Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implemented support for forum auth using bcrypt as per #1761
Newer versions of phpbb use bcrypt for password hashing requiring this change. This is squash commit of bcrypt_auth branch.
- Loading branch information
1 parent
eb900c9
commit 1c8f520
Showing
21 changed files
with
2,615 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
Creative Commons Legal Code | ||
|
||
CC0 1.0 Universal | ||
|
||
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE | ||
LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN | ||
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS | ||
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES | ||
REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS | ||
PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM | ||
THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED | ||
HEREUNDER. | ||
|
||
Statement of Purpose | ||
|
||
The laws of most jurisdictions throughout the world automatically confer | ||
exclusive Copyright and Related Rights (defined below) upon the creator | ||
and subsequent owner(s) (each and all, an "owner") of an original work of | ||
authorship and/or a database (each, a "Work"). | ||
|
||
Certain owners wish to permanently relinquish those rights to a Work for | ||
the purpose of contributing to a commons of creative, cultural and | ||
scientific works ("Commons") that the public can reliably and without fear | ||
of later claims of infringement build upon, modify, incorporate in other | ||
works, reuse and redistribute as freely as possible in any form whatsoever | ||
and for any purposes, including without limitation commercial purposes. | ||
These owners may contribute to the Commons to promote the ideal of a free | ||
culture and the further production of creative, cultural and scientific | ||
works, or to gain reputation or greater distribution for their Work in | ||
part through the use and efforts of others. | ||
|
||
For these and/or other purposes and motivations, and without any | ||
expectation of additional consideration or compensation, the person | ||
associating CC0 with a Work (the "Affirmer"), to the extent that he or she | ||
is an owner of Copyright and Related Rights in the Work, voluntarily | ||
elects to apply CC0 to the Work and publicly distribute the Work under its | ||
terms, with knowledge of his or her Copyright and Related Rights in the | ||
Work and the meaning and intended legal effect of CC0 on those rights. | ||
|
||
1. Copyright and Related Rights. A Work made available under CC0 may be | ||
protected by copyright and related or neighboring rights ("Copyright and | ||
Related Rights"). Copyright and Related Rights include, but are not | ||
limited to, the following: | ||
|
||
i. the right to reproduce, adapt, distribute, perform, display, | ||
communicate, and translate a Work; | ||
ii. moral rights retained by the original author(s) and/or performer(s); | ||
iii. publicity and privacy rights pertaining to a person's image or | ||
likeness depicted in a Work; | ||
iv. rights protecting against unfair competition in regards to a Work, | ||
subject to the limitations in paragraph 4(a), below; | ||
v. rights protecting the extraction, dissemination, use and reuse of data | ||
in a Work; | ||
vi. database rights (such as those arising under Directive 96/9/EC of the | ||
European Parliament and of the Council of 11 March 1996 on the legal | ||
protection of databases, and under any national implementation | ||
thereof, including any amended or successor version of such | ||
directive); and | ||
vii. other similar, equivalent or corresponding rights throughout the | ||
world based on applicable law or treaty, and any national | ||
implementations thereof. | ||
|
||
2. Waiver. To the greatest extent permitted by, but not in contravention | ||
of, applicable law, Affirmer hereby overtly, fully, permanently, | ||
irrevocably and unconditionally waives, abandons, and surrenders all of | ||
Affirmer's Copyright and Related Rights and associated claims and causes | ||
of action, whether now known or unknown (including existing as well as | ||
future claims and causes of action), in the Work (i) in all territories | ||
worldwide, (ii) for the maximum duration provided by applicable law or | ||
treaty (including future time extensions), (iii) in any current or future | ||
medium and for any number of copies, and (iv) for any purpose whatsoever, | ||
including without limitation commercial, advertising or promotional | ||
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each | ||
member of the public at large and to the detriment of Affirmer's heirs and | ||
