From e0dd04a6493f1b7f7133f75c08f9ea55ee8bd50a Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 14 Oct 2011 16:39:36 +0200 Subject: Added bcrypt support for password hashes This method require PHP 5.3+ it will fail otherwise! --- inc/PassHash.class.php | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'inc/PassHash.class.php') diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php index 31493c022..77f2115bd 100644 --- a/inc/PassHash.class.php +++ b/inc/PassHash.class.php @@ -47,6 +47,9 @@ class PassHash { }elseif(preg_match('/^md5\$(.{5})\$/',$hash,$m)){ $method = 'djangomd5'; $salt = $m[1]; + }elseif(preg_match('/^\$2a\$(.{2})\$/',$hash,$m)){ + $method = 'bcrypt'; + $salt = $hash; }elseif(substr($hash,0,6) == '{SSHA}'){ $method = 'ssha'; $salt = substr(base64_decode(substr($hash, 6)),20); @@ -379,4 +382,35 @@ class PassHash { return 'md5$'.$salt.'$'.md5($salt.$clear); } + + /** + * Passwordhashing method 'bcrypt' + * + * Uses a modified blowfish algorithm called eksblowfish + * This method works on PHP 5.3+ only and will throw an exception + * if the needed crypt support isn't available + * + * A full hash should be given as salt (starting with $a2$) or this + * will break. When no salt is given, the iteration count can be set + * through the $compute variable. + * + * @param string $clear - the clear text to hash + * @param string $salt - the salt to use, null for random + * @param int $compute - the iteration count (between 4 and 31) + * @returns string - hashed password + */ + public function hash_bcrypt($clear, $salt=null, $compute=8){ + if(!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH != 1){ + throw new Exception('This PHP installation has no bcrypt support'); + } + + if(is_null($salt)){ + if($compute < 4 || $compute > 31) $compute = 8; + $salt = '$2a$'.str_pad($compute, 2, '0', STR_PAD_LEFT).'$'. + $this->gen_salt(22); + } + + return crypt($password, $salt); + } + } -- cgit v1.2.3 From 502a92e072be7b42750b4c9032e7269d1fd7c7b4 Mon Sep 17 00:00:00 2001 From: Patrick Michel Date: Sun, 27 Nov 2011 10:55:27 +0100 Subject: MD5 password hash format of the LDAP RFC FS#2378 This implements the salted MD5 password hash format of the LDAP RFC. The format is quite simple the password, followed by the 8 byte hash in base64 encoding, which results in 32 characters, prepended with the string "{smd5}". --- inc/PassHash.class.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'inc/PassHash.class.php') diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php index 31493c022..c13cf4a54 100644 --- a/inc/PassHash.class.php +++ b/inc/PassHash.class.php @@ -50,6 +50,9 @@ class PassHash { }elseif(substr($hash,0,6) == '{SSHA}'){ $method = 'ssha'; $salt = substr(base64_decode(substr($hash, 6)),20); + }elseif(substr($hash,0,6) == '{SMD5}'){ + $method = 'smd6'; + $salt = substr(base64_decode(substr($hash, 6)),16); }elseif($len == 32){ $method = 'md5'; }elseif($len == 40){ @@ -130,6 +133,18 @@ class PassHash { } } + + /** + * Password hashing method 'smd6' + * + * Uses salted MD5 hashs. Salt is 8 bytes long. Yes, really 8 bytes... + */ + public function hash_smd6($clear, $salt=null){ + $this->init_salt($salt,8); + return "{SMD5}".base64_encode(md5($clear.$salt, true).$salt); + } + + /** * Password hashing method 'apr1' * -- cgit v1.2.3 From 491a2c68bc685e7e0cd4f9622ef4051e4a580d62 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 27 Nov 2011 11:08:07 +0100 Subject: renamed passhash method smd6 to lsmd5 --- inc/PassHash.class.php | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'inc/PassHash.class.php') diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php index c13cf4a54..8f62425aa 100644 --- a/inc/PassHash.class.php +++ b/inc/PassHash.class.php @@ -51,7 +51,7 @@ class PassHash { $method = 'ssha'; $salt = substr(base64_decode(substr($hash, 6)),20); }elseif(substr($hash,0,6) == '{SMD5}'){ - $method = 'smd6'; + $method = 'lsmd5'; $salt = substr(base64_decode(substr($hash, 6)),16); }elseif($len == 32){ $method = 'md5'; @@ -135,13 +135,15 @@ class PassHash { /** - * Password hashing method 'smd6' + * Password hashing method 'lsmd5' * - * Uses salted MD5 hashs. Salt is 8 bytes long. Yes, really 8 bytes... + * Uses salted MD5 hashs. Salt is 8 bytes long. + * + * This is the format used by LDAP. */ - public function hash_smd6($clear, $salt=null){ - $this->init_salt($salt,8); - return "{SMD5}".base64_encode(md5($clear.$salt, true).$salt); + public function hash_lsmd5($clear, $salt=null){ + $this->init_salt($salt,8); + return "{SMD5}".base64_encode(md5($clear.$salt, true).$salt); } -- cgit v1.2.3 From d4dca43453a7a9e798c208cbb89ee09616381dde Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 16 Mar 2012 11:11:15 +0100 Subject: fixed error in bcrypt password method --- inc/PassHash.class.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/PassHash.class.php') diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php index 2558f37c6..0521ee305 100644 --- a/inc/PassHash.class.php +++ b/inc/PassHash.class.php @@ -427,7 +427,7 @@ class PassHash { $this->gen_salt(22); } - return crypt($password, $salt); + return crypt($clear, $salt); } } -- cgit v1.2.3 From 63703ba5bd81f50c43bc45f8bf79c514afa3ee49 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 16 Mar 2012 12:09:30 +0100 Subject: coding style updates --- inc/PassHash.class.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'inc/PassHash.class.php') diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php index 0521ee305..3fb1349d2 100644 --- a/inc/PassHash.class.php +++ b/inc/PassHash.class.php @@ -88,7 +88,9 @@ class PassHash { public function gen_salt($len=32){ $salt = ''; $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; - for($i=0;$i<$len;$i++) $salt .= $chars[mt_rand(0,61)]; + for($i=0; $i<$len; $i++){ + $salt .= $chars[mt_rand(0,61)]; + } return $salt; } -- cgit v1.2.3