* @author Schplurtz le Déboulonné * @license LGPL2 */ class PassHash { /** * Verifies a cleartext password against a crypted hash * * The method and salt used for the crypted hash is determined automatically, * then the clear text password is crypted using the same method. If both hashs * match true is is returned else false * * @author Andreas Gohr * @author Schplurtz le Déboulonné * * @param string $clear Clear-Text password * @param string $hash Hash to compare against * @return bool */ public function verify_hash($clear, $hash) { $method = ''; $salt = ''; $magic = ''; //determine the used method and salt if (str_starts_with($hash, 'U$')) { // This may be an updated password from user_update_7000(). Such hashes // have 'U' added as the first character and need an extra md5(). $hash = substr($hash, 1); $clear = md5($clear); } $len = strlen($hash); if (preg_match('/^\$1\$([^\$]{0,8})\$/', $hash, $m)) { $method = 'smd5'; $salt = $m[1]; $magic = '1'; } elseif (preg_match('/^\$apr1\$([^\$]{0,8})\$/', $hash, $m)) { $method = 'apr1'; $salt = $m[1]; $magic = 'apr1'; } elseif (preg_match('/^\$S\$(.{52})$/', $hash, $m)) { $method = 'drupal_sha512'; $salt = $m[1]; $magic = 'S'; } elseif (preg_match('/^\$P\$(.{31})$/', $hash, $m)) { $method = 'pmd5'; $salt = $m[1]; $magic = 'P'; } elseif (preg_match('/^\$H\$(.{31})$/', $hash, $m)) { $method = 'pmd5'; $salt = $m[1]; $magic = 'H'; } elseif (preg_match('/^pbkdf2_(\w+?)\$(\d+)\$(.{12})\$/', $hash, $m)) { $method = 'djangopbkdf2'; $magic = ['algo' => $m[1], 'iter' => $m[2]]; $salt = $m[3]; } elseif (preg_match('/^PBKDF2(SHA\d+)\$(\d+)\$([[:xdigit:]]+)\$([[:xdigit:]]+)$/', $hash, $m)) { $method = 'seafilepbkdf2'; $magic = ['algo' => $m[1], 'iter' => $m[2]]; $salt = $m[3]; } elseif (preg_match('/^sha1\$(.{5})\$/', $hash, $m)) { $method = 'djangosha1'; $salt = $m[1]; } elseif (preg_match('/^md5\$(.{5})\$/', $hash, $m)) { $method = 'djangomd5'; $salt = $m[1]; } elseif (preg_match('/^\$2([abxy])\$(.{2})\$/', $hash, $m)) { $method = 'bcrypt'; $salt = $hash; } elseif (str_starts_with($hash, '{SSHA}')) { $method = 'ssha'; $salt = substr(base64_decode(substr($hash, 6)), 20); } elseif (str_starts_with($hash, '{SMD5}')) { $method = 'lsmd5'; $salt = substr(base64_decode(substr($hash, 6)), 16); } elseif (preg_match('/^:B:(.+?):.{32}$/', $hash, $m)) { $method = 'mediawiki'; $salt = $m[1]; } elseif (preg_match('/^\$(5|6)\$(rounds=\d+)?\$?(.+?)\$/', $hash, $m)) { $method = 'sha2'; $salt = $m[3]; $magic = ['prefix' => $m[1], 'rounds' => $m[2]]; } elseif (preg_match('/^\$(argon2id?)/', $hash, $m)) { if (!defined('PASSWORD_' . strtoupper($m[1]))) { throw new \Exception('This PHP installation has no ' . strtoupper($m[1]) . ' support'); } return password_verify($clear, $hash); } elseif ($len == 32) { $method = 'md5'; } elseif ($len == 40) { $method = 'sha1'; } elseif ($len == 16) { $method = 'mysql'; } elseif ($len == 41 && $hash[0] == '*') { $method = 'my411'; } elseif ($len == 34) { $method = 'kmd5'; $salt = $hash; } else { $method = 'crypt'; $salt = substr($hash, 0, 2); } //crypt and compare $call = 'hash_' . $method; $newhash = $this->$call($clear, $salt, $magic); if (\hash_equals($newhash, $hash)) { return true; } return false; } /** * Create a random salt * * @param int $len The length of the salt * @return string */ public function gen_salt($len = 32) { $salt = ''; $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; for ($i = 0; $i < $len; $i++) { $salt .= $chars[$this->random(0, 61)]; } return $salt; } /** * Initialize the passed variable with a salt if needed. * * If $salt is not null, the value is kept, but the lenght restriction is * applied (unless, $cut is false). * * @param string|null &$salt The salt, pass null if you want one generated * @param int $len The length of the salt * @param bool $cut Apply length restriction to existing salt? */ public function init_salt(&$salt, $len = 32, $cut = true) { if (is_null($salt)) { $salt = $this->gen_salt($len); $cut = true; // for new hashes we alway apply length restriction } if (strlen($salt) > $len && $cut) $salt = substr($salt, 0, $len); } // Password hashing methods follow below /** * Password hashing method 'smd5' * * Uses salted MD5 hashs. Salt is 8 bytes long. * * The same mechanism is used by Apache's 'apr1' method. This will * fallback to a implementation in pure PHP if MD5 support is not * available in crypt() * * @author Andreas Gohr * @author * @link http://php.net/manual/en/function.crypt.php#73619 * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_smd5($clear, $salt = null) { $this->init_salt($salt, 8); if (defined('CRYPT_MD5') && CRYPT_MD5 && $salt !