Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Merge pull request #948 from sitedyno/blowfish-updates

Blowfish Clarifications.
  • Loading branch information...
commit eb3e5095cddda9ad57b00bf67381246e7791111b 2 parents e0aab77 + 895fcac
@markstory markstory authored
View
5 lib/Cake/Controller/Component/Auth/BlowfishAuthenticate.php
@@ -28,7 +28,10 @@
* }}}
*
* When configuring BlowfishAuthenticate you can pass in settings to which fields, model and additional conditions
- * are used. See BlowfishAuthenticate::$settings for more information.
+ * are used. See FormAuthenticate::$settings for more information.
+ *
+ * For inital password hashing/creation see Security::hash(). Other than how the password is initally hashed,
+ * BlowfishAuthenticate works exactly the same way as FormAuthenticate.
*
* @package Cake.Controller.Component.Auth
* @since CakePHP(tm) v 2.3
View
31 lib/Cake/Utility/Security.php
@@ -78,14 +78,26 @@ public static function validateAuthKey($authKey) {
}
/**
- * Create a hash from string using given method.
- * Fallback on next available method.
- * If you are using blowfish, for comparisons simply pass the originally hashed
- * string as the salt (the salt is prepended to the hash and php handles the
- * parsing automagically. Do NOT use a constant salt for blowfish.
+ * Create a hash from string using given method or fallback on next available method.
+ *
+ * #### Using Blowfish
+ *
+ * - Creating Hashes: *Do not supply a salt*. Cake handles salt creation for
+ * you ensuring that each hashed password will have a *unique* salt.
+ * - Comparing Hashes: Simply pass the originally hashed password as the salt.
+ * The salt is prepended to the hash and php handles the parsing automagically.
+ * For convenience the BlowfishAuthenticate adapter is available for use with
+ * the AuthComponent.
+ * - Do NOT use a constant salt for blowfish!
+ *
+ * Creating a blowfish/bcrypt hash:
+ *
+ * {{{
+ * $hash = Security::hash($password, 'blowfish');
+ * }}}
*
* @param string $string String to hash
- * @param string $type Method to use (sha1/sha256/md5)
+ * @param string $type Method to use (sha1/sha256/md5/blowfish)
* @param mixed $salt If true, automatically appends the application's salt
* value to $string (Security.salt). If you are using blowfish the salt
* must be false or a previously generated salt.
@@ -222,7 +234,7 @@ public static function rijndael($text, $key, $operation) {
* @param integer $length The length of the returned salt
* @return string The generated salt
*/
- public static function salt($length = 22) {
+ protected static function _salt($length = 22) {
$salt = str_replace(
array('+', '='),
'.',
@@ -232,14 +244,15 @@ public static function salt($length = 22) {
}
/**
- * One way encryption using php's crypt() function, used with type blowfish in ``Security::hash()``
+ * One way encryption using php's crypt() function. To use blowfish hashing see ``Security::hash()``
*
* @param string $password The string to be encrypted.
* @param mixed $salt false to generate a new salt or an existing salt.
+ * @return string The hashed string or an empty string on error.
*/
protected static function _crypt($password, $salt = false) {
if ($salt === false) {
- $salt = self::salt(22);
+ $salt = self::_salt(22);
$salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
}
Please sign in to comment.
Something went wrong with that request. Please try again.