1<?php 2/** 3 * Portable PHP password hashing framework. 4 * @package phpass 5 * @since 2.5.0 6 * @version 0.5 / WordPress 7 * @link https://www.openwall.com/phpass/ 8 */ 9 10# 11# Portable PHP password hashing framework. 12# 13# Version 0.5.4 / WordPress. 14# 15# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in 16# the public domain. Revised in subsequent years, still public domain. 17# 18# There's absolutely no warranty. 19# 20# The homepage URL for this framework is: 21# 22# http://www.openwall.com/phpass/ 23# 24# Please be sure to update the Version line if you edit this file in any way. 25# It is suggested that you leave the main version number intact, but indicate 26# your project name (after the slash) and add your own revision information. 27# 28# Please do not change the "private" password hashing method implemented in 29# here, thereby making your hashes incompatible. However, if you must, please 30# change the hash type identifier (the "$P$") to something different. 31# 32# Obviously, since this code is in the public domain, the above are not 33# requirements (there can be none), but merely suggestions. 34# 35 36/** 37 * Portable PHP password hashing framework. 38 * 39 * @package phpass 40 * @version 0.5 / WordPress 41 * @link https://www.openwall.com/phpass/ 42 * @since 2.5.0 43 */ 44class PasswordHash { 45 var $itoa64; 46 var $iteration_count_log2; 47 var $portable_hashes; 48 var $random_state; 49 50 function __construct($iteration_count_log2, $portable_hashes) 51 { 52 $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 53 54 if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) { 55 $iteration_count_log2 = 8; 56 } 57 $this->iteration_count_log2 = $iteration_count_log2; 58 59 $this->portable_hashes = $portable_hashes; 60 61 $this->random_state = microtime(); 62 if (function_exists('getmypid')) { 63 $this->random_state .= getmypid(); 64 } 65 } 66 67 function PasswordHash($iteration_count_log2, $portable_hashes) 68 { 69 self::__construct($iteration_count_log2, $portable_hashes); 70 } 71 72 function get_random_bytes($count) 73 { 74 $output = ''; 75 if (@is_readable('/dev/urandom') && 76 ($fh = @fopen('/dev/urandom', 'rb'))) { 77 $output = fread($fh, $count); 78 fclose($fh); 79 } 80 81 if (strlen($output) < $count) { 82 $output = ''; 83 for ($i = 0; $i < $count; $i += 16) { 84 $this->random_state = 85 md5(microtime() . $this->random_state); 86 $output .= md5($this->random_state, TRUE); 87 } 88 $output = substr($output, 0, $count); 89 } 90 91 return $output; 92 } 93 94 function encode64($input, $count) 95 { 96 $output = ''; 97 $i = 0; 98 do { 99 $value = ord($input[$i++]); 100 $output .= $this->itoa64[$value & 0x3f]; 101 if ($i < $count) { 102 $value |= ord($input[$i]) << 8; 103 } 104 $output .= $this->itoa64[($value >> 6) & 0x3f]; 105 if ($i++ >= $count) { 106 break; 107 } 108 if ($i < $count) { 109 $value |= ord($input[$i]) << 16; 110 } 111 $output .= $this->itoa64[($value >> 12) & 0x3f]; 112 if ($i++ >= $count) { 113 break; 114 } 115 $output .= $this->itoa64[($value >> 18) & 0x3f]; 116 } while ($i < $count); 117 118 return $output; 119 } 120 121 function gensalt_private($input) 122 { 123 $output = '$P$'; 124 $output .= $this->itoa64[min($this->iteration_count_log2 + 5, 125 30)]; 126 $output .= $this->encode64($input, 6); 127 128 return $output; 129 } 130 131 function crypt_private($password, $setting) 132 { 133 $output = '*0'; 134 if (substr($setting, 0, 2) === $output) { 135 $output = '*1'; 136 } 137 138 $id = substr($setting, 0, 3); 139 # We use "$P$", phpBB3 uses "$H$" for the same thing 140 if ($id !