library/authentication/password_hashing.php

   1 <?php
   2 /**
   3  * Hashing and salt generation algorithms for use in password management.
   4  *
   5  * <pre>
   6  * These are the algorithms used for password hashing, including generation of salt and selection
   7  * of a hashing algorithm.  crypt() with blowfish will be used on systems that support it.
   8  * If blowfish is not available, then SHA1 with a prepended salt will be used.
   9  *
  10  * When a system without blowfish (e.g. PHP 5.2) is upgraded to one with support (e.g. php 5.3),
  11  * the passwords will continue to be stored and useable in SHA1 format until a user either changes
  12  * his own password, or an administrator issues a new password.
  13  * </pre>
  14  * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
  15  *
  16  * LICENSE: This program is free software; you can redistribute it and/or
  17  * modify it under the terms of the GNU General Public License
  18  * as published by the Free Software Foundation; either version 3
  19  * of the License, or (at your option) any later version.
  20  * This program is distributed in the hope that it will be useful,
  21  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  22  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  23  * GNU General Public License for more details.
  24  * You should have received a copy of the GNU General Public License
  25  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  26  *
  27  * @package OpenEMR
  28  * @author  Kevin Yeh <kevin.y@integralemr.com>
  29  * @link    http://www.open-emr.org
  30  */
  31
  32 define("SALT_PREFIX_SHA1",'$SHA1$');
  33
  34 /**
  35  *
  36  * Generate a salt to be used with the password_hash() function.
  37  *
  38  * <pre>
  39  * This function checks for the availability of the preferred hashing algorithm (BLOWFISH)
  40  * on the system.  If it is available the salt returned is prefixed to indicate it is for BLOWFISH.
  41  * If it is not available, then SHA1 will be used instead.
  42  *
  43  * See php documentation on crypt() for more details.
  44  * </pre>
  45  *
  46  *
  47  * @return type     The algorithm prefix + random data for salt.
  48  */
  49 function oemr_password_salt()
  50 {
  51     $Allowed_Chars ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
  52     $Chars_Len = 63;
  53
  54     $Salt_Length = 21;
  55
  56     $salt = "";
  57
  58     for($i=0; $i<$Salt_Length; $i++)
  59     {
  60         $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
  61     }
  62
  63     // This is the preferred hashing mechanism
  64     if(CRYPT_BLOWFISH===1)
  65     {
  66         $rounds='05';
  67         //This string tells crypt to apply blowfish $rounds times.
  68         $Blowfish_Pre = '$2a$'.$rounds.'$';
  69         $Blowfish_End = '$';
  70
  71         return $Blowfish_Pre.$salt.$Blowfish_End;
  72     }
  73     error_log("Blowfish hashing algorithm not available.  Upgrading to PHP 5.3.x or newer is strongly recommended");
  74
  75     return SALT_PREFIX_SHA1.$salt;
  76
  77
  78 }
  79
  80 /**
  81  * Hash a plaintext password for comparison or initial storage.
  82  *
  83  * <pre>
  84  * This function either uses the built in PHP crypt() function, or sha1() depending
  85  * on a prefix in the salt.  This on systems without a strong enough built in algorithm
  86  * for crypt(), sha1() can be used as a fallback.
  87  * </pre>
  88  *
  89  * @param type $plaintext
  90  * @param type $salt
  91  * @return type
  92  */
  93 function oemr_password_hash($plaintext,$salt)
  94 {
  95     // if this is a SHA1 salt, the use prepended salt
  96     if(strpos($salt,SALT_PREFIX_SHA1)===0)
  97     {
  98         return SALT_PREFIX_SHA1 . sha1($salt.$plaintext);
  99     }
 100     else { // Otherwise use PHP crypt()
 101
 102         return crypt($plaintext,$salt);
 103     }
 104 }
 105 ?>