パスワード用のハッシュアルゴリズムにSHA-2(SHA-256, SHA-512)を利用できるようにする
関連:
No. | 保存フォーマット | scheme prefix | アルゴリズム | ソルト(seed) |
---|---|---|---|---|
1 | LDAP SSHA512 (sha-512 with a seed) | {SSHA512} | SHA-512 | あり |
2 | LDAP SHA512 | {SHA512} | SHA-512 | なし |
5 | LDAP SSHA256 (sha-256 with a seed) | {SSHA256} | SHA-256 | あり |
6 | LDAP SHA256 | {SHA256} | SHA-256 | なし |
7 | PHP hash('sha512')関数の出力 | {x-php-sha512} | SHA-512 | なし |
9 | PHP hash('sha256')関数の出力 | {x-php-sha256} | SHA-256 | なし |
// Example $adminpass values. The hashed ones appear to be derived from the throw-away passphrase "pass"
// used in the slappasswd examples below; they are for illustration only -- generate your own hash and
// never paste these into a live configuration.
//$adminpass = 'pass'; // Cleartext (stored as-is; avoid)
//$adminpass = '{SSHA512}e/6TcRqTNIviKydZM8Alb62LbUPw8itUzVoxEekKUT9NwUpJg9iDysPz/QhonidaaNOysTJcWxbnLGnbAYvrLKNJUuQ/6b8v';
//$adminpass = '{SHA512}W3IrMH/ObJRJBdEyaR1eSiIUt/6StziSDrP846kEIKGVEcMBCg53ErBU2u9bV7rVnsvZOzKA8hBXj1R/Su1NJQ==';
//$adminpass = '{SSHA256}ghLA4HsiVHGnj9uFEG17o/LacIQ837dueFryAUYWnlUHquqB+mDpdA==';
//$adminpass = '{SHA256}10/w7o2juYBrGMh32/KbveULW9jk2tejpyUAD+uC6PE=';
//$adminpass = '{x-php-sha512}5b722b307fce6c944905d132691d5e4a2214b7fe92b738920eb3fce3a90420a' .
//             '19511c3010a0e7712b054daef5b57bad59ecbd93b3280f210578f547f4aed4d25';
//$adminpass = '{x-php-sha256}d74ff0ee8da3b9806b18c877dbf29bbde50b5bd8e4dad7a3a725000feb82e8f1';
パスワードハッシュは基本的にオフラインで*1生成することを推奨します(平文のパスフレーズをWebサーバーやネットワーク経由で送らずに済むため)。
# pw-sha2 is loaded as a module; the module path is a 64-bit RHEL/CentOS layout -- adjust for your distribution
$ alias slappasswd="slappasswd -o module-path=/usr/lib64/openldap -o module-load=pw-sha2"
# NOTE: -s puts the secret on the command line, where it ends up in shell history and is visible to other
# users via ps. 'pass' is a throw-away example; for a real password omit -s so slappasswd prompts for it.
$ slappasswd -h '{SHA256}' -s pass
$ slappasswd -h '{SHA512}' -s pass
$ slappasswd -h '{SSHA256}' -s pass # salt cannot be specified: random, fixed length
$ slappasswd -h '{SSHA512}' -s pass # salt cannot be specified: random, fixed length
(OpenLDAP pw-sha2 のソルトは 8 バイト固定。slapd-sha2.c より)
slapd-sha2.c:#define SHA2_SALT_SIZE 8
slapd-sha2.c: char saltdata[SHA2_SALT_SIZE];
# Unsalted {SHA256} / {SHA512} payload: base64 of the raw digest (the "no salt" rows in the table above);
# the scheme prefix itself is not printed and must be prepended when storing the value.
# NOTE: echo -n is not portable (some /bin/sh implementations print "-n"); printf '%s' "secret" is safer.
# As with slappasswd, a real secret on the command line lands in shell history -- examples only.
$ echo -n "secret" | openssl dgst -sha256 -binary | openssl enc -base64
$ echo -n "secret" | openssl dgst -sha512 -binary | openssl enc -base64
# Helper script (not shown on this page) that mimics slappasswd using openssl;
# from the comments it presumably also accepts an explicit salt -- check the script before relying on that.
$ ./openssl_slappasswd.sh -h '{SHA256}' -s pass
$ ./openssl_slappasswd.sh -h '{SHA512}' -s pass
$ ./openssl_slappasswd.sh -h '{SSHA256}' -s pass # salt is random and fixed length when not specified
$ ./openssl_slappasswd.sh -h '{SSHA512}' -s pass # salt is random and fixed length when not specified
{SSHA256}SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv
{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=
※PukiWiki 1.5.2 に収録されている話題はここまで
diff --git a/plugin/md5.inc.php b/plugin/md5.inc.php
index 854baa0..67e2bad 100644
--- a/plugin/md5.inc.php
+++ b/plugin/md5.inc.php
@@ -5,12 +5,16 @@
 // License: GPL v2 or (at your option) any later version
 //
 // MD5 plugin: Allow to convert password/passphrase
-// * PHP sha1() -- If you have sha1() or mhash extension
 // * PHP md5()
-// * PHP hash('sha256')
-// * PHP hash('sha512')
-// * LDAP SHA / SSHA -- If you have sha1() or mhash extension
+// * PHP sha1() -- If you have sha1() or mhash extension
+// * PHP hash('sha256') -- If you have hash() (PHP 5 >= 5.1.2)
+// * PHP hash('sha384') --
+// * PHP hash('sha512') --
 // * LDAP MD5 / SMD5
+// * LDAP SHA / SSHA -- If you have sha1() or mhash extension
+// * LDAP SHA256 / SSHA256 -- If you have hash() (PHP 5 >= 5.1.2)
+// * LDAP SHA384 / SSHA384 --
+// * LDAP SHA512 / SSHA512 --
 
 // User interface of pkwk_hash_compute() for system admin
 function plugin_md5_action()
@@ -39,6 +43,9 @@ function plugin_md5_action()
 if ($algos_enabled->sha256) {
 array_push($scheme_list, 'x-php-sha256', 'SHA256', 'SSHA256');
 }
+ if ($algos_enabled->sha384) {
+ array_push($scheme_list, 'x-php-sha384', 'SHA384', 'SSHA384');
+ }
 if ($algos_enabled->sha512) {
 array_push($scheme_list, 'x-php-sha512', 'SHA512', 'SSHA512');
 }
@@ -67,8 +74,10 @@ function plugin_md5_show_form($nophrase = FALSE, $value = '')
 }
 if ($value != '') $value = 'value="' . htmlsc($value) . '" ';
 $algos_enabled = plugin_md5_get_algos_enabled();
- $sha1_checked = $md5_checked = '';
- if ($algos_enabled->sha1) {
+ $sha256_checked = $sha1_checked = $md5_checked = '';
+ if ($algos_enabled->sha256) {
+ $sha256_checked = 'checked="checked" ';
+ } elseif ($algos_enabled->sha1) {
 $sha1_checked = 'checked="checked" ';
 } else {
 $md5_checked = 'checked="checked" ';
@@ -85,48 +94,68 @@ EOD;
 <input type="hidden" name="plugin" value="md5" />
 <label for="_p_md5_phrase">Phrase:</label>
 <input type="text" name="phrase" id="_p_md5_phrase" size="60" $value/><br />
+
+
 EOD;
- $form .= <<<EOD
- <input type="radio" name="scheme" id="_p_md5_md5" value="x-php-md5" />
- <label for="_p_md5_md5">PHP md5</label><br />
+ if ($algos_enabled->sha512) $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_sha512" value="x-php-sha512" />
+ <label for="_p_md5_sha512">PHP sha512</label><br />
+
 EOD;
- if ($algos_enabled->sha1) $form .= <<<EOD
- <input type="radio" name="scheme" id="_p_md5_sha1" value="x-php-sha1" />
- <label for="_p_md5_sha1">PHP sha1</label><br />
+ if ($algos_enabled->sha384) $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_sha384" value="x-php-sha384" />
+ <label for="_p_md5_sha384">PHP sha384</label><br />
+
 EOD;
 if ($algos_enabled->sha256) $form .= <<<EOD
 <input type="radio" name="scheme" id="_p_md5_sha256" value="x-php-sha256" />
 <label for="_p_md5_sha256">PHP sha256</label><br />
+
+EOD;
+ if ($algos_enabled->sha1) $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_sha1" value="x-php-sha1" />
+ <label for="_p_md5_sha1">PHP sha1</label><br />
+
+EOD;
+ $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_md5" value="x-php-md5" />
+ <label for="_p_md5_md5">PHP md5</label><br />
+
 EOD;
 if ($algos_enabled->sha512) $form .= <<<EOD
- <input type="radio" name="scheme" id="_p_md5_sha512" value="x-php-sha512" />
- <label for="_p_md5_sha512">PHP sha512</label><br />
+ <input type="radio" name="scheme" id="_p_md5_lssha512" value="SSHA512" />
+ <label for="_p_md5_lssha512">LDAP SSHA512 (sha-512 with a seed) *</label><br />
+ <input type="radio" name="scheme" id="_p_md5_lsha512" value="SHA512" />
+ <label for="_p_md5_lsha512">LDAP SHA512 (sha-512)</label><br />
+
+EOD;
+ if ($algos_enabled->sha384) $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_lssha384" value="SSHA384" />
+ <label for="_p_md5_lssha384">LDAP SSHA384 (sha-384 with a seed) *</label><br />
+ <input type="radio" name="scheme" id="_p_md5_lsha384" value="SHA384" />
+ <label for="_p_md5_lsha384">LDAP SHA384 (sha-384)</label><br />
+
+EOD;
+ if ($algos_enabled->sha256) $form .= <<<EOD
+ <input type="radio" name="scheme" id="_p_md5_lssha256" value="SSHA256" />
+ <label for="_p_md5_lssha256">LDAP SSHA256 (sha-256 with a seed) *</label><br />
+ <input type="radio" name="scheme" id="_p_md5_lsha256" value="SHA256" $sha256_checked/>
+ <label for="_p_md5_lsha256">LDAP SHA256 (sha-256)</label><br />
+
 EOD;
 if ($algos_enabled->sha1) $form .= <<<EOD
 <input type="radio" name="scheme" id="_p_md5_lssha" value="SSHA" $sha1_checked/>
 <label for="_p_md5_lssha">LDAP SSHA (sha-1 with a seed) *</label><br />
 <input type="radio" name="scheme" id="_p_md5_lsha" value="SHA" />
 <label for="_p_md5_lsha">LDAP SHA (sha-1)</label><br />
+
 EOD;
 $form .= <<<EOD
 <input type="radio" name="scheme" id="_p_md5_lsmd5" value="SMD5" $md5_checked/>
 <label for="_p_md5_lsmd5">LDAP SMD5 (md5 with a seed) *</label><br />
 <input type="radio" name="scheme" id="_p_md5_lmd5" value="MD5" />
 <label for="_p_md5_lmd5">LDAP MD5</label><br />
-EOD;
- if ($algos_enabled->sha256) $form .= <<<EOD
- <input type="radio" name="scheme" id="_p_md5_lssha256" value="SSHA256"/>
- <label for="_p_md5_lssha256">LDAP SSHA256 (sha256 with a seed) *</label><br />
- <input type="radio" name="scheme" id="_p_md5_lsha256" value="SHA256" />
- <label for="_p_md5_lsha256">LDAP SHA256</label><br />
-EOD;
- if ($algos_enabled->sha512) $form .= <<<EOD
- <input type="radio" name="scheme" id="_p_md5_lssha512" value="SSHA512"/>
- <label for="_p_md5_lssha512">LDAP SSHA512 (sha512 with a seed) *</label><br />
- <input type="radio" name="scheme" id="_p_md5_lsha512" value="SHA512" />
- <label for="_p_md5_lsha512">LDAP SHA512</label><br />
-EOD;
- $form .= <<<EOD
+
 <input type="checkbox" name="prefix" id="_p_md5_prefix" checked="checked" />
 <label for="_p_md5_prefix">Add scheme prefix (RFC2307, Using LDAP as NIS)</label><br />
@@ -139,6 +168,7 @@ EOD;
 <p>* = Salt enabled<p/>
 </div>
 </form>
+
 EOD;
 return $form;
@@ -149,21 +179,11 @@ EOD;
 */
 function plugin_md5_get_algos_enabled()
 {
- $sha1_enabled = function_exists('sha1');
- $sha256_enabled = false;
- $sha512_enabled = false;
- if (function_exists('hash') && function_exists('hash_algos')) {
- $algos = hash_algos();
- if (in_array('sha256', $algos)) {
- $sha256_enabled = true;
- }
- if (in_array('sha512', $algos)) {
- $sha512_enabled = true;
- }
- }
+ $algos = function_exists('hash_algos') ? hash_algos() : array();
 return (object) array(
- 'sha1' => $sha1_enabled,
- 'sha256' => $sha256_enabled,
- 'sha512' => $sha512_enabled,
+ 'sha1' => function_exists('sha1'),
+ 'sha256' => in_array('sha256', $algos),
+ 'sha384' => in_array('sha384', $algos),
+ 'sha512' => in_array('sha512', $algos),
 );
 }
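Review bot: The new default radio for SHA-2 is the unsalted scheme: `$sha256_checked` is placed on the `_p_md5_lsha256` input (`value="SHA256"`), while the existing sha1 and md5 defaults in the same hunk select the salted variants (`$sha1_checked` on `SSHA`, `$md5_checked` on `SMD5`). An unsalted digest of a short admin passphrase is directly attackable with precomputed tables, and the form's own legend marks the salted schemes with `*`, so the default should move to the salted option: `<input type="radio" name="scheme" id="_p_md5_lssha256" value="SSHA256" $sha256_checked/>` and drop `$sha256_checked` from the `SHA256` input. plugin_md5_show_form starts before this hunk (where `$sha256_checked` is set) and ends after it, so the `$form` assembly is only partly visible here.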
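Review bot: The rewritten body of `plugin_md5_get_algos_enabled` calls `in_array()` without the strict flag on every line of the returned array; `hash_algos()` returns a list of strings so this is harmless today, but `in_array('sha256', $algos, true)` states the intent and avoids loose-comparison surprises if the source of `$algos` ever changes. The `function_exists('hash')` guard was dropped in favour of `function_exists('hash_algos')` alone, which appears safe since both come from the same extension, but a one-line comment saying so (`// hash_algos() and hash() ship together in ext/hash`) would save the next reader from re-checking.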