Modernize sha1 and md5 password hash and check functions: remove unnecessary pack, no longer use very old fallbacks, and use random_salt
This commit is contained in:
Bert Van de Poel
Deon George
parent
1a09e4ff3c
commit
fe3798f8ec
@ -2230,7 +2230,7 @@ function pla_password_hash($password_clear,$enc_type) {
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 'md5':
|
case 'md5':
|
||||||
$new_value = sprintf('{MD5}%s',base64_encode(pack('H*',md5($password_clear))));
|
$new_value = sprintf('{MD5}%s',base64_encode(md5($password_clear, true)));
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'md5crypt':
|
case 'md5crypt':
|
||||||
@ -2242,25 +2242,13 @@ function pla_password_hash($password_clear,$enc_type) {
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 'sha':
|
case 'sha':
|
||||||
# Use php 4.3.0+ sha1 function, if it is available.
|
$new_value = sprintf('{SHA}%s',base64_encode(sha1($password_clear, true)));
|
||||||
if (function_exists('sha1'))
|
|
||||||
$new_value = sprintf('{SHA}%s',base64_encode(pack('H*',sha1($password_clear))));
|
|
||||||
elseif (function_exists('mhash'))
|
|
||||||
$new_value = sprintf('{SHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear)));
|
|
||||||
else
|
|
||||||
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'ssha':
|
case 'ssha':
|
||||||
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
|
$salt = hex2bin(random_salt(8));
|
||||||
mt_srand((double)microtime()*1000000);
|
$new_value = sprintf('{SSHA}%s',base64_encode(sha1($password_clear.$salt, true).$salt));
|
||||||
$salt = mhash_keygen_s2k(MHASH_SHA1,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
|
|
||||||
$new_value = sprintf('{SSHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear.$salt).$salt));
|
|
||||||
|
|
||||||
} else {
|
|
||||||
error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -2278,14 +2266,8 @@ function pla_password_hash($password_clear,$enc_type) {
|
|||||||
|
|
||||||
|
|
||||||
case 'smd5':
|
case 'smd5':
|
||||||
if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
|
$salt = hex2bin(random_salt(8));
|
||||||
mt_srand((double)microtime()*1000000);
|
$new_value = sprintf('{SMD5}%s',base64_encode(md5($password_clear.$salt, true).$salt));
|
||||||
$salt = mhash_keygen_s2k(MHASH_MD5,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
|
|
||||||
$new_value = sprintf('{SMD5}%s',base64_encode(mhash(MHASH_MD5,$password_clear.$salt).$salt));
|
|
||||||
|
|
||||||
} else {
|
|
||||||
error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -2388,23 +2370,17 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
|
|||||||
switch($cypher) {
|
switch($cypher) {
|
||||||
# SSHA crypted passwords
|
# SSHA crypted passwords
|
||||||
case 'ssha':
|
case 'ssha':
|
||||||
# Check php mhash support before using it
|
|
||||||
if (function_exists('mhash')) {
|
|
||||||
$hash = base64_decode($cryptedpassword);
|
$hash = base64_decode($cryptedpassword);
|
||||||
|
|
||||||
# OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
|
# OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
|
||||||
$salt = substr($hash,20);
|
$salt = substr($hash,20);
|
||||||
$new_hash = base64_encode(mhash(MHASH_SHA1,$plainpassword.$salt).$salt);
|
$new_hash = base64_encode(sha1($plainpassword.$salt, true).$salt);
|
||||||
|
|
||||||
if (strcmp($cryptedpassword,$new_hash) == 0)
|
if (strcmp($cryptedpassword,$new_hash) == 0)
|
||||||
return true;
|
return true;
|
||||||
else
|
else
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
} else {
|
|
||||||
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#BCRYPT hashed passwords
|
#BCRYPT hashed passwords
|
||||||
@ -2426,21 +2402,15 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
|
|||||||
|
|
||||||
# Salted MD5
|
# Salted MD5
|
||||||
case 'smd5':
|
case 'smd5':
|
||||||
# Check php mhash support before using it
|
|
||||||
if (function_exists('mhash')) {
|
|
||||||
$hash = base64_decode($cryptedpassword);
|
$hash = base64_decode($cryptedpassword);
|
||||||
$salt = substr($hash,16);
|
$salt = substr($hash,16);
|
||||||
$new_hash = base64_encode(mhash(MHASH_MD5,$plainpassword.$salt).$salt);
|
$new_hash = base64_encode(md5($plainpassword.$salt).$salt, true);
|
||||||
|
|
||||||
if (strcmp($cryptedpassword,$new_hash) == 0)
|
if (strcmp($cryptedpassword,$new_hash) == 0)
|
||||||
return true;
|
return true;
|
||||||
else
|
else
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
} else {
|
|
||||||
error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
|
|
||||||
}
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
# SHA crypted passwords
|
# SHA crypted passwords
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user