data, 'prefix', $key);
|
||||
$this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]);
|
||||
$cur_hash = $hash_type->hash($password, $rebuilt_hash);
|
||||
$password = str_replace($rebuilt_hash, '', $cur_hash);
|
||||
$i++;
|
||||
}
|
||||
return ($hash === $this->helper->combine_hash_output($data, 'hash', $password));
|
||||
}
|
||||
}
|
@ -18,6 +18,21 @@
|
||||
<value>1</value>
|
||||
<value>foobar</value>
|
||||
<value>foobar</value>
|
||||
<value>$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value>example@example.com</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
</row>
|
||||
<row>
|
||||
<value>2</value>
|
||||
<value>foobar2</value>
|
||||
<value>foobar2</value>
|
||||
<value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
|
48
tests/auth/fixtures/user_533.xml
Normal file
48
tests/auth/fixtures/user_533.xml
Normal file
@ -0,0 +1,48 @@
|
||||
<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<dataset>
|
||||
<table name="phpbb_users">
|
||||
<column>user_id</column>
|
||||
<column>username</column>
|
||||
<column>username_clean</column>
|
||||
<column>user_password</column>
|
||||
<column>user_passchg</column>
|
||||
<column>user_pass_convert</column>
|
||||
<column>user_email</column>
|
||||
<column>user_type</column>
|
||||
<column>user_login_attempts</column>
|
||||
<column>user_permissions</column>
|
||||
<column>user_sig</column>
|
||||
<column>user_occ</column>
|
||||
<column>user_interests</column>
|
||||
<row>
|
||||
<value>1</value>
|
||||
<value>foobar</value>
|
||||
<value>foobar</value>
|
||||
<value>$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value>example@example.com</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
</row>
|
||||
<row>
|
||||
<value>2</value>
|
||||
<value>foobar2</value>
|
||||
<value>foobar2</value>
|
||||
<value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value>example@example.com</value>
|
||||
<value>0</value>
|
||||
<value>0</value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
<value></value>
|
||||
</row>
|
||||
</table>
|
||||
</dataset>
|
@ -26,13 +26,40 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case
|
||||
$config = new \phpbb\config\config(array());
|
||||
$this->request = $this->getMock('\phpbb\request\request');
|
||||
$this->user = $this->getMock('\phpbb\user');
|
||||
$driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
$passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),
|
||||
);
|
||||
|
||||
$this->provider = new \phpbb\auth\provider\apache($db, $config, $this->request, $this->user, $phpbb_root_path, $phpEx);
|
||||
$passwords_helper = new \phpbb\passwords\helper;
|
||||
// Set up passwords manager
|
||||
$passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
|
||||
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
$this->password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi';
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i';
|
||||
}
|
||||
|
||||
$this->provider = new \phpbb\auth\provider\apache($db, $config, $passwords_manager, $this->request, $this->user, $phpbb_root_path, $phpEx);
|
||||
}
|
||||
|
||||
public function getDataSet()
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');
|
||||
if ((version_compare(PHP_VERSION, '5.3.7', '<')))
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml');
|
||||
}
|
||||
else
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@ -79,7 +106,7 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case
|
||||
'user_row' => array(
|
||||
'user_id' => '1',
|
||||
'username' => 'foobar',
|
||||
'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/',
|
||||
'user_password' => $this->password_hash,
|
||||
'user_passchg' => '0',
|
||||
'user_email' => 'example@example.com',
|
||||
'user_type' => '0',
|
||||
@ -115,7 +142,7 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case
|
||||
'user_regdate' => '0',
|
||||
'username' => 'foobar',
|
||||
'username_clean' => 'foobar',
|
||||
'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/',
|
||||
'user_password' => $this->password_hash,
|
||||
'user_passchg' => '0',
|
||||
'user_pass_convert' => '0',
|
||||
'user_email' => 'example@example.com',
|
||||
|
@ -14,7 +14,14 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case
|
||||
{
|
||||
public function getDataSet()
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');
|
||||
if ((version_compare(PHP_VERSION, '5.3.7', '<')))
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml');
