+ - @passwords.manager

+ - @passwords.manager

+ - @passwords.manager

+parameters:

+ passwords.algorithms:

+ - passwords.driver.bcrypt_2y

+ - passwords.driver.bcrypt

+ - passwords.driver.salted_md5

+ - passwords.driver.phpass

+

+services:

+ passwords.driver.bcrypt:

+ class: phpbb\passwords\driver\bcrypt

+ arguments:

+ - @config

+ - @passwords.driver_helper

+ tags:

+ - { name: passwords.driver }

+

+ passwords.driver.bcrypt_2y:

+ class: phpbb\passwords\driver\bcrypt_2y

+ arguments:

+ - @config

+ - @passwords.driver_helper

+ tags:

+ - { name: passwords.driver }

+

+ passwords.driver.salted_md5:

+ class: phpbb\passwords\driver\salted_md5

+ arguments:

+ - @config

+ - @passwords.driver_helper

+ tags:

+ - { name: passwords.driver }

+

+ passwords.driver.phpass:

+ class: phpbb\passwords\driver\phpass

+ arguments:

+ - @config

+ - @passwords.driver_helper

+ tags:

+ - { name: passwords.driver }

+

+ passwords.driver_collection:

+ class: phpbb\di\service_collection

+ arguments:

+ - @service_container

+ tags:

+ - { name: service_collection, tag: passwords.driver }

+

+ passwords.driver_helper:

+ class: phpbb\passwords\driver\helper

+ arguments:

+ - @config

+

+ passwords.manager:

+ class: phpbb\passwords\manager

+ arguments:

+ - @config

+ - @passwords.driver_collection

+ - @passwords.helper

+ - %passwords.algorithms%

+

+ passwords.helper:

+ class: phpbb\passwords\helper

+ - { resource: passwords.yml }

+ global $db, $user, $cache, $phpbb_root_path, $phpbb_container, $phpbb_dispatcher;

+ // Instantiate passwords manager

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ $forum_data_sql['forum_password'] = $passwords_manager->hash($forum_data_sql['forum_password']);

+ // Instantiate passwords manager

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ $update_password = $data['new_password'] && !$passwords_manager->check($data['new_password'], $user_row['user_password']);

+ 'user_password' => $passwords_manager->hash($data['new_password']),

+ 'forum_password' => array('VCHAR_UNI', ''),

+ 'user_password' => array('VCHAR_UNI', ''),

+* Hash the password

+* @deprecated 3.1.0-a2 (To be removed: 3.3.0)

+* @param string $password Password to be hashed

+* @return string|bool Password hash or false if something went wrong during hashing

+ global $phpbb_container;

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+ return $passwords_manager->hash($password);

+* @deprecated 3.1.0-a2 (To be removed: 3.3.0)

+*

+ global $phpbb_container;

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+ return $passwords_manager->check($password, $hash);

+ global $db, $phpbb_container, $request, $template, $user;

+ $password = $request->variable('password', '', true);

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ if ($passwords_manager->check($password, $forum_data['forum_password']))

+ // Instantiate passwords manager

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && $passwords_manager->check($data['new_password'], $user->data['user_password']))

+ if (!$passwords_manager->check($data['cur_password'], $user->data['user_password']))

+ 'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? $passwords_manager->hash($data['new_password']) : $user->data['user_password'],

+ if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !$passwords_manager->check($data['new_password'], $user->data['user_password']))

+ // Instantiate passwords manager

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ 'user_password' => $passwords_manager->hash($data['new_password']),

+ global $db, $user, $auth, $template, $phpbb_container;;

+ // Instantiate passwords manager

+ $passwords_manager = $phpbb_container->get('passwords.manager');

+

+ SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'

+ forum_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,

+ user_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE,

+ [forum_password] [varchar] (255) DEFAULT ('') NOT NULL ,

+ [user_password] [varchar] (255) DEFAULT ('') NOT NULL ,

+ forum_password blob DEFAULT '' NOT NULL,

+ user_password blob DEFAULT '' NOT NULL,

+ forum_password varchar(255) DEFAULT '' NOT NULL,

+ user_password varchar(255) DEFAULT '' NOT NULL,

+ forum_password varchar2(255) DEFAULT '' ,

+ vote_user_ip varchar2(40) DEFAULT ''

+ user_password varchar2(255) DEFAULT '' ,

+ forum_password varchar(255) DEFAULT '' NOT NULL,

+ user_password varchar(255) DEFAULT '' NOT NULL,

+ forum_password varchar(255) NOT NULL DEFAULT '',

+ user_password varchar(255) NOT NULL DEFAULT '',

+ * phpBB passwords manager

+ *

+ * @var \phpbb\passwords\manager

+ */

+ protected $passwords_manager;

+

+ /**

+ * @param \phpbb\passwords\manager $passwords_manager

+ public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)

+ $this->passwords_manager = $passwords_manager;

+ 'user_password' => $this->passwords_manager->hash($password),

+ /**

+ * phpBB passwords manager

+ *

+ * @var \phpbb\passwords\manager

+ */

+ protected $passwords_manager;

+ * @param \phpbb\db\driver\driver $db

+ * @param \phpbb\config\config $config

+ * @param \phpbb\passwords\manager $passwords_manager

+ * @param \phpbb\request\request $request

+ * @param \phpbb\user $user

+ * @param string $phpbb_root_path

+ * @param string $php_ext

+ public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext)

+ $this->passwords_manager = $passwords_manager;

+ if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))

+ $hash = $this->passwords_manager->hash($password_new_format);

+ if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password']))

+ if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)

+ $hash = $this->passwords_manager->hash($password);

