Skip to content

Blowfish Clarifications. #948

Merged
merged 1 commit into from Nov 13, 2012
View
5 lib/Cake/Controller/Component/Auth/BlowfishAuthenticate.php
@@ -28,7 +28,10 @@
* }}}
*
* When configuring BlowfishAuthenticate you can pass in settings to which fields, model and additional conditions
- * are used. See BlowfishAuthenticate::$settings for more information.
+ * are used. See FormAuthenticate::$settings for more information.
+ *
+ * For inital password hashing/creation see Security::hash(). Other than how the password is initally hashed,
+ * BlowfishAuthenticate works exactly the same way as FormAuthenticate.
*
* @package Cake.Controller.Component.Auth
* @since CakePHP(tm) v 2.3
View
31 lib/Cake/Utility/Security.php
@@ -78,14 +78,26 @@ public static function validateAuthKey($authKey) {
}
/**
- * Create a hash from string using given method.
- * Fallback on next available method.
- * If you are using blowfish, for comparisons simply pass the originally hashed
- * string as the salt (the salt is prepended to the hash and php handles the
- * parsing automagically. Do NOT use a constant salt for blowfish.
+ * Create a hash from string using given method or fallback on next available method.
+ *
+ * #### Using Blowfish
+ *
+ * - Creating Hashes: *Do not supply a salt*. Cake handles salt creation for
+ * you ensuring that each hashed password will have a *unique* salt.
+ * - Comparing Hashes: Simply pass the originally hashed password as the salt.
+ * The salt is prepended to the hash and php handles the parsing automagically.
+ * For convenience the BlowfishAuthenticate adapter is available for use with
+ * the AuthComponent.
+ * - Do NOT use a constant salt for blowfish!
+ *
+ * Creating a blowfish/bcrypt hash:
+ *
+ * {{{
+ * $hash = Security::hash($password, 'blowfish');
+ * }}}
*
* @param string $string String to hash
- * @param string $type Method to use (sha1/sha256/md5)
+ * @param string $type Method to use (sha1/sha256/md5/blowfish)
* @param mixed $salt If true, automatically appends the application's salt
* value to $string (Security.salt). If you are using blowfish the salt
* must be false or a previously generated salt.
@@ -222,7 +234,7 @@ public static function rijndael($text, $key, $operation) {
* @param integer $length The length of the returned salt
* @return string The generated salt
*/
- public static function salt($length = 22) {
+ protected static function _salt($length = 22) {
@ADmad
CakePHP member
ADmad added a note Nov 11, 2012

Why change it to protected?

@sitedyno
sitedyno added a note Nov 11, 2012

It's not directly tested and it being protected implies the end developer doesn't need to/shouldn't use it. In other words: you don't need to bother with salts.

@markstory
CakePHP member
markstory added a note Nov 12, 2012

I'm fine with it moving to protected, @sitedyno makes some good points. Also 2.3 hasn't gone stable so this isn't a big break in compatibility.

@ADmad
CakePHP member
ADmad added a note Nov 12, 2012

While the salt string generated is used only for hashing internally it could be useful as a random string generator which is often needed for various purposed in an app. Having this function as public would avoid having to write your own function.

Just a suggestion though. I am fine with making it protected if that's the general consensus.

@markstory
CakePHP member
markstory added a note Nov 12, 2012

Well we could always add a random() method to String class if that is something people will frequently need. I don't think it should belong on Security unless we're going to get crpyto strength random data which is harder to come by on most hosts.

@ADmad
CakePHP member
ADmad added a note Nov 12, 2012

Fair enough, so I guess this is ready to merge once the commits are squashed.

1.1 had a NeatString::randomPassword() function. We could reinstate that as String::random() or have a better random string generator logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
$salt = str_replace(
array('+', '='),
'.',
@@ -232,14 +244,15 @@ public static function salt($length = 22) {
}
/**
- * One way encryption using php's crypt() function, used with type blowfish in ``Security::hash()``
+ * One way encryption using php's crypt() function. To use blowfish hashing see ``Security::hash()``
*
* @param string $password The string to be encrypted.
* @param mixed $salt false to generate a new salt or an existing salt.
+ * @return string The hashed string or an empty string on error.
*/
protected static function _crypt($password, $salt = false) {
if ($salt === false) {
- $salt = self::salt(22);
+ $salt = self::_salt(22);
$salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
}
Something went wrong with that request. Please try again.