aboutsummaryrefslogtreecommitdiff
path: root/ratatoeskr
diff options
context:
space:
mode:
authorKevin Chabowski <kevin@kch42.de>2011-08-25 00:03:31 +0200
committerKevin Chabowski <kevin@kch42.de>2011-08-25 00:03:31 +0200
commit04241a5ccbf839dee953d7e47c894d5c8141f7ee (patch)
treeaf6160508689ad4536667bfe0a58af200c45c818 /ratatoeskr
parent958e9e467736690a46ae9129db43f8428fc3f04c (diff)
downloadratatoeskr-cms-04241a5ccbf839dee953d7e47c894d5c8141f7ee.tar.gz
ratatoeskr-cms-04241a5ccbf839dee953d7e47c894d5c8141f7ee.tar.bz2
ratatoeskr-cms-04241a5ccbf839dee953d7e47c894d5c8141f7ee.zip
Added a fairly secure password hashing method.
Diffstat (limited to 'ratatoeskr')
-rw-r--r--ratatoeskr/sys/models.php6
-rw-r--r--ratatoeskr/sys/pwhash.php74
2 files changed, 77 insertions, 3 deletions
diff --git a/ratatoeskr/sys/models.php b/ratatoeskr/sys/models.php
index 4448266..cd327e1 100644
--- a/ratatoeskr/sys/models.php
+++ b/ratatoeskr/sys/models.php
@@ -48,9 +48,9 @@ class User
/*
* Variables: Public class properties
*
- * $username - The username
- * $pwhash - SHA1-Hash of the password
- * $mail - E-Mail-address
+ * $username - The username.
+ * $pwhash - <PasswordHash> of the password.
+ * $mail - E-Mail-address.
* $fullname - The full name of the user.
* $language - Users language
*/
diff --git a/ratatoeskr/sys/pwhash.php b/ratatoeskr/sys/pwhash.php
new file mode 100644
index 0000000..69ec837
--- /dev/null
+++ b/ratatoeskr/sys/pwhash.php
@@ -0,0 +1,74 @@
+<?php
+/*
+ * File: ratatoeskr/sys/pwhash.php
+ *
+ * Hashing passwords
+ *
+ * License:
+ * This file is part of Ratatöskr.
+ * Ratatöskr is licensed unter the MIT / X11 License.
+ * See "ratatoeskr/licenses/ratatoeskr" for more information.
+ */
+
+/*
+ * Class:PasswordHash
+ * Contains static functions for password hashes.
+ * Is just used as a namespace, can not be created.
+ *
+ * It should be fairly difficult to break these salted hashes via bruteforce attacks.
+ */
+class PasswordHash
+{
+ private function __construct() {} /* Prevent construction */
+
+ private static $saltlen_min = 20;
+ private static $saltlen_max = 30;
+ private static $iterations_min = 5;
+ private static $iterations_max = 10;
+
+ private static function hash($data, $salt, $iterations)
+ {
+ $hash = $data . $salt;
+ for($i = $iterations ;$i--;)
+ $hash = sha1($data . $hash . $salt, (bool) $i);
+ return $iterations . '$' . bin2hex($salt) . '$' . $hash;
+ }
+
+ /*
+ * Function: create
+ * Create a password hash string.
+ *
+ * Parameters:
+ * $password - The password (or other data) to hash.
+ *
+ * Returns:
+ * The salted hash as a string.
+ */
+ public static function create($password)
+ {
+ $salt = "";
+ $saltlen = mt_rand(self::$saltlen_min, self::$saltlen_max);
+ for($i = 0; $i < $saltlen; $i++)
+ $salt .= chr(mt_rand(0,255));
+ return self::hash($password, $salt, mt_rand(self::$iterations_min, self::$iterations_max));
+ }
+
+ /*
+ * Function: validate
+ * Validate a salted hash.
+ *
+ * Parameters:
+ * $password - The password to test.
+ * $pwhash - The hash to test against.
+ *
+ * Returns:
+ * True, if $password was correct, False otherwise.
+ */
+ public static function validate($password, $pwhash)
+ {
+ list($iterations, $hexsalt, $hash) = explode('$', $pwhash);
+ return self::hash($password, pack("H*", $hexsalt), $iterations) == $pwhash;
+ }
+}
+
+?>