mirror of
https://github.com/phpbb/phpbb.git
synced 2025-02-24 12:03:21 +01:00
fbdbf41dc8
Combined hashes can be used for i.e. converting already existing
password hashes to bcrypt. While this will not provide the same security
a pure bcrypt hash provides, it will still be significantly more secure
than a standard salted md5.
A combined hash will look as follows:
$H\2y${salted_for_H_prefix}${salt_+_settings_for_2y_prefix}${hash}
The prefixes are seperated by a backslash. Individual settings (which
can include either just the salt or a salt and possible additional settings)
are seperated by dollar signs. As backslashes and dollar signs are not
allowed in hashes or salts, they will be used for seperating the settings
from the salt.
Here is an example of a password hash:
$H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$/oN1O0cdUmFSMZT3UZKrgAyalhnt1LC
The 'H' prefix stands for the salted md5 implementation of phpBB 3.0.
Its settings will be parsed as 9zv1uIaq1 resulting in a hash for the check
as follows:
$H$9zv1uIaq1{hash}
Since the password is used for hashing, the {hash} can be left blank and
will basically be filled by the hashing algorithm. The {hash} will then be
used as password for the next hashing algorithm. In this case that would be
the bcrypt algorithm. The settings are set to 10\1ff4640409fb96a449c1fO which
will be transformed to 10$1ff4640409fb96a449c1fO resulting in a hash like
this for the bcrypt hashing function:
$2a$10$1ff4640409fb96a449c1fO{hash}
The {hash} will again be basically filled by the hashing algorithm.
Afterwards, the {hash} will be extracted from the returned hash and put at
the end of the already known hash settings:
$H\2a$9zv1uIaq1$10\1ff4640409fb96a449c1fO$
If the password is correct, the combined hash will of course be the same
as the stored one.
PHPBB3-11610
141 lines
3.5 KiB
PHP
141 lines
3.5 KiB
PHP
<?php
|
|
/**
|
|
*
|
|
* @package phpBB3
|
|
* @copyright (c) 2013 phpBB Group
|
|
* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* @ignore
|
|
*/
|
|
if (!defined('IN_PHPBB'))
|
|
{
|
|
exit;
|
|
}
|
|
|
|
/**
|
|
* @package crypto
|
|
*/
|
|
class phpbb_crypto_helper
|
|
{
|
|
/**
|
|
* @var phpbb_crypto_manager
|
|
*/
|
|
protected $manager;
|
|
|
|
/**
|
|
* Construct a phpbb_crypto_helper object
|
|
*
|
|
* @param phpbb_crypto_manager $manager Crypto manager object
|
|
*/
|
|
public function __construct($manager)
|
|
{
|
|
$this->manager = $manager;
|
|
}
|
|
|
|
/**
|
|
* Get hash settings from combined hash
|
|
*
|
|
* @param string $hash Password hash of combined hash
|
|
*
|
|
* @return array An array containing the hash settings for the hash
|
|
* types in successive order as described by the comined
|
|
* password hash
|
|
*/
|
|
protected function get_combined_hash_settings($hash)
|
|
{
|
|
preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
|
|
$hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);
|
|
foreach ($match as $cur_type)
|
|
{
|
|
$dollar_position = strpos($hash_settings, '$');
|
|
$output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));
|
|
$hash_settings = substr($hash_settings, $dollar_position + 1);
|
|
}
|
|
|
|
return $output;
|
|
}
|
|
|
|
/**
|
|
* Check combined password hash against the supplied password
|
|
*
|
|
* @param string $password Password entered by user
|
|
* @param array $stored_hash_type An array containing the hash types
|
|
* as described by stored password hash
|
|
* @param string $hash Stored password hash
|
|
*
|
|
* @return bool True if password is correct, false if not
|
|
*/
|
|
public function check_combined_hash($password, $stored_hash_type, $hash)
|
|
{
|
|
$cur_hash = '';
|
|
$i = 0;
|
|
$data = array(
|
|
'prefix' => '$',
|
|
'settings' => '$',
|
|
);
|
|
$hash_settings = $this->get_combined_hash_settings($hash);
|
|
foreach ($stored_hash_type as $key => $hash_type)
|
|
{
|
|
$rebuilt_hash = $this->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]);
|
|
$this->combine_hash_output($data, 'prefix', $key);
|
|
$this->combine_hash_output($data, 'settings', $hash_settings[$i]);
|
|
$cur_hash = $hash_type->hash($password, $rebuilt_hash);
|
|
$password = str_replace($rebuilt_hash, '', $cur_hash);
|
|
$i++;
|
|
}
|
|
return ($hash === $this->combine_hash_output($data, 'hash', $password));
|
|
}
|
|
|
|
/**
|
|
* Combine hash prefixes, settings, and actual hash
|
|
*
|
|
* @param array $data Array containing the keys 'prefix' and 'settings'.
|
|
* It will hold the prefixes and settings
|
|
* @param string $type Data type of the supplied value
|
|
* @param string $value Value that should be put into the data array
|
|
*
|
|
* @return string|none Return complete combined hash if type is neither
|
|
* 'prefix' nor 'settings', nothing if it is
|
|
*/
|
|
protected function combine_hash_output(&$data, $type, $value)
|
|
{
|
|
if ($type == 'prefix')
|
|
{
|
|
$data[$type] .= ($data[$type] !== '$') ? '\\' : '';
|
|
$data[$type] .= $value;
|
|
}
|
|
elseif ($type == 'settings')
|
|
{
|
|
$data[$type] .= ($data[$type] !== '$') ? '$' : '';
|
|
$data[$type] .= $value;
|
|
}
|
|
else
|
|
{
|
|
// Return full hash
|
|
return $data['prefix'] . $data['settings'] . '$' . $value;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Rebuild hash for hashing functions
|
|
*
|
|
* @param string $prefix Hash prefix
|
|
* @param string $settings Hash settings
|
|
*
|
|
* @return string Rebuilt hash for hashing functions
|
|
*/
|
|
protected function rebuild_hash($prefix, $settings)
|
|
{
|
|
$rebuilt_hash = $prefix;
|
|
if (strpos($settings, '\\') !== false)
|
|
{
|
|
$settings = str_replace('\\', '$', $settings);
|
|
}
|
|
$rebuilt_hash .= $settings;
|
|
return $rebuilt_hash;
|
|
}
|
|
}
|