Merge pull request #12428 from photodude/patch-9

crypt-blowfish salt is too short
joomla · Dec 8, 2016 · 11ee6cb · 11ee6cb
2 parents 24bd854 + 3f3ccb0
commit 11ee6cb
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/libraries/joomla/user/helper.php b/libraries/joomla/user/helper.php
@@ -389,7 +389,7 @@ public static function verifyPassword($password, $hash, $user_id = 0)
 	}
 
 	/**
-	 * Formats a password using the current encryption.
+	 * Formats a password using the old encryption methods.
 	 *
 	 * @param   string   $plaintext     The plaintext password to encrypt.
 	 * @param   string   $salt          The salt to use to encrypt the password. []
@@ -509,7 +509,7 @@ public static function getCryptedPassword($plaintext, $salt = '', $encryption =
 	}
 
 	/**
-	 * Returns a salt for the appropriate kind of password encryption.
+	 * Returns a salt for the appropriate kind of password encryption using the old encryption methods.
 	 * Optionally takes a seed and a plaintext password, to extract the seed
 	 * of an existing password, or for encryption types that use the plaintext
 	 * in the generation of the salt.
@@ -569,11 +569,11 @@ public static function getSalt($encryption = 'md5-hex', $seed = '', $plaintext =
 			case 'crypt-blowfish':
 				if ($seed)
 				{
-					return substr(preg_replace('|^{crypt}|i', '', $seed), 0, 16);
+					return substr(preg_replace('|^{crypt}|i', '', $seed), 0, 30);
 				}
 				else
 				{
-					return '$2$' . substr(md5(JCrypt::genRandomBytes()), 0, 12) . '$';
+					return '$2y$10$' . substr(md5(JCrypt::genRandomBytes()), 0, 22) . '$';
 				}
 				break;
 

diff --git a/tests/unit/suites/libraries/joomla/user/JUserHelperTest.php b/tests/unit/suites/libraries/joomla/user/JUserHelperTest.php
@@ -357,6 +357,21 @@ public function testVerifyPassword()
 			JUserHelper::verifyPassword('mySuperSecretPassword', '693560686f4d591d8dd5e34006442061'),
 			'Properly verifies a password hashed with Joomla legacy MD5'
 		);
+
+		$password = 'mySuperSecretPassword';
+		// Generate the old style password hash used before phpass was implemented.
+		$salt		= JUserHelper::genRandomPassword(32);
+		$crypted	= JUserHelper::getCryptedPassword($password, $salt);
+		$hashed	        = $crypted.':'.$salt;
+		$this->assertTrue(
+			JUserHelper::verifyPassword('mySuperSecretPassword', $hashed),
+			'Properly verifies a password which was hashed before phpass was implemented'
+		);
+
+		$this->assertTrue(
+			JUserHelper::verifyPassword('mySuperSecretPassword', 'fb7b0a16d7e0e6706c0f962832e1fdd8:vQnUrofbvGRcBR6l502Bt8nioKj8MObh'),
+			'Properly verifies an existing password hash which was hashed before phpass was implimented'
+		);
 	}
 
 	/**
@@ -438,7 +453,7 @@ public function testGetCryptedPassword()
 		$this->assertSame('my', substr($password, 7, 2), 'Password hash uses expected salt');
 
 		$this->assertTrue(
-			strlen(JUserHelper::getCryptedPassword('mySuperSecretPassword', '', 'crypt-blowfish')) === 13,
+			strlen(JUserHelper::getCryptedPassword('mySuperSecretPassword', '', 'crypt-blowfish')) === 60,
 			'Password is hashed to crypt-blowfish without salt'
 		);