Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Blowfish Clarifications. #948

Merged
merged 1 commit into from

3 participants

@sitedyno

Attempt to make blowfish usage clearer/easier as requested here. I'll be happy to change or cherry pick out things as needed :)

@ADmad ADmad commented on the diff
lib/Cake/Utility/Security.php
@@ -222,7 +235,7 @@ public static function rijndael($text, $key, $operation) {
* @param integer $length The length of the returned salt
* @return string The generated salt
*/
- public static function salt($length = 22) {
+ protected static function _salt($length = 22) {
@ADmad Collaborator
ADmad added a note

Why change it to protected?

It's not directly tested and it being protected implies the end developer doesn't need to/shouldn't use it. In other words: you don't need to bother with salts.

@markstory Owner

I'm fine with it moving to protected, @sitedyno makes some good points. Also 2.3 hasn't gone stable so this isn't a big break in compatibility.

@ADmad Collaborator
ADmad added a note

While the salt string generated is used only for hashing internally it could be useful as a random string generator which is often needed for various purposed in an app. Having this function as public would avoid having to write your own function.

Just a suggestion though. I am fine with making it protected if that's the general consensus.

@markstory Owner

Well we could always add a random() method to String class if that is something people will frequently need. I don't think it should belong on Security unless we're going to get crpyto strength random data which is harder to come by on most hosts.

@ADmad Collaborator
ADmad added a note

Fair enough, so I guess this is ready to merge once the commits are squashed.

1.1 had a NeatString::randomPassword() function. We could reinstate that as String::random() or have a better random string generator logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
lib/Cake/Utility/Security.php
((4 lines not shown))
- * Create a hash from string using given method.
- * Fallback on next available method.
- * If you are using blowfish, for comparisons simply pass the originally hashed
- * string as the salt (the salt is prepended to the hash and php handles the
- * parsing automagically. Do NOT use a constant salt for blowfish.
+ * Create a hash from string using given method or fallback on next available method.
+ *
+ * #### Using Blowfish
+ *
+ * -Creating Hashes: *Do not supply a salt*. Cake handles salt creation for
+ * you ensuring that each hashed password will have a *unique* salt.
+ * -Comparing Hashes: Simply pass the originally hashed password as the salt.
+ * The salt is prepended to the hash and php handles the parsing automagically.
+ * For convenience the BlowfishAuthenticate adapter is available for use with
+ * the AuthComponent.
+ * -Do NOT use a constant salt for blowfish!
@markstory Owner

You should have spaces after these - or the api docs won't understand what you mean.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
lib/Cake/Utility/Security.php
((11 lines not shown))
+ * #### Using Blowfish
+ *
+ * -Creating Hashes: *Do not supply a salt*. Cake handles salt creation for
+ * you ensuring that each hashed password will have a *unique* salt.
+ * -Comparing Hashes: Simply pass the originally hashed password as the salt.
+ * The salt is prepended to the hash and php handles the parsing automagically.
+ * For convenience the BlowfishAuthenticate adapter is available for use with
+ * the AuthComponent.
+ * -Do NOT use a constant salt for blowfish!
+ *
+ * Creating a blowfish/bcrypt hash:
+ *
+ * {{{
+ * Security::setHash('blowfish');
+ * $hash = Security::hash('secretpassword');
+ * }}}
@markstory Owner

I wouldn't recommend using setHash() instead why not recommend $hash = Security::hash($password, 'blowfish');

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
@sitedyno

Last commit fixed the formatting too. I'll gladly squash up commits once you guys are happy.

@markstory
Owner

@sitedyno I think this looks good.

