Diffstat (limited to 'phpBB/phpbb/passwords/driver')
| -rw-r--r-- | phpBB/phpbb/passwords/driver/base.php | 12 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt.php | 32 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/md5_phpbb2.php | 2 | ||||
| -rw-r--r-- | phpBB/phpbb/passwords/driver/rehashable_driver_interface.php | 25 | 
4 files changed, 67 insertions, 4 deletions
|
diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php
index fd07a61bf4..0997b5b700 100644
--- a/phpBB/phpbb/passwords/driver/base.php
+++ b/phpBB/phpbb/passwords/driver/base.php
@@ -13,7 +13,7 @@
 namespace phpbb\passwords\driver;
-abstract class base implements driver_interface
+abstract class base implements rehashable_driver_interface
 {
 	/** @var \phpbb\config\config */
 	protected $config;
@@ -21,7 +21,7 @@ abstract class base implements driver_interface
 	/** @var \phpbb\passwords\driver\helper */
 	protected $helper;
-	/** @var driver name */
+	/** @var string Driver name */
 	protected $name;
 	/**
@@ -53,6 +53,14 @@ abstract class base implements driver_interface
 	}
 	/**
+	 * {@inheritdoc}
+	 */
+	public function needs_rehash($hash)
+	{
+		return false;
+	}
+
+	/**
 	* {@inheritdoc}
 	*/
 	public function get_settings_only($hash, $full = false)
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index eab1c3d569..eb1aeeeb76 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -17,6 +17,24 @@ class bcrypt extends base
 {
 	const PREFIX = '$2a$';
+	/** @var int Hashing cost factor */
+	protected $cost_factor;
+
+	/**
+	 * Constructor of passwords driver object
+	 *
+	 * @param \phpbb\config\config $config phpBB config
+	 * @param \phpbb\passwords\driver\helper $helper Password driver helper
+	 * @param int $cost_factor Hashing cost factor (optional)
+	 */
+	public function __construct(\phpbb\config\config $config, helper $helper, $cost_factor = 10)
+	{
+		parent::__construct($config, $helper);
+
+		// Don't allow cost factor to be below default setting
+		$this->cost_factor = max(10, $cost_factor);
+	}
+
 	/**
 	* {@inheritdoc}
 	*/
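Review bot: The bcrypt.php constructor only sets a lower bound with `max(10, $cost_factor)` and neither casts nor caps the value. crypt() accepts a two-digit bcrypt cost from 04 to 31, so a larger configured value makes the salt built in the later `$prefix . $this->cost_factor . '$'` hunk invalid and hashing fails, while a very high but valid cost makes every login expensive enough to exhaust CPU. If the container passes the value as a string, `max()` returns that string and the strict `!==` against `intval()` in `needs_rehash()` is always true, so every check would report a stale hash. I would write `$this->cost_factor = min(31, max(10, (int) $cost_factor));` and state the accepted range in the `@param` line.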
@@ -26,6 +44,18 @@ class bcrypt extends base
 	}
 	/**
+	 * {@inheritdoc}
+	 */
+	public function needs_rehash($hash)
+	{
+		preg_match('/^' . preg_quote($this->get_prefix()) . '([0-9]+)\$/', $hash, $matches);
+
+		list(, $cost_factor) = $matches;
+
+		return empty($cost_factor) || $this->cost_factor !== intval($cost_factor);
+	}
+
+	/**
 	* {@inheritdoc}
 	*/
 	public function hash($password, $salt = '')
@@ -46,7 +76,7 @@ class bcrypt extends base
 		if ($salt == '')
 		{
-			$salt = $prefix . '10$' . $this->get_random_salt();
+			$salt = $prefix . $this->cost_factor . '$' . $this->get_random_salt();
 		}
 		$hash = crypt($password, $salt);
diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
index bd8cc51e5a..b38b041d6c 100644
--- a/phpBB/phpbb/passwords/driver/md5_phpbb2.php
+++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
@@ -95,7 +95,7 @@ class md5_phpbb2 extends base
 		// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
 		$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
-		$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
+		$password_old_format = addslashes($password_old_format);
 		$password_new_format = $this->request->variable('password', '', true);
 		if ($super_globals_disabled)
diff --git a/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php b/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php
new file mode 100644
index 0000000000..ca30748502
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/rehashable_driver_interface.php
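Review bot: In `needs_rehash()` of bcrypt.php the return value of `preg_match()` is ignored, so for a hash that does not match, `list(, $cost_factor) = $matches;` reads an undefined offset and raises a notice before `empty()` turns the result into `true`. Making that path explicit reads better: with the pattern held in a local variable, `if (!preg_match($pattern, $hash, $matches)) { return true; }` followed by `return $this->cost_factor !== (int) $matches[1];`. `preg_quote()` is also called without its delimiter argument; `preg_quote($this->get_prefix(), '/')` keeps the pattern well-formed if a subclass prefix ever contains a slash.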
@@ -0,0 +1,25 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+interface rehashable_driver_interface extends driver_interface
+{
+	/**
+	 * Check if password needs to be rehashed
+	 *
+	 * @param string $hash Hash to check for rehash
+	 * @return bool True if password needs to be rehashed, false if not
+	 */
+	public function needs_rehash($hash);
+}
|
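Review bot: The docblock on `needs_rehash()` does not say what an implementation should return for a hash it cannot parse, and the two implementations in this commit differ: `base` always returns false, while `bcrypt` returns true when no cost factor is found. I would add a sentence such as `Implementations return true when the hash settings cannot be read.` and note that the result is only meaningful for a hash produced by the same driver. It is also worth stating that callers should rehash only after the password has been verified against the old hash; how the passwords manager consumes the result is not visible on this page.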
