diff options
39 files changed, 1846 insertions, 236 deletions
diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index e1c289334e..43648b4ad3 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -10,6 +10,7 @@ services: arguments: - @dbal.conn - @config + - @passwords.manager - @request - @user - %core.root_path% @@ -21,6 +22,7 @@ services: arguments: - @dbal.conn - @config + - @passwords.manager - @request - @user - %core.root_path% @@ -32,6 +34,7 @@ services: arguments: - @dbal.conn - @config + - @passwords.manager - @user tags: - { name: auth.provider } diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml new file mode 100644 index 0000000000..9e249a2c12 --- /dev/null +++ b/phpBB/config/passwords.yml @@ -0,0 +1,62 @@ +parameters: + passwords.algorithms: + - passwords.driver.bcrypt_2y + - passwords.driver.bcrypt + - passwords.driver.salted_md5 + - passwords.driver.phpass + +services: + passwords.driver.bcrypt: + class: phpbb\passwords\driver\bcrypt + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + + passwords.driver.bcrypt_2y: + class: phpbb\passwords\driver\bcrypt_2y + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + + passwords.driver.salted_md5: + class: phpbb\passwords\driver\salted_md5 + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + + passwords.driver.phpass: + class: phpbb\passwords\driver\phpass + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + + passwords.driver_collection: + class: phpbb\di\service_collection + arguments: + - @service_container + tags: + - { name: service_collection, tag: passwords.driver } + + passwords.driver_helper: + class: phpbb\passwords\driver\helper + arguments: + - @config + + passwords.manager: + class: phpbb\passwords\manager + arguments: + - @config + - @passwords.driver_collection + - @passwords.helper + - %passwords.algorithms% + + passwords.helper: + class: phpbb\passwords\helper diff --git a/phpBB/config/services.yml b/phpBB/config/services.yml index c11184d6b6..8f7a7676ad 100644 --- a/phpBB/config/services.yml +++ b/phpBB/config/services.yml @@ -8,6 +8,7 @@ imports: - { resource: auth_providers.yml } - { resource: console.yml } - { resource: mimetype_guessers.yml } + - { resource: passwords.yml } services: acl.permissions: diff --git a/phpBB/includes/acp/acp_forums.php b/phpBB/includes/acp/acp_forums.php index 029f4b23c9..a1af8c489d 100644 --- a/phpBB/includes/acp/acp_forums.php +++ b/phpBB/includes/acp/acp_forums.php @@ -926,7 +926,7 @@ class acp_forums */ function update_forum_data(&$forum_data) { - global $db, $user, $cache, $phpbb_root_path, $phpbb_dispatcher; + global $db, $user, $cache, $phpbb_root_path, $phpbb_container, $phpbb_dispatcher; $errors = array(); @@ -1030,7 +1030,10 @@ class acp_forums } else { - $forum_data_sql['forum_password'] = phpbb_hash($forum_data_sql['forum_password']); + // Instantiate passwords manager + $passwords_manager = $phpbb_container->get('passwords.manager'); + + $forum_data_sql['forum_password'] = $passwords_manager->hash($forum_data_sql['forum_password']); } unset($forum_data_sql['forum_password_unset']); diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index b24adfc586..d77152e0cf 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -824,9 +824,12 @@ class acp_users $error[] = 'FORM_INVALID'; } + // Instantiate passwords manager + $passwords_manager = $phpbb_container->get('passwords.manager'); + // Which updates do we need to do? $update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false; - $update_password = ($data['new_password'] && !phpbb_check_hash($data['new_password'], $user_row['user_password'])) ? true : false; + $update_password = $data['new_password'] && !$passwords_manager->check($data['new_password'], $user_row['user_password']); $update_email = ($data['email'] != $user_row['user_email']) ? $data['email'] : false; if (!sizeof($error)) @@ -910,7 +913,7 @@ class acp_users if ($update_password) { $sql_ary += array( - 'user_password' => phpbb_hash($data['new_password']), + 'user_password' => $passwords_manager->hash($data['new_password']), 'user_passchg' => time(), 'user_pass_convert' => 0, ); diff --git a/phpBB/includes/db/schema_data.php b/phpBB/includes/db/schema_data.php index 69d39e0f8c..e3e37f4c42 100644 --- a/phpBB/includes/db/schema_data.php +++ b/phpBB/includes/db/schema_data.php @@ -318,7 +318,7 @@ $schema_data['phpbb_forums'] = array( 'forum_desc_options' => array('UINT:11', 7), 'forum_desc_uid' => array('VCHAR:8', ''), 'forum_link' => array('VCHAR_UNI', ''), - 'forum_password' => array('VCHAR_UNI:40', ''), + 'forum_password' => array('VCHAR_UNI', ''), 'forum_style' => array('UINT', 0), 'forum_image' => array('VCHAR', ''), 'forum_rules' => array('TEXT_UNI', ''), @@ -1112,7 +1112,7 @@ $schema_data['phpbb_users'] = array( 'user_regdate' => array('TIMESTAMP', 0), 'username' => array('VCHAR_CI', ''), 'username_clean' => array('VCHAR_CI', ''), - 'user_password' => array('VCHAR_UNI:40', ''), + 'user_password' => array('VCHAR_UNI', ''), 'user_passchg' => array('TIMESTAMP', 0), 'user_pass_convert' => array('BOOL', 0), 'user_email' => array('VCHAR_UNI:100', ''), diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 916c3799c2..689a682de3 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -368,73 +368,27 @@ function still_on_time($extra_time = 15) } /** +* Hash the password * -* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier) -* -* Portable PHP password hashing framework. -* -* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in -* the public domain. -* -* There's absolutely no warranty. -* -* The homepage URL for this framework is: -* -* http://www.openwall.com/phpass/ -* -* Please be sure to update the Version line if you edit this file in any way. -* It is suggested that you leave the main version number intact, but indicate -* your project name (after the slash) and add your own revision information. -* -* Please do not change the "private" password hashing method implemented in -* here, thereby making your hashes incompatible. However, if you must, please -* change the hash type identifier (the "$P$") to something different. -* -* Obviously, since this code is in the public domain, the above are not -* requirements (there can be none), but merely suggestions. +* @deprecated 3.1.0-a2 (To be removed: 3.3.0) * +* @param string $password Password to be hashed * -* Hash the password +* @return string|bool Password hash or false if something went wrong during hashing */ function phpbb_hash($password) { - $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - - $random_state = unique_id(); - $random = ''; - $count = 6; - - if (($fh = @fopen('/dev/urandom', 'rb'))) - { - $random = fread($fh, $count); - fclose($fh); - } - - if (strlen($random) < $count) - { - $random = ''; - - for ($i = 0; $i < $count; $i += 16) - { - $random_state = md5(unique_id() . $random_state); - $random .= pack('H*', md5($random_state)); - } - $random = substr($random, 0, $count); - } - - $hash = _hash_crypt_private($password, _hash_gensalt_private($random, $itoa64), $itoa64); - - if (strlen($hash) == 34) - { - return $hash; - } + global $phpbb_container; - return md5($password); + $passwords_manager = $phpbb_container->get('passwords.manager'); + return $passwords_manager->hash($password); } /** * Check for correct password * +* @deprecated 3.1.0-a2 (To be removed: 3.3.0) +* * @param string $password The password in plain text * @param string $hash The stored password hash * @@ -442,130 +396,10 @@ function phpbb_hash($password) */ function phpbb_check_hash($password, $hash) { - if (strlen($password) > 4096) - { - // If the password is too huge, we will simply reject it - // and not let the server try to hash it. - return false; - } - - $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - if (strlen($hash) == 34) - { - return (_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false; - } + global $phpbb_container; - return (md5($password) === $hash) ? true : false; -} - -/** -* Generate salt for hash generation -*/ -function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6) -{ - if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) - { - $iteration_count_log2 = 8; - } - - $output = '$H$'; - $output .= $itoa64[min($iteration_count_log2 + 5, 30)]; - $output .= _hash_encode64($input, 6, $itoa64); - - return $output; -} - -/** -* Encode hash -*/ -function _hash_encode64($input, $count, &$itoa64) -{ - $output = ''; - $i = 0; - - do - { - $value = ord($input[$i++]); - $output .= $itoa64[$value & 0x3f]; - - if ($i < $count) - { - $value |= ord($input[$i]) << 8; - } - - $output .= $itoa64[($value >> 6) & 0x3f]; - - if ($i++ >= $count) - { - break; - } - - if ($i < $count) - { - $value |= ord($input[$i]) << 16; - } - - $output .= $itoa64[($value >> 12) & 0x3f]; - - if ($i++ >= $count) - { - break; - } - - $output .