|
1
|
<?php
|
|
2
|
/**
|
|
3
|
* @category Core
|
|
4
|
* @package Core_security
|
|
5
|
* @author Werner v.d.Decken
|
|
6
|
* @copyright ISTeasy-project(http://isteasy.de/)
|
|
7
|
* @license Creative Commons BY-SA 3.0 http://creativecommons.org/licenses/by-sa/3.0/
|
|
8
|
* @version $Id: PasswordHash.php 2 2017-07-02 15:14:29Z Manuela $
|
|
9
|
* @filesource $HeadURL: svn://isteam.dynxs.de/wb/2.10.x/branches/main/framework/PasswordHash.php $
|
|
10
|
* @since Datei vorhanden seit Release 2.8.2
|
|
11
|
* @lastmodified $Date: 2017-07-02 17:14:29 +0200 (Sun, 02 Jul 2017) $
|
|
12
|
*
|
|
13
|
* this class works with salted md5-hashes with several rounds.
|
|
14
|
* For backward compatibility it can compare normal md5-hashes also.
|
|
15
|
* Minimum requirements: PHP 5.2.2 or higher
|
|
16
|
*
|
|
17
|
* *****************************************************************************
|
|
18
|
* This class is based on the Portable PHP password hashing framework.
|
|
19
|
* Version 0.3 / genuine. Written by Solar Designer <solar at openwall.com>
|
|
20
|
* in 2004-2006 and placed in the public domain. Revised in subsequent years,
|
|
21
|
* still public domain. There's absolutely no warranty.
|
|
22
|
* The homepage URL for this framework is: http://www.openwall.com/phpass/
|
|
23
|
* *****************************************************************************
|
|
24
|
*/
|
|
25
|
class PasswordHash {
|
|
26
|
|
|
27
|
const SECURITY_WEAK = 6;
|
|
28
|
const SECURITY_MEDIUM = 8;
|
|
29
|
const SECURITY_NORMAL = 10;
|
|
30
|
const SECURITY_STRONG = 12;
|
|
31
|
const SECURITY_STRONGER = 16;
|
|
32
|
|
|
33
|
private $_itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
|
34
|
private $_iterationCountLog2 = 8;
|
|
35
|
private $_portableHashes = true;
|
|
36
|
private $_randomState = '';
|
|
37
|
|
|
38
|
/**
|
|
39
|
* @param int $iterationCountLog2 number of iterations as exponent of 2
|
|
40
|
* @param bool $portableHashes TRUE = use MD5 only | FALSE = automatic
|
|
41
|
*/
|
|
42
|
public function __construct($iterationCountLog2, $portableHashes = true)
|
|
43
|
{
|
|
44
|
|
|
45
|
if ($iterationCountLog2 < 4 || $iterationCountLog2 > 31) {
|
|
46
|
$iterationCountLog2 = 8;
|
|
47
|
}
|
|
48
|
$this->_iterationCountLog2 = $iterationCountLog2;
|
|
49
|
$this->_portableHashes = $portableHashes;
|
|
50
|
$this->_randomState = microtime();
|
|
51
|
if (function_exists('getmypid')) {
|
|
52
|
$this->_randomState .= getmypid();
|
|
53
|
}
|
|
54
|
}
|
|
55
|
|
|
56
|
|
|
57
|
private function _getRandomBytes($count)
|
|
58
|
{
|
|
59
|
$output = '';
|
|
60
|
if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
|
|
61
|
$output = fread($fh, $count);
|
|
62
|
fclose($fh);
|
|
63
|
}
|
|
64
|
if (strlen($output) < $count) {
|
|
65
|
$output = '';
|
|
66
|
for ($i = 0; $i < $count; $i += 16) {
|
|
67
|
$this->_randomState = md5(microtime() . $this->_randomState);
|
|
68
|
$output .= pack('H*', md5($this->_randomState));
|
|
69
|
}
|
|
70
|
