From 3f70699aa378cce091c441bb4c06c38866ff10a9 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 15 Jun 2013 16:25:03 +0200 Subject: [PATCH] [feature/passwords] Use common salt generation function for all types We will be using the same method inside the driver helper class for all hash types. This is the same function that has been used for the salted md5 hash of phpBB 3.0. PHPBB3-11610 --- phpBB/includes/crypto/driver/bcrypt.php | 2 +- phpBB/includes/crypto/driver/helper.php | 47 ++++++++++++++++++--- phpBB/includes/crypto/driver/salted_md5.php | 29 +++---------- 3 files changed, 47 insertions(+), 31 deletions(-) diff --git a/phpBB/includes/crypto/driver/bcrypt.php b/phpBB/includes/crypto/driver/bcrypt.php index 82ff2fb844..d98bf8c940 100644 --- a/phpBB/includes/crypto/driver/bcrypt.php +++ b/phpBB/includes/crypto/driver/bcrypt.php @@ -81,6 +81,6 @@ class phpbb_crypto_driver_bcrypt extends phpbb_crypto_driver_base */ protected function get_random_salt() { - return substr(str_replace('+', '.', bin2hex(openssl_random_pseudo_bytes(22))), 0, 22); + return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22); } } diff --git a/phpBB/includes/crypto/driver/helper.php b/phpBB/includes/crypto/driver/helper.php index 2931058629..3eafdf1ecc 100644 --- a/phpBB/includes/crypto/driver/helper.php +++ b/phpBB/includes/crypto/driver/helper.php @@ -23,6 +23,12 @@ class phpbb_crypto_driver_helper /** @var phpbb_config */ protected $driver; + /** + * base64 alphabet + * @var string + */ + public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + /** * Constructor of crypto driver helper object */ @@ -36,11 +42,10 @@ class phpbb_crypto_driver_helper * * @param string $input Input string * @param int $count Input string length - * @param string $itoa64 Allowed characters string * * @return string base64 encoded string */ - public function hash_encode64($input, $count, &$itoa64) + public function hash_encode64($input, $count) { $output = ''; $i = 0; @@ -48,14 +53,14 @@ class phpbb_crypto_driver_helper do { $value = ord($input[$i++]); - $output .= $itoa64[$value & 0x3f]; + $output .= $this->itoa64[$value & 0x3f]; if ($i < $count) { $value |= ord($input[$i]) << 8; } - $output .= $itoa64[($value >> 6) & 0x3f]; + $output .= $this->itoa64[($value >> 6) & 0x3f]; if ($i++ >= $count) { @@ -67,14 +72,14 @@ class phpbb_crypto_driver_helper $value |= ord($input[$i]) << 16; } - $output .= $itoa64[($value >> 12) & 0x3f]; + $output .= $this->itoa64[($value >> 12) & 0x3f]; if ($i++ >= $count) { break; } - $output .= $itoa64[($value >> 18) & 0x3f]; + $output .= $this->itoa64[($value >> 18) & 0x3f]; } while ($i < $count); @@ -105,4 +110,34 @@ class phpbb_crypto_driver_helper return substr($val, 4, 16); } + + /** + * Get random salt with specified length + * + * @param int $length Salt length + */ + public function get_random_salt($length) + { + $random = ''; + + if (($fh = @fopen('/dev/urandom', 'rb'))) + { + $random = fread($fh, $length); + fclose($fh); + } + + if (strlen($random) < $length) + { + $random = ''; + $random_state = $this->helper->unique_id(); + + for ($i = 0; $i < $length; $i += 16) + { + $random_state = md5($this->helper->unique_id() . $random_state); + $random .= pack('H*', md5($random_state)); + } + $random = substr($random, 0, $length); + } + return $random; + } } diff --git a/phpBB/includes/crypto/driver/salted_md5.php b/phpBB/includes/crypto/driver/salted_md5.php index 8e1c8a0d05..1bb7a17afc 100644 --- a/phpBB/includes/crypto/driver/salted_md5.php +++ b/phpBB/includes/crypto/driver/salted_md5.php @@ -20,8 +20,6 @@ if (!defined('IN_PHPBB')) */ class phpbb_crypto_driver_salted_md5 extends phpbb_crypto_driver_base { - protected $itoa = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - const PREFIX = '$H$'; /** @@ -68,7 +66,7 @@ class phpbb_crypto_driver_salted_md5 extends phpbb_crypto_driver_base while (--$settings['count']); $output = $settings['full']; - $output .= $this->helper->hash_encode64($hash, 16, $this->itoa); + $output .= $this->helper->hash_encode64($hash, 16); if (strlen($output) == 34) { @@ -108,28 +106,11 @@ class phpbb_crypto_driver_salted_md5 extends phpbb_crypto_driver_base $random = ''; $count = 6; - if (($fh = @fopen('/dev/urandom', 'rb'))) - { - $random = fread($fh, $count); - fclose($fh); - } - - if (strlen($random) < $count) - { - $random = ''; - $random_state = $this->helper->unique_id(); - - for ($i = 0; $i < $count; $i += 16) - { - $random_state = md5($this->helper->unique_id() . $random_state); - $random .= pack('H*', md5($random_state)); - } - $random = substr($random, 0, $count); - } + $random = $this->helper->get_random_salt($count); $salt = '$H$'; - $salt .= $this->itoa[min($count + 5, 30)]; - $salt .= $this->helper->hash_encode64($random, 6, $this->itoa); + $salt .= $this->helper->itoa64[min($count + 5, 30)]; + $salt .= $this->helper->hash_encode64($random, $count); return $salt; } @@ -146,7 +127,7 @@ class phpbb_crypto_driver_salted_md5 extends phpbb_crypto_driver_base { return false; } - $count_log2 = strpos($this->itoa, $hash[3]); + $count_log2 = strpos($this->helper->itoa64, $hash[3]); $salt = substr($hash, 4, 8); if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8)