|
||||
}
|
||||
else
|
||||
{
|
||||
return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');
|
||||
}
|
||||
}
|
||||
|
||||
public function test_login()
|
||||
@ -29,7 +36,27 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case
|
||||
));
|
||||
$request = $this->getMock('\phpbb\request\request');
|
||||
$user = $this->getMock('\phpbb\user');
|
||||
$provider = new \phpbb\auth\provider\db($db, $config, $request, $user, $phpbb_root_path, $phpEx);
|
||||
$driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
$passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),
|
||||
);
|
||||
|
||||
$passwords_helper = new \phpbb\passwords\helper;
|
||||
// Set up passwords manager
|
||||
$passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
|
||||
|
||||
$provider = new \phpbb\auth\provider\db($db, $config, $passwords_manager, $request, $user, $phpbb_root_path, $phpEx);
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
$password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi';
|
||||
}
|
||||
else
|
||||
{
|
||||
$password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i';
|
||||
}
|
||||
|
||||
$expected = array(
|
||||
'status' => LOGIN_SUCCESS,
|
||||
@ -37,7 +64,7 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case
|
||||
'user_row' => array(
|
||||
'user_id' => '1',
|
||||
'username' => 'foobar',
|
||||
'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/',
|
||||
'user_password' => $password_hash,
|
||||
'user_passchg' => '0',
|
||||
'user_pass_convert' => '0',
|
||||
'user_email' => 'example@example.com',
|
||||
@ -47,5 +74,10 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case
|
||||
);
|
||||
|
||||
$this->assertEquals($expected, $provider->login('foobar', 'example'));
|
||||
|
||||
// Check if convert works
|
||||
$login_return = $provider->login('foobar2', 'example');
|
||||
$password_start = (version_compare(PHP_VERSION, '5.3.7', '<')) ? '$2a$10$' : '$2y$10$';
|
||||
$this->assertStringStartsWith($password_start, $login_return['user_row']['user_password']);
|
||||
}
|
||||
}
|
||||
|
55
tests/functional/forum_password_test.php
Normal file
55
tests/functional/forum_password_test.php
Normal file
@ -0,0 +1,55 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package testing
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
/**
|
||||
* @group functional
|
||||
*/
|
||||
class phpbb_functional_forum_password_test extends phpbb_functional_test_case
|
||||
{
|
||||
public function test_setup_forum_with_password()
|
||||
{
|
||||
$this->login();
|
||||
$this->admin_login();
|
||||
|
||||
$crawler = self::request('GET', "adm/index.php?i=acp_forums&mode=manage&sid={$this->sid}");
|
||||
$form = $crawler->selectButton('addforum')->form(array(
|
||||
'forum_name' => 'Password protected',
|
||||
));
|
||||
$crawler = self::submit($form);
|
||||
$form = $crawler->selectButton('update')->form(array(
|
||||
'forum_perm_from' => 2,
|
||||
'forum_password' => 'foobar',
|
||||
'forum_password_confirm' => 'foobar',
|
||||
));
|
||||
$crawler = self::submit($form);
|
||||
}
|
||||
|
||||
public function data_enter_forum_with_password()
|
||||
{
|
||||
return array(
|
||||
array('foowrong', 'WRONG_PASSWORD'),
|
||||
array('foobar', 'NO_TOPICS'),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_enter_forum_with_password
|
||||
*/
|
||||
public function test_enter_forum_with_password($password, $message)
|
||||
{
|
||||
$crawler = self::request('GET', "index.php?sid={$this->sid}");
|
||||
preg_match('/.?f=([0-9])/', $crawler->selectLink('Password protected')->link()->getUri(), $match);
|
||||
$crawler = self::request('GET', "viewforum.php?f={$match[1]}&sid={$this->sid}");
|
||||
$form = $crawler->selectButton('login')->form(array(
|
||||
'password' => $password,
|
||||
));
|
||||
$crawler = self::submit($form);
|
||||
$this->assertContainsLang($message, $crawler->text());
|
||||
}
|
||||
}
|
81
tests/passwords/drivers_test.php
Normal file
81
tests/passwords/drivers_test.php
Normal file
@ -0,0 +1,81 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package testing
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
class phpbb_passwords_helper_test extends PHPUnit_Framework_TestCase
|
||||
{
|
||||
public function setUp()
|
||||
{
|
||||
// Prepare dependencies for drivers
|
||||
$config = new \phpbb\config\config(array());
|
||||
$this->driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
|
||||