+ * phpBB passwords manager

+ *

+ * @var \phpbb\passwords\manager

+ */

+ protected $passwords_manager;

+

+ /**

+ * @param \phpbb\db\driver\driver $db

+ * @param \phpbb\config\config $config

+ * @param \phpbb\passwords\manager $passwords_manager

+ * @param \phpbb\user $user

+ public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\user $user)

+ $this->passwords_manager = $passwords_manager;

+ 'user_password' => $this->passwords_manager->hash($password),

+<?php

+/**

+*

+* @package migration

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-license.php GNU Public License v2

+*

+*/

+

+namespace phpbb\db\migration\data\v310;

+

+class passwords extends \phpbb\db\migration\migration

+{

+ static public function depends_on()

+ {

+ return array('\phpbb\db\migration\data\v30x\release_3_0_11');

+ }

+

+ public function update_schema()

+ {

+ return array(

+ 'change_columns' => array(

+ $this->table_prefix . 'users' => array(

+ 'user_password' => array('VCHAR:255', ''),

+ ),

+ $this->table_prefix . 'forums' => array(

+ 'forum_password' => array('VCHAR:255', ''),

+ ),

+ ),

+ );

+ }

+

+ public function revert_schema()

+ {

+ return array(

+ 'change_columns' => array(

+ $this->table_prefix . 'users' => array(

+ 'user_password' => array('VCHAR:40', ''),

+ ),

+ $this->table_prefix . 'forums' => array(

+ 'forum_password' => array('VCHAR:40', ''),

+ ),

+ ),

+ );

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+abstract class base implements driver_interface

+{

+ /** @var phpbb\config\config */

+ protected $config;

+

+ /** @var phpbb\passwords\driver\helper */

+ protected $helper;

+

+ /** @var driver name */

+ protected $name;

+

+ /**

+ * Constructor of passwords driver object

+ *

+ * @param \phpbb\config\config $config phpBB config

+ * @param \phpbb\passwords\driver\helper $helper Password driver helper

+ */

+ public function __construct(\phpbb\config\config $config, helper $helper)

+ {

+ $this->config = $config;

+ $this->helper = $helper;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function is_supported()

+ {

+ return true;

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+class bcrypt extends base

+{

+ const PREFIX = '$2a$';

+

+ /**

+ * @inheritdoc

+ */

+ public function get_prefix()

+ {

+ return self::PREFIX;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function hash($password, $salt = '')

+ {

+ // The 2x and 2y prefixes of bcrypt might not be supported

+ // Revert to 2a if this is the case

+ $prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();

+

+ // Do not support 8-bit characters with $2a$ bcrypt

+ // Also see http://www.php.net/security/crypt_blowfish.php

+ if ($prefix === self::PREFIX)

+ {

+ if (ord($password[strlen($password)-1]) & 128)

+ {

+ return false;

+ }

+ }

+

+ if ($salt == '')

+ {

+ $salt = $prefix . '10$' . $this->get_random_salt();

+ }

+

+ $hash = crypt($password, $salt);

+ if (strlen($hash) < 60)

+ {

+ return false;

+ }

+ return $hash;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function check($password, $hash)

+ {

+ $salt = substr($hash, 0, 29);

+ if (strlen($salt) != 29)

+ {

+ return false;

+ }

+

+ if ($hash == $this->hash($password, $salt))

+ {

+ return true;

+ }

+ return false;

+ }

+

+ /**

+ * Get a random salt value with a length of 22 characters

+ *

+ * @return string Salt for password hashing

+ */

+ protected function get_random_salt()

+ {

+ return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22);

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function get_settings_only($hash, $full = false)

+ {

+ if ($full)

+ {

+ $pos = stripos($hash, '$', 1) + 1;

+ $length = 22 + (strripos($hash, '$') + 1 - $pos);

+ }

+ else

+ {

+ $pos = strripos($hash, '$') + 1;

+ $length = 22;

+ }

+ return substr($hash, $pos, $length);

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+class bcrypt_2y extends bcrypt

+{

+ const PREFIX = '$2y$';

+

+ /**

+ * @inheritdoc

+ */

+ public function get_prefix()

+ {

+ return self::PREFIX;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function is_supported()

+ {

+ return (version_compare(PHP_VERSION, '5.3.7', '<')) ? false : true;

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+interface driver_interface

+{

+ /**

+ * Check if hash type is supported

+ *

+ * @return bool True if supported, false if not

+ */

+ public function is_supported();

+

+ /**

+ * Returns the hash prefix

+ *

+ * @return string Hash prefix

+ */

+ public function get_prefix();

+

+ /**

+ * Hash the password

+ *

+ * @param string $password The password that should be hashed

+ *

+ * @return bool|string Password hash or false if something went wrong

+ * during hashing

+ */

+ public function hash($password);

+

+ /**

+ * Check the password against the supplied hash

+ *

+ * @param string $password The password to check

+ * @param string $hash The password hash to check against

+ *

+ * @return bool True if password is correct, else false

+ */

+ public function check($password, $hash);

+

+ /**

+ * Get only the settings of the specified hash

+ *

+ * @param string $hash Password hash

+ * @param bool $full Return full settings or only settings

+ * related to the salt

+ * @return string String containing the hash settings

+ */

+ public function get_settings_only($hash, $full = false);

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+class helper

+{

+ /**

+ * @var phpbb\config\config

+ */

+ protected $config;

+

+ /**

+ * base64 alphabet

+ * @var string

+ */

+ public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

+

+ /**

+ * Construct a driver helper object

+ *

+ * @param phpbb\config\config $config phpBB configuration

+ */

+ public function __construct(\phpbb\config\config $config)

+ {

+ $this->config = $config;

