From 19512b2595cef521099a95b1ab8c24dbe51c5b2f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 14 Sep 2013 14:04:48 +0200 Subject: [feature/passwords] Rename "crypto" files to "passwords" files PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 210 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 phpBB/phpbb/passwords/manager.php (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php new file mode 100644 index 0000000000..9477ef5c2b --- /dev/null +++ b/phpBB/phpbb/passwords/manager.php @@ -0,0 +1,210 @@ +config = $config; + $this->container = $container; + $this->type = $default; + + $this->fill_type_map($hashing_algorithms); + $this->load_passwords_helper(); + } + + /** + * Fill algorithm type map + * + * @param phpbb_di_service_collection $hashing_algorithms + */ + protected function fill_type_map($hashing_algorithms) + { + foreach ($hashing_algorithms as $algorithm) + { + if (!isset($this->type_map[$algorithm->get_prefix()])) + { + $this->type_map[$algorithm->get_prefix()] = $algorithm; + } + } + } + + /** + * Load passwords helper class + */ + protected function load_passwords_helper() + { + if ($this->helper === null) + { + $this->helper = new phpbb_passwords_helper($this, $this->container); + } + } + + /** + * Get the hash type from the supplied hash + * + * @param string $hash Password hash that should be checked + * + * @return object The hash type object + */ + public function get_hashing_algorithm($hash) + { + /* + * preg_match() will also show hashing algos like $2a\H$, which + * is a combination of bcrypt and phpass. Legacy algorithms + * like md5 will not be matched by this and need to be treated + * differently. + */ + if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) + { + return $this->type_map['$H$']; + } + + // Be on the lookout for multiple hashing algorithms + // 2 is correct: H\2a > 2, H\P > 2 + if (strlen($match[1]) > 2) + { + $hash_types = explode('\\', $match[1]); + $return_ary = array(); + foreach ($hash_types as $type) + { + if (isset($this->type_map["\${$type}\$"])) + { + // we do not support the same hashing + // algorithm more than once + if (isset($return_ary[$type])) + { + return false; + } + $return_ary[$type] = $this->type_map["\${$type}\$"]; + } + else + { + return false; + } + } + return $return_ary; + } + if (isset($this->type_map[$match[0]])) + { + return $this->type_map[$match[0]]; + } + else + { + return false; + } + } + + /** + * Hash supplied password + * + * @param string $password Password that should be hashed + * @param string $type Hash type. Will default to standard hash type if + * none is supplied + * @return string|bool Password hash of supplied password or false if + * if something went wrong during hashing + */ + public function hash_password($password, $type = '') + { + $type = ($type === '') ? $this->type : $type; + + if (is_array($type)) + { + return $this->helper->combined_hash_password($password, $type); + } + + $hashing_algorithm = $this->container->get($type); + // Do not support 8-bit characters with $2a$ bcrypt + if ($type === 'passwords.driver.bcrypt' || ($type === 'passwords.driver.bcrypt_2y' && !$hashing_algorithm->is_supported())) + { + if (ord($password[strlen($password)-1]) & 128) + { + return false; + } + } + + return $this->container->get($type)->hash($password); + } + + public function check_hash($password, $hash) + { + // First find out what kind of hash we're dealing with + $stored_hash_type = $this->get_hashing_algorithm($hash); + if ($stored_hash_type == false) + { + return false; + } + + // Multiple hash passes needed + if (is_array($stored_hash_type)) + { + return $this->helper->check_combined_hash($password, $stored_hash_type, $hash); + } + + if ($stored_hash_type->get_name() !== $this->type) + { + $this->convert_flag = true; + } + else + { + $this->convert_flag = false; + } + + return $stored_hash_type->check($password, $hash); + } +} -- cgit v1.2.1 From beafef00004007024d3c8c769d630d7d5ec9b698 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 14 Sep 2013 14:17:14 +0200 Subject: [feature/passwords] Add missing function documentation Additionally, a new line has been added to make the code look nicer. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 9477ef5c2b..da6d65c487 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -140,6 +140,7 @@ class phpbb_passwords_manager } return $return_ary; } + if (isset($this->type_map[$match[0]])) { return $this->type_map[$match[0]]; @@ -169,7 +170,9 @@ class phpbb_passwords_manager } $hashing_algorithm = $this->container->get($type); + // Do not support 8-bit characters with $2a$ bcrypt + // Also see http://www.php.net/security/crypt_blowfish.php if ($type === 'passwords.driver.bcrypt' || ($type === 'passwords.driver.bcrypt_2y' && !