CryptPlus

Summary: Additional password hashing algorithms for AuthUser and HtpasswdForm
Version: 2012-12-27
Prerequisites: PmWiki 2.x; AuthUser; PHP 5.3.0 or above (5.3.2 or above for PHP's own SHA-256/SHA-512 implementation), or OS crypt() support for the algorithms you want to use
Status: Initial release ("works for me")
Maintainer: MG
Categories: Security
Discussion: CryptPlus-Talk

Questions answered by this recipe

  • Can I use stronger hashing algorithms for PmWiki passwords?

Description

Adds support for the Blowfish (bcrypt), SHA-256 and SHA-512 crypt() schemes for password hashing. These are the salted, cost-parameterised crypt() formats (salt prefixes $2y$/$2a$, $5$ and $6$), not plain single-pass SHA-256 or SHA-512 digests.

Installation

  1. Download cryptplus.php and save it in the cookbook/ directory.
  2. Edit scripts/crypt.php (this controls the behaviour of ?action=crypt):
    1. Add this line near the top:
      include_once("$FarmD/cookbook/cryptplus.php");
    2. Replace this line:
      $crypt = crypt($passwd);
      with this:
      $crypt = secureHash($passwd);
  3. If you use HtpasswdForm, also edit cookbook/htpasswdform.php:
    1. Add this line near the top:
      include_once("$FarmD/cookbook/cryptplus.php");
    2. Change the $HtpasswordTypes array section near the top, so it reads:
      SDVA($HtpasswordTypes, array(
        /* label            algorithm  timestamp? */
        0 => array('apr1',     0, true),
        1 => array('crypt',    1, false),
        2 => array('SHA-1',    2, false),
        3 => array('Blowfish', 3, false),
        4 => array('SHA-256',  4, false),
        5 => array('SHA-512',  5, false),
      ));
    3. Replace this section, around line 535:
      if(!$salt) {
        ...
      }
      $pw = _crypt($plain, $salt);
      return $pw;
      with this:
      if(!$algorithm) {
        $algorithm = $HtpasswordTypes[$pwtype][1];
      }
      $pw = secureHash($plain, $algorithm);
      return $pw;
  4. Finally, and again if you use HtpasswdForm, edit local/SiteHtpasswdForm.php (or whatever your local customisation file is), and set:
    $HtpasswdDefaultType = 4;
    This sets SHA-256 as the default algorithm, which will be used whenever a user changes their own password.

Usage

If you've made the edits above, usage is automatic with both ?action=crypt (the default algorithm is used) and HtpasswdForm (users get the default algorithm; administrators can choose one). Changing the default does not invalidate existing password entries: the prefix stored with each hash selects the algorithm used to verify it, so old apr1, crypt and SHA-1 entries keep working.

You could integrate this recipe with any other recipe that asks for a hash. Here is what happens:

  1. secureHash() is called with at least one argument, the plaintext password.
  2. If no algorithm is passed as a second argument, it defaults to SHA-256 (see Notes, below).
  3. secureHash() generates a pseudo-random salt in the format and length the chosen algorithm expects, then calls PmWiki's _crypt() function, which is part of authuser.php.
  4. If _crypt() is passed an apr1 or SHA-1 salt, it calculates the hash itself.
  5. If _crypt() is passed any other sort of salt, it hands the job to PHP's crypt() function, which uses your operating system's crypt() implementation where one is available.

If your OS crypt() function doesn't support Blowfish, SHA-256 or SHA-512, PHP supplies its own implementation: Blowfish from PHP 5.3.0, SHA-256 and SHA-512 from PHP 5.3.2 (the CRYPT_BLOWFISH, CRYPT_SHA256 and CRYPT_SHA512 constants report which schemes are available). The recipe does no error checking for this. When crypt() cannot handle the salt it is given, it returns a short failure string (shorter than 13 characters, for example "*0") instead of a hash, so if you get weird results, or a stored value that doesn't look like a hash, this is the first thing to check.
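To make the flow above concrete, here is a stand-alone PHP sketch of the same idea, added for this page and not taken from cryptplus.php or PmWiki: it reports which crypt() schemes this PHP build offers, builds a correctly formatted random salt for each scheme, hashes with crypt(), treats crypt()'s short failure string as an error rather than storing it, and verifies a candidate password with a constant-time comparison. The function names (cryptPlusAvailable, cryptPlusRandomSalt, cryptPlusSalt, cryptPlusHash, cryptPlusVerify), the cost/rounds defaults and the sample password are this example's own assumptions; the recipe's secureHash() and PmWiki's _crypt() are not used.

```php
<?php
// Added example for this page: not code from cryptplus.php or PmWiki.
// Shows the salt formats crypt() expects for the three schemes the recipe
// adds, plus the availability and failure checks the recipe itself omits.

// Which schemes does this PHP build (or the OS libc behind it) support?
// The CRYPT_* constants are PHP's own; the SHA ones exist from PHP 5.3.2.
function cryptPlusAvailable() {
    return array(
        'blowfish' => defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1,
        'sha256'   => defined('CRYPT_SHA256')   && CRYPT_SHA256 == 1,
        'sha512'   => defined('CRYPT_SHA512')   && CRYPT_SHA512 == 1,
    );
}

// Random salt drawn from the crypt() alphabet [./0-9A-Za-z]. The alphabet has
// exactly 64 symbols, so masking each byte to 6 bits introduces no bias.
// A CSPRNG is used, never rand()/mt_rand().
function cryptPlusRandomSalt($length) {
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = function_exists('random_bytes')
        ? random_bytes($length)                  // PHP 7.0+
        : openssl_random_pseudo_bytes($length);  // PHP 5.3+
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[ord($bytes[$i]) & 0x3f];
    }
    return $salt;
}

// Build a salt string whose prefix selects the scheme and work factor.
// $cost is bcrypt's log2 work factor (04..31); $rounds is for the SHA schemes
// (crypt()'s own default is 5000; raise it on capable hardware).
function cryptPlusSalt($algorithm, $cost = 10, $rounds = 5000) {
    $available = cryptPlusAvailable();
    if (!isset($available[$algorithm])) {
        throw new InvalidArgumentException("unknown algorithm '$algorithm'");
    }
    if (!$available[$algorithm]) {
        throw new RuntimeException("crypt() scheme '$algorithm' is not available here");
    }
    switch ($algorithm) {
        case 'blowfish':
            // $2y$ (PHP 5.3.7+) fixes $2a$'s mishandling of 8-bit characters.
            $prefix = version_compare(PHP_VERSION, '5.3.7', '>=') ? '$2y$' : '$2a$';
            return $prefix . sprintf('%02d', $cost) . '$' . cryptPlusRandomSalt(22);
        case 'sha256':
            return '$5$rounds=' . (int)$rounds . '$' . cryptPlusRandomSalt(16) . '$';
        case 'sha512':
            return '$6$rounds=' . (int)$rounds . '$' . cryptPlusRandomSalt(16) . '$';
    }
}

// Hash a plaintext password. crypt() signals failure with a string shorter
// than 13 characters (for example "*0"); that must never be stored as a hash.
function cryptPlusHash($plain, $algorithm = 'sha256') {
    $hash = crypt($plain, cryptPlusSalt($algorithm));
    if (strlen($hash) < 13) {
        throw new RuntimeException("crypt() failed for scheme '$algorithm'");
    }
    return $hash;
}

// Verify by re-running crypt() with the stored hash as the salt: the prefix,
// work factor and salt embedded in it select the same scheme and parameters.
function cryptPlusVerify($plain, $stored) {
    $candidate = crypt($plain, $stored);
    if (function_exists('hash_equals')) {        // PHP 5.6+
        return hash_equals($stored, $candidate);
    }
    // Constant-time fallback for older PHP.
    if (strlen($stored) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Demo with a constructed password (not a real credential).
foreach (cryptPlusAvailable() as $scheme => $ok) {
    echo $scheme, ': ', ($ok ? 'available' : 'missing'), "\n";
}
$stored = cryptPlusHash('correct horse battery staple', 'sha512');
echo "stored: $stored\n";
echo 'verify correct: ', var_export(cryptPlusVerify('correct horse battery staple', $stored), true), "\n";
echo 'verify wrong:   ', var_export(cryptPlusVerify('Tr0ub4dor&3', $stored), true), "\n";
```

Store only the string crypt() returns: it embeds the scheme prefix, cost or rounds, and salt, which is what lets cryptPlusVerify() re-run crypt() with the stored value as the salt. If cryptPlusAvailable() reports a scheme as missing, neither the OS crypt() nor the PHP build supports it, and that is exactly the situation in which the recipe's unchecked secureHash() call would hand back crypt()'s failure string.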

Notes

If secureHash() is called with only the plaintext password as an argument, it defaults to SHA-256. This can be changed by editing cryptplus.php, or you can pass your choice directly as an additional argument.

Blowfish preferences can also be set the same way. If you use Blowfish, note that the $2y$ salt prefix requires PHP 5.3.7 or later; the older $2a$ prefix on earlier PHP versions mishandles passwords containing 8-bit (non-ASCII) characters, which is why $2y$ was introduced.

I suspect that if you use APR1-MD5, crypt MD5 or SHA-1, then anything that this recipe does in terms of creating a salt is basically ignored by PmWiki's _crypt() function (see Usage, above). I haven't really looked at this, because this recipe works even if only as a passthrough, and I don't intend to use these algorithms, but I might come back to it in future for the sake of elegance.

Finally, this recipe currently involves editing scripts/crypt.php, which is a core PmWiki file, so it could be overwritten in an upgrade (and doing this seems like an ugly hack anyway). I'm new to PHP, so if anybody knows of a better way to integrate this recipe with both AuthUser and HtpasswdForm, I'd be happy to hear it!

Change log / Release notes

  • 2012-12-27 - initial release

Comments

See discussion at CryptPlus-Talk