+ }

+

+ /**

+ * Base64 encode hash

+ *

+ * @param string $input Input string

+ * @param int $count Input string length

+ *

+ * @return string base64 encoded string

+ */

+ public function hash_encode64($input, $count)

+ {

+ $output = '';

+ $i = 0;

+

+ do

+ {

+ $value = ord($input[$i++]);

+ $output .= $this->itoa64[$value & 0x3f];

+

+ if ($i < $count)

+ {

+ $value |= ord($input[$i]) << 8;

+ }

+

+ $output .= $this->itoa64[($value >> 6) & 0x3f];

+

+ if ($i++ >= $count)

+ {

+ break;

+ }

+

+ if ($i < $count)

+ {

+ $value |= ord($input[$i]) << 16;

+ }

+

+ $output .= $this->itoa64[($value >> 12) & 0x3f];

+

+ if ($i++ >= $count)

+ {

+ break;

+ }

+

+ $output .= $this->itoa64[($value >> 18) & 0x3f];

+ }

+ while ($i < $count);

+

+ return $output;

+ }

+

+ /**

+ * Return unique id

+ *

+ * @param string $extra Additional entropy

+ *

+ * @return string Unique id

+ */

+ public function unique_id($extra = 'c')

+ {

+ static $dss_seeded = false;

+

+ $val = $this->config['rand_seed'] . microtime();

+ $val = md5($val);

+ $this->config['rand_seed'] = md5($this->config['rand_seed'] . $val . $extra);

+

+ if ($dss_seeded !== true && ($this->config['rand_seed_last_update'] < time() - rand(1,10)))

+ {

+ $this->config->set('rand_seed_last_update', time(), true);

+ $this->config->set('rand_seed', $this->config['rand_seed'], true);

+ $dss_seeded = true;

+ }

+

+ return substr($val, 4, 16);

+ }

+

+ /**

+ * Get random salt with specified length

+ *

+ * @param int $length Salt length

+ * @param string $rand_seed Seed for random data (optional). For tests.

+ *

+ * @return string Random salt with specified length

+ */

+ public function get_random_salt($length, $rand_seed = '/dev/urandom')

+ {

+ $random = '';

+

+ if (($fh = @fopen($rand_seed, 'rb')))

+ {

+ $random = fread($fh, $length);

+ fclose($fh);

+ }

+

+ if (strlen($random) < $length)

+ {

+ $random = '';

+ $random_state = $this->unique_id();

+

+ for ($i = 0; $i < $length; $i += 16)

+ {

+ $random_state = md5($this->unique_id() . $random_state);

+ $random .= pack('H*', md5($random_state));

+ }

+ $random = substr($random, 0, $length);

+ }

+ return $random;

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+* @package passwords

+*/

+class phpass extends salted_md5

+{

+ const PREFIX = '$P$';

+

+ /**

+ * @inheritdoc

+ */

+ public function get_prefix()

+ {

+ return self::PREFIX;

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords\driver;

+

+/**

+*

+* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)

+*

+* Portable PHP password hashing framework.

+*

+* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in

+* the public domain.

+*

+* There's absolutely no warranty.

+*

+* The homepage URL for this framework is:

+*

+* http://www.openwall.com/phpass/

+*

+* Please be sure to update the Version line if you edit this file in any way.

+* It is suggested that you leave the main version number intact, but indicate

+* your project name (after the slash) and add your own revision information.

+*

+* Please do not change the "private" password hashing method implemented in

+* here, thereby making your hashes incompatible. However, if you must, please

+* change the hash type identifier (the "$P$") to something different.

+*

+* Obviously, since this code is in the public domain, the above are not

+* requirements (there can be none), but merely suggestions.

+*

+*/

+

+/**

+* @package passwords

+*/

+class salted_md5 extends base

+{

+ const PREFIX = '$H$';

+

+ /**

+ * @inheritdoc

+ */

+ public function get_prefix()

+ {

+ return self::PREFIX;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function hash($password, $setting = '')

+ {

+ if ($setting)

+ {

+ if (($settings = $this->get_hash_settings($setting)) === false)

+ {

+ // Return md5 of password if settings do not

+ // comply with our standards. This will only

+ // happen if pre-determined settings are

+ // directly passed to the driver. The manager

+ // will not do this. Same as the old hashing

+ // implementatio in phpBB 3.0

+ return md5($password);

+ }

+ }

+ else

+ {

+ $settings = $this->get_hash_settings($this->generate_salt());

+ }

+

+ $hash = md5($settings['salt'] . $password, true);

+ do

+ {

+ $hash = md5($hash . $password, true);

+ }

+ while (--$settings['count']);

+

+ $output = $settings['full'];

+ $output .= $this->helper->hash_encode64($hash, 16);

+

+ return $output;

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function check($password, $hash)

+ {

+ if (strlen($hash) !== 34)

+ {

+ return md5($password) === $hash;

+ }

+

+ return $hash === $this->hash($password, $hash);

+ }

+

+ /**

+ * Generate salt for hashing method

+ *

+ * @return string Salt for hashing method

+ */

+ protected function generate_salt()

+ {

+ $count = 6;

+

+ $random = $this->helper->get_random_salt($count);

+

+ $salt = $this->get_prefix();

+ $salt .= $this->helper->itoa64[min($count + 5, 30)];

+ $salt .= $this->helper->hash_encode64($random, $count);

+

+ return $salt;

+ }

+

+ /**

+ * Get hash settings

+ *

+ * @param string $hash The hash that contains the settings

+ *

+ * @return bool|array Array containing the count_log2, salt, and full

+ * hash settings string or false if supplied hash is empty

+ * or contains incorrect settings

+ */

+ public function get_hash_settings($hash)