= $itoa64[($value >> 18) & 0x3f]; - } - while ($i < $count); - - return $output; -} - -/** -* The crypt function/replacement -*/ -function _hash_crypt_private($password, $setting, &$itoa64) -{ - $output = '*'; - - // Check for correct hash - if (substr($setting, 0, 3) != '$H$' && substr($setting, 0, 3) != '$P$') - { - return $output; - } - - $count_log2 = strpos($itoa64, $setting[3]); - - if ($count_log2 < 7 || $count_log2 > 30) - { - return $output; - } - - $count = 1 << $count_log2; - $salt = substr($setting, 4, 8); - - if (strlen($salt) != 8) - { - return $output; - } - - /** - * We're kind of forced to use MD5 here since it's the only - * cryptographic primitive available in all versions of PHP - * currently in use. To implement our own low-level crypto - * in PHP would result in much worse performance and - * consequently in lower iteration counts and hashes that are - * quicker to crack (by non-PHP code). - */ - $hash = md5($salt . $password, true); - do - { - $hash = md5($hash . $password, true); - } - while (--$count); - - $output = substr($setting, 0, 12); - $output .= _hash_encode64($hash, 16, $itoa64); - - return $output; + $passwords_manager = $phpbb_container->get('passwords.manager'); + return $passwords_manager->check($password, $hash); } /** @@ -3206,9 +3040,9 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa */ function login_forum_box($forum_data) { - global $db, $config, $user, $template, $phpEx; + global $db, $phpbb_container, $request, $template, $user; - $password = request_var('password', '', true); + $password = $request->variable('password', '', true); $sql = 'SELECT forum_id FROM ' . FORUMS_ACCESS_TABLE . ' @@ -3249,7 +3083,9 @@ function login_forum_box($forum_data) } $db->sql_freeresult($result); - if (phpbb_check_hash($password, $forum_data['forum_password'])) + $passwords_manager = $phpbb_container->get('passwords.manager'); + + if ($passwords_manager->check($password, $forum_data['forum_password'])) { $sql_ary = array( 'forum_id' => (int) $forum_data['forum_id'], diff --git a/phpBB/includes/ucp/ucp_profile.php b/phpBB/includes/ucp/ucp_profile.php index 2252b2ea17..f509353683 100644 --- a/phpBB/includes/ucp/ucp_profile.php +++ b/phpBB/includes/ucp/ucp_profile.php @@ -82,13 +82,16 @@ class ucp_profile $error[] = ($data['password_confirm']) ? 'NEW_PASSWORD_ERROR' : 'NEW_PASSWORD_CONFIRM_EMPTY'; } + // Instantiate passwords manager + $passwords_manager = $phpbb_container->get('passwords.manager'); + // Only check the new password against the previous password if there have been no errors - if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && phpbb_check_hash($data['new_password'], $user->data['user_password'])) + if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && $passwords_manager->check($data['new_password'], $user->data['user_password'])) { $error[] = 'SAME_PASSWORD_ERROR'; } - if (!phpbb_check_hash($data['cur_password'], $user->data['user_password'])) + if (!$passwords_manager->check($data['cur_password'], $user->data['user_password'])) { $error[] = ($data['cur_password']) ? 'CUR_PASSWORD_ERROR' : 'CUR_PASSWORD_EMPTY'; } @@ -105,7 +108,7 @@ class ucp_profile 'username_clean' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? utf8_clean_string($data['username']) : $user->data['username_clean'], 'user_email' => ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'], 'user_email_hash' => ($auth->acl_get('u_chgemail')) ? phpbb_email_hash($data['email']) : $user->data['user_email_hash'], - 'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? phpbb_hash($data['new_password']) : $user->data['user_password'], + 'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? $passwords_manager->hash($data['new_password']) : $user->data['user_password'], 'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0, ); @@ -114,7 +117,7 @@ class ucp_profile add_log('user', $user->data['user_id'], 'LOG_USER_UPDATE_NAME', $user->data['username'], $data['username']); } - if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !phpbb_check_hash($data['new_password'], $user->data['user_password'])) + if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !$passwords_manager->check($data['new_password'], $user->data['user_password'])) { $user->reset_login_keys(); add_log('user', $user->data['user_id'], 'LOG_USER_NEW_PASSWORD', $data['username']); diff --git a/phpBB/includes/ucp/ucp_register.php b/phpBB/includes/ucp/ucp_register.php index 1641c6eef1..19068bae8a 100644 --- a/phpBB/includes/ucp/ucp_register.php +++ b/phpBB/includes/ucp/ucp_register.php @@ -294,9 +294,12 @@ class ucp_register $user_inactive_time = 0; } + // Instantiate passwords manager + $passwords_manager = $phpbb_container->get('passwords.manager'); + $user_row = array( 'username' => $data['username'], - 'user_password' => phpbb_hash($data['new_password']), + 'user_password' => $passwords_manager->hash($data['new_password']), 'user_email' => $data['email'], 'group_id' => (int) $group_id, 'user_timezone' => $data['tz'], diff --git a/phpBB/includes/ucp/ucp_remind.php b/phpBB/includes/ucp/ucp_remind.php index b3def63896..44395abb44 100644 --- a/phpBB/includes/ucp/ucp_remind.php +++ b/phpBB/includes/ucp/ucp_remind.php @@ -27,7 +27,7 @@ class ucp_remind function main($id, $mode) { global $config, $phpbb_root_path, $phpEx; - global $db, $user, $auth, $template; + global $db, $user, $auth, $template, $phpbb_container;; if (!$config['allow_password_reset']) { @@ -88,8 +88,11 @@ class ucp_remind // For the activation key a random length between 6 and 10 will do. $user_actkey = gen_rand_string(mt_rand(6, 10)); + // Instantiate passwords manager + $passwords_manager = $phpbb_container->get('passwords.manager'); + $sql = 'UPDATE ' . USERS_TABLE . " - SET user_newpasswd = '" . $db->sql_escape(phpbb_hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "' + SET user_newpasswd = '" . $db->sql_escape($passwords_manager->hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "' WHERE user_id = " . $user_row['user_id']; $db->sql_query($sql); diff --git a/phpBB/install/schemas/firebird_schema.sql b/phpBB/install/schemas/firebird_schema.sql index 6c6aca447d..9cf6d877ad 100644 --- a/phpBB/install/schemas/firebird_schema.sql +++ b/phpBB/install/schemas/firebird_schema.sql @@ -361,7 +361,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options INTEGER DEFAULT 7 NOT NULL, forum_desc_uid VARCHAR(8) CHARACTER SET NONE DEFAULT '' NOT NULL, forum_link VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, - forum_password VARCHAR(40) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, + forum_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, forum_style INTEGER DEFAULT 0 NOT NULL, forum_image VARCHAR(255) CHARACTER SET NONE DEFAULT '' NOT NULL, forum_rules BLOB SUB_TYPE TEXT CHARACTER SET UTF8 DEFAULT '' NOT NULL, @@ -1365,7 +1365,7 @@ CREATE TABLE phpbb_users ( user_regdate INTEGER DEFAULT 0 NOT NULL, username VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, username_clean VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, - user_password VARCHAR(40) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, + user_password VARCHAR(255) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, user_passchg INTEGER DEFAULT 0 NOT NULL, user_pass_convert INTEGER DEFAULT 0 NOT NULL, user_email VARCHAR(100) CHARACTER SET UTF8 DEFAULT '' NOT NULL COLLATE UNICODE, diff --git a/phpBB/install/schemas/mssql_schema.sql b/phpBB/install/schemas/mssql_schema.sql index 49804bdcc0..644b50cbda 100644 --- a/phpBB/install/schemas/mssql_schema.sql +++ b/phpBB/install/schemas/mssql_schema.sql @@ -448,7 +448,7 @@ CREATE TABLE [phpbb_forums] ( [forum_desc_options] [int] DEFAULT (7) NOT NULL , [forum_desc_uid] [varchar] (8) DEFAULT ('') NOT NULL , [forum_link] [varchar] (255) DEFAULT ('') NOT NULL , - [forum_password] [varchar] (40) DEFAULT ('') NOT NULL , + [forum_password] [varchar] (255) DEFAULT ('') NOT NULL , [forum_style] [int] DEFAULT (0) NOT NULL , [forum_image] [varchar] (255) DEFAULT ('') NOT NULL , [forum_rules] [varchar] (4000) DEFAULT ('') NOT NULL , @@ -1681,7 +1681,7 @@ CREATE TABLE [phpbb_users] ( [user_regdate] [int] DEFAULT (0) NOT NULL , [username] [varchar] (255) DEFAULT ('') NOT NULL , [username_clean] [varchar] (255) DEFAULT ('') NOT NULL , - [user_password] [varchar] (40) DEFAULT ('') NOT NULL , + [user_password] [varchar] (255) DEFAULT ('') NOT NULL , [user_passchg] [int] DEFAULT (0) NOT NULL , [user_pass_convert] [int] DEFAULT (0) NOT NULL , [user_email] [varchar] (100) DEFAULT ('') NOT NULL , diff --git a/phpBB/install/schemas/mysql_40_schema.sql b/phpBB/install/schemas/mysql_40_schema.sql index e287e7dde1..fc8bb769d4 100644 --- a/phpBB/install/schemas/mysql_40_schema.sql +++ b/phpBB/install/schemas/mysql_40_schema.sql @@ -246,7 +246,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options int(11) UNSIGNED DEFAULT '7' NOT NULL, forum_desc_uid varbinary(8) DEFAULT '' NOT NULL, forum_link blob NOT NULL, - forum_password varbinary(120) DEFAULT '' NOT NULL, + forum_password blob DEFAULT '' NOT NULL, forum_style mediumint(8) UNSIGNED DEFAULT '0' NOT NULL, forum_image varbinary(255) DEFAULT '' NOT NULL, forum_rules blob NOT NULL, @@ -974,7 +974,7 @@ CREATE TABLE phpbb_users ( user_regdate int(11) UNSIGNED