/
PasswordEncryptor_Blowfish.php
180 lines (154 loc) · 5.99 KB
/
PasswordEncryptor_Blowfish.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
<?php
namespace SilverStripe\Security;
/**
* Blowfish encryption - this is the default from SilverStripe 3.
* PHP 5.3+ will provide a php implementation if there is no system
* version available.
*/
class PasswordEncryptor_Blowfish extends PasswordEncryptor
{
/**
* Cost of encryption.
* Higher costs will increase security, but also increase server load.
* If you are using basic auth, you may need to decrease this as encryption
* will be run on every request.
* The two digit cost parameter is the base-2 logarithm of the iteration
* count for the underlying Blowfish-based hashing algorithmeter and must
* be in range 04-31, values outside this range will cause crypt() to fail.
*/
protected static $cost = 10;
/**
* Sets the cost of the blowfish algorithm.
* See {@link PasswordEncryptor_Blowfish::$cost}
* Cost is set as an integer but
* Ensure that set values are from 4-31
*
* @param int $cost range 4-31
*/
public static function set_cost($cost)
{
self::$cost = max(min(31, $cost), 4);
}
/**
* Gets the cost that is set for the blowfish algorithm
*
* @return int
*/
public static function get_cost()
{
return self::$cost;
}
public function encrypt($password, $salt = null, $member = null)
{
// See: http://nz.php.net/security/crypt_blowfish.php
// There are three version of the algorithm - y, a and x, in order
// of decreasing security. Attempt to use the strongest version.
$encryptedPassword = $this->encryptY($password, $salt);
if (!$encryptedPassword) {
$encryptedPassword = $this->encryptA($password, $salt);
}
if (!$encryptedPassword) {
$encryptedPassword = $this->encryptX($password, $salt);
}
// We *never* want to generate blank passwords. If something
// goes wrong, throw an exception.
if (strpos($encryptedPassword ?? '', '$2') === false) {
throw new PasswordEncryptor_EncryptionFailed('Blowfish password encryption failed.');
}
return $encryptedPassword;
}
public function encryptX($password, $salt)
{
$methodAndSalt = '$2x$' . $salt;
$encryptedPassword = crypt($password ?? '', $methodAndSalt ?? '');
if (strpos($encryptedPassword ?? '', '$2x$') === 0) {
return $encryptedPassword;
}
// Check if system a is actually x, and if available, use that.
if ($this->checkAEncryptionLevel() == 'x') {
$methodAndSalt = '$2a$' . $salt;
$encryptedPassword = crypt($password ?? '', $methodAndSalt ?? '');
if (strpos($encryptedPassword ?? '', '$2a$') === 0) {
$encryptedPassword = '$2x$' . substr($encryptedPassword ?? '', strlen('$2a$'));
return $encryptedPassword;
}
}
return false;
}
public function encryptY($password, $salt)
{
$methodAndSalt = '$2y$' . $salt;
$encryptedPassword = crypt($password ?? '', $methodAndSalt ?? '');
if (strpos($encryptedPassword ?? '', '$2y$') === 0) {
return $encryptedPassword;
}
// Check if system a is actually y, and if available, use that.
if ($this->checkAEncryptionLevel() == 'y') {
$methodAndSalt = '$2a$' . $salt;
$encryptedPassword = crypt($password ?? '', $methodAndSalt ?? '');
if (strpos($encryptedPassword ?? '', '$2a$') === 0) {
$encryptedPassword = '$2y$' . substr($encryptedPassword ?? '', strlen('$2a$'));
return $encryptedPassword;
}
}
return false;
}
public function encryptA($password, $salt)
{
if ($this->checkAEncryptionLevel() == 'a') {
$methodAndSalt = '$2a$' . $salt;
$encryptedPassword = crypt($password ?? '', $methodAndSalt ?? '');
if (strpos($encryptedPassword ?? '', '$2a$') === 0) {
return $encryptedPassword;
}
}
return false;
}
/**
* The algorithm returned by using '$2a$' is not consistent -
* it might be either the correct (y), incorrect (x) or mostly-correct (a)
* version, depending on the version of PHP and the operating system,
* so we need to test it.
*/
public function checkAEncryptionLevel()
{
// Test hashes taken from
// http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc
// /crypt_blowfish/wrapper.c?rev=1.9.2.1;content-type=text%2Fplain
$xOrY = crypt("\xff\xa334\xff\xff\xff\xa3345", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi')
== '$2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi';
$yOrA = crypt("\xa3", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq')
== '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq';
if ($xOrY && $yOrA) {
return 'y';
} elseif ($xOrY) {
return 'x';
} elseif ($yOrA) {
return 'a';
}
return 'unknown';
}
/**
* self::$cost param is forced to be two digits with leading zeroes for ints 4-9
*
* @param string $password
* @param Member $member
* @return string
*/
public function salt($password, $member = null)
{
$generator = new RandomGenerator();
return sprintf('%02d', self::$cost) . '$' . substr($generator->randomToken('sha1') ?? '', 0, 22);
}
public function check($hash, $password, $salt = null, $member = null)
{
if (strpos($hash ?? '', '$2y$') === 0) {
return $hash === $this->encryptY($password, $salt);
} elseif (strpos($hash ?? '', '$2a$') === 0) {
return $hash === $this->encryptA($password, $salt);
} elseif (strpos($hash ?? '', '$2x$') === 0) {
return $hash === $this->encryptX($password, $salt);
}
return false;
}
}