Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
100.00% |
33 / 33 |
|
100.00% |
7 / 7 |
CRAP | |
100.00% |
1 / 1 |
| salted_md5 | |
100.00% |
33 / 33 |
|
100.00% |
7 / 7 |
14 | |
100.00% |
1 / 1 |
| get_prefix | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| is_legacy | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| hash | |
100.00% |
10 / 10 |
|
100.00% |
1 / 1 |
3 | |||
| check | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
2 | |||
| generate_salt | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
1 | |||
| get_hash_settings | |
100.00% |
11 / 11 |
|
100.00% |
1 / 1 |
5 | |||
| get_settings_only | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
| 1 | <?php |
| 2 | /** |
| 3 | * |
| 4 | * This file is part of the phpBB Forum Software package. |
| 5 | * |
| 6 | * @copyright (c) phpBB Limited <https://www.phpbb.com> |
| 7 | * @license GNU General Public License, version 2 (GPL-2.0) |
| 8 | * |
| 9 | * For full copyright and license information, please see |
| 10 | * the docs/CREDITS.txt file. |
| 11 | * |
| 12 | */ |
| 13 | |
| 14 | namespace phpbb\passwords\driver; |
| 15 | |
| 16 | /** |
| 17 | * |
| 18 | * @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier) |
| 19 | * |
| 20 | * Portable PHP password hashing framework. |
| 21 | * |
| 22 | * Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in |
| 23 | * the public domain. |
| 24 | * |
| 25 | * There's absolutely no warranty. |
| 26 | * |
| 27 | * The homepage URL for this framework is: |
| 28 | * |
| 29 | * http://www.openwall.com/phpass/ |
| 30 | * |
| 31 | * Please be sure to update the Version line if you edit this file in any way. |
| 32 | * It is suggested that you leave the main version number intact, but indicate |
| 33 | * your project name (after the slash) and add your own revision information. |
| 34 | * |
| 35 | * Please do not change the "private" password hashing method implemented in |
| 36 | * here, thereby making your hashes incompatible. However, if you must, please |
| 37 | * change the hash type identifier (the "$P$") to something different. |
| 38 | * |
| 39 | * Obviously, since this code is in the public domain, the above are not |
| 40 | * requirements (there can be none), but merely suggestions. |
| 41 | * |
| 42 | */ |
| 43 | |
| 44 | class salted_md5 extends base |
| 45 | { |
| 46 | const PREFIX = '$H$'; |
| 47 | |
| 48 | /** |
| 49 | * {@inheritdoc} |
| 50 | */ |
| 51 | public function get_prefix() |
| 52 | { |
| 53 | return self::PREFIX; |
| 54 | } |
| 55 | |
| 56 | /** |
| 57 | * {@inheritdoc} |
| 58 | */ |
| 59 | public function is_legacy() |
| 60 | { |
| 61 | return true; |
| 62 | } |
| 63 | |
| 64 | /** |
| 65 | * {@inheritdoc} |
| 66 | */ |
| 67 | public function hash($password, $setting = '') |
| 68 | { |
| 69 | if ($setting) |
| 70 | { |
| 71 | if (($settings = $this->get_hash_settings($setting)) === false) |
| 72 | { |
| 73 | // Return md5 of password if settings do not |
| 74 | // comply with our standards. This will only |
| 75 | // happen if pre-determined settings are |
| 76 | // directly passed to the driver. The manager |
| 77 | // will not do this. Same as the old hashing |
| 78 | // implementation in phpBB 3.0 |
| 79 | return md5($password); |
| 80 | } |
| 81 | } |
| 82 | else |
| 83 | { |
| 84 | $settings = $this->get_hash_settings($this->generate_salt()); |
| 85 | } |
| 86 | |
| 87 | $hash = md5($settings['salt'] . $password, true); |
| 88 | do |
| 89 | { |
| 90 | $hash = md5($hash . $password, true); |
| 91 | } |
| 92 | while (--$settings['count']); |
| 93 | |
| 94 | $output = $settings['full']; |
| 95 | $output .= $this->helper->hash_encode64($hash, 16); |
| 96 | |
| 97 | return $output; |
| 98 | } |
| 99 | |
| 100 | /** |
| 101 | * {@inheritdoc} |
| 102 | */ |
| 103 | public function check($password, $hash, $user_row = array()) |
| 104 | { |
| 105 | if (strlen($hash) !== 34) |
| 106 | { |
| 107 | return md5($password) === $hash; |
| 108 | } |
| 109 | |
| 110 | return $this->helper->string_compare($hash, $this->hash($password, $hash)); |
| 111 | } |
| 112 | |
| 113 | /** |
| 114 | * Generate salt for hashing method |
| 115 | * |
| 116 | * @return string Salt for hashing method |
| 117 | */ |
| 118 | protected function generate_salt() |
| 119 | { |
| 120 | $count = 6; |
| 121 | |
| 122 | $random = $this->helper->get_random_salt($count); |
| 123 | |
| 124 | $salt = $this->get_prefix(); |
| 125 | $salt .= $this->helper->itoa64[min($count + 5, 30)]; |
| 126 | $salt .= $this->helper->hash_encode64($random, $count); |
| 127 | |
| 128 | return $salt; |
| 129 | } |
| 130 | |
| 131 | /** |
| 132 | * Get hash settings |
| 133 | * |
| 134 | * @param string $hash The hash that contains the settings |
| 135 | * |
| 136 | * @return bool|array Array containing the count_log2, salt, and full |
| 137 | * hash settings string or false if supplied hash is empty |
| 138 | * or contains incorrect settings |
| 139 | */ |
| 140 | public function get_hash_settings($hash) |
| 141 | { |
| 142 | if (empty($hash)) |
| 143 | { |
| 144 | return false; |
| 145 | } |
| 146 | |
| 147 | $count_log2 = strpos($this->helper->itoa64, $hash[3]); |
| 148 | $salt = substr($hash, 4, 8); |
| 149 | |
| 150 | if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8) |
| 151 | { |
| 152 | return false; |
| 153 | } |
| 154 | |
| 155 | return array( |
| 156 | 'count' => 1 << $count_log2, |
| 157 | 'salt' => $salt, |
| 158 | 'full' => substr($hash, 0, 12), |
| 159 | ); |
| 160 | } |
| 161 | |
| 162 | /** |
| 163 | * {@inheritdoc} |
| 164 | */ |
| 165 | public function get_settings_only($hash, $full = false) |
| 166 | { |
| 167 | return substr($hash, 3, 9); |
| 168 | } |
| 169 | } |