$hashing_algorithm->is_supported())) { if (ord($password[strlen($password)-1]) & 128) @@ -181,6 +184,14 @@ class phpbb_passwords_manager return $this->container->get($type)->hash($password); } + /** + * Check supplied password against hash and set convert_flag if password + * needs to be converted to different format (preferrably newer one) + * + * @param string $password Password that should be checked + * @param string $hash Stored hash + * @return string|bool True if password is correct, false if not + */ public function check_hash($password, $hash) { // First find out what kind of hash we're dealing with -- cgit v1.2.1 From a00854c406215d787465422d7ea7def8c24180f5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 20 Sep 2013 17:31:32 +0200 Subject: [feature/passwords] Do not pass phpbb_container to passwords manager PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 102 ++++++++++++++++++++++++-------------- 1 file changed, 66 insertions(+), 36 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index da6d65c487..cf6eddd135 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -26,12 +26,19 @@ class phpbb_passwords_manager protected $type = false; /** - * Hashing algorithm types + * Hashing algorithm type map + * Will be used to map hash prefix to type */ protected $type_map = false; /** - * Password convert flag. Password should be converted + * Service collection of hashing algorithms + * Needs to be public for passwords helper + */ + public $algorithms = false; + + /** + * Password convert flag. Signals that password should be converted */ public $convert_flag = false; @@ -47,21 +54,17 @@ class phpbb_passwords_manager */ protected $config; - /** - * phpBB compiled container - * @var service_container - */ - protected $container; - /** * Construct a passwords object * * @param phpbb_config $config phpBB configuration + * @param phpbb_di_service_collection $hashing_algorithms Hashing driver + * service collection + * @param string $default Default driver name */ - public function __construct($config, $container, $hashing_algorithms, $default) + public function __construct($config, $hashing_algorithms, $default) { $this->config = $config; - $this->container = $container; $this->type = $default; $this->fill_type_map($hashing_algorithms); @@ -77,9 +80,14 @@ class phpbb_passwords_manager { foreach ($hashing_algorithms as $algorithm) { + if (!isset($this->algorithms[$algorithm->get_name()])) + { + $this->algorithms[$algorithm->get_name()] = $algorithm; + } + if (!isset($this->type_map[$algorithm->get_prefix()])) { - $this->type_map[$algorithm->get_prefix()] = $algorithm; + $this->type_map[$algorithm->get_prefix()] = $algorithm->get_name(); } } } @@ -91,18 +99,38 @@ class phpbb_passwords_manager { if ($this->helper === null) { - $this->helper = new phpbb_passwords_helper($this, $this->container); + $this->helper = new phpbb_passwords_helper($this); } } /** - * Get the hash type from the supplied hash + * Get the algorithm specified by a specific prefix * - * @param string $hash Password hash that should be checked + * @param string $prefix Password hash prefix * * @return object The hash type object */ - public function get_hashing_algorithm($hash) + protected function get_algorithm($prefix) + { + if (isset($this->type_map[$prefix]) && isset($this->algorithms[$this->type_map[$prefix]])) + { + return $this->algorithms[$this->type_map[$prefix]]; + } + else + { + return false; + } + } + + /** + * Detect the hash type of the supplied hash + * + * @param string $hash Password hash that should be checked + * + * @return object|bool The hash type object or false if the specified + * type is not supported + */ + public function detect_algorithm($hash) { /* * preg_match() will also show hashing algos like $2a\H$, which @@ -112,7 +140,7 @@ class phpbb_passwords_manager */ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) { - return $this->type_map['$H$']; + return $this->get_algorithm('$H$'); } // Be on the lookout for multiple hashing algorithms @@ -123,32 +151,27 @@ class phpbb_passwords_manager $return_ary = array(); foreach ($hash_types as $type) { - if (isset($this->type_map["\${$type}\$"])) + // we do not support the same hashing + // algorithm more than once + if (isset($return_ary[$type])) { - // we do not support the same hashing - // algorithm more than