== '') { return crypt($clear, '$1$' . $salt . '$'); } else { // Fall back to PHP-only implementation return $this->hash_apr1($clear, $salt, '1'); } } /** * Password hashing method 'lsmd5' * * Uses salted MD5 hashs. Salt is 8 bytes long. * * This is the format used by LDAP. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_lsmd5($clear, $salt = null) { $this->init_salt($salt, 8); return "{SMD5}" . base64_encode(md5($clear . $salt, true) . $salt); } /** * Password hashing method 'apr1' * * Uses salted MD5 hashs. Salt is 8 bytes long. * * This is basically the same as smd1 above, but as used by Apache. * * @author * @link http://php.net/manual/en/function.crypt.php#73619 * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param string $magic The hash identifier (apr1 or 1) * @return string Hashed password */ public function hash_apr1($clear, $salt = null, $magic = 'apr1') { $this->init_salt($salt, 8); $len = strlen($clear); $text = $clear . '$' . $magic . '$' . $salt; $bin = pack("H32", md5($clear . $salt . $clear)); for ($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); } for ($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $clear[0]; } $bin = pack("H32", md5($text)); for ($i = 0; $i < 1000; $i++) { $new = ($i & 1) ? $clear : $bin; if ($i % 3) $new .= $salt; if ($i % 7) $new .= $clear; $new .= ($i & 1) ? $bin : $clear; $bin = pack("H32", md5($new)); } $tmp = ''; for ($i = 0; $i < 5; $i++) { $k = $i + 6; $j = $i + 12; if ($j == 16) $j = 5; $tmp = $bin[$i] . $bin[$k] . $bin[$j] . $tmp; } $tmp = chr(0) . chr(0) . $bin[11] . $tmp; $tmp = strtr( strrev(substr(base64_encode($tmp), 2)), "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" ); return '$' . $magic . '$' . $salt . '$' . $tmp; } /** * Password hashing method 'md5' * * Uses MD5 hashs. * * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_md5($clear) { return md5($clear); } /** * Password hashing method 'sha1' * * Uses SHA1 hashs. * * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_sha1($clear) { return sha1($clear); } /** * Password hashing method 'ssha' as used by LDAP * * Uses salted SHA1 hashs. Salt is 4 bytes long. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_ssha($clear, $salt = null) { $this->init_salt($salt, 4); return '{SSHA}' . base64_encode(pack("H*", sha1($clear . $salt)) . $salt); } /** * Password hashing method 'crypt' * * Uses salted crypt hashs. Salt is 2 bytes long. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_crypt($clear, $salt = null) { $this->init_salt($salt, 2); return crypt($clear, $salt); } /** * Password hashing method 'mysql' * * This method was used by old MySQL systems * * @link http://php.net/mysql * @author * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_mysql($clear) { $nr = 0x50305735; $nr2 = 0x12345671; $add = 7; $charArr = preg_split("//", $clear); foreach ($charArr as $char) { if (($char == '') || ($char == ' ') || ($char == '\t')) continue; $charVal = ord($char); $nr ^= ((($nr & 63) + $add) * $charVal) + ($nr << 8); $nr2 += ($nr2 << 8) ^ $nr; $add += $charVal; } return sprintf("%08x%08x", ($nr & 0x7fffffff), ($nr2 & 0x7fffffff)); } /** * Password hashing method 'my411' * * Uses SHA1 hashs. This method is used by MySQL 4.11 and above * * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_my411($clear) { return '*' . strtoupper(sha1(pack("H*", sha1($clear)))); } /** * Password hashing method 'kmd5' * * Uses salted MD5 hashs. * * Salt is 2 bytes long, but stored at position 16, so you need to pass at * least 18 bytes. You can pass the crypted hash as salt. