Commit 2bb079a1 authored by Patrick Schmalstig's avatar Patrick Schmalstig

Allow ratchets between 4 and 31 in crypt

parent b5bb5c8c
+3 −3
@@ -223,7 +223,7 @@ function ratchet_hash($password, $salt, $legacy_style = 0)
{
{
    if (function_exists('password_hash')) {
    if (function_exists('password_hash')) {
        // NB: We don't pass the salt separately, we let password_hash generate its own internal salt also (that builds into the hash). So it is double salted.
        // NB: We don't pass the salt separately, we let password_hash generate its own internal salt also (that builds into the hash). So it is double salted.
        $ratchet = max(10, intval(get_option('crypt_ratchet')));
        $ratchet = max(4, min(31, intval(get_option('crypt_ratchet'))));
        return password_hash($salt . md5($password), PASSWORD_BCRYPT, array('cost' => $ratchet));
        return password_hash($salt . md5($password), PASSWORD_BCRYPT, array('cost' => $ratchet));
    }
    }


@@ -268,7 +268,7 @@ function produce_salt()
    if ((function_exists('openssl_random_pseudo_bytes')) && (get_value('disable_openssl') !== '1')) {
    if ((function_exists('openssl_random_pseudo_bytes')) && (get_value('disable_openssl') !== '1')) {
        $u = substr(md5(openssl_random_pseudo_bytes(13)), 0, 13);
        $u = substr(md5(openssl_random_pseudo_bytes(13)), 0, 13);
    } elseif (function_exists('password_hash')) { // password_hash will include a randomised component
    } elseif (function_exists('password_hash')) { // password_hash will include a randomised component
        $ratchet = max(10, intval(get_option('crypt_ratchet')));
        $ratchet = max(4, min(31, intval(get_option('crypt_ratchet'))));
        return substr(md5(password_hash(uniqid('', true), PASSWORD_BCRYPT, array('cost' => $ratchet))), 0, 13);
        return substr(md5(password_hash(uniqid('', true), PASSWORD_BCRYPT, array('cost' => $ratchet))), 0, 13);
    } else {
    } else {
        $u = substr(md5(uniqid(strval(get_secure_random_number()), true)), 0, 13);
        $u = substr(md5(uniqid(strval(get_secure_random_number()), true)), 0, 13);
@@ -318,7 +318,7 @@ function get_secure_random_number()
            $code = -$code;
            $code = -$code;
        }
        }
    } elseif (function_exists('password_hash')) { // password_hash will include a randomised component
    } elseif (function_exists('password_hash')) { // password_hash will include a randomised component
        $ratchet = max(10, intval(get_option('crypt_ratchet')));
        $ratchet = max(4, min(31, intval(get_option('crypt_ratchet'))));
        $hash = password_hash(uniqid('', true), PASSWORD_BCRYPT, array('cost' => $ratchet));
        $hash = password_hash(uniqid('', true), PASSWORD_BCRYPT, array('cost' => $ratchet));
        return crc32($hash);
        return crc32($hash);
    } else {
    } else {
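Review bot: In ratchet_hash the new clamp lets the bcrypt cost for stored password hashes fall to 4, the algorithm's minimum, where the previous code never went below 10. Because intval() returns 0 for an empty or non-numeric value, a missing or blank crypt_ratchet option would now silently produce cost-4 hashes; whether get_option supplies a default is not visible here. I would keep the old floor on the password path, `$ratchet = max(10, min(31, intval(get_option('crypt_ratchet'))));`, and allow the lower floor only in produce_salt and get_secure_random_number, where the hash is merely a source of randomness. The upper bound of 31 is also worth a comment such as `// cost doubles the work per step; values well above the default can make each login take seconds or longer`. All three functions begin or end outside their hunks, so this applies only to the clamp lines shown.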