Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

tests reveal that the last two bits do count for blowfish; revert enc…

…oding change for that one
  • Loading branch information...
commit 041c866a9443191cc01726e5ffcb37f14f76e137 1 parent 4bd985b
@ddebernardy ddebernardy authored nateabele committed
View
4 libraries/lithium/security/Crypto.php
@@ -62,8 +62,8 @@ public static function random64($bytes) {
// Given that we're working on random bytes, we can use safely use
// base64_encode() without losing any entropy, sparing ourselves the
// hassle of maintaining more code than needed.
- $base64 = base64_encode(static::random($bytes));
- return strtr(rtrim($base64, '='), '+', '.');
+ $encoded = base64_encode(static::random($bytes));
+ return strtr(rtrim($encoded, '='), '+', '.');
}
/**
View
32 libraries/lithium/security/Password.php
@@ -162,11 +162,39 @@ protected static function _genSaltBf($count = null) {
if ($count < 4 || $count > 31)
$count = static::BF;
+ // We don't use the random64() method here because it can result
+ // in 2 bits less of entropy depending on the last char.
+ $base64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+ $i = 0;
+
+ $input = static::random(16); // 128 bits of salt
+ $output = '';
+
+ do {
+ $c1 = ord($input[$i++]);
+ $output .= $base64[$c1 >> 2];
+ $c1 = ($c1 & 0x03) << 4;
+ if ($i >= 16) {
+ $output .= $base64[$c1];
+ break;
+ }
+
+ $c2 = ord($input[$i++]);
+ $c1 |= $c2 >> 4;
+ $output .= $base64[$c1];
+ $c1 = ($c2 & 0x0f) << 2;
+
+ $c2 = ord($input[$i++]);
+ $c1 |= $c2 >> 6;
+ $output .= $base64[$c1];
+ $output .= $base64[$c2 & 0x3f];
+ } while (1);
+
return '$2a$'
// zeroize iterations
. chr(ord('0') + $count / 10) . chr(ord('0') + $count % 10)
- // 128 bits of salt
- . '$' . static::random64(16);
+ // 128 bits of salt, encoded
+ . '$' . $output;
}
/**
View
2  libraries/lithium/tests/cases/security/PasswordTest.php
@@ -29,7 +29,7 @@ public function testPassword() {
$md5Hash = "{^\\$1\\$[0-9A-Za-z./]{8}\\$[0-9A-Za-z./]{22}$}";
// Make it faster than the default settings, else we'll be there tomorrow
- foreach (array('bf' => 6, 'xdes' => 10, 'md5' => false) as $method => $log2) {
+ foreach (array('bf' => 6, 'xdes' => 10, 'md5' => null) as $method => $log2) {
$salts = array();
$hashes = array();
$count = 20;
Please sign in to comment.
Something went wrong with that request. Please try again.