once - if (isset($return_ary[$type])) - { - return false; - } - $return_ary[$type] = $this->type_map["\${$type}\$"]; + return false; } - else + + $return_ary[$type] = $this->get_algorithm("\${$type}\$"); + + if (empty($return_ary[$type])) { + return false; } } return $return_ary; } - if (isset($this->type_map[$match[0]])) - { - return $this->type_map[$match[0]]; - } - else - { - return false; - } + // get_algorithm() will automatically return false if prefix + // is not supported + return $this->get_algorithm($match[0]); } /** @@ -169,7 +192,14 @@ class phpbb_passwords_manager return $this->helper->combined_hash_password($password, $type); } - $hashing_algorithm = $this->container->get($type); + if (isset($this->algorithms[$type])) + { + $hashing_algorithm = $this->algorithms[$type]; + } + else + { + return false; + } // Do not support 8-bit characters with $2a$ bcrypt // Also see http://www.php.net/security/crypt_blowfish.php @@ -181,7 +211,7 @@ class phpbb_passwords_manager } } - return $this->container->get($type)->hash($password); + return $hashing_algorithm->hash($password); } /** @@ -195,7 +225,7 @@ class phpbb_passwords_manager public function check_hash($password, $hash) { // First find out what kind of hash we're dealing with - $stored_hash_type = $this->get_hashing_algorithm($hash); + $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { return false; -- cgit v1.2.1 From f5eb0d744e46a2931aa667dbc7a8a4d9ea0229e6 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 22 Sep 2013 21:17:30 +0200 Subject: [feature/passwords] Use dependency injection for helper This will now be used instead of manually loading the passwords helper instance in the passwords manager. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index cf6eddd135..6cc3510f8e 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -60,15 +60,16 @@ class phpbb_passwords_manager * @param phpbb_config $config phpBB configuration * @param phpbb_di_service_collection $hashing_algorithms Hashing driver * service collection + * @param phpbb_passwords_helper $helper Passwords helper object * @param string $default Default driver name */ - public function __construct($config, $hashing_algorithms, $default) + public function __construct($config, $hashing_algorithms, $helper, $default) { $this->config = $config; $this->type = $default; $this->fill_type_map($hashing_algorithms); - $this->load_passwords_helper(); + $this->load_passwords_helper($helper); } /** @@ -94,12 +95,15 @@ class phpbb_passwords_manager /** * Load passwords helper class + * + * @param phpbb_passwords_helper $helper Passwords helper object */ - protected function load_passwords_helper() + protected function load_passwords_helper($helper) { if ($this->helper === null) { - $this->helper = new phpbb_passwords_helper($this); + $this->helper = $helper; + $this->helper->set_manager($this); } } -- cgit v1.2.1 From 3f63b9b470b2848abdd6288a45ca56331a3bb77c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 27 Sep 2013 11:16:47 +0200 Subject: [feature/passwords] Modify passwords files for namespacing changes PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 6cc3510f8e..3aaacbee35 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -7,6 +7,8 @@ * */ +namespace phpbb\passwords; + /** * @ignore */ @@ -18,7 +20,7 @@ if (!defined('IN_PHPBB')) /** * @package passwords */ -class phpbb_passwords_manager +class manager { /** * Default hashing method @@ -57,10 +59,10 @@ class phpbb_passwords_manager /** * Construct a passwords object * - * @param phpbb_config $config phpBB configuration - * @param phpbb_di_service_collection $hashing_algorithms Hashing driver + * @param phpbb\config\config $config phpBB configuration + * @param phpbb\di\service_collection $hashing_algorithms Hashing driver * service collection - * @param phpbb_passwords_helper $helper Passwords helper object + * @param phpbb\passwords\helper $helper Passwords helper object * @param string $default Default driver name */ public function __construct($config, $hashing_algorithms, $helper, $default) @@ -75,7 +77,7 @@ class phpbb_passwords_manager /** * Fill algorithm type map * - * @param phpbb_di_service_collection $hashing_algorithms + * @param phpbb\di\service_collection $hashing_algorithms */ protected function fill_type_map($hashing_algorithms) { @@ -96,7 +98,7 @@ class phpbb_passwords_manager /** * Load passwords helper class * - * @param phpbb_passwords_helper $helper Passwords helper object + * @param phpbb\passwords\helper $helper Passwords helper object */ protected function