diff options
| author | Tristan Darricau <github@nicofuma.fr> | 2016-12-03 14:07:56 +0100 |
|---|---|---|
| committer | Tristan Darricau <github@nicofuma.fr> | 2016-12-03 14:07:56 +0100 |
| commit | 487df8befc9477c742b2794593c2ddb290c1c678 (patch) | |
| tree | 7e04e7c2a5bcdcc1a7e19327669ec5ec52a57e88 /phpBB/phpbb/passwords | |
| parent | 48db9cbcf035001a9a39e88973d297104e89bbcb (diff) | |
| parent | 380be9f1fd713dbcee91f12f18060d6b3ff4819e (diff) | |
| download | forums-487df8befc9477c742b2794593c2ddb290c1c678.tar forums-487df8befc9477c742b2794593c2ddb290c1c678.tar.gz forums-487df8befc9477c742b2794593c2ddb290c1c678.tar.bz2 forums-487df8befc9477c742b2794593c2ddb290c1c678.tar.xz forums-487df8befc9477c742b2794593c2ddb290c1c678.zip | |
Merge pull request #4405 from marc1706/ticket/14733
[ticket/14733] Support increasing hashing cost factor
* marc1706/ticket/14733:
[ticket/14733] Make sure detect_algorithm() works correctly and add tests
[ticket/14733] Extend passwords driver_interface in rehashable_driver_interface
[ticket/14733] Use new interface to preserve backwards compatibility
[ticket/14733] Use default cost factor in bcrypt constructor
[ticket/14733] Support increasing hashing cost factor
Diffstat (limited to 'phpBB/phpbb/passwords')
| -rw-r--r-- | phpBB/phpbb/passwords/driver/base.php | 12 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt.php | 32 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/rehashable_driver_interface.php | 25 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/manager.php | 11 |
4 files changed, 75 insertions, 5 deletions
diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php index fd07a61bf4..0997b5b700 100644 --- a/phpBB/phpbb/passwords/driver/base.php +++ b/phpBB/phpbb/passwords/driver/base.php @@ -13,7 +13,7 @@ namespace phpbb\passwords\driver; -abstract class base implements driver_interface +abstract class base implements rehashable_driver_interface { /** @var \phpbb\config\config */ protected $config; @@ -21,7 +21,7 @@ abstract class base implements driver_interface /** @var \phpbb\passwords\driver\helper */ protected $helper; - /** @var driver name */ + /** @var string Driver name */ protected $name; /** @@ -53,6 +53,14 @@ abstract class base implements driver_interface } /** + * {@inheritdoc} + */ + public function needs_rehash($hash) + { + return false; + } + + /** * {@inheritdoc} */ public function get_settings_only($hash, $full = false) diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php index eab1c3d569..eb1aeeeb76 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt.php +++ b/phpBB/phpbb/passwords/driver/bcrypt.php @@ -17,6 +17,24 @@ class bcrypt extends base { const PREFIX = '$2a$'; + /** @var int Hashing cost factor */ + protected $cost_factor; + + /** + * Constructor of passwords driver object + * + * @param \phpbb\config\config $config phpBB config + * @param \phpbb\passwords\driver\helper $helper Password driver helper + * @param int $cost_factor Hashing cost factor (optional) + */ + public function __construct(\phpbb\config\config $config, helper $helper, $cost_factor = 10) + { + parent::__construct($config, $helper); + + // Don't allow cost factor to be below default setting + $this->cost_factor = max(10, $cost_factor); + } + /** * {@inheritdoc} */ @@ -26,6 +44,18 @@ class bcrypt extends base } /** + * {@inheritdoc} + */ + public function needs_rehash($hash) + { + preg_match('/^' . preg_quote($this->get_prefix()) . '([0-9]+)\$/', $hash, $matches); + + list(, $cost_factor) = $matches; + + return empty($cost_factor) || $this->cost_factor !== intval($cost_factor); + } + + /** * {@inheritdoc} */ public function hash($password, $salt = '') @@ -46,7 +76,7 @@ class bcrypt extends base if ($salt == '') { - $salt = $prefix . '10$' . $this->get_random_salt(); + $salt = $prefix . $this->cost_factor . '$' . $this->get_random_salt(); } $hash = crypt($password, $salt); diff --git a/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php b/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php new file mode 100644 index 0000000000..ca30748502 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php @@ -0,0 +1,25 @@ +<?php +/** +* +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\passwords\driver; + +interface rehashable_driver_interface extends driver_interface +{ + /** + * Check if password needs to be rehashed + * + * @param string $hash Hash to check for rehash + * @return bool True if password needs to be rehashed, false if not + */ + public function needs_rehash($hash); +} diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index b2caba81f2..fad76a9fe5 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -174,7 +174,7 @@ class manager // Be on the lookout for multiple hashing algorithms // 2 is correct: H\2a > 2, H\P > 2 - if (strlen($match[1]) > 2) + if (strlen($match[1]) > 2 && strpos($match[1], '\\') !== false) { $hash_types = explode('\\', $match[1]); $return_ary = array(); @@ -297,7 +297,14 @@ class manager } else { - $this->convert_flag = false; + if ($stored_hash_type instanceof driver\rehashable_driver_interface) + { + $this->convert_flag = $stored_hash_type->needs_rehash($hash); + } + else + { + $this->convert_flag = false; + } } // Check all legacy hash types if prefix is $CP$ |