From e8e7efbd23bb56136ac538b30e73acaddda92d96 Mon Sep 17 00:00:00 2001
From: Daniel Lange <DLange@git.local>
Date: Fri, 11 Mar 2016 17:43:15 +0100
Subject: Add support for SHA-256-crypt and SHA-512-crypt salted hashes
 Warning: Database schema change. Using varchar(128) instead of varchar(64)
 now. Thanks for reading the full git log comment :)

---
 CHANGELOG.txt        |  2 ++
 HTPasswdSync.info    |  2 +-
 HTPasswdSync.install |  4 ++--
 HTPasswdSync.module  | 30 +++++++++++++++++++++++++++---
 README.txt           | 13 ++++++++++++-
 5 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index b7a5a39..3806fa8 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,2 +1,4 @@
+v1.1 Support SHA-256-crypt and SHA-512-crypt hashes
+     See git log for other changes / patches applied
 
 v1.0 Initial release for DP7
diff --git a/HTPasswdSync.info b/HTPasswdSync.info
index bf24406..2955ee7 100644
--- a/HTPasswdSync.info
+++ b/HTPasswdSync.info
@@ -1,5 +1,5 @@
 name = HTPasswdSync
 description = Export user login data into htpasswd and htgroup files.
 core = 7.x
-php = 5.0
+php = 5.5
 configure = admin/config/people/htpasswdsync
diff --git a/HTPasswdSync.install b/HTPasswdSync.install
index e83c828..f35f2f0 100644
--- a/HTPasswdSync.install
+++ b/HTPasswdSync.install
@@ -30,14 +30,14 @@ function htpasswdsync_db_schema() {
             'username' => array(
                 'description' => 'The {users}.username.',
                 'type' => 'varchar',
-                'length' => 64,
+                'length' => 128,
                 'not null' => true,
                 'default' => 0,
             ),
             'passwd' => array(
                 'description' => 'The crypted (crypt) password.',
                 'type' => 'varchar',
-                'length' => 64,
+                'length' => 128,
                 'not null' => true,
                 'default' => '',
             ),
diff --git a/HTPasswdSync.module b/HTPasswdSync.module
index 85e835f..fd5402d 100644
--- a/HTPasswdSync.module
+++ b/HTPasswdSync.module
@@ -33,7 +33,7 @@ function _htpasswdsync_roles() {
  * @return array
  */
 function _htpasswdsync_hashes() {
-    return array ('crypt' => 'crypt', 'SHA-1' => 'SHA-1');
+    return array ('crypt' => 'crypt', 'SHA-1' => 'SHA-1', 'SHA-256-crypt' => 'SHA-256-crypt', 'SHA-512-crypt' => 'SHA-512-crypt');
 }
 
 
@@ -42,7 +42,7 @@ function _htpasswdsync_hashes() {
  * @return string
  */
 function _htpasswdsync_hash() {
-    return variable_get('htpasswdsync_hash', 'SHA-1');
+    return variable_get('htpasswdsync_hash', 'SHA-512-crypt');
 }
 
 
@@ -83,6 +83,21 @@ function _htpasswdsync_email_domain() {
     return variable_get('htpasswdsync_export_email_domain', '');
 }
 
+/**
+ * Returns a random (safe) string for salts
+ * Adopted from phpass by SolarDesigner and TimWolla on Stack Codereview
+ * @param int $count
+ * @return string
+ */
+function get_salt($count) {
+     $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/\\][{}\'";:?.>,<!@#$%^&*()-_=+|';
+     $randString = "";
+     for ($i = 0; $i < $count; $i++) {
+         $randString .= $charset[mt_rand(0, strlen($charset) - 1)];
+     }
+     return $randString;
+}
+
 
 /**
  * Sanitizes the user name to be htpasswd conform. Removes ":" character as it
@@ -113,6 +128,15 @@ function _htpasswdsync_crypt($password) {
         case 'SHA-1':
             return '{SHA}' . base64_encode(sha1($password, TRUE));
             break;
+        case 'SHA-256-crypt':
+            $salt = get_salt(16);
+            return '{SHA256-crypt}' . crypt($password, '$5$' . $salt . '$');
+            break;
+        case 'SHA-512-crypt':
+            $salt = get_salt(16);
+            return '{SHA512-crypt}' . crypt($password, '$6$' . $salt . '$');
+            break;
+
         default:
             return _htpasswdsync_hash();
     }
@@ -509,7 +533,7 @@ function htpasswdsync_admin_form() {
     $form['htpasswdsync_hash'] = array(
         '#type' => 'radios',
         '#title' => t('password hashing algorythm'),
-        '#description' => t("How shall the password be hashed (crypt only available for unix, SHA1 can be used on all platforms)"),
+        '#description' => t("How shall the password be hashed crypt (old unix), SHA1 (insecure, not salted!), SHA-256-crypt (safe) or SHA-512-crypt (best)"),
         '#options' => _htpasswdsync_hashes(),
         '#default_value' => _htpasswdsync_hash(),
     );
diff --git a/README.txt b/README.txt
index 0baf95b..c6c980f 100644
--- a/README.txt
+++ b/README.txt
@@ -5,7 +5,18 @@ Mirrored at https://github.com/fasterit/drupal_htpasswdsync
 
 This is the Faster IT version of the htpasswdsync module for Drupal 7.
 We have applied patches and improved over the module hosted on drupal.org.
-Please review the git log for details.
+This version supports secure (salted) SHA-256-crypt and SHA-512-crypt password
+storage.
+
+Pleas be aware that SHA-512-crypt hashes are larger than the 64 bytes the
+original authors of this module specified. So if you are upgrading from a
+previous version and not re-installing new, please execute the following
+in MySQL:
+
+  use drupal7; # or whatever your Drupal database is
+  alter table htpasswdsync_htpasswd modify passwd varchar(128);
+
+For an overview of other changes please review the git log.
 
 -- SUMMARY --
 
-- 
cgit v1.2.3