@sitedyno

@markstory It's been squashed up ;)

@markstory markstory merged commit eb3e509 into from
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Nov 12, 2012
  1. @sitedyno

    Improve Blowfish Docblocks

    sitedyno authored
This page is out of date. Refresh to see the latest.
View
5 lib/Cake/Controller/Component/Auth/BlowfishAuthenticate.php
@@ -28,7 +28,10 @@
* }}}
*
* When configuring BlowfishAuthenticate you can pass in settings to which fields, model and additional conditions
- * are used. See BlowfishAuthenticate::$settings for more information.
+ * are used. See FormAuthenticate::$settings for more information.
+ *
+ * For inital password hashing/creation see Security::hash(). Other than how the password is initally hashed,
+ * BlowfishAuthenticate works exactly the same way as FormAuthenticate.
*
* @package Cake.Controller.Component.Auth
* @since CakePHP(tm) v 2.3
View
31 lib/Cake/Utility/Security.php
@@ -78,14 +78,26 @@ public static function validateAuthKey($authKey) {
}
/**
- * Create a hash from string using given method.
- * Fallback on next available method.
- * If you are using blowfish, for comparisons simply pass the originally hashed
- * string as the salt (the salt is prepended to the hash and php handles the
- * parsing automagically. Do NOT use a constant salt for blowfish.
+ * Create a hash from string using given method or fallback on next available method.
+ *
+ * #### Using Blowfish
+ *
+ * - Creating Hashes: *Do not supply a salt*. Cake handles salt creation for
+ * you ensuring that each hashed password will have a *unique* salt.
+ * - Comparing Hashes: Simply pass the originally hashed password as the salt.
+ * The salt is prepended to the hash and php handles the parsing automagically.
+ * For convenience the BlowfishAuthenticate adapter is available for use with
+ * the AuthComponent.
+ * - Do NOT use a constant salt for blowfish!
+ *
+ * Creating a blowfish/bcrypt hash:
+ *
+ * {{{
+ * $hash = Security::hash($password, 'blowfish');
+ * }}}
*
* @param string $string String to hash
- * @param string $type Method to use (sha1/sha256/md5)
+ * @param string $type Method to use (sha1/sha256/md5/blowfish)
* @param mixed $salt If true, automatically appends the application's salt
* value to $string (Security.salt). If you are using blowfish the salt
* must be false or a previously generated salt.
@@ -222,7 +234,7 @@ public static function rijndael($text, $key, $operation) {
* @param integer $length The length of the returned salt
* @return string The generated salt
*/
- public static function salt($length = 22) {
+ protected static function _salt($length = 22) {
@ADmad Collaborator
ADmad added a note

Why change it to protected?

It's not directly tested and it being protected implies the end developer doesn't need to/shouldn't use it. In other words: you don't need to bother with salts.

@markstory Owner

I'm fine with it moving to protected, @sitedyno makes some good points. Also 2.3 hasn't gone stable so this isn't a big break in compatibility.

@ADmad Collaborator
ADmad added a note

While the salt string generated is used only for hashing internally it could be useful as a random string generator which is often needed for various purposed in an app. Having this function as public would avoid having to write your own function.

Just a suggestion though. I am fine with making it protected if that's the general consensus.

@markstory Owner

Well we could always add a random() method to String class if that is something people will frequently need. I don't think it should belong on Security unless we're going to get crpyto strength random data which is harder to come by on most hosts.

@ADmad Collaborator
ADmad added a note

Fair enough, so I guess this is ready to merge once the commits are squashed.

1.1 had a NeatString::randomPassword() function. We could reinstate that as String::random() or have a better random string generator logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
$salt = str_replace(
array('+', '='),
'.',
@@ -232,14 +244,15 @@ public static function salt($length = 22) {
}
/**
- * One way encryption using php's crypt() function, used with type blowfish in ``Security::hash()``
+ * One way encryption using php's crypt() function. To use blowfish hashing see ``Security::hash()``
*
* @param string $password The string to be encrypted.
* @param mixed $salt false to generate a new salt or an existing salt.
+ * @return string The hashed string or an empty string on error.
*/
protected static function _crypt($password, $salt = false) {
if ($salt === false) {
- $salt = self::salt(22);
+ $salt = self::_salt(22);
$salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
}
Something went wrong with that request. Please try again.