DEFAULT '0' NOT NULL, username blob NOT NULL, username_clean blob NOT NULL, - user_password varbinary(120) DEFAULT '' NOT NULL, + user_password blob DEFAULT '' NOT NULL, user_passchg int(11) UNSIGNED DEFAULT '0' NOT NULL, user_pass_convert tinyint(1) UNSIGNED DEFAULT '0' NOT NULL, user_email blob NOT NULL, diff --git a/phpBB/install/schemas/mysql_41_schema.sql b/phpBB/install/schemas/mysql_41_schema.sql index 870fbd05e4..60f3dd4c68 100644 --- a/phpBB/install/schemas/mysql_41_schema.sql +++ b/phpBB/install/schemas/mysql_41_schema.sql @@ -246,7 +246,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options int(11) UNSIGNED DEFAULT '7' NOT NULL, forum_desc_uid varchar(8) DEFAULT '' NOT NULL, forum_link varchar(255) DEFAULT '' NOT NULL, - forum_password varchar(40) DEFAULT '' NOT NULL, + forum_password varchar(255) DEFAULT '' NOT NULL, forum_style mediumint(8) UNSIGNED DEFAULT '0' NOT NULL, forum_image varchar(255) DEFAULT '' NOT NULL, forum_rules text NOT NULL, @@ -974,7 +974,7 @@ CREATE TABLE phpbb_users ( user_regdate int(11) UNSIGNED DEFAULT '0' NOT NULL, username varchar(255) DEFAULT '' NOT NULL, username_clean varchar(255) DEFAULT '' NOT NULL, - user_password varchar(40) DEFAULT '' NOT NULL, + user_password varchar(255) DEFAULT '' NOT NULL, user_passchg int(11) UNSIGNED DEFAULT '0' NOT NULL, user_pass_convert tinyint(1) UNSIGNED DEFAULT '0' NOT NULL, user_email varchar(100) DEFAULT '' NOT NULL, diff --git a/phpBB/install/schemas/oracle_schema.sql b/phpBB/install/schemas/oracle_schema.sql index 5354e5b1bb..af3ff02f8d 100644 --- a/phpBB/install/schemas/oracle_schema.sql +++ b/phpBB/install/schemas/oracle_schema.sql @@ -509,7 +509,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options number(11) DEFAULT '7' NOT NULL, forum_desc_uid varchar2(8) DEFAULT '' , forum_link varchar2(765) DEFAULT '' , - forum_password varchar2(120) DEFAULT '' , + forum_password varchar2(255) DEFAULT '' , forum_style number(8) DEFAULT '0' NOT NULL, forum_image varchar2(255) DEFAULT '' , forum_rules clob DEFAULT '' , @@ -986,7 +986,7 @@ CREATE TABLE phpbb_poll_votes ( topic_id number(8) DEFAULT '0' NOT NULL, poll_option_id number(4) DEFAULT '0' NOT NULL, vote_user_id number(8) DEFAULT '0' NOT NULL, - vote_user_ip varchar2(40) DEFAULT '' + vote_user_ip varchar2(40) DEFAULT '' ) / @@ -1798,7 +1798,7 @@ CREATE TABLE phpbb_users ( user_regdate number(11) DEFAULT '0' NOT NULL, username varchar2(255) DEFAULT '' , username_clean varchar2(255) DEFAULT '' , - user_password varchar2(120) DEFAULT '' , + user_password varchar2(255) DEFAULT '' , user_passchg number(11) DEFAULT '0' NOT NULL, user_pass_convert number(1) DEFAULT '0' NOT NULL, user_email varchar2(300) DEFAULT '' , diff --git a/phpBB/install/schemas/postgres_schema.sql b/phpBB/install/schemas/postgres_schema.sql index 7773602c16..6806639a35 100644 --- a/phpBB/install/schemas/postgres_schema.sql +++ b/phpBB/install/schemas/postgres_schema.sql @@ -384,7 +384,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options INT4 DEFAULT '7' NOT NULL CHECK (forum_desc_options >= 0), forum_desc_uid varchar(8) DEFAULT '' NOT NULL, forum_link varchar(255) DEFAULT '' NOT NULL, - forum_password varchar(40) DEFAULT '' NOT NULL, + forum_password varchar(255) DEFAULT '' NOT NULL, forum_style INT4 DEFAULT '0' NOT NULL CHECK (forum_style >= 0), forum_image varchar(255) DEFAULT '' NOT NULL, forum_rules varchar(4000) DEFAULT '' NOT NULL, @@ -1246,7 +1246,7 @@ CREATE TABLE phpbb_users ( user_regdate INT4 DEFAULT '0' NOT NULL CHECK (user_regdate >= 0), username varchar_ci DEFAULT '' NOT NULL, username_clean varchar_ci DEFAULT '' NOT NULL, - user_password varchar(40) DEFAULT '' NOT NULL, + user_password varchar(255) DEFAULT '' NOT NULL, user_passchg INT4 DEFAULT '0' NOT NULL CHECK (user_passchg >= 0), user_pass_convert INT2 DEFAULT '0' NOT NULL CHECK (user_pass_convert >= 0), user_email varchar(100) DEFAULT '' NOT NULL, diff --git a/phpBB/install/schemas/sqlite_schema.sql b/phpBB/install/schemas/sqlite_schema.sql index 079d48bc65..05262787c0 100644 --- a/phpBB/install/schemas/sqlite_schema.sql +++ b/phpBB/install/schemas/sqlite_schema.sql @@ -239,7 +239,7 @@ CREATE TABLE phpbb_forums ( forum_desc_options INTEGER UNSIGNED NOT NULL DEFAULT '7', forum_desc_uid varchar(8) NOT NULL DEFAULT '', forum_link varchar(255) NOT NULL DEFAULT '', - forum_password varchar(40) NOT NULL DEFAULT '', + forum_password varchar(255) NOT NULL DEFAULT '', forum_style INTEGER UNSIGNED NOT NULL DEFAULT '0', forum_image varchar(255) NOT NULL DEFAULT '', forum_rules text(65535) NOT NULL DEFAULT '', @@ -945,7 +945,7 @@ CREATE TABLE phpbb_users ( user_regdate INTEGER UNSIGNED NOT NULL DEFAULT '0', username varchar(255) NOT NULL DEFAULT '', username_clean varchar(255) NOT NULL DEFAULT '', - user_password varchar(40) NOT NULL DEFAULT '', + user_password varchar(255) NOT NULL DEFAULT '', user_passchg INTEGER UNSIGNED NOT NULL DEFAULT '0', user_pass_convert INTEGER UNSIGNED NOT NULL DEFAULT '0', user_email varchar(100) NOT NULL DEFAULT '', diff --git a/phpBB/phpbb/auth/provider/apache.php b/phpBB/phpbb/auth/provider/apache.php index 77bc976938..23cdc89829 100644 --- a/phpBB/phpbb/auth/provider/apache.php +++ b/phpBB/phpbb/auth/provider/apache.php @@ -17,19 +17,28 @@ namespace phpbb\auth\provider; class apache extends \phpbb\auth\provider\base { /** + * phpBB passwords manager + * + * @var \phpbb\passwords\manager + */ + protected $passwords_manager; + + /** * Apache Authentication Constructor * * @param \phpbb\db\driver\driver $db * @param \phpbb\config\config $config + * @param \phpbb\passwords\manager $passwords_manager * @param \phpbb\request\request $request * @param \phpbb\user $user * @param string $phpbb_root_path * @param string $php_ext */ - public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext) + public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext) { $this->db = $db; $this->config = $config; + $this->passwords_manager = $passwords_manager; $this->request = $request; $this->user = $user; $this->phpbb_root_path = $phpbb_root_path; @@ -220,7 +229,7 @@ class apache extends \phpbb\auth\provider\base // generate user account data return array( 'username' => $username, - 'user_password' => phpbb_hash($password), + 'user_password' => $this->passwords_manager->hash($password), 'user_email' => '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index 6ea04eab36..6bbbc0be16 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php @@ -18,21 +18,29 @@ namespace phpbb\auth\provider; */ class db extends \phpbb\auth\provider\base { + /** + * phpBB passwords manager + * + * @var \phpbb\passwords\manager + */ + protected $passwords_manager; /** * Database Authentication Constructor * - * @param \phpbb\db\driver\driver $db - * @param \phpbb\config\config $config - * @param \phpbb\request\request $request - * @param \phpbb\user $user - * @param string $phpbb_root_path - * @param string $php_ext + * @param \phpbb\db\driver\driver $db + * @param \phpbb\config\config $config + * @param \phpbb\passwords\manager $passwords_manager + * @param \phpbb\request\request $request + * @param \phpbb\user $user + * @param string $phpbb_root_path + * @param string $php_ext */ - public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext) + public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, $phpbb_root_path, $php_ext) { $this->db = $db; $this->config = $config; + $this->passwords_manager = $passwords_manager; $this->request = $request; $this->user = $user; $this->phpbb_root_path = $phpbb_root_path; @@ -191,10 +199,10 @@ class db extends \phpbb\auth\provider\base // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding // plain md5 support left in for conversions from other systems. - if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) + if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) { - $hash = phpbb_hash($password_new_format); + $hash = $this->passwords_manager->hash($password_new_format); // Update the password in the users table to the new format and remove user_pass_convert flag $sql = 'UPDATE ' . USERS_TABLE . ' @@ -226,12 +234,12 @@ class db extends \phpbb\auth\provider\base } // Check password ... - if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password'])) + if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password'])) { // Check for old password hash... - if (strlen($row['user_password']) == 32) + if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32) { - $hash = phpbb_hash($password); + $hash = $this->passwords_manager->hash($password); // Update the password in the users table to the new format $sql = 'UPDATE ' . USERS_TABLE . " diff --git a/phpBB/phpbb/auth/provider/ldap.php b/phpBB/phpbb/auth/provider/ldap.php index 4ce43853bd..e92a227e16 100644 --- a/phpBB/phpbb/auth/provider/ldap.php +++ b/phpBB/phpbb/auth/provider/ldap.php @@ -19,16 +19,25 @@ namespace phpbb\auth\provider; class ldap extends \phpbb\auth\provider\base { /** + * phpBB passwords manager + * + * @var \phpbb\passwords\manager + */ + protected $passwords_manager; + + /** * LDAP