load_passwords_helper($helper) { -- cgit v1.2.1 From de087d537e781741a0137e8ba9162d5baf3f37bb Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 28 Sep 2013 12:41:02 +0200 Subject: [feature/passwords] A few more corrections in methods due to namespacing PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 3aaacbee35..52644b05ac 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -46,13 +46,13 @@ class manager /** * Crypto helper - * @var phpbb_passwords_helper + * @var phpbb\passwords\helper */ protected $helper; /** * phpBB configuration - * @var phpbb_config + * @var phpbb\config\config */ protected $config; @@ -60,12 +60,12 @@ class manager * Construct a passwords object * * @param phpbb\config\config $config phpBB configuration - * @param phpbb\di\service_collection $hashing_algorithms Hashing driver + * @param array $hashing_algorithms Hashing driver * service collection * @param phpbb\passwords\helper $helper Passwords helper object * @param string $default Default driver name */ - public function __construct($config, $hashing_algorithms, $helper, $default) + public function __construct(\phpbb\config\config $config, $hashing_algorithms, \phpbb\passwords\helper $helper, $default) { $this->config = $config; $this->type = $default; @@ -100,7 +100,7 @@ class manager * * @param phpbb\passwords\helper $helper Passwords helper object */ - protected function load_passwords_helper($helper) + protected function load_passwords_helper(\phpbb\passwords\helper $helper) { if ($this->helper === null) { -- cgit v1.2.1 From 61e4c0f25172231d203799e4c3c5920e665ab4fa Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 1 Oct 2013 17:38:52 +0200 Subject: [feature/passwords] Do not hash passwords longer than 4096 bytes PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 52644b05ac..b90775126c 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -191,6 +191,13 @@ class manager */ public function hash_password($password, $type = '') { + if (strlen($password) > 4096) + { + // If the password is too huge, we will simply reject it + // and not let the server try to hash it. + return false; + } + $type = ($type === '') ? $this->type : $type; if (is_array($type)) @@ -230,6 +237,13 @@ class manager */ public function check_hash($password, $hash) { + if (strlen($password) > 4096) + { + // If the password is too huge, we will simply reject it + // and not let the server try to hash it. + return false; + } + // First find out what kind of hash we're dealing with $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) -- cgit v1.2.1 From afb7d2e616db95add3c6ad9cc908df4218c6f3b7 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 2 Oct 2013 13:30:36 +0200 Subject: [feature/passwords] Rename manager methods to check() and hash() These method names are more straightforward than the previous ones. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index b90775126c..6ec9eefaed 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -189,7 +189,7 @@ class manager * @return string|bool Password hash of supplied password or false if * if something went wrong during hashing */ - public function hash_password($password, $type = '') + public function hash($password, $type = '') { if (strlen($password) > 4096) { @@ -235,7 +235,7 @@ class manager * @param string $hash Stored hash * @return string|bool True if password is correct, false if not */ - public function check_hash($password, $hash) + public function check($password, $hash) { if (strlen($password) > 4096) { -- cgit v1.2.1 From f1d29499859a060b8c59a9efbeada74958eee720 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 7 Oct 2013 16:00:52 +0200 Subject: [feature/passwords] Move check for 8-bit characters to bcrypt driver PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 6ec9eefaed..0b41d3a8c3 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -214,16 +214,6 @@ class manager return false; } - // Do not support 8-bit characters with $2a$ bcrypt - // Also see http://www.php.net/security/crypt_blowfish.php - if ($type === 'passwords.driver.bcrypt' || ($type === 'passwords.driver.bcrypt_2y' && !