$output = substr($output, 0, $count);
|
|
71
|
}
|
|
72
|
return $output;
|
|
73
|
}
|
|
74
|
|
|
75
|
private function _Encode64($input, $count)
|
|
76
|
{
|
|
77
|
$output = '';
|
|
78
|
$i = 0;
|
|
79
|
do {
|
|
80
|
$value = ord($input[$i++]);
|
|
81
|
$output .= $this->_itoa64[$value & 0x3f];
|
|
82
|
if ($i < $count) {
|
|
83
|
$value |= ord($input[$i]) << 8;
|
|
84
|
}
|
|
85
|
$output .= $this->_itoa64[($value >> 6) & 0x3f];
|
|
86
|
if ($i++ >= $count) { break; }
|
|
87
|
if ($i < $count) {
|
|
88
|
$value |= ord($input[$i]) << 16;
|
|
89
|
}
|
|
90
|
$output .= $this->_itoa64[($value >> 12) & 0x3f];
|
|
91
|
if ($i++ >= $count) { break; }
|
|
92
|
$output .= $this->_itoa64[($value >> 18) & 0x3f];
|
|
93
|
} while ($i < $count);
|
|
94
|
return $output;
|
|
95
|
}
|
|
96
|
|
|
97
|
private function _GenSaltPrivate($input)
|
|
98
|
{
|
|
99
|
$output = '$P$';
|
|
100
|
$output .= $this->_itoa64[min($this->_iterationCountLog2 + 5, 30)];
|
|
101
|
$output .= $this->_Encode64($input, 6);
|
|
102
|
return $output;
|
|
103
|
}
|
|
104
|
|
|
105
|
private function _CryptPrivate($password, $setting)
|
|
106
|
{
|
|
107
|
$output = '*0';
|
|
108
|
if (substr($setting, 0, 2) == $output) {
|
|
109
|
$output = '*1';
|
|
110
|
}
|
|
111
|
$id = substr($setting, 0, 3);
|
|
112
|
# We use "$P$", phpBB3 uses "$H$" for the same thing
|
|
113
|
if ($id != '$P$' && $id != '$H$') {
|
|
114
|
return $output;
|
|
115
|
}
|
|
116
|
$count_log2 = strpos($this->_itoa64, $setting[3]);
|
|
117
|
if ($count_log2 < 7 || $count_log2 > 30) {
|
|
118
|
return $output;
|
|
119
|
}
|
|
120
|
$count = 1 << $count_log2;
|
|
121
|
$salt = substr($setting, 4, 8);
|
|
122
|
if (strlen($salt) != 8) {
|
|
123
|
return $output;
|
|
124
|
}
|
|
125
|
# We're kind of forced to use MD5 here since it's the only
|
|
126
|
# cryptographic primitive available in all versions of PHP
|
|
127
|
# currently in use. To implement our own low-level crypto
|
|
128
|
# in PHP would result in much worse performance and
|
|
129
|
# consequently in lower iteration counts and hashes that are
|
|
130
|
# quicker to crack (by non-PHP code).
|
|
131
|
$hash = md5($salt . $password, TRUE);
|
|
132
|
do {
|
|
133
|
$hash = md5($hash . $password, TRUE);
|
|
134
|
} while (--$count);
|
|
135
|
$output = substr($setting, 0, 12);
|
|
136
|
$output .= $this->_Encode64($hash, 16);
|
|
137
|
return $output;
|
|
138
|
}
|
|
139
|
|
|
140
|
/**
|
|
141
|
* calculate the hash from a given password
|
|
142
|
* @param string $password password as original string
|
|
143
|
* @return string generated hash | '*' on error
|
|
144
|
*/
|
|
145
|
public function HashPassword($password, $md5 = false)
|
|
146
|
{
|
|
147
|
if ($md5) { return(md5($password)); }
|
|
148
|
$random = '';
|
|
149
|
if (strlen($random) < 6) {
|
|
150
|
$random = $this->_getRandomBytes(6);
|
|
151
|
}
|
|
152
|
$hash = $this->_CryptPrivate($password, $this->_GenSaltPrivate($random));
|
|
153
|
if (strlen($hash) == 34) {
|
|
154
|
return $hash;
