Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-03-04 02:48:32 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Prevent use of an invalid salt for Blowfish hashing of passwords

Browse Source
This commit is contained in:
Fedor A. Fetisov 2014-07-11 09:20:49 +00:00 committed by Dmitriy Simushev
parent dadbe36bd2
commit 524302fb2e
1 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
src/mibew/libs/operator.php
View File

@ -837,9 +837,9 @@ function calculate_password_hash($login, $password)
$hash = '*0'; $hash = '*0';
if (CRYPT_BLOWFISH == 1) { if (CRYPT_BLOWFISH == 1) {
if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) { if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
$hash = crypt($password, '$2y$08$' . $login); $hash = crypt($password, '$2y$08$' . generate_bf_salt($login));
} else { } else {
$hash = crypt($password, '$2a$08$' . $login); $hash = crypt($password, '$2a$08$' . generate_bf_salt($login));
} }
} }
@ -850,6 +850,61 @@ function calculate_password_hash($login, $password)
return strcmp($hash, '*0') ? $hash : md5($password); return strcmp($hash, '*0') ? $hash : md5($password);
} }
/**
* Generates correct blowfish salt based a string.
*
* @param string $string A string which should be turned to blowfish salt.
* @return string Correct blowfish salt.
*/
function generate_bf_salt($string)
{
$result = '';
$bin = unpack('C*', md5($string, true));
for ($i = 0; $i < count($bin); $i++) {
$shift = 2 + ($i % 3) * 2;
$first = ($bin[$i + 1] >> $shift);
$second = ($bin[$i + 1] & bindec(str_repeat('1', $shift)));
switch ($shift) {
case 2:
$result .= bf_salt_character($first);
$tmp = $second;
break;
case 4:
$result .= bf_salt_character(($tmp << 4) | $first);
$tmp = $second;
break;
case 6:
$result .= bf_salt_character(($tmp << 2) | $first);
$result .= bf_salt_character($second);
break;
}
}
if ($shift == 2) {
$result .= bf_salt_character($second);
}
return $result;
}
/**
* Convert character code to a correct blowfish character.
*
* @param integer $num Character code.
* @return string Character that can be used in blowfish salt.
*/
function bf_salt_character($num)
{
if ($num > 63) {
return chr(46);
} elseif ($num < 12) {
return chr(46 + $num);
} elseif ($num < 38) {
return chr(53 + $num);
} else {
return chr(59 + $num);
}
}
/** /**
* Validate incoming hashed value to be the hashed value of operator's password * Validate incoming hashed value to be the hashed value of operator's password
* *