
Edit History

PatStevens


typos

46 minutes ago, UniArt said:

If you change it, new clients will not be able to login. I recommend you do the modification as I did or as KickMe so that the two types of clients can login.

The way I understand it, new clients that get their password hashed by bcrypt shouldn't have any problems, as I understand the code in:

src/Core/Crypto/Hashing.php

private function initHashMethods()
    {
        $this->hashMethods = array(
            'bcrypt' => array(
                'option' => array(),
                // $staticSalt (the COOKIE_KEY) is received but never used here:
                // bcrypt generates and stores its own random salt inside the hash
                'hash' => function ($passwd, $staticSalt, $option) {
                    return password_hash($passwd, PASSWORD_BCRYPT);
                },
                'verify' => function ($passwd, $hash, $staticSalt) {
                    return password_verify($passwd, $hash);
                },
            ),
            'md5' => array(
                'option' => array(),
                // legacy scheme: the COOKIE_KEY is prepended to the password before
                // hashing, so every md5 hash depends on the key it was created with
                'hash' => function ($passwd, $staticSalt, $option) {
                    return md5($staticSalt . $passwd);
                },
                'verify' => function ($passwd, $hash, $staticSalt) {
                    return md5($staticSalt . $passwd) === $hash;
                },
            ),
        );
    }

The closures (see bcrypt) for 'init' and 'verify' don't make any use of $staticSalt (which is the COOKIE_KEY passed in).
Only the second hashMethod 'md5' makes use of the COOKIE_KEY.

Or am I getting something wrong?

I just tested it on my installation and suddenly old users could log in again, while newly created users still can.

I'm on 1.7.6.2
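The behaviour discussed in the post, reproduced as an added, stand-alone example (this is not PrestaShop's code and not code from the thread): the two hash methods are modelled on the snippet from src/Core/Crypto/Hashing.php, a migration-aware check tries each method in turn, and two constructed "customer rows" are verified under the original and under a changed COOKIE_KEY. The bcrypt row verifies under either key; the md5 row verifies only under the key it was hashed with, which is exactly the "old users can't log in after COOKIE_KEY changed" symptom. The function names (hashMethods, verifyWithAnyMethod, upgradeLegacyHash), the sample keys and password, the use of hash_equals instead of === for the md5 comparison, and the rehash-on-login step are this example's own additions; it assumes PHP 7.4 or newer for the arrow functions.

```php
<?php
// Added example, not PrestaShop code. Hash methods modelled on the posted
// Hashing::initHashMethods(); everything else here is constructed for illustration.

function hashMethods(): array
{
    return [
        'bcrypt' => [
            // bcrypt ignores $staticSalt: password_hash() embeds its own random salt
            'hash'   => fn(string $passwd, string $staticSalt): string => password_hash($passwd, PASSWORD_BCRYPT),
            'verify' => fn(string $passwd, string $hash, string $staticSalt): bool => password_verify($passwd, $hash),
        ],
        'md5' => [
            // legacy scheme: COOKIE_KEY is part of the input, so the hash is bound to that key
            // (hash_equals is a constant-time comparison; the original snippet uses ===)
            'hash'   => fn(string $passwd, string $staticSalt): string => md5($staticSalt . $passwd),
            'verify' => fn(string $passwd, string $hash, string $staticSalt): bool => hash_equals(md5($staticSalt . $passwd), $hash),
        ],
    ];
}

// Try every configured method, newest first; returns the name of the method
// that accepted the password, or null when none did (login fails).
function verifyWithAnyMethod(string $passwd, string $storedHash, string $staticSalt): ?string
{
    foreach (hashMethods() as $name => $method) {
        if ($method['verify']($passwd, $storedHash, $staticSalt)) {
            return $name;
        }
    }
    return null;
}

// Example's own idea: once a legacy row has been verified with the plaintext
// password in hand, re-hash it with bcrypt so it no longer depends on COOKIE_KEY.
function upgradeLegacyHash(string $passwd, string $storedHash, string $staticSalt): string
{
    $matched = verifyWithAnyMethod($passwd, $storedHash, $staticSalt);
    if ($matched !== null && $matched !== 'bcrypt') {
        return hashMethods()['bcrypt']['hash']($passwd, $staticSalt);
    }
    return $storedHash;
}

// Constructed values, not real keys or credentials.
$oldKey   = 'OLD_COOKIE_KEY_constructed_for_this_example';
$newKey   = 'NEW_COOKIE_KEY_constructed_for_this_example';
$password = 'correct horse battery staple';

// Two constructed "database rows": a customer created under the md5 scheme
// with the old key, and one created after the switch to bcrypt.
$legacyHash = hashMethods()['md5']['hash']($password, $oldKey);
$modernHash = hashMethods()['bcrypt']['hash']($password, $oldKey);

foreach (['old key' => $oldKey, 'new key' => $newKey] as $label => $key) {
    printf("%-8s md5 row:    %s\n", $label, verifyWithAnyMethod($password, $legacyHash, $key) ?? 'login fails');
    printf("%-8s bcrypt row: %s\n", $label, verifyWithAnyMethod($password, $modernHash, $key) ?? 'login fails');
}

// Upgrade the legacy row while the old key is still in place, then check it under the new key.
$upgradedHash = upgradeLegacyHash($password, $legacyHash, $oldKey);
printf("upgraded row under new key: %s\n", verifyWithAnyMethod($password, $upgradedHash, $newKey) ?? 'login fails');
```

Run it with `php example.php`. The practical takeaway for the thread: restoring the original COOKIE_KEY makes the md5 rows verify again, and any row that has since been re-hashed with bcrypt keeps working regardless of which key is configured.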