$this->passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),
|
||||
);
|
||||
}
|
||||
|
||||
public function data_helper_encode64()
|
||||
{
|
||||
return array(
|
||||
array('foobar', 6, 'axqPW3aQ'),
|
||||
array('foobar', 7, 'axqPW3aQ..'),
|
||||
array('foobar', 5, 'axqPW34'),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_helper_encode64
|
||||
*/
|
||||
public function test_helper_encode64($input, $length, $output)
|
||||
{
|
||||
$return = $this->driver_helper->hash_encode64($input, $length);
|
||||
$this->assertEquals($output, $return);
|
||||
}
|
||||
|
||||
public function data_get_random_salt()
|
||||
{
|
||||
return array(
|
||||
array(24, false),
|
||||
array(24, '/dev/foobar'),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_get_random_salt
|
||||
*/
|
||||
public function test_get_random_salt($length, $rand_seed)
|
||||
{
|
||||
$rand_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed);
|
||||
$start = microtime(true);
|
||||
|
||||
// Run each test for max. 1 second
|
||||
while ((microtime(true) - $start) < 1)
|
||||
{
|
||||
$urandom_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed);
|
||||
$this->assertEquals($length, strlen($urandom_string));
|
||||
$this->assertNotEquals($rand_string, $urandom_string);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_get_hash_settings_salted_md5()
|
||||
{
|
||||
$settings = $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings('$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1');
|
||||
$this->assertEquals(array(
|
||||
'count' => pow(2, 11),
|
||||
'salt' => 'isfrtKXW',
|
||||
'full' => '$H$9isfrtKXW',
|
||||
),
|
||||
$settings
|
||||
);
|
||||
$this->assertEquals(false, $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings(false));
|
||||
}
|
||||
}
|
295
tests/passwords/manager_test.php
Normal file
295
tests/passwords/manager_test.php
Normal file
@ -0,0 +1,295 @@
|
||||
<?php
|
||||
/**
|
||||
*
|
||||
* @package testing
|
||||
* @copyright (c) 2013 phpBB Group
|
||||
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
||||
*
|
||||
*/
|
||||
|
||||
class phpbb_passwords_manager_test extends PHPUnit_Framework_TestCase
|
||||
{
|
||||
protected $passwords_drivers;
|
||||
|
||||
protected $pw_characters = '0123456789abcdefghijklmnopqrstuvwyzABCDEFGHIJKLMNOPQRSTUVXYZ.,_!?/\\';
|
||||
|
||||
protected $default_pw = 'foobar';
|
||||
|
||||
public function setUp()
|
||||
{
|
||||
// Prepare dependencies for manager and driver
|
||||
$config = new \phpbb\config\config(array());
|
||||
$this->driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
|
||||
$this->passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),
|
||||
);
|
||||
|
||||
$this->helper = new \phpbb\passwords\helper;
|
||||
// Set up passwords manager
|
||||
$this->manager = new \phpbb\passwords\manager($config, $this->passwords_drivers, $this->helper, array_keys($this->passwords_drivers));
|
||||
}
|
||||
|
||||
public function hash_password_data()
|
||||
{
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
return array(
|
||||
array('', '2a', 60),
|
||||
array('passwords.driver.bcrypt_2y', '2a', 60),
|
||||
array('passwords.driver.bcrypt', '2a', 60),
|
||||
array('passwords.driver.salted_md5', 'H', 34),
|
||||
array('passwords.driver.foobar', '', false),
|
||||
);
|
||||
}
|
||||
else
|
||||
{
|
||||
return array(
|
||||
array('', '2y', 60),
|
||||
array('passwords.driver.bcrypt_2y', '2y', 60),
|
||||
array('passwords.driver.bcrypt', '2a', 60),
|
||||
array('passwords.driver.salted_md5', 'H', 34),
|
||||
array('passwords.driver.foobar', '', false),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider hash_password_data
|
||||
*/
|
||||
public function test_hash_password($type, $prefix, $length)
|
||||
{
|
||||
$password = $this->default_pw;
|
||||
|
||||
if (!$length)
|
||||
{
|
||||
$this->assertEquals(false, $hash = $this->manager->hash($password, $type));
|
||||
return;
|
||||
}
|
||||
$time = microtime(true);
|
||||
|
||||
// Limit each test to 1 second
|
||||
while ((microtime(true) - $time) < 1)
|
||||
{
|
||||
$hash = $this->manager->hash($password, $type);
|
||||
preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
|
||||
$this->assertEquals($prefix, $match[1]);
|
||||
$this->assertEquals($length, strlen($hash));
|
||||
$password .= $this->pw_characters[mt_rand(0, 66)];
|
||||
}
|
||||
}
|
||||
|
||||
public function check_password_data()
|
||||
{
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
return array(