successors, fully intending that such Waiver shall not be subject to | ||
revocation, rescission, cancellation, termination, or any other legal or | ||
equitable action to disrupt the quiet enjoyment of the Work by the public | ||
as contemplated by Affirmer's express Statement of Purpose. | ||
|
||
3. Public License Fallback. Should any part of the Waiver for any reason | ||
be judged legally invalid or ineffective under applicable law, then the | ||
Waiver shall be preserved to the maximum extent permitted taking into | ||
account Affirmer's express Statement of Purpose. In addition, to the | ||
extent the Waiver is so judged Affirmer hereby grants to each affected | ||
person a royalty-free, non transferable, non sublicensable, non exclusive, | ||
irrevocable and unconditional license to exercise Affirmer's Copyright and | ||
Related Rights in the Work (i) in all territories worldwide, (ii) for the | ||
maximum duration provided by applicable law or treaty (including future | ||
time extensions), (iii) in any current or future medium and for any number | ||
of copies, and (iv) for any purpose whatsoever, including without | ||
limitation commercial, advertising or promotional purposes (the | ||
"License"). The License shall be deemed effective as of the date CC0 was | ||
applied by Affirmer to the Work. Should any part of the License for any | ||
reason be judged legally invalid or ineffective under applicable law, such | ||
partial invalidity or ineffectiveness shall not invalidate the remainder | ||
of the License, and in such case Affirmer hereby affirms that he or she | ||
will not (i) exercise any of his or her remaining Copyright and Related | ||
Rights in the Work or (ii) assert any associated claims and causes of | ||
action with respect to the Work, in either case contrary to Affirmer's | ||
express Statement of Purpose. | ||
|
||
4. Limitations and Disclaimers. | ||
|
||
a. No trademark or patent rights held by Affirmer are waived, abandoned, | ||
surrendered, licensed or otherwise affected by this document. | ||
b. Affirmer offers the Work as-is and makes no representations or | ||
warranties of any kind concerning the Work, express, implied, | ||
statutory or otherwise, including without limitation warranties of | ||
title, merchantability, fitness for a particular purpose, non | ||
infringement, or the absence of latent or other defects, accuracy, or | ||
the present or absence of errors, whether or not discoverable, all to | ||
the greatest extent permissible under applicable law. | ||
c. Affirmer disclaims responsibility for clearing rights of other persons | ||
that may apply to the Work or any use thereof, including without | ||
limitation any person's Copyright and Related Rights in the Work. | ||
Further, Affirmer disclaims responsibility for obtaining any necessary | ||
consents, permissions or other rights required for any use of the | ||
Work. | ||
d. Affirmer understands and acknowledges that Creative Commons is not a | ||
party to this document and has no duty or obligation with respect to | ||
this CC0 or use of the Work. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
This library is a simple wrapper providing a convenient reentrant interface for | ||
the bcrypt password hashing algorithm implementation as provided by Solar | ||
Designer at http://www.openwall.com/crypt/. An exact copy of that source code | ||
is included in the crypt_blowfish subdirectory. | ||
|
||
The provided C interface is inspired in the bcrypt Python module that can be | ||
found at http://code.google.com/p/py-bcrypt/, and consists of a function to | ||
generate salts with the characteristic work factor parameter, one to generate | ||
password hashes which can also used to verify passwords and one designed | ||
specifically to verify passwords and avoid timing attacks. Please check the | ||
header bcrypt.h. It contains the prototypes and lots of comments with examples. | ||
|
||
All this code is released to the public domain under the terms of CC0. See the | ||
COPYING file for the legal text. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,195 @@ | ||
/* | ||
* bcrypt wrapper library | ||
* | ||
* Written in 2011, 2013, 2014, 2015 by Ricardo Garcia <r@rg3.name> | ||
* | ||
* To the extent possible under law, the author(s) have dedicated all copyright | ||
* and related and neighboring rights to this software to the public domain | ||
* worldwide. This software is distributed without any warranty. | ||
* | ||
* You should have received a copy of the CC0 Public Domain Dedication along | ||
* with this software. If not, see | ||
* <http://creativecommons.org/publicdomain/zero/1.0/>. | ||
*/ | ||
#include <string.h> | ||
