diff --git a/core/includes/password.inc b/core/includes/password.inc index b052a4a..616fed0 100644 --- a/core/includes/password.inc +++ b/core/includes/password.inc @@ -193,23 +193,43 @@ function _password_get_count_log2($setting) { } /** - * Hash a password using a secure hash. + * Generate a bcrypt hashed password. * * @param $password * A plain-text password. - * @param $count_log2 - * Optional integer to specify the iteration count. Generally used only during - * mass operations where a value less than the default is needed for speed. * * @return * A string containing the hashed password (and a salt), or FALSE on failure. */ -function user_hash_password($password, $count_log2 = 0) { - if (empty($count_log2)) { - // Use the standard iteration count. - $count_log2 = variable_get('password_count_log2', DRUPAL_HASH_COUNT); +function _password_bcrypt($password) { + // Don't allow passwords longer than 72 chars. + if(strlen($password) > 72) { + return false; } - return _password_crypt('sha512', $password, _password_generate_salt($count_log2)); + + // The salt should be 22 chars long. + $salt = sprintf('$2a$%s$%s', 12, _password_base64_encode(drupal_random_bytes(22), 22)); + $hash = crypt($password, $salt); + + // Expected hash length is over 13 chars. + if(strlen($hash) > 13) { + return $hash; + } + return false; +} + + +/** + * Hash a password using a secure hash. + * + * @param $password + * A plain-text password. + * + * @return + * A string containing the hashed password (and a salt), or FALSE on failure. + */ +function user_hash_password($password) { + return _password_bcrypt($password); } /** @@ -245,6 +265,10 @@ function user_check_password($password, $account) { // A normal Drupal 7 password using sha512. $hash = _password_crypt('sha512', $password, $stored_hash); break; + case '$2a': + // Bcrypt hashed password. + return crypt($password, $stored_hash) === $stored_hash; + break; case '$H$': // phpBB3 uses "$H$" for the same thing as "$P$". case '$P$':