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_kmd5($clear, $salt = null) { $this->init_salt($salt); $key = substr($salt, 16, 2); $hash1 = strtolower(md5($key . md5($clear))); $hash2 = substr($hash1, 0, 16) . $key . substr($hash1, 16); return $hash2; } /** * Password stretched hashing wrapper. * * Initial hash is repeatedly rehashed with same password. * Any salted hash algorithm supported by PHP hash() can be used. Salt * is 1+8 bytes long, 1st byte is the iteration count when given. For null * salts $compute is used. * * The actual iteration count is 2 to the power of the given count, * maximum is 30 (-> 2^30 = 1_073_741_824). If a higher one is given, * the function throws an exception. * This iteration count is expected to grow with increasing power of * new computers. * * @author Andreas Gohr * @author Schplurtz le Déboulonné * @link http://www.openwall.com/phpass/ * * @param string $algo The hash algorithm to be used * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param string $magic The hash identifier (P or H) * @param int $compute The iteration count for new passwords * @throws \Exception * @return string Hashed password */ protected function stretched_hash($algo, $clear, $salt = null, $magic = 'P', $compute = 8) { $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; if (is_null($salt)) { $this->init_salt($salt); $salt = $itoa64[$compute] . $salt; // prefix iteration count } $iterc = $salt[0]; // pos 0 of salt is log2(iteration count) $iter = strpos($itoa64, $iterc); if ($iter > 30) { throw new \Exception("Too high iteration count ($iter) in " . self::class . '::' . __FUNCTION__); } $iter = 1 << $iter; $salt = substr($salt, 1, 8); // iterate $hash = hash($algo, $salt . $clear, true); do { $hash = hash($algo, $hash . $clear, true); } while (--$iter); // encode $output = ''; $count = strlen($hash); $i = 0; do { $value = ord($hash[$i++]); $output .= $itoa64[$value & 0x3f]; if ($i < $count) $value |= ord($hash[$i]) << 8; $output .= $itoa64[($value >> 6) & 0x3f]; if ($i++ >= $count) break; if ($i < $count) $value |= ord($hash[$i]) << 16; $output .= $itoa64[($value >> 12) & 0x3f]; if ($i++ >= $count) break; $output .= $itoa64[($value >> 18) & 0x3f]; } while ($i < $count); return '$' . $magic . '$' . $iterc . $salt . $output; } /** * Password hashing method 'pmd5' * * Repeatedly uses salted MD5 hashs. See stretched_hash() for the * details. * * * @author Schplurtz le Déboulonné * @link http://www.openwall.com/phpass/ * @see PassHash::stretched_hash() for the implementation details. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param string $magic The hash identifier (P or H) * @param int $compute The iteration count for new passwords * @throws Exception * @return string Hashed password */ public function hash_pmd5($clear, $salt = null, $magic = 'P', $compute = 8) { return $this->stretched_hash('md5', $clear, $salt, $magic, $compute); } /** * Password hashing method 'drupal_sha512' * * Implements Drupal salted sha512 hashs. Drupal truncates the hash at 55 * characters. See stretched_hash() for the details; * * @author Schplurtz le Déboulonné * @link https://api.drupal.org/api/drupal/includes%21password.inc/7.x * @see PassHash::stretched_hash() for the implementation details. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param string $magic The hash identifier (S) * @param int $compute The iteration count for new passwords (defautl is drupal 7's) * @throws Exception * @return string Hashed password */ public function hash_drupal_sha512($clear, $salt = null, $magic = 'S', $compute = 15) { return substr($this->stretched_hash('sha512', $clear, $salt, $magic, $compute), 0, 55); } /** * Alias for hash_pmd5 * * @param string $clear * @param null|string $salt * @param string $magic * @param int $compute * * @return string * @throws \Exception */ public function hash_hmd5($clear, $salt = null, $magic = 'H', $compute = 8) { return $this->hash_pmd5($clear, $salt, $magic, $compute); } /** * Password hashing method 'djangosha1' * * Uses salted SHA1 hashs. Salt is 5 bytes long. * This is used by the Django Python framework * * @link http://docs.djangoproject.com/en/dev/topics/auth/#passwords * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_djangosha1($clear, $salt = null) { $this->init_salt($salt, 5); return 'sha1$' . $salt . '$' . sha1($salt . $clear); } /** * Password hashing method 'djangomd5' * * Uses salted MD5 hashs. Salt is 5 bytes long. * This is used by the Django Python framework * * @link http://docs.djangoproject.com/en/dev/topics/auth/#passwords * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_djangomd5($clear, $salt = null) { $this->init_salt($salt, 5); return 'md5$' . $salt . '$' . md5($salt . $clear); } /** * Password hashing method 'seafilepbkdf2' * * An algorithm and iteration count should be given in the opts array. * * Hash algorithm is the string that is in the password string in seafile * database. It