1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class bcrypt extends base
{
const PREFIX = '$2a$';
/** @var int Hashing cost factor */
protected $cost_factor;
/**
* Constructor of passwords driver object
*
* @param \phpbb\config\config $config phpBB config
* @param \phpbb\passwords\driver\helper $helper Password driver helper
* @param int $cost_factor Hashing cost factor (optional)
*/
public function __construct(\phpbb\config\config $config, helper $helper, $cost_factor = 10)
{
parent::__construct($config, $helper);
// Don't allow cost factor to be below default setting
$this->cost_factor = max(10, $cost_factor);
}
/**
* {@inheritdoc}
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* {@inheritdoc}
*/
public function needs_rehash($hash)
{
preg_match('/^' . preg_quote($this->get_prefix()) . '([0-9]+)\$/', $hash, $matches);
list(, $cost_factor) = $matches;
return empty($cost_factor) || $this->cost_factor !== intval($cost_factor);
}
/**
* {@inheritdoc}
*/
public function hash($password, $salt = '')
{
// The 2x and 2y prefixes of bcrypt might not be supported
// Revert to 2a if this is the case
$prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();
// Do not support 8-bit characters with $2a$ bcrypt
// Also see http://www.php.net/security/crypt_blowfish.php
if ($prefix === self::PREFIX)
{
if (ord($password[strlen($password)-1]) & 128)
{
return false;
}
}
if ($salt == '')
{
$salt = $prefix . $this->cost_factor . '$' . $this->get_random_salt();
}
$hash = crypt($password, $salt);
if (strlen($hash) < 60)
{
return false;
}
return $hash;
}
/**
* {@inheritdoc}
*/
public function check($password, $hash, $user_row = array())
{
$salt = substr($hash, 0, 29);
if (strlen($salt) != 29)
{
return false;
}
if ($this->helper->string_compare($hash, $this->hash($password, $salt)))
{
return true;
}
return false;
}
/**
* Get a random salt value with a length of 22 characters
*
* @return string Salt for password hashing
*/
protected function get_random_salt()
{
return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22);
}
/**
* {@inheritdoc}
*/
public function get_settings_only($hash, $full = false)
{
if ($full)
{
$pos = stripos($hash, '$', 1) + 1;
$length = 22 + (strripos($hash, '$') + 1 - $pos);
}
else
{
$pos = strripos($hash, '$') + 1;
$length = 22;
}
return substr($hash, $pos, $length);
}
}
|