Authentication Constructor * - * @param \phpbb\db\driver\driver $db - * @param \phpbb\config\config $config - * @param \phpbb\user $user + * @param \phpbb\db\driver\driver $db + * @param \phpbb\config\config $config + * @param \phpbb\passwords\manager $passwords_manager + * @param \phpbb\user $user */ - public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\user $user) + public function __construct(\phpbb\db\driver\driver $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\user $user) { $this->db = $db; $this->config = $config; + $this->passwords_manager = $passwords_manager; $this->user = $user; } @@ -235,7 +244,7 @@ class ldap extends \phpbb\auth\provider\base // generate user account data $ldap_user_row = array( 'username' => $username, - 'user_password' => phpbb_hash($password), + 'user_password' => $this->passwords_manager->hash($password), 'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'])][0]) : '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, diff --git a/phpBB/phpbb/db/migration/data/v310/passwords.php b/phpBB/phpbb/db/migration/data/v310/passwords.php new file mode 100644 index 0000000000..3422f75917 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v310/passwords.php @@ -0,0 +1,46 @@ +<?php +/** +* +* @package migration +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-license.php GNU Public License v2 +* +*/ + +namespace phpbb\db\migration\data\v310; + +class passwords extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array('\phpbb\db\migration\data\v30x\release_3_0_11'); + } + + public function update_schema() + { + return array( + 'change_columns' => array( + $this->table_prefix . 'users' => array( + 'user_password' => array('VCHAR:255', ''), + ), + $this->table_prefix . 'forums' => array( + 'forum_password' => array('VCHAR:255', ''), + ), + ), + ); + } + + public function revert_schema() + { + return array( + 'change_columns' => array( + $this->table_prefix . 'users' => array( + 'user_password' => array('VCHAR:40', ''), + ), + $this->table_prefix . 'forums' => array( + 'forum_password' => array('VCHAR:40', ''), + ), + ), + ); + } +} diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php new file mode 100644 index 0000000000..8256fd721c --- /dev/null +++ b/phpBB/phpbb/passwords/driver/base.php @@ -0,0 +1,45 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +abstract class base implements driver_interface +{ + /** @var phpbb\config\config */ + protected $config; + + /** @var phpbb\passwords\driver\helper */ + protected $helper; + + /** @var driver name */ + protected $name; + + /** + * Constructor of passwords driver object + * + * @param \phpbb\config\config $config phpBB config + * @param \phpbb\passwords\driver\helper $helper Password driver helper + */ + public function __construct(\phpbb\config\config $config, helper $helper) + { + $this->config = $config; + $this->helper = $helper; + } + + /** + * @inheritdoc + */ + public function is_supported() + { + return true; + } +} diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php new file mode 100644 index 0000000000..1d1b1e267d --- /dev/null +++ b/phpBB/phpbb/passwords/driver/bcrypt.php @@ -0,0 +1,104 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +class bcrypt extends base +{ + const PREFIX = '$2a$'; + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } + + /** + * @inheritdoc + */ + public function hash($password, $salt = '') + { + // The 2x and 2y prefixes of bcrypt might not be supported + // Revert to 2a if this is the case + $prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix(); + + // Do not support 8-bit characters with $2a$ bcrypt + // Also see http://www.php.net/security/crypt_blowfish.php + if ($prefix === self::PREFIX) + { + if (ord($password[strlen($password)-1]) & 128) + { + return false; + } + } + + if ($salt == '') + { + $salt = $prefix . '10$' . $this->get_random_salt(); + } + + $hash = crypt($password, $salt); + if (strlen($hash) < 60) + { + return false; + } + return $hash; + } + + /** + * @inheritdoc + */ + public function check($password, $hash) + { + $salt = substr($hash, 0, 29); + if (strlen($salt) != 29) + { + return false; + } + + if ($hash == $this->hash($password, $salt)) + { + return true; + } + return false; + } + + /** + * Get a random salt value with a length of 22 characters + * + * @return string Salt for password hashing + */ + protected function get_random_salt() + { + return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22); + } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + if ($full) + { + $pos = stripos($hash, '$', 1) + 1; + $length = 22 + (strripos($hash, '$') + 1 - $pos); + } + else + { + $pos = strripos($hash, '$') + 1; + $length = 22; + } + return substr($hash, $pos, $length); + } +} diff --git a/phpBB/phpbb/passwords/driver/bcrypt_2y.php b/phpBB/phpbb/passwords/driver/bcrypt_2y.php new file mode 100644 index 0000000000..11c3617e49 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/bcrypt_2y.php @@ -0,0 +1,34 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +class bcrypt_2y extends bcrypt +{ + const PREFIX = '$2y$'; + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } + + /** + * @inheritdoc + */ + public function is_supported() + { + return (version_compare(PHP_VERSION, '5.3.7', '<')) ? false : true; + } +} diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php new file mode 100644 index 0000000000..ebaf0626af --- /dev/null +++ b/phpBB/phpbb/passwords/driver/driver_interface.php @@ -0,0 +1,60 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +interface driver_interface +{ + /** + * Check if hash type is supported + * + * @return bool True if supported, false if not + */ + public function is_supported(); + + /** + * Returns the hash prefix + * + * @return string Hash prefix + */ + public function get_prefix(); + + /** + * Hash the password + * + * @param string $password The password that should be hashed + * + * @return bool|string Password hash or false if something went wrong + * during hashing + */ + public function hash($password); + + /** + * Check the password against the supplied hash + * + * @param string $password The password to check + * @param string $hash The password hash to check against + * + * @return bool True if password is correct, else false + */ + public function check($password, $hash); + + /** + * Get only the settings of the specified hash + * + * @param string $hash Password hash + * @param bool $full Return full settings or only settings + * related to the salt + * @return string String containing the hash settings + */ + public function get_settings_only($hash, $full = false); +} diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php new file mode 100644 index 0000000000..4b8dc9a123 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/helper.php @@ -0,0 +1,144 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +class helper +{ + /** + * @var phpbb\config\config + */ + protected $config; + + /** + * base64 alphabet + * @var string + */ + public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + + /** + * Construct a driver helper object + * + * @param phpbb\config\config $config phpBB configuration + */ + public function __construct(\phpbb\config\config $config) + { + $this->config = $config; + } + + /** + * Base64 encode hash + * + * @param string $input Input string + * @param int $count Input string length + * + * @return string base64 encoded string + */ + public function hash_encode64($input, $count) + { + $output = ''; + $i = 0; + + do + { + $value = ord($input[$i++]); + $output .= $this->itoa64[$value & 0x3f]; + + if ($i < $count) + { + $value |= ord($input[$i]) << 8; + } + + $output .= $this->itoa64[($value >> 6) & 0x3f]; + + if ($i++ >= $count) + { + break; + } + + if ($i < $count) + { + $value |= ord($input[$i]) << 16; + } + + $output .= $this->itoa64[($value >> 12) & 0x3f]; + + if ($i++ >= $count) + { + break; + } + + $output .= $this->itoa64[($value >> 18) & 0x3f]; + } + while ($i < $count); + + return $output; + } + + /** + * Return unique id + * + * @param string $extra Additional entropy + * + * @return string Unique id + */ + public function unique_id($extra = 'c') + { + static $dss_seeded = false; + + $val = $this->config['rand_seed'] . microtime(); + $val = md5($val); + $this->config['rand_seed'] = md5($this->config['rand_seed'] . $val . $extra); + + if ($dss_seeded !== true && ($this->config['rand_seed_last_update'] < time() - rand(1,10))) + { + $this->config->set('rand_seed_last_update', time(), true); + $this->config->set('rand_seed', $this->config['rand_seed'], true); + $dss_seeded = true; + } + + return substr($val, 4, 16); + } + + /** + * Get random salt with specified length + * + * @param int $length Salt length + * @param string $rand_seed Seed for random data (optional). For tests. + * + * @return string Random salt with specified length + */ + public function get_random_salt($length, $rand_seed = '/dev/urandom') + { + $random = ''; + + if (($fh = @fopen($rand_seed, 'rb'))) + { + $random = fread($fh, $length); + fclose($fh); + } + + if (strlen($random) < $length) + { + $random = ''; + $random_state = $this->unique_id(); + + for ($i = 0; $i < $length; $i += 16) + { + $random_state = md5($this->unique_id() . $random_state); + $random .