== '$P$' && $id !== '$H$') { 141 return $output; 142 } 143 144 $count_log2 = strpos($this->itoa64, $setting[3]); 145 if ($count_log2 < 7 || $count_log2 > 30) { 146 return $output; 147 } 148 149 $count = 1 << $count_log2; 150 151 $salt = substr($setting, 4, 8); 152 if (strlen($salt) !== 8) { 153 return $output; 154 } 155 156 # We were kind of forced to use MD5 here since it's the only 157 # cryptographic primitive that was available in all versions 158 # of PHP in use. To implement our own low-level crypto in PHP 159 # would have resulted in much worse performance and 160 # consequently in lower iteration counts and hashes that are 161 # quicker to crack (by non-PHP code). 162 $hash = md5($salt . $password, TRUE); 163 do { 164 $hash = md5($hash . $password, TRUE); 165 } while (--$count); 166 167 $output = substr($setting, 0, 12); 168 $output .= $this->encode64($hash, 16); 169 170 return $output; 171 } 172 173 function gensalt_blowfish($input) 174 { 175 # This one needs to use a different order of characters and a 176 # different encoding scheme from the one in encode64() above. 177 # We care because the last character in our encoded string will 178 # only represent 2 bits. While two known implementations of 179 # bcrypt will happily accept and correct a salt string which 180 # has the 4 unused bits set to non-zero, we do not want to take 181 # chances and we also do not want to waste an additional byte 182 # of entropy. 183 $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; 184 185 $output = '$2a$'; 186 $output .= chr((int)(ord('0') + $this->iteration_count_log2 / 10)); 187 $output .= chr(ord('0') + $this->iteration_count_log2 % 10); 188 $output .= '$'; 189 190 $i = 0; 191 do { 192 $c1 = ord($input[$i++]); 193 $output .= $itoa64[$c1 >> 2]; 194 $c1 = ($c1 & 0x03) << 4; 195 if ($i >= 16) { 196 $output .= $itoa64[$c1]; 197 break; 198 } 199 200 $c2 = ord($input[$i++]); 201 $c1 |= $c2 >> 4; 202 $output .= $itoa64[$c1]; 203 $c1 = ($c2 & 0x0f) << 2; 204 205 $c2 = ord($input[$i++]); 206 $c1 |= $c2 >> 6; 207 $output .= $itoa64[$c1]; 208 $output .= $itoa64[$c2 & 0x3f]; 209 } while (1); 210 211 return $output; 212 } 213 214 function HashPassword($password) 215 { 216 if ( strlen( $password ) > 4096 ) { 217 return '*'; 218 } 219 220 $random = ''; 221 222 if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) { 223 $random = $this->get_random_bytes(16); 224 $hash = 225 crypt($password, $this->gensalt_blowfish($random)); 226 if (strlen($hash) === 60) { 227 return $hash; 228 } 229 } 230 231 if (strlen($random) < 6) { 232 $random = $this->get_random_bytes(6); 233 } 234 $hash = 235 $this->crypt_private($password, 236 $this->gensalt_private($random)); 237 if (strlen($hash) === 34) { 238 return $hash; 239 } 240 241 # Returning '*' on error is safe here, but would _not_ be safe 242 # in a crypt(3)-like function used _both_ for generating new 243 # hashes and for validating passwords against existing hashes. 244 return '*'; 245 } 246 247 function CheckPassword($password, $stored_hash) 248 { 249 if ( strlen( $password ) > 4096 ) { 250 return false; 251 } 252 253 $hash = $this->crypt_private($password, $stored_hash); 254 if ($hash[0] === '*') { 255 $hash = crypt($password, $stored_hash); 256 } 257 258 # This is not constant-time. In order to keep the code simple, 259 # for timing safety we currently rely on the salts being 260 # unpredictable, which they are at least in the non-fallback 261 # cases (that is, when we use /dev/urandom and bcrypt). 262 return $hash === $stored_hash; 263 } 264} 265