From 7f126edad9d95a1bf63bb828fd7e0b54bfa3aa74 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Roland=20H=C3=A4der?= Date: Sun, 8 Jun 2008 13:41:20 +0000 Subject: [PATCH] Support for cluster added to RNG, hashPassword() finished for better hashes --- .../class_ShipSimuRegistration.php | 8 +++-- .../main/crypto/class_CryptoHelper.php | 36 ++++++++++++++++++- .../main/rng/class_RandomNumberGenerator.php | 22 +++++++++++- inc/config.php | 6 ++++ 4 files changed, 68 insertions(+), 4 deletions(-) diff --git a/application/ship-simu/main/registration/class_ShipSimuRegistration.php b/application/ship-simu/main/registration/class_ShipSimuRegistration.php index ff3a45a..a6639c5 100644 --- a/application/ship-simu/main/registration/class_ShipSimuRegistration.php +++ b/application/ship-simu/main/registration/class_ShipSimuRegistration.php @@ -67,8 +67,12 @@ class ShipSimuRegistration extends BaseRegistration { // Check if the password is found in the request if ($this->getRequestInstance()->isRequestElementSet($requestKey)) { // So encrypt the password and store it for later usage in - // the request - $this->hashedPassword = ObjectFactory::createObjectByConfiguredName('crypto_heler')->hashPassword($this->getRequestInstance()->getRequestElement($requestKey)); + // the request: + // 1.: Get the plain password + $plainPassword = $this->getRequestInstance()->getRequestElement($requestKey); + // 2. Get a crypto helper and hash the password + $this->hashedPassword = ObjectFactory::createObjectByConfiguredName('crypto_heler')->hashPassword($plainPassword); + // 3. Store the hash back in the request $this->getRequestInstance()->setRequestElement('pass_hash', $this->hashedPassword); } } diff --git a/inc/classes/main/crypto/class_CryptoHelper.php b/inc/classes/main/crypto/class_CryptoHelper.php index 5652b89..d236452 100644 --- a/inc/classes/main/crypto/class_CryptoHelper.php +++ b/inc/classes/main/crypto/class_CryptoHelper.php 
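Review bot: The configured object name `'crypto_heler'` on the new hashPassword() line is carried over verbatim from the removed line and reads like a misspelling; confirm it matches the key the configuration actually registers, since an unresolvable configured name would fail every registration that reaches this branch. The plain password is also left in the request alongside the new `pass_hash` element, so anything that later logs or serializes the request still sees it; if nothing downstream needs the plaintext, clearing that request element after hashing is worth considering. The enclosing method begins outside the hunk.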
@@ -115,7 +115,41 @@ class CryptoHelper extends BaseFrameworkSystem { $length = $this->getConfigInstance()->readConfig('salt_length'); // Keep only defined number of characters - $this->salt = substr($randomString, -$length, $length); + $this->salt = substr(sha1($randomString), -$length, $length); + } + + /** + * Hashes a password with salt and returns the hash. If an old previous hash + * is supplied the method will use the first X chars of that hash for hashing + * the password. This is useful if you want to check if the password is + * identical for authorization purposes. + * + * @param $plainPassword The plain password to use + * @param $oldHash A previously hashed password + * @return $hashed The hashed and salted password + */ + public function hashPassword ($plainPassword, $oldHash = "") { + // Is the old password set? + if (empty($oldHash)) { + // No, then use the current salt + $salt = $this->salt; + } else { + // Use the salt from hash, first get length + $length = $this->getConfigInstance()->readConfig('salt_length'); + + // Then extract the X first characters from the hash as our salt + $salt = substr($oldHash, 0, $length); + } + + // Hash the password with salt + $hashed = $salt . md5(sprintf($this->getConfigInstance()->readConfig('hash_mask'), + $salt, + $this->rngInstance->getExtraSalt(), + $plainPassword + )); + + // And return it + return $hashed; } } diff --git a/inc/classes/main/rng/class_RandomNumberGenerator.php b/inc/classes/main/rng/class_RandomNumberGenerator.php index a8063c6..dded7e0 100644 --- a/inc/classes/main/rng/class_RandomNumberGenerator.php +++ b/inc/classes/main/rng/class_RandomNumberGenerator.php @@ -85,6 +85,9 @@ class RandomNumberGenerator extends BaseFrameworkSystem { * @return void */ protected function initRng () { + // Seed mt_rand() + mt_srand((double) microtime() * 1000000); + // Get the prime number from config $this->prime = $this->getConfigInstance()->readConfig('math_prime'); 
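Review bot: hashPassword() binds every stored hash to `$this->rngInstance->getExtraSalt()`, which the RNG hunk in this patch derives from `SERVER_SOFTWARE`, `date_key` and the serialized database connection data, so any change to those values silently invalidates all existing password hashes because the `$oldHash` verification path re-derives the extra salt from the current environment. md5 is also a fast digest, so the stored `salt . md5(...)` value offers little resistance to offline guessing; a dedicated slow password hash (today `password_hash()`/`password_verify()`) with the salt embedded in its output would replace both the hand-rolled salt prefix and the `$oldHash` slicing. The `else` branch trusts `$oldHash` without checking that it is at least `salt_length` characters long, so a truncated stored value yields a shorter salt and a hash that can never match; a guard such as `if (strlen($oldHash) < $length) { /* reject: malformed stored hash */ }` would make that failure explicit. A docblock line stating the constraint, `@note Hashes are only verifiable while the RNG extra salt inputs (server software, date_key, DB connection data) are unchanged`, would warn the next maintainer. The method that the first changed line belongs to starts outside the hunk.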
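Review bot: The added `mt_srand((double) microtime() * 1000000)` in initRng() appears to shrink the generator's seed to roughly a million possible values, because casting microtime()'s default `"msec sec"` string to a double keeps only the leading fractional part; PHP seeds mt_rand() itself with more entropy than that, so the line should simply be dropped. If the generator's output feeds anything security-relevant (the extra-salt path in this class suggests it does), a CSPRNG such as `random_bytes()`/`random_int()` rather than a reseeded mt_rand() is the appropriate source. initRng() continues past the end of the hunk.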
@@ -92,9 +95,17 @@ class RandomNumberGenerator extends BaseFrameworkSystem { // a better prime number $this->extraNumber = ($this->prime * $this->prime / (pi() ^ 2)); + // Set the server IP to cluster + $serverIp = "cluster"; + // Do we have a single server? + if ($this->getConfigInstance()->readConfig('is_single_server') == "Y") { + // Then use that IP for extra security + $serverIp = getenv('SERVER_ADDR'); + } + // One-way data we need for "extra-salting" the random number // @TODO Add site for stronger salt! - $this->extraSalt = sha1(getenv('SERVER_ADDR') . ":" . getenv('SERVER_SOFTWARE') . ":" . $this->getConfigInstance()->readConfig('date_key') . ":" . serialize($this->getDatabaseInstance()->getConnectionData())); + $this->extraSalt = sha1($serverIp . ":" . getenv('SERVER_SOFTWARE') . ":" . $this->getConfigInstance()->readConfig('date_key') . ":" . serialize($this->getDatabaseInstance()->getConnectionData())); // Get config entry for max salt length $this->rndStrLen = $this->getConfigInstance()->readConfig('rnd_str_length'); @@ -134,6 +145,15 @@ class RandomNumberGenerator extends BaseFrameworkSystem { // @TODO I had a better random number generator here return mt_rand($min, $max); } + + /** + * Getter for extra salt + * + * @return $extraSalt + */ + public final function getExtraSalt () { + return $this->extraSalt; + } } // [EOF] diff --git a/inc/config.php b/inc/config.php index eabfde1..4abf5ab 100644 --- a/inc/config.php +++ b/inc/config.php @@ -195,5 +195,11 @@ $cfg->setConfigEntry('salt_length', 10); // CFG: RND-STR-LENGTH $cfg->setConfigEntry('rnd_str_length', 128); +// CFG: HASH-MASK +$cfg->setConfigEntry('hash_mask', "%1s:%2s:%3s"); // 1=salt, 2=extra salt, 3=plain password + +// CFG: IS-SINGLE-SERVER +$cfg->setConfigEntry('is_single_server', "Y"); + // [EOF] ?> -- 2.39.5
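Review bot: In the cluster branch the extra salt still folds in `getenv('SERVER_SOFTWARE')` and the serialized database connection data, so substituting the literal `"cluster"` for the IP removes only one of several per-node inputs; two nodes running different web server builds, or a node with different database credentials, will still compute different extra salts and therefore different password hashes for the same input. If cross-node verification is the goal, derive the extra salt only from values guaranteed identical on every node (for example the configured `date_key`) or persist it once rather than recomputing it at startup. The comparison `readConfig('is_single_server') == "Y"` is loose; `=== 'Y'` avoids surprises if the config value is ever non-string. initRng() starts before the hunk.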
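Review bot: The `hash_mask` value `"%1s:%2s:%3s"` does not contain positional specifiers: in PHP's sprintf an argument index is written `%1$s`, whereas `%1s`, `%2s` and `%3s` are plain `%s` conversions with minimum widths of 1, 2 and 3, so the mask only works because the arguments happen to be passed in that order, and a one- or two-character password is space-padded before it is hashed. Change it to `$cfg->setConfigEntry('hash_mask', '%1$s:%2$s:%3$s');` (single quotes, so `$s` is not interpolated) to match the comment `1=salt, 2=extra salt, 3=plain password`. Since changing the mask alters every derived hash, this should land before any real passwords are stored.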