= pack('H*', md5($random_state)); + } + $random = substr($random, 0, $length); + } + return $random; + } +} diff --git a/phpBB/phpbb/passwords/driver/phpass.php b/phpBB/phpbb/passwords/driver/phpass.php new file mode 100644 index 0000000000..80c4d7a7f0 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/phpass.php @@ -0,0 +1,26 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* @package passwords +*/ +class phpass extends salted_md5 +{ + const PREFIX = '$P$'; + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } +} diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php new file mode 100644 index 0000000000..5c72726422 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/salted_md5.php @@ -0,0 +1,160 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords\driver; + +/** +* +* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier) +* +* Portable PHP password hashing framework. +* +* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in +* the public domain. +* +* There's absolutely no warranty. +* +* The homepage URL for this framework is: +* +* http://www.openwall.com/phpass/ +* +* Please be sure to update the Version line if you edit this file in any way. +* It is suggested that you leave the main version number intact, but indicate +* your project name (after the slash) and add your own revision information. +* +* Please do not change the "private" password hashing method implemented in +* here, thereby making your hashes incompatible. However, if you must, please +* change the hash type identifier (the "$P$") to something different. +* +* Obviously, since this code is in the public domain, the above are not +* requirements (there can be none), but merely suggestions. +* +*/ + +/** +* @package passwords +*/ +class salted_md5 extends base +{ + const PREFIX = '$H$'; + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } + + /** + * @inheritdoc + */ + public function hash($password, $setting = '') + { + if ($setting) + { + if (($settings = $this->get_hash_settings($setting)) === false) + { + // Return md5 of password if settings do not + // comply with our standards. This will only + // happen if pre-determined settings are + // directly passed to the driver. The manager + // will not do this. Same as the old hashing + // implementatio in phpBB 3.0 + return md5($password); + } + } + else + { + $settings = $this->get_hash_settings($this->generate_salt()); + } + + $hash = md5($settings['salt'] . $password, true); + do + { + $hash = md5($hash . $password, true); + } + while (--$settings['count']); + + $output = $settings['full']; + $output .= $this->helper->hash_encode64($hash, 16); + + return $output; + } + + /** + * @inheritdoc + */ + public function check($password, $hash) + { + if (strlen($hash) !== 34) + { + return md5($password) === $hash; + } + + return $hash === $this->hash($password, $hash); + } + + /** + * Generate salt for hashing method + * + * @return string Salt for hashing method + */ + protected function generate_salt() + { + $count = 6; + + $random = $this->helper->get_random_salt($count); + + $salt = $this->get_prefix(); + $salt .= $this->helper->itoa64[min($count + 5, 30)]; + $salt .= $this->helper->hash_encode64($random, $count); + + return $salt; + } + + /** + * Get hash settings + * + * @param string $hash The hash that contains the settings + * + * @return bool|array Array containing the count_log2, salt, and full + * hash settings string or false if supplied hash is empty + * or contains incorrect settings + */ + public function get_hash_settings($hash) + { + if (empty($hash)) + { + return false; + } + + $count_log2 = strpos($this->helper->itoa64, $hash[3]); + $salt = substr($hash, 4, 8); + + if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8) + { + return false; + } + + return array( + 'count' => 1 << $count_log2, + 'salt' => $salt, + 'full' => substr($hash, 0, 12), + ); + } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + return substr($hash, 3, 9); + } +} diff --git a/phpBB/phpbb/passwords/helper.php b/phpBB/phpbb/passwords/helper.php new file mode 100644 index 0000000000..95bad5805f --- /dev/null +++ b/phpBB/phpbb/passwords/helper.php @@ -0,0 +1,103 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords; + +/** +* @package passwords +*/ +class helper +{ + /** + * Get hash settings from combined hash + * + * @param string $hash Password hash of combined hash + * + * @return array An array containing the hash settings for the hash + * types in successive order as described by the combined + * password hash or an empty array if hash does not + * properly fit the combined hash format + */ + public function get_combined_hash_settings($hash) + { + $output = array(); + + preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match); + $hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1); + $matches = explode('\\', $match[1]); + foreach ($matches as $cur_type) + { + $dollar_position = strpos($hash_settings, '$'); + $output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings)); + $hash_settings = substr($hash_settings, $dollar_position + 1); + } + + return $output; + } + + /** + * Combine hash prefixes, settings, and actual hash + * + * @param array $data Array containing the keys 'prefix' and 'settings'. + * It will hold the prefixes and settings + * @param string $type Data type of the supplied value + * @param string $value Value that should be put into the data array + * + * @return string|null Return complete combined hash if type is neither + * 'prefix' nor 'settings', nothing if it is + */ + public function combine_hash_output(&$data, $type, $value) + { + if ($type == 'prefix') + { + $data[$type] .= ($data[$type] !== '$') ? '\\' : ''; + $data[$type] .= str_replace('$', '', $value); + } + elseif ($type == 'settings') + { + $data[$type] .= ($data[$type] !== '$') ? '$' : ''; + $data[$type] .= $value; + } + else + { + // Return full hash + return $data['prefix'] . $data['settings'] . '$' . $value; + } + } + + /** + * Rebuild hash for hashing functions + * + * @param string $prefix Hash prefix + * @param string $settings Hash settings + * + * @return string Rebuilt hash for hashing functions + */ + public function rebuild_hash($prefix, $settings) + { + $rebuilt_hash = $prefix; + if (strpos($settings, '\\') !== false) + { + $settings = str_replace('\\', '$', $settings); + } + $rebuilt_hash .= $settings; + return $rebuilt_hash; + } + + /** + * Obtain only the actual hash after the prefixes + * + * @param string $hash The full password hash + * @return string Actual hash (incl. settings) + */ + public function obtain_hash_only($hash) + { + return substr($hash, strripos($hash, '$') + 1); + } +} diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php new file mode 100644 index 0000000000..0ac6b05ec4 --- /dev/null +++ b/phpBB/phpbb/passwords/manager.php @@ -0,0 +1,341 @@ +<?php +/** +* +* @package phpBB3 +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +namespace phpbb\passwords; + +/** +* @package passwords +*/ +class manager +{ + /** + * Default hashing method + */ + protected $type = false; + + /** + * Hashing algorithm type map + * Will be used to map hash prefix to type + */ + protected $type_map = false; + + /** + * Service collection of hashing algorithms + * Needs to be public for passwords helper + */ + public $algorithms = false; + + /** + * Password convert flag. Signals that password should be converted + */ + public $convert_flag = false; + + /** + * Passwords helper + * @var phpbb\passwords\helper + */ + protected $helper; + + /** + * phpBB configuration + * @var phpbb\config\config + */ + protected $config; + + /** + * Construct a passwords object + * + * @param phpbb\config\config $config phpBB configuration + * @param array $hashing_algorithms Hashing driver + * service collection + * @param phpbb\passwords\helper $helper Passwords helper object + * @param string $defaults List of default driver types + */ + public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) + { + $this->config = $config; + $this->helper = $helper; + + $this->fill_type_map($hashing_algorithms); + $this->register_default_type($defaults); + } + + /** + * Register default type + * Will register the first supported type from the list of default types + * + * @param array $defaults List of default types in order from first to + * use to last to use + */ + protected function register_default_type($defaults) + { + foreach ($defaults as $type) + { + if ($this->algorithms[$type]->is_supported()) + { + $this->type = $this->algorithms[$type]->get_prefix(); + break; + } + } + } + + /** + * Fill algorithm type map + * + * @param phpbb\di\service_collection $hashing_algorithms + */ + protected function fill_type_map($hashing_algorithms) + { + foreach ($hashing_algorithms