+ {

+ if (empty($hash))

+ {

+ return false;

+ }

+

+ $count_log2 = strpos($this->helper->itoa64, $hash[3]);

+ $salt = substr($hash, 4, 8);

+

+ if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8)

+ {

+ return false;

+ }

+

+ return array(

+ 'count' => 1 << $count_log2,

+ 'salt' => $salt,

+ 'full' => substr($hash, 0, 12),

+ );

+ }

+

+ /**

+ * @inheritdoc

+ */

+ public function get_settings_only($hash, $full = false)

+ {

+ return substr($hash, 3, 9);

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords;

+

+/**

+* @package passwords

+*/

+class helper

+{

+ /**

+ * Get hash settings from combined hash

+ *

+ * @param string $hash Password hash of combined hash

+ *

+ * @return array An array containing the hash settings for the hash

+ * types in successive order as described by the combined

+ * password hash or an empty array if hash does not

+ * properly fit the combined hash format

+ */

+ public function get_combined_hash_settings($hash)

+ {

+ $output = array();

+

+ preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);

+ $hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);

+ $matches = explode('\\', $match[1]);

+ foreach ($matches as $cur_type)

+ {

+ $dollar_position = strpos($hash_settings, '$');

+ $output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));

+ $hash_settings = substr($hash_settings, $dollar_position + 1);

+ }

+

+ return $output;

+ }

+

+ /**

+ * Combine hash prefixes, settings, and actual hash

+ *

+ * @param array $data Array containing the keys 'prefix' and 'settings'.

+ * It will hold the prefixes and settings

+ * @param string $type Data type of the supplied value

+ * @param string $value Value that should be put into the data array

+ *

+ * @return string|null Return complete combined hash if type is neither

+ * 'prefix' nor 'settings', nothing if it is

+ */

+ public function combine_hash_output(&$data, $type, $value)

+ {

+ if ($type == 'prefix')

+ {

+ $data[$type] .= ($data[$type] !== '$') ? '\\' : '';

+ $data[$type] .= str_replace('$', '', $value);

+ }

+ elseif ($type == 'settings')

+ {

+ $data[$type] .= ($data[$type] !== '$') ? '$' : '';

+ $data[$type] .= $value;

+ }

+ else

+ {

+ // Return full hash

+ return $data['prefix'] . $data['settings'] . '$' . $value;

+ }

+ }

+

+ /**

+ * Rebuild hash for hashing functions

+ *

+ * @param string $prefix Hash prefix

+ * @param string $settings Hash settings

+ *

+ * @return string Rebuilt hash for hashing functions

+ */

+ public function rebuild_hash($prefix, $settings)

+ {

+ $rebuilt_hash = $prefix;

+ if (strpos($settings, '\\') !== false)

+ {

+ $settings = str_replace('\\', '$', $settings);

+ }

+ $rebuilt_hash .= $settings;

+ return $rebuilt_hash;

+ }

+

+ /**

+ * Obtain only the actual hash after the prefixes

+ *

+ * @param string $hash The full password hash

+ * @return string Actual hash (incl. settings)

+ */

+ public function obtain_hash_only($hash)

+ {

+ return substr($hash, strripos($hash, '$') + 1);

+ }

+}

+<?php

+/**

+*

+* @package phpBB3

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+namespace phpbb\passwords;

+

+/**

+* @package passwords

+*/

+class manager

+{

+ /**

+ * Default hashing method

+ */

+ protected $type = false;

+

+ /**

+ * Hashing algorithm type map

+ * Will be used to map hash prefix to type

+ */

+ protected $type_map = false;

+

+ /**

+ * Service collection of hashing algorithms

+ * Needs to be public for passwords helper

+ */

+ public $algorithms = false;

+

+ /**

+ * Password convert flag. Signals that password should be converted

+ */

+ public $convert_flag = false;

+

+ /**

+ * Passwords helper

+ * @var phpbb\passwords\helper

+ */

+ protected $helper;

+

+ /**

+ * phpBB configuration

+ * @var phpbb\config\config

+ */

+ protected $config;

+

+ /**

+ * Construct a passwords object

+ *

+ * @param phpbb\config\config $config phpBB configuration

+ * @param array $hashing_algorithms Hashing driver

+ * service collection

+ * @param phpbb\passwords\helper $helper Passwords helper object

+ * @param string $defaults List of default driver types

+ */

+ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)

+ {

+ $this->config = $config;

+ $this->helper = $helper;

+

+ $this->fill_type_map($hashing_algorithms);

+ $this->register_default_type($defaults);

+ }

+

+ /**

+ * Register default type

+ * Will register the first supported type from the list of default types

+ *

+ * @param array $defaults List of default types in order from first to

+ * use to last to use

+ */

+ protected function register_default_type($defaults)

+ {

+ foreach ($defaults as $type)

+ {

+ if ($this->algorithms[$type]->is_supported())

+ {

+ $this->type = $this->algorithms[$type]->get_prefix();

+ break;

+ }

+ }

+ }

+

+ /**

+ * Fill algorithm type map

+ *

+ * @param phpbb\di\service_collection $hashing_algorithms

+ */

+ protected function fill_type_map($hashing_algorithms)

+ {

+ foreach ($hashing_algorithms as $algorithm)

+ {

+ if (!isset($this->type_map[$algorithm->get_prefix()]))

+ {

+ $this->type_map[$algorithm->get_prefix()] = $algorithm;

+ }

+ }

+ $this->algorithms = $hashing_algorithms;

+ }

+

+ /**

+ * Get the algorithm specified by a specific prefix

+ *

+ * @param string $prefix Password hash prefix

+ *

+ * @return object|bool The hash type object or false if prefix is not

+ * supported

+ */

+ protected function get_algorithm($prefix)

+ {

+ if (isset($this->type_map[$prefix]))

+ {

+ return $this->type_map[$prefix];

+ }

+ else

+ {

+ return false;

+ }

+ }

+

+ /**

+ * Detect the hash type of the supplied hash

+ *

+ * @param string $hash Password hash that should be checked

+ *

+ * @return object|bool The hash type object or false if the specified

+ * type is not supported

+ */

+ public function detect_algorithm($hash)

+ {

+ /*

+ * preg_match() will also show hashing algos like $2a\H$, which

+ * is a combination of bcrypt and phpass. Legacy algorithms

+ * like md5 will not be matched by this and need to be treated

+ * differently.