$hashing_algorithm->is_supported())) - { - if (ord($password[strlen($password)-1]) & 128) - { - return false; - } - } - return $hashing_algorithm->hash($password); } -- cgit v1.2.1 From 87bd628241b002c866c0d425cd8c95a42d04f31a Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 14 Oct 2013 14:31:00 +0200 Subject: [feature/passwords] Minor cleanup in passwords files PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 0b41d3a8c3..dde81a9818 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -164,11 +164,10 @@ class manager return false; } - $return_ary[$type] = $this->get_algorithm("\${$type}\$"); + $return_ary[$type] = $this->get_algorithm('$' . $type . '$'); if (empty($return_ary[$type])) { - return false; } } -- cgit v1.2.1 From bb836b65e3c16fadf5c13510cce73daf432f7ad8 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 25 Oct 2013 15:21:09 +0200 Subject: [feature/passwords] Integrate convert_flag with db auth provider PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index dde81a9818..0c9eb4f067 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -243,7 +243,9 @@ class manager // Multiple hash passes needed if (is_array($stored_hash_type)) { - return $this->helper->check_combined_hash($password, $stored_hash_type, $hash); + $correct = $this->helper->check_combined_hash($password, $stored_hash_type, $hash); + $this->convert_flag = ($correct === true) ? true : false; + return $correct; } if ($stored_hash_type->get_name() !== $this->type) -- cgit v1.2.1 From 5193b3279cfcd4f7f5d656ec806b87e971c5523f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 27 Oct 2013 14:18:02 +0100 Subject: [feature/passwords] Pass list of default types to passwords manager This list is in the order of how the driver types would be used. If a driver is not supported we will try the subsequent one. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 0c9eb4f067..8abe7b9f79 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -63,15 +63,34 @@ class manager * @param array $hashing_algorithms Hashing driver * service collection * @param phpbb\passwords\helper $helper Passwords helper object - * @param string $default Default driver name + * @param string $defaults List of default driver types */ - public function __construct(\phpbb\config\config $config, $hashing_algorithms, \phpbb\passwords\helper $helper, $default) + public function __construct(\phpbb\config\config $config, $hashing_algorithms, \phpbb\passwords\helper $helper, $defaults) { $this->config = $config; - $this->type = $default; $this->fill_type_map($hashing_algorithms); $this->load_passwords_helper($helper); + $this->register_default_type($defaults); + } + + /** + * Register default type + * Will register the first supported type from the list of default types + * + * @param array $defaults List of default types in order from first to + * use to last to use + */ + protected function register_default_type($defaults) + { + foreach ($defaults as $type) + { + if ($this->algorithms[$type]->is_supported()) + { + $this->type = $type; + break; + } + } } /** -- cgit v1.2.1 From b37549ce6343154abc603999e64a372ba7f2f902 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 29 Dec 2013 14:07:27 +0100 Subject: [feature/passwords] Remove IN_PHPBB check from passwords files PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 8 -------- 1 file changed, 8 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 8abe7b9f79..e792b2bdaa 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -9,14 +9,6 @@ namespace phpbb\passwords; -/** -* @ignore -*/ -if (!defined('IN_PHPBB')) -{ - exit; -} - /** * @package passwords */ -- cgit v1.2.1 From 8383d1f1d3b5f3ac12248920f7cf79d8aa6399fc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 29 Dec 2013 17:55:00 +0100 Subject: [feature/passwords] Add missing documentation to docblocks Also contains some minor spacing changes. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index e792b2bdaa..c208c59df7 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -37,7 +37,7 @@ class manager public $convert_flag = false; /** - * Crypto helper + * Passwords helper * @var phpbb\passwords\helper */ protected $helper; @@ -125,7 +125,8 @@ class manager * * @param string $prefix Password hash prefix * - * @return object The hash type object + * @return object|bool The hash type object or false if prefix is not + * supported */ protected function get_algorithm($prefix) { -- cgit v1.2.1 From 1465915830859a7c9664e477739df5f125cfcdff Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 29 Dec 2013 17:56:41 +0100 Subject: [feature/passwords] Remove unneeded definitions of full namespace PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index c208c59df7..539fdca954 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -57,7 +57,7 @@ class manager * @param phpbb\passwords\helper $helper Passwords helper object * @param string $defaults List of default driver types */ - public function __construct(\phpbb\config\config $config, $hashing_algorithms, \phpbb\passwords\helper $helper, $defaults) + public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) { $this->config = $config; -- cgit v1.2.1 From 292961a2771c9237197b9770b23a2a14a981c329 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 2 Feb 2014 14:09:09 +0100 Subject: [feature/passwords] Get rid of set_name/get_name methods for passwords drivers PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 539fdca954..7aeb496eb5 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -79,7 +79,7 @@ class manager { if ($this->algorithms[$type]->is_supported()) { - $this->type = $type; + $this->type = $this->algorithms[$type]->get_prefix(); break; } } @@ -94,16 +94,12 @@ class manager { foreach ($hashing_algorithms as $algorithm) { - if (!isset($this->algorithms[$algorithm->get_name()])) - { - $this->algorithms[$algorithm->get_name()] = $algorithm; - } - if (!isset($this->type_map[$algorithm->get_prefix()])) { - $this->type_map[$algorithm->get_prefix()] = $algorithm->get_name(); + $this->type_map[$algorithm->get_prefix()] = $algorithm; } } + $this->algorithms = $hashing_algorithms; } /** @@ -130,9 +126,9 @@ class manager */ protected function get_algorithm($prefix) { - if (isset($this->type_map[$prefix]) && isset($this->algorithms[$this->type_map[$prefix]])) + if (isset($this->type_map[$prefix])) { - return $this->algorithms[$this->type_map[$prefix]]; + return $this->type_map[$prefix]; } else { @@ -216,9 +212,9 @@ class manager return $this->helper->combined_hash_password($password, $type); } - if (isset($this->algorithms[$type])) + if (isset($this->type_map[$type])) { - $hashing_algorithm = $this->algorithms[$type]; + $hashing_algorithm = $this->type_map[$type]; } else { @@ -260,7 +256,7 @@ class manager return $correct; } - if ($stored_hash_type->get_name() !== $this->type) + if ($stored_hash_type->get_prefix() !== $this->type) { $this->convert_flag = true; } -- cgit v1.2.1 From 08a8bd8e6f2ae339fbb29e01ffb002942e7a89f3 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 2 Feb 2014 14:11:32 +0100 Subject: [feature/passwords] Add support for passwords driver service name in hash() This will allow users to specify both the hash type by prefix and by its service name. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 7aeb496eb5..7f886e3d7d 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -205,6 +205,13 @@ class manager return false; } + // Try to retrieve algorithm by service name if type doesn't + // start with dollar sign + if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type])) + { + $type = $this->algorithms[$type]->get_prefix(); + } + $type = ($type === '') ? $this->type : $type; if (is_array($type)) -- cgit v1.2.1 From b094c7999660703370566018bf449a9280148b8d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 2 Feb 2014 14:57:43 +0100 Subject: [feature/passwords] Move combined hashing methods to manager This will get rid of the circular dependency between the passwords manager and the passwords helper. The combined_hash_password() method was also slightly changed to allow both the definitions of service names or prefixes for the hash types. PHPBB3-11610 --- phpBB/phpbb/passwords/manager.php | 98 ++++++++++++++++++++++++++++++++------- 1 file changed, 81 insertions(+), 17 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 7f886e3d7d..0ac6b05ec4 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -60,9 +60,9 @@ class manager public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) { $this->config = $config; + $this->helper = $helper; $this->fill_type_map($hashing_algorithms); - $this->load_passwords_helper($helper); $this->register_default_type($defaults); } @@ -102,20 +102,6 @@ class manager $this->algorithms = $hashing_algorithms; } - /** - * Load passwords helper class - * - * @param phpbb\passwords\helper $helper Passwords helper object - */ - protected function load_passwords_helper(\phpbb\passwords\helper $helper) - { - if ($this->helper === null) - { - $this->helper = $helper; - $this->helper->set_manager($this); - } - } - /** * Get the algorithm specified by a specific prefix * @@ -216,7 +202,7 @@ class manager if (is_array($type)) { - return $this->helper->combined_hash_password($password, $type); + return $this->combined_hash_password($password, $type); } if (isset($this->type_map[$type])) @@ -258,7 +244,7 @@ class manager // Multiple hash passes needed if (is_array($stored_hash_type)) { - $correct = $this->helper->check_combined_hash($password, $stored_hash_type, $hash); + $correct = $this->check_combined_hash($password, $stored_hash_type, $hash); $this->convert_flag = ($correct === true) ? true : false; return $correct; } @@ -274,4 +260,82 @@ class manager return $stored_hash_type->check($password, $hash); } + + /** + * Create combined hash from already hashed password + * + * @param string $password_hash Complete current password hash + * @param string $type Type of the hashing algorithm the password hash + * should be combined with + * @return string|bool Combined password hash if combined hashing was + * successful, else false + */ + public function combined_hash_password($password_hash, $type) + { + $data = array( + 'prefix' => '$', + 'settings' => '$', + ); + $hash_settings = $this->helper->get_combined_hash_settings($password_hash); + $hash = $hash_settings[0]; + + // Put settings of current hash into data array + $stored_hash_type = $this->detect_algorithm($password_hash); + $this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix()); + $this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash)); + + // Hash current hash with the defined types + foreach ($type as $cur_type) + { + if (isset($this->algorithms[$cur_type])) + { + $new_hash_type = $this->algorithms[$cur_type]; + } + else + { + $new_hash_type = $this->get_algorithm($cur_type); + } + + if (!$new_hash_type) + { + return false; + } + + $new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash)); + $this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix()); + $this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0)); + $hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash)); + } + return $this->helper->combine_hash_output($data, 'hash', $hash); + } + + /** + * Check combined password hash against the supplied password + * + * @param string $password Password entered by user + * @param array $stored_hash_type An array containing the hash types + * as described by stored password hash + * @param string $hash Stored password hash + * + * @return bool True if password is correct, false if not + */ + public function check_combined_hash($password, $stored_hash_type, $hash) + { + $i = 0; + $data = array( + 'prefix' => '$', + 'settings' => '$', + ); + $hash_settings = $this->helper->get_combined_hash_settings($hash); + foreach ($stored_hash_type as $key => $hash_type) + { + $rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]); + $this->helper->combine_hash_output($data, 'prefix', $key); + $this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]); + $cur_hash = $hash_type->hash($password, $rebuilt_hash); + $password = str_replace($rebuilt_hash, '', $cur_hash); + $i++; + } + return ($hash === $this->helper->combine_hash_output($data, 'hash', $password)); + } } -- cgit v1.2.1 From a759704b39fc1c1353f865a633759b1369589b67 Mon Sep 17 00:00:00 2001 From: Yuriy Rusko Date: Tue, 27 May 2014 20:18:06 +0200 Subject: [ticket/12594] Remove @package tags and update file headers PHPBB3-12594 --- phpBB/phpbb/passwords/manager.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 0ac6b05ec4..8b16cf55dd 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords; -/** -* @package passwords -*/ class manager { /** -- cgit v1.2.1 From ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 1 May 2014 14:21:24 +0200 Subject: [ticket/12352] Introduce user row to passwords check methods This will ensure that legacy hash types that might need the user row can properly check if the supplied password is correct. PHPBB3-12352 --- phpBB/phpbb/passwords/manager.php | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 8b16cf55dd..66ca335d45 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -141,7 +141,7 @@ class manager */ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) { - return $this->get_algorithm('$H$'); + return false; } // Be on the lookout for multiple hashing algorithms @@ -224,9 +224,10 @@ class manager * * @param string $password Password that should be checked * @param string $hash Stored hash + * @param array $user_row User's row in users table * @return string|bool True if password is correct, false if not */ - public function check($password, $hash) + public function check($password, $hash, $user_row = array()) { if (strlen($password) > 4096) { @@ -235,10 +236,27 @@ class manager return false; } + // Empty hashes can't be checked + if (empty($hash)) + { + return false; + } + // First find out what kind of hash we're dealing with $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { + // Might be a legacy hash type. Check all legacy + // hash types and set convert flag to true if password + // is correct + foreach ($this->type_map