as $algorithm) + { + if (!isset($this->type_map[$algorithm->get_prefix()])) + { + $this->type_map[$algorithm->get_prefix()] = $algorithm; + } + } + $this->algorithms = $hashing_algorithms; + } + + /** + * Get the algorithm specified by a specific prefix + * + * @param string $prefix Password hash prefix + * + * @return object|bool The hash type object or false if prefix is not + * supported + */ + protected function get_algorithm($prefix) + { + if (isset($this->type_map[$prefix])) + { + return $this->type_map[$prefix]; + } + else + { + return false; + } + } + + /** + * Detect the hash type of the supplied hash + * + * @param string $hash Password hash that should be checked + * + * @return object|bool The hash type object or false if the specified + * type is not supported + */ + public function detect_algorithm($hash) + { + /* + * preg_match() will also show hashing algos like $2a\H$, which + * is a combination of bcrypt and phpass. Legacy algorithms + * like md5 will not be matched by this and need to be treated + * differently. + */ + if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) + { + return $this->get_algorithm('$H$'); + } + + // Be on the lookout for multiple hashing algorithms + // 2 is correct: H\2a > 2, H\P > 2 + if (strlen($match[1]) > 2) + { + $hash_types = explode('\\', $match[1]); + $return_ary = array(); + foreach ($hash_types as $type) + { + // we do not support the same hashing + // algorithm more than once + if (isset($return_ary[$type])) + { + return false; + } + + $return_ary[$type] = $this->get_algorithm('$' . $type . '$'); + + if (empty($return_ary[$type])) + { + return false; + } + } + return $return_ary; + } + + // get_algorithm() will automatically return false if prefix + // is not supported + return $this->get_algorithm($match[0]); + } + + /** + * Hash supplied password + * + * @param string $password Password that should be hashed + * @param string $type Hash type. Will default to standard hash type if + * none is supplied + * @return string|bool Password hash of supplied password or false if + * if something went wrong during hashing + */ + public function hash($password, $type = '') + { + if (strlen($password) > 4096) + { + // If the password is too huge, we will simply reject it + // and not let the server try to hash it. + return false; + } + + // Try to retrieve algorithm by service name if type doesn't + // start with dollar sign + if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type])) + { + $type = $this->algorithms[$type]->get_prefix(); + } + + $type = ($type === '') ? $this->type : $type; + + if (is_array($type)) + { + return $this->combined_hash_password($password, $type); + } + + if (isset($this->type_map[$type])) + { + $hashing_algorithm = $this->type_map[$type]; + } + else + { + return false; + } + + return $hashing_algorithm->hash($password); + } + + /** + * Check supplied password against hash and set convert_flag if password + * needs to be converted to different format (preferrably newer one) + * + * @param string $password Password that should be checked + * @param string $hash Stored hash + * @return string|bool True if password is correct, false if not + */ + public function check($password, $hash) + { + if (strlen($password) > 4096) + { + // If the password is too huge, we will simply reject it + // and not let the server try to hash it. + return false; + } + + // First find out what kind of hash we're dealing with + $stored_hash_type = $this->detect_algorithm($hash); + if ($stored_hash_type == false) + { + return false; + } + + // Multiple hash passes needed + if (is_array($stored_hash_type)) + { + $correct = $this->check_combined_hash($password, $stored_hash_type, $hash); + $this->convert_flag = ($correct === true) ? true : false; + return $correct; + } + + if ($stored_hash_type->get_prefix() !== $this->type) + { + $this->convert_flag = true; + } + else + { + $this->convert_flag = false; + } + + return $stored_hash_type->check($password, $hash); + } + + /** + * Create combined hash from already hashed password + * + * @param string $password_hash Complete current password hash + * @param string $type Type of the hashing algorithm the password hash + * should be combined with + * @return string|bool Combined password hash if combined hashing was + * successful, else false + */ + public function combined_hash_password($password_hash, $type) + { + $data = array( + 'prefix' => '$', + 'settings' => '$', + ); + $hash_settings = $this->helper->get_combined_hash_settings($password_hash); + $hash = $hash_settings[0]; + + // Put settings of current hash into data array + $stored_hash_type = $this->detect_algorithm($password_hash); + $this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix()); + $this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash)); + + // Hash current hash with the defined types + foreach ($type as $cur_type) + { + if (isset($this->algorithms[$cur_type])) + { + $new_hash_type = $this->algorithms[$cur_type]; + } + else + { + $new_hash_type = $this->get_algorithm($cur_type); + } + + if (!$new_hash_type) + { + return false; + } + + $new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash)); + $this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix()); + $this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0)); + $hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash)); + } + return $this->helper->combine_hash_output($data, 'hash', $hash); + } + + /** + * Check combined password hash against the supplied password + * + * @param string $password Password entered by user + * @param array $stored_hash_type An array containing the hash types + * as described by stored password hash + * @param string $hash Stored password hash + * + * @return bool True if password is correct, false if not + */ + public function check_combined_hash($password, $stored_hash_type, $hash) + { + $i = 0; + $data = array( + 'prefix' => '$', + 'settings' => '$', + ); + $hash_settings = $this->helper->get_combined_hash_settings($hash); + foreach ($stored_hash_type as $key => $hash_type) + { + $rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]); + $this->helper->combine_hash_output($data, 'prefix', $key); + $this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]); + $cur_hash = $hash_type->hash($password, $rebuilt_hash); + $password = str_replace($rebuilt_hash, '', $cur_hash); + $i++; + } + return ($hash === $this->helper->combine_hash_output($data, 'hash', $password)); + } +} diff --git a/tests/auth/fixtures/user.xml b/tests/auth/fixtures/user.xml index 34584babbf..6d475930a4 100644 --- a/tests/auth/fixtures/user.xml +++ b/tests/auth/fixtures/user.xml @@ -18,6 +18,21 @@ <value>1</value> <value>foobar</value> <value>foobar</value> + <value>$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i</value> + <value>0</value> + <value>0</value> + <value>example@example.com</value> + <value>0</value> + <value>0</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + <row> + <value>2</value> + <value>foobar2</value> + <value>foobar2</value> <value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value> <value>0</value> <value>0</value> diff --git a/tests/auth/fixtures/user_533.xml b/tests/auth/fixtures/user_533.xml new file mode 100644 index 0000000000..c2a86ea0f9 --- /dev/null +++ b/tests/auth/fixtures/user_533.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> + <table name="phpbb_users"> + <column>user_id</column> + <column>username</column> + <column>username_clean</column> + <column>user_password</column> + <column>user_passchg</column> + <column>user_pass_convert</column> + <column>user_email</column> + <column>user_type</column> + <column>user_login_attempts</column> + <column>user_permissions</column> + <column>user_sig</column> + <column>user_occ</column> + <column>user_interests</column> + <row> + <value>1</value> + <value>foobar</value> + <value>foobar</value> + <value>$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi</value> + <value>0</value> + <value>0</value> + <value>example@example.com</value> + <value>0</value> + <value>0</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + <row> + <value>2</value> + <value>foobar2</value> + <value>foobar2</value> + <value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value> + <value>0</value> + <value>0</value> + <value>example@example.com</value> + <value>0</value> + <value>0</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + </table> +</dataset> diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index d7509a72bf..1231c16a4c 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -26,13 +26,40 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case $config = new \phpbb\config\config(array()); $this->request = $this->getMock('\phpbb\request\request'); $this->user = $this->getMock('\phpbb\user'); + $driver_helper = new \phpbb\passwords\driver\helper($config); + $passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper), + ); + + $passwords_helper = new \phpbb\passwords\helper; + // Set up passwords