+ */

+ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))

+ {

+ return $this->get_algorithm('$H$');

+ }

+

+ // Be on the lookout for multiple hashing algorithms

+ // 2 is correct: H\2a > 2, H\P > 2

+ if (strlen($match[1]) > 2)

+ {

+ $hash_types = explode('\\', $match[1]);

+ $return_ary = array();

+ foreach ($hash_types as $type)

+ {

+ // we do not support the same hashing

+ // algorithm more than once

+ if (isset($return_ary[$type]))

+ {

+ return false;

+ }

+

+ $return_ary[$type] = $this->get_algorithm('$' . $type . '$');

+

+ if (empty($return_ary[$type]))

+ {

+ return false;

+ }

+ }

+ return $return_ary;

+ }

+

+ // get_algorithm() will automatically return false if prefix

+ // is not supported

+ return $this->get_algorithm($match[0]);

+ }

+

+ /**

+ * Hash supplied password

+ *

+ * @param string $password Password that should be hashed

+ * @param string $type Hash type. Will default to standard hash type if

+ * none is supplied

+ * @return string|bool Password hash of supplied password or false if

+ * if something went wrong during hashing

+ */

+ public function hash($password, $type = '')

+ {

+ if (strlen($password) > 4096)

+ {

+ // If the password is too huge, we will simply reject it

+ // and not let the server try to hash it.

+ return false;

+ }

+

+ // Try to retrieve algorithm by service name if type doesn't

+ // start with dollar sign

+ if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type]))

+ {

+ $type = $this->algorithms[$type]->get_prefix();

+ }

+

+ $type = ($type === '') ? $this->type : $type;

+

+ if (is_array($type))

+ {

+ return $this->combined_hash_password($password, $type);

+ }

+

+ if (isset($this->type_map[$type]))

+ {

+ $hashing_algorithm = $this->type_map[$type];

+ }

+ else

+ {

+ return false;

+ }

+

+ return $hashing_algorithm->hash($password);

+ }

+

+ /**

+ * Check supplied password against hash and set convert_flag if password

+ * needs to be converted to different format (preferrably newer one)

+ *

+ * @param string $password Password that should be checked

+ * @param string $hash Stored hash

+ * @return string|bool True if password is correct, false if not

+ */

+ public function check($password, $hash)

+ {

+ if (strlen($password) > 4096)

+ {

+ // If the password is too huge, we will simply reject it

+ // and not let the server try to hash it.

+ return false;

+ }

+

+ // First find out what kind of hash we're dealing with

+ $stored_hash_type = $this->detect_algorithm($hash);

+ if ($stored_hash_type == false)

+ {

+ return false;

+ }

+

+ // Multiple hash passes needed

+ if (is_array($stored_hash_type))

+ {

+ $correct = $this->check_combined_hash($password, $stored_hash_type, $hash);

+ $this->convert_flag = ($correct === true) ? true : false;

+ return $correct;

+ }

+

+ if ($stored_hash_type->get_prefix() !== $this->type)

+ {

+ $this->convert_flag = true;

+ }

+ else

+ {

+ $this->convert_flag = false;

+ }

+

+ return $stored_hash_type->check($password, $hash);

+ }

+

+ /**

+ * Create combined hash from already hashed password

+ *

+ * @param string $password_hash Complete current password hash

+ * @param string $type Type of the hashing algorithm the password hash

+ * should be combined with

+ * @return string|bool Combined password hash if combined hashing was

+ * successful, else false

+ */

+ public function combined_hash_password($password_hash, $type)

+ {

+ $data = array(

+ 'prefix' => '$',

+ 'settings' => '$',

+ );

+ $hash_settings = $this->helper->get_combined_hash_settings($password_hash);

+ $hash = $hash_settings[0];

+

+ // Put settings of current hash into data array

+ $stored_hash_type = $this->detect_algorithm($password_hash);

+ $this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix());

+ $this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash));

+

+ // Hash current hash with the defined types

+ foreach ($type as $cur_type)

+ {

+ if (isset($this->algorithms[$cur_type]))

+ {

+ $new_hash_type = $this->algorithms[$cur_type];

+ }

+ else

+ {

+ $new_hash_type = $this->get_algorithm($cur_type);

+ }

+

+ if (!$new_hash_type)

+ {

+ return false;

+ }

+

+ $new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash));

+ $this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix());

+ $this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0));

+ $hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash));

+ }

+ return $this->helper->combine_hash_output($data, 'hash', $hash);

+ }

+

+ /**

+ * Check combined password hash against the supplied password

+ *

+ * @param string $password Password entered by user

+ * @param array $stored_hash_type An array containing the hash types

+ * as described by stored password hash

+ * @param string $hash Stored password hash

+ *

+ * @return bool True if password is correct, false if not

+ */

+ public function check_combined_hash($password, $stored_hash_type, $hash)

+ {

+ $i = 0;

+ $data = array(

+ 'prefix' => '$',

+ 'settings' => '$',

+ );

