auth.php: use pre-hashing for BCRYPT

This commit is contained in:
Zankaria 2025-04-16 19:18:50 +02:00
parent a8a947af65
commit f7bef11ac9


@ -46,8 +46,13 @@ function crypt_password($password) {
global $config; global $config;
// `salt` database field is reused as a version value. We don't want it to be 0. // `salt` database field is reused as a version value. We don't want it to be 0.
$version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1; $version = $config['password_crypt_version'] ? $config['password_crypt_version'] : 1;
$hash = \password_hash($password, \PASSWORD_BCRYPT); $pre_hash = \hash('tiger160,3', $password, false); // Note that it's truncated to 72 in the next line.
return [$version, $hash]; $r = \password_hash($pre_hash, \PASSWORD_BCRYPT);
if ($r === false) {
throw new \RuntimeException("Could not hash password");
}
return [ $version, $r ];
} }
function test_password(string $db_hash, string|int $version, string $input_password): array { function test_password(string $db_hash, string|int $version, string $input_password): array {
@ -57,7 +62,8 @@ function test_password(string $db_hash, string|int $version, string $input_passw
if ($version < 2) { if ($version < 2) {
$ok = \hash_equals($db_hash, \crypt($input_password, $db_hash)); $ok = \hash_equals($db_hash, \crypt($input_password, $db_hash));
} else { } else {
$ok = \password_verify($input_password, $db_hash); $pre_hash = \hash('tiger160,3', $input_password, false);
$ok = \password_verify($pre_hash, $db_hash);
} }
return [ $version, $ok ]; return [ $version, $ok ];
} }
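Review bot: Any bcrypt hash stored before this commit under version 2 (a `password_hash` of the raw password) will stop verifying, because test_password now pre-hashes for every `$version >= 2` while crypt_password's version line is unchanged, so old and new bcrypt schemes share a version number unless `$config['password_crypt_version']` is raised alongside this change (whether such rows exist is not visible here). The pre-hashed scheme needs its own version: keep the plain check for the old one by inserting `} elseif ($version < 3) {` / `$ok = \password_verify($input_password, $db_hash);` / `} else {` ahead of the tiger branch, and make crypt_password emit the new value (e.g. 3) for hashes it creates. The comment on the `$pre_hash` line in crypt_password is misleading: `hash('tiger160,3', ..., false)` yields 40 hex characters, well under bcrypt's 72-byte limit, so nothing is truncated; `// hex-encoded 160-bit digest (40 chars): below bcrypt's 72-byte limit and free of NUL bytes` gives the actual reason for hex encoding. The `$r === false` check is dead on PHP 8 (which the `string|int` signature already requires), where password_hash throws instead of returning false, though it is harmless. The lines of test_password between the two hunks are not shown.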