Changeset

2168:28d99ffa3c06

mod_auth_phpbb3: Add support for verifying bcrypt hashes (thanks bios)
author Kim Alvefur <zash@zash.se>
date Sat, 30 Apr 2016 19:09:45 +0200
parents 2167:24dcf496df6b
children 2169:9fa588babbba
files mod_auth_phpbb3/README.markdown mod_auth_phpbb3/mod_auth_phpbb3.lua
diffstat 2 files changed, 10 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/mod_auth_phpbb3/README.markdown	Wed Apr 27 21:48:13 2016 +0200
+++ b/mod_auth_phpbb3/README.markdown	Sat Apr 30 19:09:45 2016 +0200
@@ -10,6 +10,11 @@
 
 This module allows you to authenticate against an PHPBB3 database.
 
+To support the `bcrypt` password hashing algorithm, install
+[bcrypt](https://luarocks.org/modules/mikejsavage/bcrypt) from luarocks:
+
+    luarocks install bcrypt
+
 Configuration
 =============
 
--- a/mod_auth_phpbb3/mod_auth_phpbb3.lua	Wed Apr 27 21:48:13 2016 +0200
+++ b/mod_auth_phpbb3/mod_auth_phpbb3.lua	Sat Apr 30 19:09:45 2016 +0200
@@ -10,6 +10,7 @@
 local DBI = require "DBI"
 local md5 = require "util.hashes".md5;
 local uuid_gen = require "util.uuid".generate;
+local have_bcrypt, bcrypt = pcall(require, "bcrypt"); -- available from luarocks
 
 local connection;
 local params = module:get_option("sql");
@@ -176,7 +177,10 @@
 end
 local function phpbbCheckHash(password, hash)
 	if #hash == 32 then return hash == md5(password, true); end -- legacy PHPBB2 hash
-	return #hash == 34 and hashCryptPrivate(password, hash) == hash;
+	if #hash == 34 then return hashCryptPrivate(password, hash) == hash; end
+	if #hash == 60 and have_bcrypt then return bcrypt.verify(password, hash); end
+	module:log("error", "Unsupported hash: %s", hash);
+	return false;
 end
 local function phpbbCreateHash(password)
 	local random = uuid_gen():sub(-6);