|
|
155
|
}
|
|
156
|
# Returning '*' on error is safe here, but would _not_ be safe
|
|
157
|
# in a crypt(3)-like function used _both_ for generating new
|
|
158
|
# hashes and for validating passwords against existing hashes.
|
|
159
|
return '*';
|
|
160
|
}
|
|
161
|
|
|
162
|
/**
|
|
163
|
* encodes the password and compare it against the given hash
|
|
164
|
* @param string $password clear password
|
|
165
|
* @param string $stored_hash the hash to compare against
|
|
166
|
* @return bool
|
|
167
|
*/
|
|
168
|
public function CheckPassword($password, $stored_hash)
|
|
169
|
{
|
|
170
|
// compare against a normal, simple md5-hash
|
|
171
|
if(preg_match('/^[0-9a-f]{32}$/i', $stored_hash)) {
|
|
172
|
return md5($password) == $stored_hash;
|
|
173
|
}
|
|
174
|
// compare against a rounded, salted md5-hash
|
|
175
|
$hash = $this->_CryptPrivate($password, $stored_hash);
|
|
176
|
if ($hash[0] == '*') {
|
|
177
|
$hash = crypt($password, $stored_hash);
|
|
178
|
}
|
|
179
|
return $hash == $stored_hash;
|
|
180
|
}
|
|
181
|
/**
|
|
182
|
* generate a case sensitive mnemonic password including numbers and special chars
|
|
183
|
* makes no use of lowercase 'l', uppercase 'I', 'O' or number '0'
|
|
184
|
* @param int $length length of the generated password. default = 8
|
|
185
|
* @return string
|
|
186
|
*/
|
|
187
|
public static function NewPassword($length = self::SECURITY_MEDIUM)
|
|
188
|
{
|
|
189
|
$chars = array(
|
|
190
|
array('b','c','d','f','g','h','j','k','l','m','n','p','r','s','t','v','w','x','y','z'),
|
|
191
|
array('a','e','i','o','u'),
|
|
192
|
array('!','-','@','_',':','.','+','%','/','*')
|
|
193
|
);
|
|
194
|
if($length < self::SECURITY_WEAK) { $length = self::SECURITY_WEAK; }
|
|
195
|
$length = ceil($length / 2);
|
|
196
|
$Password = array();
|
|
197
|
// at first fill array alternating with vowels and consonants
|
|
198
|
for($x = 0; $x < $length; $x++) {
|
|
199
|
$char = $chars[0][rand(1000, 10000) % sizeof($chars[0])];
|
|
200
|
$Password[] = $char == 'l' ? 'L' : $char;
|
|
201
|
$Password[] = $chars[1][rand(1000, 10000) % sizeof($chars[1])];
|
|
202
|
}
|
|
203
|
// transform some random chars into uppercase
|
|
204
|
$pos = ((rand(1000, 10000) % 3) + 1);
|
|
205
|
while($pos < sizeof($Password)) {
|
|
206
|
$Password[$pos] = ($Password[$pos] == 'i' || $Password[$pos] == 'o')
|
|
207
|
? $Password[$pos] : strtoupper($Password[$pos]);
|
|
208
|
$pos += ((rand(1000, 10000) % 3) + 1);
|
|
209
|
}
|
|
210
|
// insert some numeric chars, between 1 and 9
|
|
211
|
$specialChars = array();
|
|
212
|
$specialCharsCount = floor(sizeof($Password) / 4);
|
|
213
|
while(sizeof($specialChars) < $specialCharsCount) {
|
|
214
|
$key = (rand(1000, 10000) % sizeof($Password));
|
|
215
|
if(!isset($specialChars[$key])) {
|
|
216
|
$specialChars[$key] = (rand(1000, 10000) % 9) + 1;
|
|
217
|
}
|
|
218
|
}
|
|
219
|
// insert some punctuation chars, but not leading or trailing
|
|
220
|
$specialCharsCount += floor((sizeof($Password)-1) / 6);
|
|
221
|
while(sizeof($specialChars) < $specialCharsCount) {
|
|
222
|
$key = (rand(1000, 10000) % (sizeof($Password)-2))+1;
|
|
223
|
if(!isset($specialChars[$key])) {
|
|
224
|
$specialChars[$key] = $chars[2][(rand(1000, 10000) % sizeof($chars[2]))];
|
|
225
|
}
|
|
226
|
}
|
|
227
|
foreach($specialChars as $key=>$val) {
|
|
228
|
$Password[$key] = $val;
|
|
229
|
}
|
|
230
|
|
|
231
|
return implode($Password);
|
|
232
|
}
|
|
233
|
|
|
234
|
} // end of class
|