CODEWITHSUNDEEP
phphashpassword-hashxenforo
Juan Agudelo
Juan Agudelo

Reputation: 11

How can I modify or delete the PasswordHash class in XenForo to change the hashing algorithm?

I am using XenForo [2.2.13]. Currently, the PasswordHash class handles password generation and verification using a custom algorithm and what I want to do is to modify that class to change or remove the hashing algorithm, but I really don't know how to do this. I would be very grateful if you could help me with this.

function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits.  While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';

$i = 0;
do {
    $c1 = ord($input[$i++]);
    $output .= $itoa64[$c1 >> 2];
    $c1 = ($c1 & 0x03) << 4;
    if ($i >= 16) {
        $output .= $itoa64[$c1];
        break;
    }

    $c2 = ord($input[$i++]);
    $c1 |= $c2 >> 4;
    $output .= $itoa64[$c1];
    $c1 = ($c2 & 0x0f) << 2;

    $c2 = ord($input[$i++]);
    $c1 |= $c2 >> 6;
    $output .= $itoa64[$c1];
    $output .= $itoa64[$c2 & 0x3f];
} while (1);

return $output;
}

function HashPassword($password)
{
$random = '';

if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
    $random = $this->get_random_bytes(16);
    $hash = $this->gensalt_blowfish($random);
    return $this->crypt_private($password, $hash);
}

if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
    $random = $this->get_random_bytes(3);
    $hash = $this->gensalt_extended($random);
    return $this->crypt_private($password, $hash);
}

$random = $this->get_random_bytes(6);
$hash = $this->gensalt_private($random);

return $this->crypt_private($password, $hash);
}

function CheckPassword($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);

return hash_equals($stored_hash, $hash);
}

public function reverseItoA64($char)
{
return strpos($this->itoa64, $char);
}

Upvotes: 0

Views: 83

Answers (0)

Related Questions