* @license GNU General Public License, version 2 (GPL-2.0) * * For full copyright and license information, please see * the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; /** * * @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier) * * Portable PHP password hashing framework. * * Written by Solar Designer in 2004-2006 and placed in * the public domain. * * There's absolutely no warranty. * * The homepage URL for this framework is: * * http://www.openwall.com/phpass/ * * Please be sure to update the Version line if you edit this file in any way. * It is suggested that you leave the main version number intact, but indicate * your project name (after the slash) and add your own revision information. * * Please do not change the "private" password hashing method implemented in * here, thereby making your hashes incompatible. However, if you must, please * change the hash type identifier (the "$P$") to something different. * * Obviously, since this code is in the public domain, the above are not * requirements (there can be none), but merely suggestions. * */ class salted_md5 extends base { const PREFIX = '$H$'; /** * {@inheritdoc} */ public function get_prefix() { return self::PREFIX; } /** * {@inheritdoc} */ public function is_legacy() { return true; } /** * {@inheritdoc} */ public function hash($password, $setting = '') { if ($setting) { if (($settings = $this->get_hash_settings($setting)) === false) { // Return md5 of password if settings do not // comply with our standards. This will only // happen if pre-determined settings are // directly passed to the driver. The manager // will not do this. Same as the old hashing // implementation in phpBB 3.0 return md5($password); } } else { $settings = $this->get_hash_settings($this->generate_salt()); } $hash = md5($settings['salt'] . $password, true); do { $hash = md5($hash . $password, true); } while (--$settings['count']); $output = $settings['full']; $output .= $this->helper->hash_encode64($hash, 16); return $output; } /** * {@inheritdoc} */ public function check($password, $hash, $user_row = array()) { if (strlen($hash) !== 34) { return md5($password) === $hash; } return $this->helper->string_compare($hash, $this->hash($password, $hash)); } /** * Generate salt for hashing method * * @return string Salt for hashing method */ protected function generate_salt() { $count = 6; $random = $this->helper->get_random_salt($count); $salt = $this->get_prefix(); $salt .= $this->helper->itoa64[min($count + 5, 30)]; $salt .= $this->helper->hash_encode64($random, $count); return $salt; } /** * Get hash settings * * @param string $hash The hash that contains the settings * * @return bool|array Array containing the count_log2, salt, and full * hash settings string or false if supplied hash is empty * or contains incorrect settings */ public function get_hash_settings($hash) { if (empty($hash)) { return false; } $count_log2 = strpos($this->helper->itoa64, $hash[3]); $salt = substr($hash, 4, 8); if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8) { return false; } return array( 'count' => 1 << $count_log2, 'salt' => $salt, 'full' => substr($hash, 0, 12), ); } /** * {@inheritdoc} */ public function get_settings_only($hash, $full = false) { return substr($hash, 3, 9); } }