[ Index ]

PHP Cross Reference of BackPress

title

Body

[close]

/includes/ -> class.passwordhash.php (source)

   1  <?php
   2  // Last sync [WP13429]
   3  
   4  /**
   5   * Portable PHP password hashing framework.
   6   * @package phpass
   7   * @since 2.5
   8   * @version 0.2 / genuine.
   9   * @link http://www.openwall.com/phpass/
  10   */
  11  
  12  #
  13  # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
  14  # the public domain.
  15  #
  16  # There's absolutely no warranty.
  17  #
  18  # Please be sure to update the Version line if you edit this file in any way.
  19  # It is suggested that you leave the main version number intact, but indicate
  20  # your project name (after the slash) and add your own revision information.
  21  #
  22  # Please do not change the "private" password hashing method implemented in
  23  # here, thereby making your hashes incompatible.  However, if you must, please
  24  # change the hash type identifier (the "$P$") to something different.
  25  #
  26  # Obviously, since this code is in the public domain, the above are not
  27  # requirements (there can be none), but merely suggestions.
  28  #
  29  
  30  /**
  31   * Portable PHP password hashing framework.
  32   *
  33   * @package phpass
  34   * @version 0.2 / genuine.
  35   * @link http://www.openwall.com/phpass/
  36   * @since 2.5
  37   */
  38  class PasswordHash {
  39      var $itoa64;
  40      var $iteration_count_log2;
  41      var $portable_hashes;
  42      var $random_state;
  43  
  44  	function __construct($iteration_count_log2, $portable_hashes)
  45      {
  46          $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  47  
  48          if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
  49              $iteration_count_log2 = 8;
  50          $this->iteration_count_log2 = $iteration_count_log2;
  51  
  52          $this->portable_hashes = $portable_hashes;
  53  
  54          $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compability reasons
  55      }
  56  
  57  	function PasswordHash($iteration_count_log2, $portable_hashes)
  58      {
  59          self::__construct($iteration_count_log2, $portable_hashes);
  60      }
  61  
  62  	function get_random_bytes($count)
  63      {
  64          $output = '';
  65          if ( @is_readable('/dev/urandom') &&
  66              ($fh = @fopen('/dev/urandom', 'rb'))) {
  67              $output = fread($fh, $count);
  68              fclose($fh);
  69          }
  70  
  71          if (strlen($output) < $count) {
  72              $output = '';
  73              for ($i = 0; $i < $count; $i += 16) {
  74                  $this->random_state =
  75                      md5(microtime() . $this->random_state);
  76                  $output .=
  77                      pack('H*', md5($this->random_state));
  78              }
  79              $output = substr($output, 0, $count);
  80          }
  81  
  82          return $output;
  83      }
  84  
  85  	function encode64($input, $count)
  86      {
  87          $output = '';
  88          $i = 0;
  89          do {
  90              $value = ord($input[$i++]);
  91              $output .= $this->itoa64[$value & 0x3f];
  92              if ($i < $count)
  93                  $value |= ord($input[$i]) << 8;
  94              $output .= $this->itoa64[($value >> 6) & 0x3f];
  95              if ($i++ >= $count)
  96                  break;
  97              if ($i < $count)
  98                  $value |= ord($input[$i]) << 16;
  99              $output .= $this->itoa64[($value >> 12) & 0x3f];
 100              if ($i++ >= $count)
 101                  break;
 102              $output .= $this->itoa64[($value >> 18) & 0x3f];
 103          } while ($i < $count);
 104  
 105          return $output;
 106      }
 107  
 108  	function gensalt_private($input)
 109      {
 110          $output = '$P$';
 111          $output .= $this->itoa64[min($this->iteration_count_log2 +
 112              ((PHP_VERSION >= '5') ? 5 : 3), 30)];
 113          $output .= $this->encode64($input, 6);
 114  
 115          return $output;
 116      }
 117  
 118  	function crypt_private($password, $setting)
 119      {
 120          $output = '*0';
 121          if (substr($setting, 0, 2) == $output)
 122              $output = '*1';
 123  
 124          if (substr($setting, 0, 3) != '$P$')
 125              return $output;
 126  
 127          $count_log2 = strpos($this->itoa64, $setting[3]);
 128          if ($count_log2 < 7 || $count_log2 > 30)
 129              return $output;
 130  
 131          $count = 1 << $count_log2;
 132  
 133          $salt = substr($setting, 4, 8);
 134          if (strlen($salt) != 8)
 135              return $output;
 136  
 137          # We're kind of forced to use MD5 here since it's the only
 138          # cryptographic primitive available in all versions of PHP