+ $hash_settings = $this->helper->get_combined_hash_settings($hash);

+ foreach ($stored_hash_type as $key => $hash_type)

+ {

+ $rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]);

+ $this->helper->combine_hash_output($data, 'prefix', $key);

+ $this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]);

+ $cur_hash = $hash_type->hash($password, $rebuilt_hash);

+ $password = str_replace($rebuilt_hash, '', $cur_hash);

+ $i++;

+ }

+ return ($hash === $this->helper->combine_hash_output($data, 'hash', $password));

+ }

+}

+ <value>$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i</value>

+ <value>0</value>

+ <value>0</value>

+ <value>example@example.com</value>

+ <value>0</value>

+ <value>0</value>

+ <value></value>

+ <value></value>

+ <value></value>

+ <value></value>

+ </row>

+ <row>

+ <value>2</value>

+ <value>foobar2</value>

+ <value>foobar2</value>

+<?xml version="1.0" encoding="UTF-8" ?>

+<dataset>

+ <table name="phpbb_users">

+ <column>user_id</column>

+ <column>username</column>

+ <column>username_clean</column>

+ <column>user_password</column>

+ <column>user_passchg</column>

+ <column>user_pass_convert</column>

+ <column>user_email</column>

+ <column>user_type</column>

+ <column>user_login_attempts</column>

+ <column>user_permissions</column>

+ <column>user_sig</column>

+ <column>user_occ</column>

+ <column>user_interests</column>

+ <row>

+ <value>1</value>

+ <value>foobar</value>

+ <value>foobar</value>

+ <value>$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi</value>

+ <value>0</value>

+ <value>0</value>

+ <value>example@example.com</value>

+ <value>0</value>

+ <value>0</value>

+ <value></value>

+ <value></value>

+ <value></value>

+ <value></value>

+ </row>

+ <row>

+ <value>2</value>

+ <value>foobar2</value>

+ <value>foobar2</value>

+ <value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value>

+ <value>0</value>

+ <value>0</value>

+ <value>example@example.com</value>

+ <value>0</value>

+ <value>0</value>

+ <value></value>

+ <value></value>

+ <value></value>

+ <value></value>

+ </row>

+ </table>

+</dataset>

+ $driver_helper = new \phpbb\passwords\driver\helper($config);

+ $passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),

+ );

+

+ $passwords_helper = new \phpbb\passwords\helper;

+ // Set up passwords manager

+ $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));

+

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ $this->password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi';

+ }

+ else

+ {

+ $this->password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i';

+ }

+ $this->provider = new \phpbb\auth\provider\apache($db, $config, $passwords_manager, $this->request, $this->user, $phpbb_root_path, $phpEx);

+ if ((version_compare(PHP_VERSION, '5.3.7', '<')))

+ {

+ return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml');

+ }

+ else

+ {

+ return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');

+ }

+ 'user_password' => $this->password_hash,

+ 'user_password' => $this->password_hash,

+ if ((version_compare(PHP_VERSION, '5.3.7', '<')))

+ {

+ return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml');

+ }

+ else

+ {

+ return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml');

+ }

+ $driver_helper = new \phpbb\passwords\driver\helper($config);

+ $passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),

+ );

+

+ $passwords_helper = new \phpbb\passwords\helper;

+ // Set up passwords manager

+ $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));

+

+ $provider = new \phpbb\auth\provider\db($db, $config, $passwords_manager, $request, $user, $phpbb_root_path, $phpEx);

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ $password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi';

+ }

+ else

+ {

+ $password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i';

+ }

+ 'user_password' => $password_hash,

+

+ // Check if convert works

+ $login_return = $provider->login('foobar2', 'example');

+ $password_start = (version_compare(PHP_VERSION, '5.3.7', '<')) ? '$2a$10$' : '$2y$10$';

+ $this->assertStringStartsWith($password_start, $login_return['user_row']['user_password']);

+<?php

+/**

+*

+* @package testing

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+/**

+* @group functional

+*/

+class phpbb_functional_forum_password_test extends phpbb_functional_test_case

+{

+ public function test_setup_forum_with_password()

+ {

+ $this->login();

+ $this->admin_login();

+

+ $crawler = self::request('GET', "adm/index.php?i=acp_forums&mode=manage&sid={$this->sid}");

+ $form = $crawler->selectButton('addforum')->form(array(

+ 'forum_name' => 'Password protected',

+ ));

+ $crawler = self::submit($form);

+ $form = $crawler->selectButton('update')->form(array(

+ 'forum_perm_from' => 2,

+ 'forum_password' => 'foobar',

+ 'forum_password_confirm' => 'foobar',

+ ));

+ $crawler = self::submit($form);

+ }

+

+ public function data_enter_forum_with_password()

+ {

+ return array(

+ array('foowrong', 'WRONG_PASSWORD'),

+ array('foobar', 'NO_TOPICS'),

+ );

+ }

+

+ /**

+ * @dataProvider data_enter_forum_with_password

+ */

+ public function test_enter_forum_with_password($password, $message)

+ {

+ $crawler = self::request('GET', "index.php?sid={$this->sid}");

+ preg_match('/.?f=([0-9])/', $crawler->selectLink('Password protected')->link()->getUri(), $match);

+ $crawler = self::request('GET', "viewforum.php?f={$match[1]}&sid={$this->sid}");

+ $form = $crawler->selectButton('login')->form(array(

+ 'password' => $password,

+ ));

+ $crawler = self::submit($form);

+ $this->assertContainsLang($message, $crawler->text());

+ }

+}

+<?php

+/**

+*

+* @package testing

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+class phpbb_passwords_helper_test extends PHPUnit_Framework_TestCase