manager + $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers)); + + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + $this->password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi'; + } + else + { + $this->password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i'; + } - $this->provider = new \phpbb\auth\provider\apache($db, $config, $this->request, $this->user, $phpbb_root_path, $phpEx); + $this->provider = new \phpbb\auth\provider\apache($db, $config, $passwords_manager, $this->request, $this->user, $phpbb_root_path, $phpEx); } public function getDataSet() { - return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + if ((version_compare(PHP_VERSION, '5.3.7', '<'))) + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml'); + } + else + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + } } /** @@ -79,7 +106,7 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case 'user_row' => array( 'user_id' => '1', 'username' => 'foobar', - 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_password' => $this->password_hash, 'user_passchg' => '0', 'user_email' => 'example@example.com', 'user_type' => '0', @@ -115,7 +142,7 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case 'user_regdate' => '0', 'username' => 'foobar', 'username_clean' => 'foobar', - 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_password' => $this->password_hash, 'user_passchg' => '0', 'user_pass_convert' => '0', 'user_email' => 'example@example.com', diff --git a/tests/auth/provider_db_test.php b/tests/auth/provider_db_test.php index 45a893220b..91ffcdc2a7 100644 --- a/tests/auth/provider_db_test.php +++ b/tests/auth/provider_db_test.php @@ -14,7 +14,14 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case { public function getDataSet() { - return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + if ((version_compare(PHP_VERSION, '5.3.7', '<'))) + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user_533.xml'); + } + else + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + } } public function test_login() @@ -29,7 +36,27 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case )); $request = $this->getMock('\phpbb\request\request'); $user = $this->getMock('\phpbb\user'); - $provider = new \phpbb\auth\provider\db($db, $config, $request, $user, $phpbb_root_path, $phpEx); + $driver_helper = new \phpbb\passwords\driver\helper($config); + $passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper), + ); + + $passwords_helper = new \phpbb\passwords\helper; + // Set up passwords manager + $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers)); + + $provider = new \phpbb\auth\provider\db($db, $config, $passwords_manager, $request, $user, $phpbb_root_path, $phpEx); + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + $password_hash = '$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi'; + } + else + { + $password_hash = '$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i'; + } $expected = array( 'status' => LOGIN_SUCCESS, @@ -37,7 +64,7 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case 'user_row' => array( 'user_id' => '1', 'username' => 'foobar', - 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_password' => $password_hash, 'user_passchg' => '0', 'user_pass_convert' => '0', 'user_email' => 'example@example.com', @@ -47,5 +74,10 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case ); $this->assertEquals($expected, $provider->login('foobar', 'example')); + + // Check if convert works + $login_return = $provider->login('foobar2', 'example'); + $password_start = (version_compare(PHP_VERSION, '5.3.7', '<')) ? '$2a$10$' : '$2y$10$'; + $this->assertStringStartsWith($password_start, $login_return['user_row']['user_password']); } } diff --git a/tests/functional/forum_password_test.php b/tests/functional/forum_password_test.php new file mode 100644 index 0000000000..40a8059ad1 --- /dev/null +++ b/tests/functional/forum_password_test.php @@ -0,0 +1,55 @@ +<?php +/** +* +* @package testing +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +/** +* @group functional +*/ +class phpbb_functional_forum_password_test extends phpbb_functional_test_case +{ + public function test_setup_forum_with_password() + { + $this->login(); + $this->admin_login(); + + $crawler = self::request('GET', "adm/index.php?i=acp_forums&mode=manage&sid={$this->sid}"); + $form = $crawler->selectButton('addforum')->form(array( + 'forum_name' => 'Password protected', + )); + $crawler = self::submit($form); + $form = $crawler->selectButton('update')->form(array( + 'forum_perm_from' => 2, + 'forum_password' => 'foobar', + 'forum_password_confirm' => 'foobar', + )); + $crawler = self::submit($form); + } + + public function data_enter_forum_with_password() + { + return array( + array('foowrong', 'WRONG_PASSWORD'), + array('foobar', 'NO_TOPICS'), + ); + } + + /** + * @dataProvider data_enter_forum_with_password + */ + public function test_enter_forum_with_password($password, $message) + { + $crawler = self::request('GET', "index.php?sid={$this->sid}"); + preg_match('/.?f=([0-9])/', $crawler->selectLink('Password protected')->link()->getUri(), $match); + $crawler = self::request('GET', "viewforum.php?f={$match[1]}&sid={$this->sid}"); + $form = $crawler->selectButton('login')->form(array( + 'password' => $password, + )); + $crawler = self::submit($form); + $this->assertContainsLang($message, $crawler->text()); + } +} diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php new file mode 100644 index 0000000000..2d26be7da5 --- /dev/null +++ b/tests/passwords/drivers_test.php @@ -0,0 +1,81 @@ +<?php +/** +* +* @package testing +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +class phpbb_passwords_helper_test extends PHPUnit_Framework_TestCase +{ + public function setUp() + { + // Prepare dependencies for drivers + $config = new \phpbb\config\config(array()); + $this->driver_helper = new \phpbb\passwords\driver\helper($config); + + $this->passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + ); + } + + public function data_helper_encode64() + { + return array( + array('foobar', 6, 'axqPW3aQ'), + array('foobar', 7, 'axqPW3aQ..'), + array('foobar', 5, 'axqPW34'), + ); + } + + /** + * @dataProvider data_helper_encode64 + */ + public function test_helper_encode64($input, $length, $output) + { + $return = $this->driver_helper->hash_encode64($input, $length); + $this->assertEquals($output, $return); + } + + public function data_get_random_salt() + { + return array( + array(24, false), + array(24, '/dev/foobar'), + ); + } + + /** + * @dataProvider data_get_random_salt + */ + public function test_get_random_salt($length, $rand_seed) + { + $rand_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed); + $start = microtime(true); + + // Run each test for max. 1 second + while ((microtime(true) - $start) < 1) + { + $urandom_string = (empty($rand_seed)) ? $this->driver_helper->get_random_salt($length) : $this->driver_helper->get_random_salt($length, $rand_seed); + $this->assertEquals($length, strlen($urandom_string)); + $this->assertNotEquals($rand_string, $urandom_string); + } + } + + public function test_get_hash_settings_salted_md5() + { + $settings = $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings('$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'); + $this->assertEquals(array( + 'count' => pow(2, 11), + 'salt' => 'isfrtKXW', + 'full' => '$H$9isfrtKXW', + ), + $settings + ); + $this->assertEquals(false, $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings(false)); + } +} diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php new file mode 100644 index 0000000000..ee295ff043 --- /dev/null +++ b/tests/passwords/manager_test.php @@ -0,0 +1,295 @@ +<?php +/** +* +* @package testing +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +class phpbb_passwords_manager_test extends PHPUnit_Framework_TestCase +{ + protected $passwords_drivers; + + protected $pw_characters = '0123456789abcdefghijklmnopqrstuvwyzABCDEFGHIJKLMNOPQRSTUVXYZ.,_!?/\\'; + + protected $default_pw = 'foobar'; + + public function setUp() + { + // Prepare dependencies for manager and driver + $config = new \phpbb\config\config(array()); + $this->driver_helper = new \phpbb\passwords\driver\helper($config); + + $this->passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + ); + + $this->helper = new \phpbb\passwords\helper; + // Set up passwords manager + $this->manager = new \phpbb\passwords\manager($config, $this->passwords_drivers, $this->helper, array_keys($this->passwords_drivers)); + } + + public function hash_password_data() + { + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + return array( + array('', '2a', 60), + array('passwords.driver.bcrypt_2y', '2a', 60), + array('passwords.driver.bcrypt', '2a', 60), + array('passwords.driver.salted_md5', 'H', 34), + array('passwords.driver.foobar', '', false), + ); + } + else + { + return array( + array('', '2y', 60), + array('passwords.driver.bcrypt_2y', '2y', 60), + array('passwords.driver.bcrypt', '2a', 60), + array('passwords.driver.salted_md5', 'H', 34), + array('passwords.driver.foobar', '', false), + ); + } + } + + /** + * @dataProvider hash_password_data + */ + public function test_hash_password($type, $prefix, $length) + { + $password = $this->default_pw; + + if (!