diff --git a/security/PasswordEncryptor.php b/security/PasswordEncryptor.php
index c60335525..92fcadab9 100644
--- a/security/PasswordEncryptor.php
+++ b/security/PasswordEncryptor.php
@@ -150,74 +150,74 @@ class PasswordEncryptor_Blowfish extends PasswordEncryptor {
 // See: http://nz.php.net/security/crypt_blowfish.php
 // There are three version of the algorithm - y, a and x, in order
 // of decreasing security. Attempt to use the strongest version.
- $encrypted_password = $this->encrypt_y($password, $salt);
- if(!$encrypted_password) {
- $encrypted_password = $this->encrypt_a($password, $salt);
+ $encryptedPassword = $this->encryptY($password, $salt);
+ if(!$encryptedPassword) {
+ $encryptedPassword = $this->encryptA($password, $salt);
 }
- if(!$encrypted_password) {
- $encrypted_password = $this->encrypt_x($password, $salt);
+ if(!$encryptedPassword) {
+ $encryptedPassword = $this->encryptX($password, $salt);
 }
 // We *never* want to generate blank passwords. If something
 // goes wrong, throw an exception.
- if(strpos($encrypted_password, '$2') === false) {
+ if(strpos($encryptedPassword, '$2') === false) {
 throw new PasswordEncryptor_EncryptionFailed('Blowfish password encryption failed.');
 }
- return $encrypted_password;
+ return $encryptedPassword;
 }
- function encrypt_x($password, $salt) {
- $method_and_salt = '$2x$' . $salt;
- $encrypted_password = crypt($password, $method_and_salt);
+ function encryptX($password, $salt) {
+ $methodAndSalt = '$2x$' . $salt;
+ $encryptedPassword = crypt($password, $methodAndSalt);
- if(strpos($encrypted_password, '$2x$') === 0) {
- return $encrypted_password;
+ if(strpos($encryptedPassword, '$2x$') === 0) {
+ return $encryptedPassword;
 }
 // Check if system a is actually x, and if available, use that.
- if($this->what_is_a() == 'x') {
- $method_and_salt = '$2a$' . $salt;
- $encrypted_password = crypt($password, $method_and_salt);
+ if($this->checkAEncryptionLevel() == 'x') {
+ $methodAndSalt = '$2a$' . $salt;
+ $encryptedPassword = crypt($password, $methodAndSalt);
- if(strpos($encrypted_password, '$2a$') === 0) {
- $encrypted_password = '$2x$' . 
substr($encrypted_password, strlen('$2a$'));
- return $encrypted_password;
+ if(strpos($encryptedPassword, '$2a$') === 0) {
+ $encryptedPassword = '$2x$' . substr($encryptedPassword, strlen('$2a$'));
+ return $encryptedPassword;
 }
 }
 return false;
 }
- function encrypt_y($password, $salt) {
- $method_and_salt = '$2y$' . $salt;
- $encrypted_password = crypt($password, $method_and_salt);
+ function encryptY($password, $salt) {
+ $methodAndSalt = '$2y$' . $salt;
+ $encryptedPassword = crypt($password, $methodAndSalt);
- if(strpos($encrypted_password, '$2y$') === 0) {
- return $encrypted_password;
+ if(strpos($encryptedPassword, '$2y$') === 0) {
+ return $encryptedPassword;
 }
 // Check if system a is actually y, and if available, use that.
- if($this->what_is_a() == 'y') {
- $method_and_salt = '$2a$' . $salt;
- $encrypted_password = crypt($password, $method_and_salt);
+ if($this->checkAEncryptionLevel() == 'y') {
+ $methodAndSalt = '$2a$' . $salt;
+ $encryptedPassword = crypt($password, $methodAndSalt);
- if(strpos($encrypted_password, '$2a$') === 0) {
- $encrypted_password = '$2y$' . substr($encrypted_password, strlen('$2a$'));
- return $encrypted_password;
+ if(strpos($encryptedPassword, '$2a$') === 0) {
+ $encryptedPassword = '$2y$' . substr($encryptedPassword, strlen('$2a$'));
+ return $encryptedPassword;
 }
 }
 return false;
 }
- function encrypt_a($password, $salt) {
- if($this->what_is_a() == 'a') {
- $method_and_salt = '$2a$' . $salt;
- $encrypted_password = crypt($password, $method_and_salt);
+ function encryptA($password, $salt) {
+ if($this->checkAEncryptionLevel() == 'a') {
+ $methodAndSalt = '$2a$' . $salt;
+ $encryptedPassword = crypt($password, $methodAndSalt);
- if(strpos($encrypted_password, '$2a$') === 0) {
- return $encrypted_password;
+ if(strpos($encryptedPassword, '$2a$') === 0) {
+ return $encryptedPassword;
 }
 }
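Review bot: The three fallback methods keep no visibility keyword and no docblock after the rename, e.g. `+ function encryptX($password, $salt) {`; since the commit already rewrites those signature lines it is the cheapest moment to make them `public function encryptX($password, $salt)` (or `protected`, if nothing outside the class calls them — the visible test exercises only `encrypt()`, `check()` and `checkAEncryptionLevel()`) and to state the contract that `encrypt()` silently relies on: each returns the hash carrying the requested `$2x$`/`$2y$`/`$2a$` prefix, or `false` when this PHP build's crypt() cannot produce that variant. A docblock on `encrypt()` should likewise name the order of preference (y, then a, then x) and the `PasswordEncryptor_EncryptionFailed` it throws, since that exception is the only signal a caller gets when no variant works. The enclosing `encrypt()` method starts above the hunk and `encryptA` continues past its end.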
@@ -230,16 +230,16 @@ class PasswordEncryptor_Blowfish extends PasswordEncryptor {
 * version, depending on the version of PHP and the operating system,
 * so we need to test it.
 */
- function what_is_a() {
+ function checkAEncryptionLevel() {
 // Test hashes taken from http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/crypt_blowfish/wrapper.c?rev=1.9.2.1;content-type=text%2Fplain
- $x_or_y = crypt("\xff\xa334\xff\xff\xff\xa3345", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi') == '$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi';
- $y_or_a = crypt("\xa3", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq') == '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq';
+ $xOrY = crypt("\xff\xa334\xff\xff\xff\xa3345", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi') == '$2x$05$/OK.fbVrR/bpIqNJ5ianF.o./n25XVfn6oAPaUvHe.Csk4zRfsYPi';
+ $yOrA = crypt("\xa3", '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq') == '$2a$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq';
- if($x_or_y && $y_or_a) {
+ if($xOrY && $yOrA) {
 return 'y';
- } elseif($x_or_y) {
+ } elseif($xOrY) {
 return 'x';
- } elseif($y_or_a) {
+ } elseif($yOrA) {
 return 'a';
 }
@@ -253,11 +253,11 @@ class PasswordEncryptor_Blowfish extends PasswordEncryptor {
 function check($hash, $password, $salt = null, $member = null) {
 if(strpos($hash, '$2y$') === 0) {
- return $hash === $this->encrypt_y($password, $salt);
+ return $hash === $this->encryptY($password, $salt);
 } elseif(strpos($hash, '$2a$') === 0) {
- return $hash === $this->encrypt_a($password, $salt);
+ return $hash === $this->encryptA($password, $salt);
 } elseif(strpos($hash, '$2x$') === 0) {
- return $hash === $this->encrypt_x($password, $salt);
+ return $hash === $this->encryptX($password, $salt);
 }
 return false;
diff --git a/tests/security/PasswordEncryptorTest.php b/tests/security/PasswordEncryptorTest.php
index 96ee18843..a12325cde 100644
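Review bot: `check()` still compares the stored hash with the freshly computed one using `===`, e.g. `+ return $hash === $this->encryptY($password, $salt);`, which stops at the first differing byte; a password verifier is the one place a constant-time comparison is expected, so where the project's PHP floor allows it the comparison should go through `hash_equals()`. Because `encryptY`, `encryptA` and `encryptX` return `false` when the local crypt() cannot produce that variant, the computed value has to be confirmed to be a string before it reaches `hash_equals()`, otherwise the mismatch surfaces as a warning or TypeError instead of a clean `false`. Folding the three branches into one dispatch with a single comparison at the end keeps that guard in one place. The closing brace of `check()` is not shown in the hunk.
```php
	function check($hash, $password, $salt = null, $member = null) {
		if(strpos($hash, '$2y$') === 0) {
			$computed = $this->encryptY($password, $salt);
		} elseif(strpos($hash, '$2a$') === 0) {
			$computed = $this->encryptA($password, $salt);
		} elseif(strpos($hash, '$2x$') === 0) {
			$computed = $this->encryptX($password, $salt);
		} else {
			return false;
		}
		// The encrypt* helpers return false when this crypt() build lacks the
		// variant; only strings may reach the constant-time comparison.
		return is_string($computed) && hash_equals($hash, $computed);
```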
--- a/tests/security/PasswordEncryptorTest.php
+++ b/tests/security/PasswordEncryptorTest.php
@@ -67,7 +67,7 @@ class PasswordEncryptorTest extends SapphireTest {
 $password = 'mypassword';
 $salt = '10$mysaltmustbetwen2chars';
- $this->assertTrue($e->what_is_a() == 'y' || $e->what_is_a() == 'x' || $e->what_is_a() == 'a');
+ $this->assertTrue($e->checkAEncryptionLevel() == 'y' || $e->checkAEncryptionLevel() == 'x' || $e->checkAEncryptionLevel() == 'a');
 $this->assertTrue($e->check($e->encrypt($password, $salt), "mypassword", $salt));
 $this->assertFalse($e->check($e->encrypt($password, $salt), "anotherpw", $salt));
 $this->assertFalse($e->check($e->encrypt($password, $salt), "mypassword", '10$anothersaltetwen2chars'));