+{

+ public function setUp()

+ {

+ // Prepare dependencies for drivers

+ $config = new \phpbb\config\config(array());

+ $this->driver_helper = new \phpbb\passwords\driver\helper($config);

+

+ $this->passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),

+ );

+ }

+

+ public function data_helper_encode64()

+ {

+ return array(

+ array('foobar', 6, 'axqPW3aQ'),

+ array('foobar', 7, 'axqPW3aQ..'),

+ array('foobar', 5, 'axqPW34'),

+ );

+ }

+

+ /**

+ * @dataProvider data_helper_encode64

+ */

+ public function test_helper_encode64($input, $length, $output)

+ {

+ $return = $this->driver_helper->hash_encode64($input, $length);

+ $this->assertEquals($output, $return);

+ }

+

+ public function data_get_random_salt()

+ {

+ return array(

+ array(24, false),

+ array(24, '/dev/foobar'),

+ );

+ }

+

+ /**

+ * @dataProvider data_get_random_salt

+ */

+ public function test_get_random_salt($length, $rand_seed)

+ {

+ $rand_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed);

+ $start = microtime(true);

+

+ // Run each test for max. 1 second

+ while ((microtime(true) - $start) < 1)

+ {

+ $urandom_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed);

+ $this->assertEquals($length, strlen($urandom_string));

+ $this->assertNotEquals($rand_string, $urandom_string);

+ }

+ }

+

+ public function test_get_hash_settings_salted_md5()

+ {

+ $settings = $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings('$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1');

+ $this->assertEquals(array(

+ 'count' => pow(2, 11),

+ 'salt' => 'isfrtKXW',

+ 'full' => '$H$9isfrtKXW',

+ ),

+ $settings

+ );

+ $this->assertEquals(false, $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings(false));

+ }

+}

+<?php

+/**

+*

+* @package testing

+* @copyright (c) 2013 phpBB Group

+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2

+*

+*/

+

+class phpbb_passwords_manager_test extends PHPUnit_Framework_TestCase

+{

+ protected $passwords_drivers;

+

+ protected $pw_characters = '0123456789abcdefghijklmnopqrstuvwyzABCDEFGHIJKLMNOPQRSTUVXYZ.,_!?/\\';

+

+ protected $default_pw = 'foobar';

+

+ public function setUp()

+ {

+ // Prepare dependencies for manager and driver

+ $config = new \phpbb\config\config(array());

+ $this->driver_helper = new \phpbb\passwords\driver\helper($config);

+

+ $this->passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),

+ );

+

+ $this->helper = new \phpbb\passwords\helper;

+ // Set up passwords manager

+ $this->manager = new \phpbb\passwords\manager($config, $this->passwords_drivers, $this->helper, array_keys($this->passwords_drivers));

+ }

+

+ public function hash_password_data()

+ {

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ return array(

+ array('', '2a', 60),

+ array('passwords.driver.bcrypt_2y', '2a', 60),

+ array('passwords.driver.bcrypt', '2a', 60),

+ array('passwords.driver.salted_md5', 'H', 34),

+ array('passwords.driver.foobar', '', false),

+ );

+ }

+ else

+ {

+ return array(

+ array('', '2y', 60),

+ array('passwords.driver.bcrypt_2y', '2y', 60),

+ array('passwords.driver.bcrypt', '2a', 60),

+ array('passwords.driver.salted_md5', 'H', 34),

+ array('passwords.driver.foobar', '', false),

+ );

+ }

+ }

+

+ /**

+ * @dataProvider hash_password_data

+ */

+ public function test_hash_password($type, $prefix, $length)

+ {

+ $password = $this->default_pw;

+

+ if (!$length)

+ {

+ $this->assertEquals(false, $hash = $this->manager->hash($password, $type));

+ return;

+ }

+ $time = microtime(true);

+

+ // Limit each test to 1 second

+ while ((microtime(true) - $time) < 1)

+ {

+ $hash = $this->manager->hash($password, $type);

+ preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);

+ $this->assertEquals($prefix, $match[1]);

+ $this->assertEquals($length, strlen($hash));

+ $password .= $this->pw_characters[mt_rand(0, 66)];

+ }

+ }

+

+ public function check_password_data()

+ {

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ return array(

+ array('passwords.driver.bcrypt'),

+ array('passwords.driver.salted_md5'),

+ array('passwords.driver.phpass'),

+ );

+ }

+ else

+ {

+ return array(

+ array('passwords.driver.bcrypt_2y'),

+ array('passwords.driver.bcrypt'),

+ array('passwords.driver.salted_md5'),

+ array('passwords.driver.phpass'),

+ );

+ }

+ }

+

+ /**

+ * @dataProvider check_password_data

+ */

+ public function test_check_password($hash_type)

+ {

+ $password = $this->default_pw;

+ $time = microtime(true);

+ // Limit each test to 1 second

+ while ((microtime(true) - $time) < 1)

+ {

+ $hash = $this->manager->hash($password, $hash_type);

+ $this->assertEquals(true, $this->manager->check($password, $hash));

+ $password .= $this->pw_characters[mt_rand(0, 66)];

+ $this->assertEquals(false, $this->manager->check($password, $hash));

+ }

+

+ // Check if convert_flag is correctly set

+ $default_type = (version_compare(PHP_VERSION, '5.3.7', '<')) ? 'passwords.driver.bcrypt' : 'passwords.driver.bcrypt_2y';

+ $this->assertEquals(($hash_type !== $default_type), $this->manager->convert_flag);

+ }

+

+

+ public function check_hash_exceptions_data()