$length) + { + $this->assertEquals(false, $hash = $this->manager->hash($password, $type)); + return; + } + $time = microtime(true); + + // Limit each test to 1 second + while ((microtime(true) - $time) < 1) + { + $hash = $this->manager->hash($password, $type); + preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match); + $this->assertEquals($prefix, $match[1]); + $this->assertEquals($length, strlen($hash)); + $password .= $this->pw_characters[mt_rand(0, 66)]; + } + } + + public function check_password_data() + { + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + return array( + array('passwords.driver.bcrypt'), + array('passwords.driver.salted_md5'), + array('passwords.driver.phpass'), + ); + } + else + { + return array( + array('passwords.driver.bcrypt_2y'), + array('passwords.driver.bcrypt'), + array('passwords.driver.salted_md5'), + array('passwords.driver.phpass'), + ); + } + } + + /** + * @dataProvider check_password_data + */ + public function test_check_password($hash_type) + { + $password = $this->default_pw; + $time = microtime(true); + // Limit each test to 1 second + while ((microtime(true) - $time) < 1) + { + $hash = $this->manager->hash($password, $hash_type); + $this->assertEquals(true, $this->manager->check($password, $hash)); + $password .= $this->pw_characters[mt_rand(0, 66)]; + $this->assertEquals(false, $this->manager->check($password, $hash)); + } + + // Check if convert_flag is correctly set + $default_type = (version_compare(PHP_VERSION, '5.3.7', '<')) ? 'passwords.driver.bcrypt' : 'passwords.driver.bcrypt_2y'; + $this->assertEquals(($hash_type !== $default_type), $this->manager->convert_flag); + } + + + public function check_hash_exceptions_data() + { + return array( + array('foobar', '3858f62230ac3c915f300c664312c63f', true), + array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false), + array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false), + array('foobar', '$H$kklk938d023k//k3023', false), + array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false), + array('foobar', '$2a$kwiweorurlaeirw', false), + ); + } + + /** + * @dataProvider check_hash_exceptions_data + */ + public function test_check_hash_exceptions($password, $hash, $expected) + { + $this->assertEquals($expected, $this->manager->check($password, $hash)); + } + + public function data_hash_password_length() + { + return array( + array('passwords.driver.bcrypt', false), + array('passwords.driver.bcrypt_2y', false), + array('passwords.driver.salted_md5', '3858f62230ac3c915f300c664312c63f'), + array('passwords.driver.phpass', '3858f62230ac3c915f300c664312c63f'), + ); + } + + /** + * @dataProvider data_hash_password_length + */ + public function test_hash_password_length($driver, $expected) + { + $this->assertEquals($expected, $this->passwords_drivers[$driver]->hash('foobar', 'foobar')); + } + + public function test_hash_password_8bit_bcrypt() + { + $this->assertEquals(false, $this->manager->hash('foobarš¯„˛', 'passwords.driver.bcrypt')); + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + $this->assertEquals(false, $this->manager->hash('foobarš¯„˛', 'passwords.driver.bcrypt_2y')); + } + else + { + $this->assertNotEquals(false, $this->manager->hash('foobarš¯„˛', 'passwords.driver.bcrypt_2y')); + } + } + + public function test_combined_hash_data() + { + if (version_compare(PHP_VERSION, '5.3.7', '<')) + { + return array( + array( + 'passwords.driver.salted_md5', + array('passwords.driver.bcrypt'), + ), + array( + 'passwords.driver.phpass', + array('passwords.driver.salted_md5'), + ), + array( + 'passwords.driver.salted_md5', + array('passwords.driver.phpass', 'passwords.driver.bcrypt'), + ), + array( + 'passwords.driver.salted_md5', + array('passwords.driver.salted_md5'), + false, + ), + array( + '$H$', + array('$2a$'), + ), + ); + } + else + { + return array( + array( + 'passwords.driver.salted_md5', + array('passwords.driver.bcrypt_2y'), + ), + array( + 'passwords.driver.salted_md5', + array('passwords.driver.bcrypt'), + ), + array( + 'passwords.driver.phpass', + array('passwords.driver.salted_md5'), + ), + array( + 'passwords.driver.salted_md5', + array('passwords.driver.bcrypt_2y', 'passwords.driver.bcrypt'), + ), + array( + 'passwords.driver.salted_md5', + array('passwords.driver.salted_md5'), + false, + ), + array( + 'passwords.driver.bcrypt_2y', + array('passwords.driver.salted_md4'), + false, + ), + array( + '$H$', + array('$2y$'), + ), + ); + } + } + + /** + * @dataProvider test_combined_hash_data + */ + public function test_combined_hash_password($first_type, $second_type, $expected = true) + { + $password = $this->default_pw; + $time = microtime(true); + // Limit each test to 1 second + while ((microtime(true) - $time) < 1) + { + $hash = $this->manager->hash($password, $first_type); + $combined_hash = $this->manager->hash($hash, $second_type); + $this->assertEquals($expected, $this->manager->check($password, $combined_hash)); + $password .= $this->pw_characters[mt_rand(0, 66)]; + $this->assertEquals(false, $this->manager->check($password, $combined_hash)); + + // If we are expecting the check to fail then there is + // no need to run this more than once + if (!$expected) + { + break; + } + } + } + + public function test_unique_id() + { + $time = microtime(true); + $first_id = $this->driver_helper->unique_id(); + // Limit test to 1 second + while ((microtime(true) - $time) < 1) + { + $this->assertNotEquals($first_id, $this->driver_helper->unique_id()); + } + } + + public function test_check_hash_with_large_input() + { + // 16 MB password, should be rejected quite fast + $start_time = time(); + $this->assertFalse($this->manager->check(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1')); + $this->assertLessThanOrEqual(5, time() - $start_time); + } + + public function test_hash_password_with_large_input() + { + // 16 MB password, should be rejected quite fast + $start_time = time(); + $this->assertFalse($this->manager->hash(str_repeat('a', 1024 * 1024 * 16))); + $this->assertLessThanOrEqual(5, time() - $start_time); + } +} diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php index e226365ef3..bc1bebd87a 100644 --- a/tests/security/hash_test.php +++ b/tests/security/hash_test.php @@ -11,6 +11,31 @@ require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php'; class phpbb_security_hash_test extends phpbb_test_case { + public function setUp() + { + global $phpbb_container; + + $config = new \phpbb\config\config(array()); + $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface'); + $driver_helper = new \phpbb\passwords\driver\helper($config); + $passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper), + ); + + $passwords_helper = new \phpbb\passwords\helper; + // Set up passwords manager + $passwords_manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers)); + + $phpbb_container + ->expects($this->any()) + ->method('get') + ->with('passwords.manager') + ->will($this->returnValue($passwords_manager)); + } + public function test_check_hash_with_phpass() { $this->assertTrue(phpbb_check_hash('test', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1')); diff --git a/tests/test_framework/phpbb_functional_test_case.php b/tests/test_framework/phpbb_functional_test_case.php index eba5a2dfdf..71d03746a9 100644 --- a/tests/test_framework/phpbb_functional_test_case.php +++ b/tests/test_framework/phpbb_functional_test_case.php @@ -503,6 +503,7 @@ class phpbb_functional_test_case extends phpbb_test_case set_config(null, null, null, $config); set_config_count(null, null, null, $config); $phpbb_dispatcher = new phpbb_mock_event_dispatcher(); + $passwords_manager = $this->get_passwords_manager(); $user_row = array( 'username' => $username, @@ -512,7 +513,7 @@ class phpbb_functional_test_case extends phpbb_test_case 'user_lang' => 'en', 'user_timezone' => 0, 'user_dateformat' => '', - 'user_password' => phpbb_hash($username . $username), + 'user_password' => $passwords_manager->hash($username . $username), ); return user_add($user_row); } @@ -997,4 +998,29 @@ class phpbb_functional_test_case extends phpbb_test_case } return null; } + + /** + * Return a passwords manager instance + * + * @return phpbb\passwords\manager + */ + public function get_passwords_manager() + { + // Prepare dependencies for manager and driver + $config = new \phpbb\config\config(array()); + $driver_helper = new \phpbb\passwords\driver\helper($config); + + $passwords_drivers = array( + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $driver_helper), + ); + + $passwords_helper = new \phpbb\passwords\helper; + // Set up passwords manager + $manager = new \phpbb\passwords\manager($config, $passwords_drivers, $passwords_helper, array_keys($passwords_drivers)); + + return $manager; + } } |