#include <sys/types.h> | ||
#include <sys/stat.h> | ||
#include <fcntl.h> | ||
#include <unistd.h> | ||
#include <errno.h> | ||
|
||
#include "bcrypt.h" | ||
#include "crypt_blowfish/ow-crypt.h" | ||
|
||
#define RANDBYTES (16) | ||
|
||
static int try_close(int fd) | ||
{ | ||
int ret; | ||
for (;;) { | ||
errno = 0; | ||
ret = close(fd); | ||
if (ret == -1 && errno == EINTR) | ||
continue; | ||
break; | ||
} | ||
return ret; | ||
} | ||
|
||
static int try_read(int fd, char *out, size_t count) | ||
{ | ||
size_t total; | ||
ssize_t partial; | ||
|
||
total = 0; | ||
while (total < count) | ||
{ | ||
for (;;) { | ||
errno = 0; | ||
partial = read(fd, out + total, count - total); | ||
if (partial == -1 && errno == EINTR) | ||
continue; | ||
break; | ||
} | ||
|
||
if (partial < 1) | ||
return -1; | ||
|
||
total += partial; | ||
} | ||
|
||
return 0; | ||
} | ||
|
||
/* | ||
* This is a best effort implementation. Nothing prevents a compiler from | ||
* optimizing this function and making it vulnerable to timing attacks, but | ||
* this method is commonly used in crypto libraries like NaCl. | ||
* | ||
* Return value is zero if both strings are equal and nonzero otherwise. | ||
*/ | ||
static int timing_safe_strcmp(const char *str1, const char *str2) | ||
{ | ||
const unsigned char *u1; | ||
const unsigned char *u2; | ||
int ret; | ||
int i; | ||
|
||
int len1 = strlen(str1); | ||
int len2 = strlen(str2); | ||
|
||
/* In our context both strings should always have the same length | ||
* because they will be hashed passwords. */ | ||
if (len1 != len2) | ||
return 1; | ||
|
||
/* Force unsigned for bitwise operations. */ | ||
u1 = (const unsigned char *)str1; | ||
u2 = (const unsigned char *)str2; | ||
|
||
ret = 0; | ||
for (i = 0; i < len1; ++i) | ||
ret |= (u1[i] ^ u2[i]); | ||
|
||
return ret; | ||
} | ||
|
||
int bcrypt_gensalt(int factor, char salt[BCRYPT_HASHSIZE]) | ||
{ | ||
int fd; | ||
char input[RANDBYTES]; | ||
int workf; | ||
char *aux; | ||
|
||
fd = open("/dev/urandom", O_RDONLY); | ||
if (fd == -1) | ||
return 1; | ||
|
||
if (try_read(fd, input, RANDBYTES) != 0) { | ||
if (try_close(fd) != 0) | ||
return 4; | ||
return 2; | ||
} | ||
|
||
if (try_close(fd) != 0) | ||
return 3; | ||
|
||
/* Generate salt. */ | ||
workf = (factor < 4 || factor > 31)?12:factor; | ||
aux = crypt_gensalt_rn("$2a$", workf, input, RANDBYTES, | ||
salt, BCRYPT_HASHSIZE); | ||
return (aux == NULL)?5:0; | ||
} | ||
|
||
int bcrypt_hashpw(const char *passwd, const char salt[BCRYPT_HASHSIZE], char hash[BCRYPT_HASHSIZE]) | ||
{ | ||
char *aux; | ||
aux = crypt_rn(passwd, salt, hash, BCRYPT_HASHSIZE); | ||
return (aux == NULL)?1:0; | ||
} | ||
|
||
int bcrypt_checkpw(const char *passwd, const char hash[BCRYPT_HASHSIZE]) | ||
{ | ||
int ret; | ||
char outhash[BCRYPT_HASHSIZE]; | ||
|
||
ret = bcrypt_hashpw(passwd, hash, outhash); | ||
if (ret != 0) | ||
return -1; | ||
|
||
return timing_safe_strcmp(hash, outhash); | ||
} | ||
|
||
#ifdef TEST_BCRYPT | ||
#include <assert.h> | ||
#include <stdio.h> | ||
#include <string.h> | ||
#include <time.h> | ||
|
||
int main(void) | ||
{ | ||
clock_t before; | ||
clock_t after; | ||
char salt[BCRYPT_HASHSIZE]; | ||
char hash[BCRYPT_HASHSIZE]; | ||
int ret; | ||
|
||
const char pass[] = "hi,mom"; | ||
const char hash1[] = "$2a$10$VEVmGHy4F4XQMJ3eOZJAUeb.MedU0W10pTPCuf53eHdKJPiSE8sMK"; | ||
const char hash2[] = "$2a$10$3F0BVk5t8/aoS.3ddaB3l.fxg5qvafQ9NybxcpXLzMeAt.nVWn.NO"; | ||
|
||
ret = bcrypt_gensalt(12, salt); | ||
assert(ret == 0); | ||
printf("Generated salt: %s\n", salt); | ||
before = clock(); | ||
ret = bcrypt_hashpw("testtesttest", salt, hash); | ||
assert(ret == 0); | ||
after = clock(); | ||
printf("Hashed password: %s\n", hash); | ||
printf("Time taken: %f seconds\n", | ||
(double)(after - before) / CLOCKS_PER_SEC); | ||
|
||
ret = bcrypt_hashpw(pass, hash1, hash); | ||
assert(ret == 0); | ||
printf("First hash check: %s\n", (strcmp(hash1, hash) == 0)?"OK":"FAIL"); | ||
ret = bcrypt_hashpw(pass, hash2, hash); | ||
assert(ret == 0); | ||
printf("Second hash check: %s\n", (strcmp(hash2, hash) == 0)?"OK":"FAIL"); | ||
|
||
before = clock(); | ||
ret = (bcrypt_checkpw(pass, hash1) == 0); | ||
after = clock(); | ||
printf("First hash check with bcrypt_checkpw: %s\n", ret?"OK":"FAIL"); | ||
printf("Time taken: %f seconds\n", | ||
(double)(after - before) / CLOCKS_PER_SEC); | ||
|
||
before = clock(); | ||
ret = (bcrypt_checkpw(pass, hash2) == 0); | ||
after = clock(); | ||
printf("Second hash check with bcrypt_checkpw: %s\n", ret?"OK":"FAIL"); | ||
printf("Time taken: %f seconds\n", | ||
(double)(after - before) / CLOCKS_PER_SEC); | ||
|
||
return 0; | ||
} | ||
#endif |
Oops, something went wrong.