|
||||
array('passwords.driver.bcrypt'),
|
||||
array('passwords.driver.salted_md5'),
|
||||
array('passwords.driver.phpass'),
|
||||
);
|
||||
}
|
||||
else
|
||||
{
|
||||
return array(
|
||||
array('passwords.driver.bcrypt_2y'),
|
||||
array('passwords.driver.bcrypt'),
|
||||
array('passwords.driver.salted_md5'),
|
||||
array('passwords.driver.phpass'),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider check_password_data
|
||||
*/
|
||||
public function test_check_password($hash_type)
|
||||
{
|
||||
$password = $this->default_pw;
|
||||
$time = microtime(true);
|
||||
// Limit each test to 1 second
|
||||
while ((microtime(true) - $time) < 1)
|
||||
{
|
||||
$hash = $this->manager->hash($password, $hash_type);
|
||||
$this->assertEquals(true, $this->manager->check($password, $hash));
|
||||
$password .= $this->pw_characters[mt_rand(0, 66)];
|
||||
$this->assertEquals(false, $this->manager->check($password, $hash));
|
||||
}
|
||||
|
||||
// Check if convert_flag is correctly set
|
||||
$default_type = (version_compare(PHP_VERSION, '5.3.7', '<')) ? 'passwords.driver.bcrypt' : 'passwords.driver.bcrypt_2y';
|
||||
$this->assertEquals(($hash_type !== $default_type), $this->manager->convert_flag);
|
||||
}
|
||||
|
||||
|
||||
public function check_hash_exceptions_data()
|
||||
{
|
||||
return array(
|
||||
array('foobar', '3858f62230ac3c915f300c664312c63f', true),
|
||||
array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false),
|
||||
array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false),
|
||||
array('foobar', '$H$kklk938d023k//k3023', false),
|
||||
array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false),
|
||||
array('foobar', '$2a$kwiweorurlaeirw', false),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider check_hash_exceptions_data
|
||||
*/
|
||||
public function test_check_hash_exceptions($password, $hash, $expected)
|
||||
{
|
||||
$this->assertEquals($expected, $this->manager->check($password, $hash));
|
||||
}
|
||||
|
||||
public function data_hash_password_length()
|
||||
{
|
||||
return array(
|
||||
array('passwords.driver.bcrypt', false),
|
||||
array('passwords.driver.bcrypt_2y', false),
|
||||
array('passwords.driver.salted_md5', '3858f62230ac3c915f300c664312c63f'),
|
||||
array('passwords.driver.phpass', '3858f62230ac3c915f300c664312c63f'),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_hash_password_length
|
||||
*/
|
||||
public function test_hash_password_length($driver, $expected)
|
||||
{
|
||||
$this->assertEquals($expected, $this->passwords_drivers[$driver]->hash('foobar', 'foobar'));
|
||||
}
|
||||
|
||||
public function test_hash_password_8bit_bcrypt()
|
||||
{
|
||||
$this->assertEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt'));
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
$this->assertEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt_2y'));
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->assertNotEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt_2y'));
|
||||
}
|
||||
}
|
||||
|
||||
public function test_combined_hash_data()
|
||||
{
|
||||
if (version_compare(PHP_VERSION, '5.3.7', '<'))
|
||||
{
|
||||
return array(
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.bcrypt'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.phpass',
|
||||
array('passwords.driver.salted_md5'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.phpass', 'passwords.driver.bcrypt'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.salted_md5'),
|
||||
false,
|
||||
),
|
||||
array(
|
||||
'$H$',
|
||||
array('$2a$'),
|
||||
),
|
||||
);
|
||||
}
|
||||
else
|
||||
{
|
||||
return array(
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.bcrypt_2y'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.bcrypt'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.phpass',
|
||||
array('passwords.driver.salted_md5'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.bcrypt_2y', 'passwords.driver.bcrypt'),
|
||||
),
|
||||
array(
|
||||
'passwords.driver.salted_md5',
|
||||
array('passwords.driver.salted_md5'),
|
||||
false,
|
||||
),
|
||||
array(
|
||||
'passwords.driver.bcrypt_2y',
|
||||
array('passwords.driver.salted_md4'),
|
||||
false,
|
||||
),
|
||||
array(
|
||||
'$H$',
|
||||
array('$2y$'),
|
||||
),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider test_combined_hash_data
|
||||
*/
|
||||
public function test_combined_hash_password($first_type, $second_type, $expected = true)
