From e8e7efbd23bb56136ac538b30e73acaddda92d96 Mon Sep 17 00:00:00 2001
From: Daniel Lange <DLange@git.local>
Date: Fri, 11 Mar 2016 17:43:15 +0100
Subject: Add support for SHA-256-crypt and SHA-512-crypt salted hashes
 Warning: Database schema change. Using varchar(128) instead of varchar(64)
 now. Thanks for reading the full git log comment :)

---
 HTPasswdSync.module | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

(limited to 'HTPasswdSync.module')

diff --git a/HTPasswdSync.module b/HTPasswdSync.module
index 85e835f..fd5402d 100644
--- a/HTPasswdSync.module
+++ b/HTPasswdSync.module
@@ -33,7 +33,7 @@ function _htpasswdsync_roles() {
  * @return array
  */
 function _htpasswdsync_hashes() {
-    return array ('crypt' => 'crypt', 'SHA-1' => 'SHA-1');
+    return array ('crypt' => 'crypt', 'SHA-1' => 'SHA-1', 'SHA-256-crypt' => 'SHA-256-crypt', 'SHA-512-crypt' => 'SHA-512-crypt');
 }
 
 
@@ -42,7 +42,7 @@ function _htpasswdsync_hashes() {
  * @return string
  */
 function _htpasswdsync_hash() {
-    return variable_get('htpasswdsync_hash', 'SHA-1');
+    return variable_get('htpasswdsync_hash', 'SHA-512-crypt');
 }
 
 
@@ -83,6 +83,21 @@ function _htpasswdsync_email_domain() {
     return variable_get('htpasswdsync_export_email_domain', '');
 }
 
+/**
+ * Returns a random (safe) string for salts
+ * Adopted from phpass by SolarDesigner and TimWolla on Stack Codereview
+ * @param int $count
+ * @return string
+ */
+function get_salt($count) {
+     $charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/\\][{}\'";:?.>,<!@#$%^&*()-_=+|';
+     $randString = "";
+     for ($i = 0; $i < $count; $i++) {
+         $randString .= $charset[mt_rand(0, strlen($charset) - 1)];
+     }
+     return $randString;
+}
+
 
 /**
  * Sanitizes the user name to be htpasswd conform. Removes ":" character as it
@@ -113,6 +128,15 @@ function _htpasswdsync_crypt($password) {
         case 'SHA-1':
             return '{SHA}' . base64_encode(sha1($password, TRUE));
             break;
+        case 'SHA-256-crypt':
+            $salt = get_salt(16);
+            return '{SHA256-crypt}' . crypt($password, '$5$' . $salt . '$');
+            break;
+        case 'SHA-512-crypt':
+            $salt = get_salt(16);
+            return '{SHA512-crypt}' . crypt($password, '$6$' . $salt . '$');
+            break;
+
         default:
             return _htpasswdsync_hash();
     }
@@ -509,7 +533,7 @@ function htpasswdsync_admin_form() {
     $form['htpasswdsync_hash'] = array(
         '#type' => 'radios',
         '#title' => t('password hashing algorythm'),
-        '#description' => t("How shall the password be hashed (crypt only available for unix, SHA1 can be used on all platforms)"),
+        '#description' => t("How shall the password be hashed crypt (old unix), SHA1 (insecure, not salted!), SHA-256-crypt (safe) or SHA-512-crypt (best)"),
         '#options' => _htpasswdsync_hashes(),
         '#default_value' => _htpasswdsync_hash(),
     );
-- 
cgit v1.2.3