diff --git a/classes/kohana/auth.php b/classes/kohana/auth.php
index 33e3a52..4e425dc 100644
--- a/classes/kohana/auth.php
+++ b/classes/kohana/auth.php
@@ -61,9 +61,6 @@ public static function factory($config = array())
 */
 public function __construct($config = array())
 {
- // Clean up the salt pattern and split it into an array
- $config['salt_pattern'] = preg_split('/,\s*/', Kohana::config('auth')->get('salt_pattern'));
-
 // Save the config in the object
 $this->_config = $config;
 
@@ -102,11 +99,8 @@ public function login($username, $password, $remember = FALSE)
 if (is_string($password))
 {
- // Get the salt from the stored password
- $salt = $this->find_salt($this->password($username));
-
- // Create a hashed password using the salt from the stored password
- $password = $this->hash_password($password, $salt);
+ // Create a hashed password
+ $password = $this->hash_password($password);
 }
 
 return $this->_login($username, $password, $remember);
 
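Review bot: The constructor now stores `$config` without checking that `key` is present, yet `hash()` later in this file hands `$this->_config['key']` to `hash_hmac()` as the secret behind every stored password, so a missing or empty key would silently produce unkeyed digests. Fail fast before `$this->_config = $config;`, e.g. `if (empty($config['key'])) throw new Kohana_Exception('auth config key must be set to a long random secret');`. The `config/auth.php` hunk in this commit ships `'key' => 'k0h4n@'` as that secret; a short default committed to the repository is worth refusing as well, since every deployment that does not override it shares a key that is readable from the source. `__construct()` continues past the end of the hunk.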
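Review bot: Dropping the per-user salt makes `hash_password($password)` a deterministic function of the password and one site-wide key, so two users with the same password now store the same value and the stored hashes are only as secret as `config/auth.php`. The same design concern applies to the `hash_password`/`hash` hunk below and to `check_password()` in `classes/kohana/auth/orm.php`. A keyed fast digest is not a substitute for a salted, slow password hash: keep a random per-user salt stored with the hash (`password_hash()` on PHP 5.5+, otherwise `crypt()` with `CRYPT_BLOWFISH`), and if the HMAC key is kept, apply it as a pepper on top rather than as the only defence. `login()` continues outside the hunk.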
@@ -152,79 +146,24 @@ public function logged_in($role = NULL)
 }
 
 /**
- * Creates a hashed password from a plaintext password, inserting salt
- * based on the configured salt pattern.
+ * Creates a hashed hmac password from a plaintext password
 *
 * @param string plaintext password
- * @return string hashed password string
 */
- public function hash_password($password, $salt = FALSE)
+ public function hash_password($password)
 {
- if ($salt === FALSE)
- {
- // Create a salt seed, same length as the number of offsets in the pattern
- $salt = substr($this->hash(uniqid(NULL, TRUE)), 0, count($this->_config['salt_pattern']));
- }
-
- // Password hash that the salt will be inserted into
- $hash = $this->hash($salt.$password);
-
- // Change salt to an array
- $salt = str_split($salt, 1);
-
- // Returned password
- $password = '';
-
- // Used to calculate the length of splits
- $last_offset = 0;
-
- foreach ($this->_config['salt_pattern'] as $offset)
- {
- // Split a new part of the hash off
- $part = substr($hash, 0, $offset - $last_offset);
-
- // Cut the current part out of the hash
- $hash = substr($hash, $offset - $last_offset);
-
- // Add the part to the password, appending the salt character
- $password .= $part.array_shift($salt);
-
- // Set the last offset to the current offset
- $last_offset = $offset;
- }
-
- // Return the password, with the remaining hash appended
- return $password.$hash;
+ return $this->hash($password);
 }
 
 /**
- * Perform a hash, using the configured method.
+ * Perform a hmac hash, using the configured method.
 *
 * @param string string to hash
 * @return string
 */
 public function hash($str)
 {
- return hash($this->_config['hash_method'], $str);
- }
-
- /**
- * Finds the salt from a password, based on the configured salt pattern.
- *
- * @param string hashed password
- * @return string
- */
- public function find_salt($password)
- {
- $salt = '';
-
- foreach ($this->_config['salt_pattern'] as $i => $offset)
- {
- // Find salt characters, take a good long look...
- $salt .= substr($password, $offset + $i, 1);
- }
-
- return $salt;
+ return hash_hmac($this->_config['hash_method'], $str, $this->_config['key']);
 }
 
 protected function complete_login($user)
diff --git a/classes/kohana/auth/orm.php b/classes/kohana/auth/orm.php
index 26581a0..846e035 100644
--- a/classes/kohana/auth/orm.php
+++ b/classes/kohana/auth/orm.php
@@ -276,7 +276,7 @@ public function check_password($password)
 return FALSE;
 }
 
- $hash = $this->hash_password($password, $this->find_salt($user->password));
+ $hash = $this->hash_password($password);
 
 return $hash == $user->password;
 }
diff --git a/config/auth.php b/config/auth.php
index 3d18e7b..11d686b 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -3,8 +3,8 @@
 return array(
 'driver' => 'ORM',
- 'hash_method' => 'sha1',
- 'salt_pattern' => '1, 3, 5, 9, 14, 15, 20, 21, 28, 30',
+ 'hash_method' => 'sha256',
+ 'key' => 'k0h4n@',
 'lifetime' => 1209600,
 'session_key' => 'auth_user',
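Review bot: The `@return` tag was removed from the `hash_password()` docblock although the method still returns a string; restore it as ` * @return  string  hmac hash of the password`. `hash()` now also depends on a second config value that its docblock does not mention and that it reads unguarded, `$this->_config['key']`, so on a misconfigured install a missing key would reach `hash_hmac()` as a null/empty secret with nothing more than a notice; document the dependency with ` * @uses  the 'key' config value as the hmac secret (required, non-empty)` and note that `hash_method` must be an algorithm accepted by `hash_hmac()`. `complete_login()` begins on the hunk's last line and its body is outside the hunk.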
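Review bot: The new `$hash` is compared to the stored value with `==` on the following line; both operands are hex digest strings, and PHP's loose comparison treats numeric-looking strings numerically, so this should be `return $hash === $user->password;` (or `hash_equals($user->password, $hash)` where PHP 5.6+ is available, for a constant-time compare). The `==` line is context the commit leaves alone, but with the salt lookup gone it is now the sole check in `check_password()`, so it is worth tightening in the same change. `check_password()` begins before the hunk; the leading `return FALSE;` belongs to a guard whose condition is outside SOURCE.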