|
||||
{
|
||||
$password = $this->default_pw;
|
||||
$time = microtime(true);
|
||||
// Limit each test to 1 second
|
||||
while ((microtime(true) - $time) < 1)
|
||||
{
|
||||
$hash = $this->manager->hash($password, $first_type);
|
||||
$combined_hash = $this->manager->hash($hash, $second_type);
|
||||
$this->assertEquals($expected, $this->manager->check($password, $combined_hash));
|
||||
$password .= $this->pw_characters[mt_rand(0, 66)];
|
||||
$this->assertEquals(false, $this->manager->check($password, $combined_hash));
|
||||
|
||||
// If we are expecting the check to fail then there is
|
||||
// no need to run this more than once
|
||||
if (!$expected)
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public function test_unique_id()
|
||||
{
|
||||
$time = microtime(true);
|
||||
$first_id = $this->driver_helper->unique_id();
|
||||
// Limit test to 1 second
|
||||
while ((microtime(true) - $time) < 1)
|
||||
{
|
||||
$this->assertNotEquals($first_id, $this->driver_helper->unique_id());
|
||||
}
|
||||
}
|
||||
|
||||
public function test_check_hash_with_large_input()
|
||||
{
|
||||
// 16 MB password, should be rejected quite fast
|
||||
$start_time = time();
|
||||
$this->assertFalse($this->manager->check(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
|
||||
$this->assertLessThanOrEqual(5, time() - $start_time);
|
||||
}
|
||||
|
||||
public function test_hash_password_with_large_input()
|
||||
{
|
||||
// 16 MB password, should be rejected quite fast
|
||||
$start_time = time();
|
||||
$this->assertFalse($this->manager->hash(str_repeat('a', 1024 * 1024 * 16)));
|
||||
$this->assertLessThanOrEqual(5, time() - $start_time);
|
||||
}
|
||||
}
|
@ -11,6 +11,31 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
|
||||
|
||||
class phpbb_security_hash_test extends phpbb_test_case
|
||||
{
|
||||
public function setUp()
|
||||
{
|
||||
global $phpbb_container;
|
||||
|
||||
$config = new \phpbb\config\config(array());
|
||||
$phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface');
|
||||
$driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
$passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),
|
||||
);
|
||||
|
||||
$passwords_helper = new \phpbb\passwords\helper;
|
||||
// Set up passwords manager
|
||||
$passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
|
||||
|
||||
$phpbb_container
|
||||
->expects($this->any())
|
||||
->method('get')
|
||||
->with('passwords.manager')
|
||||
->will($this->returnValue($passwords_manager));
|
||||
}
|
||||
|
||||
public function test_check_hash_with_phpass()
|
||||
{
|
||||
$this->assertTrue(phpbb_check_hash('test', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
|
||||
|
@ -503,6 +503,7 @@ class phpbb_functional_test_case extends phpbb_test_case
|
||||
set_config(null, null, null, $config);
|
||||
set_config_count(null, null, null, $config);
|
||||
$phpbb_dispatcher = new phpbb_mock_event_dispatcher();
|
||||
$passwords_manager = $this->get_passwords_manager();
|
||||
|
||||
$user_row = array(
|
||||
'username' => $username,
|
||||
@ -512,7 +513,7 @@ class phpbb_functional_test_case extends phpbb_test_case
|
||||
'user_lang' => 'en',
|
||||
'user_timezone' => 0,
|
||||
'user_dateformat' => '',
|
||||
'user_password' => phpbb_hash($username . $username),
|
||||
'user_password' => $passwords_manager->hash($username . $username),
|
||||
);
|
||||
return user_add($user_row);
|
||||
}
|
||||
@ -997,4 +998,29 @@ class phpbb_functional_test_case extends phpbb_test_case
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a passwords manager instance
|
||||
*
|
||||
* @return phpbb\passwords\manager
|
||||
*/
|
||||
public function get_passwords_manager()
|
||||
{
|
||||
// Prepare dependencies for manager and driver
|
||||
$config = new \phpbb\config\config(array());
|
||||
$driver_helper = new \phpbb\passwords\driver\helper($config);
|
||||
|
||||
$passwords_drivers = array(
|
||||
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),
|
||||
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),
|
||||
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),
|
||||
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),
|
||||
);
|
||||
|
||||
$passwords_helper = new \phpbb\passwords\helper;
|
||||
// Set up passwords manager
|
||||
$manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));
|
||||
|
||||
return $manager;
|
||||
}
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user