has to be converted to a php algo name. * * @author Schplurtz le Déboulonné * @see https://stackoverflow.com/a/23670177 * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param array $opts ('algo' => hash algorithm, 'iter' => iterations) * @return string Hashed password * @throws Exception when PHP is missing support for the method/algo */ public function hash_seafilepbkdf2($clear, $salt = null, $opts = []) { $this->init_salt($salt, 64); if (empty($opts['algo'])) { $prefixalgo = 'SHA256'; } else { $prefixalgo = $opts['algo']; } $algo = strtolower($prefixalgo); if (empty($opts['iter'])) { $iter = 10000; } else { $iter = (int) $opts['iter']; } if (!function_exists('hash_pbkdf2')) { throw new Exception('This PHP installation has no PBKDF2 support'); } if (!in_array($algo, hash_algos())) { throw new Exception("This PHP installation has no $algo support"); } $hash = hash_pbkdf2($algo, $clear, hex2bin($salt), $iter, 0); return "PBKDF2$prefixalgo\$$iter\$$salt\$$hash"; } /** * Password hashing method 'djangopbkdf2' * * An algorithm and iteration count should be given in the opts array. * Defaults to sha256 and 24000 iterations * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param array $opts ('algo' => hash algorithm, 'iter' => iterations) * @return string Hashed password * @throws \Exception when PHP is missing support for the method/algo */ public function hash_djangopbkdf2($clear, $salt = null, $opts = []) { $this->init_salt($salt, 12); if (empty($opts['algo'])) { $algo = 'sha256'; } else { $algo = $opts['algo']; } if (empty($opts['iter'])) { $iter = 24000; } else { $iter = (int) $opts['iter']; } if (!function_exists('hash_pbkdf2')) { throw new \Exception('This PHP installation has no PBKDF2 support'); } if (!in_array($algo, hash_algos())) { throw new \Exception("This PHP installation has no $algo support"); } $hash = base64_encode(hash_pbkdf2($algo, $clear, $salt, $iter, 0, true)); return "pbkdf2_$algo\$$iter\$$salt\$$hash"; } /** * Alias for djangopbkdf2 defaulting to sha256 as hash algorithm * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param array $opts ('iter' => iterations) * @return string Hashed password * @throws \Exception when PHP is missing support for the method/algo */ public function hash_djangopbkdf2_sha256($clear, $salt = null, $opts = []) { $opts['algo'] = 'sha256'; return $this->hash_djangopbkdf2($clear, $salt, $opts); } /** * Alias for djangopbkdf2 defaulting to sha1 as hash algorithm * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param array $opts ('iter' => iterations) * @return string Hashed password * @throws \Exception when PHP is missing support for the method/algo */ public function hash_djangopbkdf2_sha1($clear, $salt = null, $opts = []) { $opts['algo'] = 'sha1'; return $this->hash_djangopbkdf2($clear, $salt, $opts); } /** * Passwordhashing method 'bcrypt' * * Uses a modified blowfish algorithm called eksblowfish * This method works on PHP 5.3+ only and will throw an exception * if the needed crypt support isn't available * * A full hash should be given as salt (starting with $a2$) or this * will break. When no salt is given, the iteration count can be set * through the $compute variable. * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param int $compute The iteration count (between 4 and 31) * @throws \Exception * @return string Hashed password */ public function hash_bcrypt($clear, $salt = null, $compute = 10) { if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH !== 1) { throw new \Exception('This PHP installation has no bcrypt support'); } if (is_null($salt)) { if ($compute < 4 || $compute > 31) $compute = 8; $salt = '$2y$' . str_pad($compute, 2, '0', STR_PAD_LEFT) . '$' . $this->gen_salt(22); } return crypt($clear, $salt); } /** * Password hashing method SHA-2 * * This is only supported on PHP 5.3.2 or higher and will throw an exception if * the needed crypt support is not available * * Uses: * - SHA-2 with 256-bit output for prefix $5$ * - SHA-2 with 512-bit output for prefix $6$ (default) * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @param array $opts ('rounds' => rounds for sha256/sha512, 'prefix' => selected method from SHA-2 family) * @return string Hashed password * @throws \Exception */ public function hash_sha2($clear, $salt = null, $opts = []) { if (empty($opts['prefix'])) { $prefix = '6'; } else { $prefix = $opts['prefix']; } if (empty($opts['rounds'])) { $rounds = null; } else { $rounds = $opts['rounds']; } if ($prefix == '5' && (!defined('CRYPT_SHA256') || CRYPT_SHA256 !