as $algorithm) + { + if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) + { + $this->convert_flag = true; + return true; + } + } return false; } -- cgit v1.2.1 From 2a96b9e285bfadee830fd57e770a210d72cd7610 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 May 2014 22:25:44 +0200 Subject: [ticket/12352] Use $CP$ prefix for converting passwords in manager PHPBB3-12352 --- phpBB/phpbb/passwords/manager.php | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 66ca335d45..7d46424e4d 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -246,18 +246,9 @@ class manager $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { - // Might be a legacy hash type. Check all legacy - // hash types and set convert flag to true if password - // is correct - foreach ($this->type_map as $algorithm) - { - if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) - { - $this->convert_flag = true; - return true; - } - } - return false; + // Still check MD5 hashes as that is what the installer + // will default to for the admin user + return $this->get_algorithm('$H$')->check($password, $hash); } // Multiple hash passes needed @@ -277,6 +268,21 @@ class manager $this->convert_flag = false; } + if ($stored_hash_type->get_prefix() === '$CP$') + { + // Check all legacy hash types for this hash. Remove + // $CP$ prefix from beginning for proper checking. + $hash = substr($hash, 4); + + foreach ($this->type_map as $algorithm) + { + if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) + { + return true; + } + } + } + return $stored_hash_type->check($password, $hash); } -- cgit v1.2.1 From 60cb648ab0bd3cba627f9f1c020ace613e18f3d5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 26 May 2014 13:26:46 +0200 Subject: [ticket/12352] Remove code for converting passwords in db auth provider PHPBB3-12352 --- phpBB/phpbb/passwords/manager.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 7d46424e4d..0a349c4a14 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -268,10 +268,10 @@ class manager $this->convert_flag = false; } + // Check all legacy hash types if prefix is $CP$ if ($stored_hash_type->get_prefix() === '$CP$') { - // Check all legacy hash types for this hash. Remove - // $CP$ prefix from beginning for proper checking. + // Remove $CP$ prefix for proper checking $hash = substr($hash, 4); foreach ($this->type_map as $algorithm) -- cgit v1.2.1 From 5dfb1cc66a9436151c85182547915f33a6f87a2c Mon Sep 17 00:00:00 2001 From: Tristan Darricau Date: Sun, 15 Jun 2014 14:46:18 +0200 Subject: [ticket/12715] Cleanup comments in \phpbb\passwords\* PHPBB3-12715 --- phpBB/phpbb/passwords/manager.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 0a349c4a14..fbb49d86a0 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -39,23 +39,23 @@ class manager /** * Passwords helper - * @var phpbb\passwords\helper + * @var \phpbb\passwords\helper */ protected $helper; /** * phpBB configuration - * @var phpbb\config\config + * @var \phpbb\config\config */ protected $config; /** * Construct a passwords object * - * @param phpbb\config\config $config phpBB configuration + * @param \phpbb\config\config $config phpBB configuration * @param array $hashing_algorithms Hashing driver * service collection - * @param phpbb\passwords\helper $helper Passwords helper object + * @param \phpbb\passwords\helper $helper Passwords helper object * @param string $defaults List of default driver types */ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) @@ -89,7 +89,7 @@ class manager /** * Fill algorithm type map * - * @param phpbb\di\service_collection $hashing_algorithms + * @param \phpbb\di\service_collection $hashing_algorithms */ protected function fill_type_map($hashing_algorithms) { -- cgit v1.2.1 From 8769f185f5be6e8d4b517be67c4e0facfda06f68 Mon Sep 17 00:00:00 2001 From: brunoais Date: Tue, 21 Apr 2015 10:00:30 +0100 Subject: [ticket/13772] Fix typo in phpbb\passwords\manager::__construct() PHPBB3-13772 --- phpBB/phpbb/passwords/manager.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'phpBB/phpbb/passwords/manager.php') diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index fbb49d86a0..aa9147ecf4 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -56,7 +56,7 @@ class manager * @param array $hashing_algorithms Hashing driver * service collection * @param \phpbb\passwords\helper $helper Passwords helper object - * @param string $defaults List of default driver types + * @param array $defaults List of default driver types */ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) { -- cgit v1.2.1