+ {

+ return array(

+ array('foobar', '3858f62230ac3c915f300c664312c63f', true),

+ array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false),

+ array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false),

+ array('foobar', '$H$kklk938d023k//k3023', false),

+ array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false),

+ array('foobar', '$2a$kwiweorurlaeirw', false),

+ );

+ }

+

+ /**

+ * @dataProvider check_hash_exceptions_data

+ */

+ public function test_check_hash_exceptions($password, $hash, $expected)

+ {

+ $this->assertEquals($expected, $this->manager->check($password, $hash));

+ }

+

+ public function data_hash_password_length()

+ {

+ return array(

+ array('passwords.driver.bcrypt', false),

+ array('passwords.driver.bcrypt_2y', false),

+ array('passwords.driver.salted_md5', '3858f62230ac3c915f300c664312c63f'),

+ array('passwords.driver.phpass', '3858f62230ac3c915f300c664312c63f'),

+ );

+ }

+

+ /**

+ * @dataProvider data_hash_password_length

+ */

+ public function test_hash_password_length($driver, $expected)

+ {

+ $this->assertEquals($expected, $this->passwords_drivers[$driver]->hash('foobar', 'foobar'));

+ }

+

+ public function test_hash_password_8bit_bcrypt()

+ {

+ $this->assertEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt'));

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ $this->assertEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt_2y'));

+ }

+ else

+ {

+ $this->assertNotEquals(false, $this->manager->hash('foobar𝄞', 'passwords.driver.bcrypt_2y'));

+ }

+ }

+

+ public function test_combined_hash_data()

+ {

+ if (version_compare(PHP_VERSION, '5.3.7', '<'))

+ {

+ return array(

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.bcrypt'),

+ ),

+ array(

+ 'passwords.driver.phpass',

+ array('passwords.driver.salted_md5'),

+ ),

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.phpass', 'passwords.driver.bcrypt'),

+ ),

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.salted_md5'),

+ false,

+ ),

+ array(

+ '$H$',

+ array('$2a$'),

+ ),

+ );

+ }

+ else

+ {

+ return array(

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.bcrypt_2y'),

+ ),

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.bcrypt'),

+ ),

+ array(

+ 'passwords.driver.phpass',

+ array('passwords.driver.salted_md5'),

+ ),

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.bcrypt_2y', 'passwords.driver.bcrypt'),

+ ),

+ array(

+ 'passwords.driver.salted_md5',

+ array('passwords.driver.salted_md5'),

+ false,

+ ),

+ array(

+ 'passwords.driver.bcrypt_2y',

+ array('passwords.driver.salted_md4'),

+ false,

+ ),

+ array(

+ '$H$',

+ array('$2y$'),

+ ),

+ );

+ }

+ }

+

+ /**

+ * @dataProvider test_combined_hash_data

+ */

+ public function test_combined_hash_password($first_type, $second_type, $expected = true)

+ {

+ $password = $this->default_pw;

+ $time = microtime(true);

+ // Limit each test to 1 second

+ while ((microtime(true) - $time) < 1)

+ {

+ $hash = $this->manager->hash($password, $first_type);

+ $combined_hash = $this->manager->hash($hash, $second_type);

+ $this->assertEquals($expected, $this->manager->check($password, $combined_hash));

+ $password .= $this->pw_characters[mt_rand(0, 66)];

+ $this->assertEquals(false, $this->manager->check($password, $combined_hash));

+

+ // If we are expecting the check to fail then there is

+ // no need to run this more than once

+ if (!$expected)

+ {

+ break;

+ }

+ }

+ }

+

+ public function test_unique_id()

+ {

+ $time = microtime(true);

+ $first_id = $this->driver_helper->unique_id();

+ // Limit test to 1 second

+ while ((microtime(true) - $time) < 1)

+ {

+ $this->assertNotEquals($first_id, $this->driver_helper->unique_id());

+ }

+ }

+

+ public function test_check_hash_with_large_input()

+ {

+ // 16 MB password, should be rejected quite fast

+ $start_time = time();

+ $this->assertFalse($this->manager->check(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));

+ $this->assertLessThanOrEqual(5, time() - $start_time);

+ }

+

+ public function test_hash_password_with_large_input()

+ {

+ // 16 MB password, should be rejected quite fast

+ $start_time = time();

+ $this->assertFalse($this->manager->hash(str_repeat('a', 1024 * 1024 * 16)));

+ $this->assertLessThanOrEqual(5, time() - $start_time);

+ }

+}

+ public function setUp()

+ {

+ global $phpbb_container;

+

+ $config = new \phpbb\config\config(array());

+ $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface');

+ $driver_helper = new \phpbb\passwords\driver\helper($config);

+ $passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),

+ );

+

+ $passwords_helper = new \phpbb\passwords\helper;

+ // Set up passwords manager

+ $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));

+

+ $phpbb_container

+ ->expects($this->any())

+ ->method('get')

+ ->with('passwords.manager')

+ ->will($this->returnValue($passwords_manager));

+ }

+

+ $passwords_manager = $this->get_passwords_manager();

+ 'user_password' => $passwords_manager->hash($username . $username),

+

+ /**

+ * Return a passwords manager instance

+ *

+ * @return phpbb\passwords\manager

+ */

+ public function get_passwords_manager()

+ {

+ // Prepare dependencies for manager and driver

+ $config = new \phpbb\config\config(array());

+ $driver_helper = new \phpbb\passwords\driver\helper($config);

+

+ $passwords_drivers = array(

+ 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper),

+ 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper),

+ 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper),

+ 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper),

+ );

+

+ $passwords_helper = new \phpbb\passwords\helper;

+ // Set up passwords manager

+ $manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers));

+

+ return $manager;

+ }