== 1)) { throw new \Exception('This PHP installation has no SHA256 support'); } if ($prefix == '6' && (!defined('CRYPT_SHA512') || CRYPT_SHA512 !== 1)) { throw new \Exception('This PHP installation has no SHA512 support'); } $this->init_salt($salt, 8, false); if (empty($rounds)) { return crypt($clear, '$' . $prefix . '$' . $salt . '$'); } else { return crypt($clear, '$' . $prefix . '$' . $rounds . '$' . $salt . '$'); } } /** @see sha2 */ public function hash_sha512($clear, $salt = null, $opts = []) { $opts['prefix'] = 6; return $this->hash_sha2($clear, $salt, $opts); } /** @see sha2 */ public function hash_sha256($clear, $salt = null, $opts = []) { $opts['prefix'] = 5; return $this->hash_sha2($clear, $salt, $opts); } /** * Password hashing method 'mediawiki' * * Uses salted MD5, this is referred to as Method B in MediaWiki docs. Unsalted md5 * method 'A' is not supported. * * @link http://www.mediawiki.org/wiki/Manual_talk:User_table#user_password_column * * @param string $clear The clear text to hash * @param string $salt The salt to use, null for random * @return string Hashed password */ public function hash_mediawiki($clear, $salt = null) { $this->init_salt($salt, 8, false); return ':B:' . $salt . ':' . md5($salt . '-' . md5($clear)); } /** * Password hashing method 'argon2i' * * Uses php's own password_hash function to create argon2i password hash * Default Cost and thread options are used for now. * * @link https://www.php.net/manual/de/function.password-hash.php * * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_argon2i($clear) { if (!defined('PASSWORD_ARGON2I')) { throw new \Exception('This PHP installation has no ARGON2I support'); } return password_hash($clear, PASSWORD_ARGON2I); } /** * Password hashing method 'argon2id' * * Uses php's own password_hash function to create argon2id password hash * Default Cost and thread options are used for now. * * @link https://www.php.net/manual/de/function.password-hash.php * * @param string $clear The clear text to hash * @return string Hashed password */ public function hash_argon2id($clear) { if (!defined('PASSWORD_ARGON2ID')) { throw new \Exception('This PHP installation has no ARGON2ID support'); } return password_hash($clear, PASSWORD_ARGON2ID); } /** * Wraps around native hash_hmac() or reimplents it * * This is not directly used as password hashing method, and thus isn't callable via the * verify_hash() method. It should be used to create signatures and might be used in other * password hashing methods. * * @see hash_hmac() * @author KC Cloyd * @link http://php.net/manual/en/function.hash-hmac.php#93440 * * @param string $algo Name of selected hashing algorithm (i.e. "md5", "sha256", "haval160,4", * etc..) See hash_algos() for a list of supported algorithms. * @param string $data Message to be hashed. * @param string $key Shared secret key used for generating the HMAC variant of the message digest. * @param bool $raw_output When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits. * @return string */ public static function hmac($algo, $data, $key, $raw_output = false) { // use native function if available and not in unit test if (function_exists('hash_hmac') && !defined('SIMPLE_TEST')) { return hash_hmac($algo, $data, $key, $raw_output); } $algo = strtolower($algo); $pack = 'H' . strlen($algo('test')); $size = 64; $opad = str_repeat(chr(0x5C), $size); $ipad = str_repeat(chr(0x36), $size); if (strlen($key) > $size) { $key = str_pad(pack($pack, $algo($key)), $size, chr(0x00)); } else { $key = str_pad($key, $size, chr(0x00)); } for ($i = 0; $i < strlen($key) - 1; $i++) { $ochar = $opad[$i] ^ $key[$i]; $ichar = $ipad[$i] ^ $key[$i]; $opad[$i] = $ochar; $ipad[$i] = $ichar; } $output = $algo($opad . pack($pack, $algo($ipad . $data))); return ($raw_output) ? pack($pack, $output) : $output; } /** * Use a secure random generator * * @param int $min * @param int $max * @return int */ protected function random($min, $max) { try { return random_int($min, $max); } catch (\Exception $e) { // availability of random source is checked elsewhere in DokuWiki // we demote this to an unchecked runtime exception here throw new \RuntimeException($e->getMessage(), $e->getCode(), $e); } } }