 139          # currently in use.  To implement our own low-level crypto
 140          # in PHP would result in much worse performance and
 141          # consequently in lower iteration counts and hashes that are
 142          # quicker to crack (by non-PHP code).
 143          if (PHP_VERSION >= '5') {
 144              $hash = md5($salt . $password, TRUE);
 145              do {
 146                  $hash = md5($hash . $password, TRUE);
 147              } while (--$count);
 148          } else {
 149              $hash = pack('H*', md5($salt . $password));
 150              do {
 151                  $hash = pack('H*', md5($hash . $password));
 152              } while (--$count);
 153          }
 154  
 155          $output = substr($setting, 0, 12);
 156          $output .= $this->encode64($hash, 16);
 157  
 158          return $output;
 159      }
 160  
 161  	function gensalt_extended($input)
 162      {
 163          $count_log2 = min($this->iteration_count_log2 + 8, 24);
 164          # This should be odd to not reveal weak DES keys, and the
 165          # maximum valid value is (2**24 - 1) which is odd anyway.
 166          $count = (1 << $count_log2) - 1;
 167  
 168          $output = '_';
 169          $output .= $this->itoa64[$count & 0x3f];
 170          $output .= $this->itoa64[($count >> 6) & 0x3f];
 171          $output .= $this->itoa64[($count >> 12) & 0x3f];
 172          $output .= $this->itoa64[($count >> 18) & 0x3f];
 173  
 174          $output .= $this->encode64($input, 3);
 175  
 176          return $output;
 177      }
 178  
 179  	function gensalt_blowfish($input)
 180      {
 181          # This one needs to use a different order of characters and a
 182          # different encoding scheme from the one in encode64() above.
 183          # We care because the last character in our encoded string will
 184          # only represent 2 bits.  While two known implementations of
 185          # bcrypt will happily accept and correct a salt string which
 186          # has the 4 unused bits set to non-zero, we do not want to take
 187          # chances and we also do not want to waste an additional byte
 188          # of entropy.
 189          $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
 190  
 191          $output = '$2a$';
 192          $output .= chr(ord('0') + $this->iteration_count_log2 / 10);
 193          $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
 194          $output .= '$';
 195  
 196          $i = 0;
 197          do {
 198              $c1 = ord($input[$i++]);
 199              $output .= $itoa64[$c1 >> 2];
 200              $c1 = ($c1 & 0x03) << 4;
 201              if ($i >= 16) {
 202                  $output .= $itoa64[$c1];
 203                  break;
 204              }
 205  
 206              $c2 = ord($input[$i++]);
 207              $c1 |= $c2 >> 4;
 208              $output .= $itoa64[$c1];
 209              $c1 = ($c2 & 0x0f) << 2;
 210  
 211              $c2 = ord($input[$i++]);
 212              $c1 |= $c2 >> 6;
 213              $output .= $itoa64[$c1];
 214              $output .= $itoa64[$c2 & 0x3f];
 215          } while (1);
 216  
 217          return $output;
 218      }
 219  
 220  	function HashPassword($password)
 221      {
 222          $random = '';
 223  
 224          if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
 225              $random = $this->get_random_bytes(16);
 226              $hash =
 227                  crypt($password, $this->gensalt_blowfish($random));
 228              if (strlen($hash) == 60)
 229                  return $hash;
 230          }
 231  
 232          if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
 233              if (strlen($random) < 3)
 234                  $random = $this->get_random_bytes(3);
 235              $hash =
 236                  crypt($password, $this->gensalt_extended($random));
 237              if (strlen($hash) == 20)
 238                  return $hash;
 239          }
 240  
 241          if (strlen($random) < 6)
 242              $random = $this->get_random_bytes(6);
 243          $hash =
 244              $this->crypt_private($password,
 245              $this->gensalt_private($random));
 246          if (strlen($hash) == 34)
 247              return $hash;
 248  
 249          # Returning '*' on error is safe here, but would _not_ be safe
 250          # in a crypt(3)-like function used _both_ for generating new
 251          # hashes and for validating passwords against existing hashes.
 252          return '*';
 253      }
 254  
 255  	function CheckPassword($password, $stored_hash)
 256      {
 257          $hash = $this->crypt_private($password, $stored_hash);
 258          if ($hash[0] == '*')
 259              $hash = crypt($password, $stored_hash);
 260  
 261          return $hash == $stored_hash;
 262      }
 263  }


Generated: Fri Mar 29 01:01:00 2024 Cross-referenced by PHPXref 0.7.1