WB 2.08.x

26 Aug-2011 Build 1506 Werner v.d.Decken(DarkViper)

+ new class PasswordHash

+ new Password-/Hash-generator

if(!defined('REVISION')) define('REVISION', '1506');

<?php

/**

 * @category     Core

 * @package      Core_security

 * @author       Werner v.d.Decken

 * @copyright    ISTeasy-project(http://isteasy.de/)

 * @license      Creative Commons BY-SA 3.0 http://creativecommons.org/licenses/by-sa/3.0/

 * @version      $Id$

 * @filesource   $HeadURL:$

 * @since        Datei vorhanden seit Release 2.8.2

 * @lastmodified $Date:$

 *

 * this class works with salted md5-hashes with several rounds. 

 * For backward compatibility it can compare normal md5-hashes also.

 *

 * *****************************************************************************

 * This class is based on the Portable PHP password hashing framework.

 * Version 0.3 / genuine. Written by Solar Designer <solar at openwall.com>

 * in 2004-2006 and placed in the public domain. Revised in subsequent years,

 * still public domain. There's absolutely no warranty.

 * The homepage URL for this framework is: http://www.openwall.com/phpass/

 * *****************************************************************************

 */

class PasswordHash {

	private $_itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

	private $_iterationCountLog2 = 8;

	private $_portableHashes = true;

	private $_randomState = '';

	/**

	 * @param int $iterationCountLog2 number of iterations as exponent of 2

	 * @param bool $portableHashes TRUE = use MD5 only | FALSE = automatic

	 */

	public function __construct($iterationCountLog2, $portableHashes = true)

	{

		if ($iterationCountLog2 < 4 || $iterationCountLog2 > 31) {

			$iterationCountLog2 = 8;

		}

		$this->_iterationCountLog2 = $iterationCountLog2;

		$this->_portableHashes = $portableHashes;

		$this->_randomState = microtime();

		if (function_exists('getmypid')) {

			$this->_randomState .= getmypid();

		}

	}

	private function _getRandomBytes($count)

	{

		$output = '';

		if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {

			$output = fread($fh, $count);

			fclose($fh);

		}

		if (strlen($output) < $count) {

			$output = '';

			for ($i = 0; $i < $count; $i += 16) {

				$this->_randomState = md5(microtime() . $this->_randomState);

				$output .= pack('H*', md5($this->_randomState));

			}

			$output = substr($output, 0, $count);

		}

		return $output;

	}

	private function _Encode64($input, $count)

	{

		$output = '';

		$i = 0;

		do {

			$value = ord($input[$i++]);

			$output .= $this->_itoa64[$value & 0x3f];

			if ($i < $count) {

				$value |= ord($input[$i]) << 8;

			}

			$output .= $this->_itoa64[($value >> 6) & 0x3f];

			if ($i++ >= $count) { break; }

			if ($i < $count) {

				$value |= ord($input[$i]) << 16;

			}

			$output .= $this->_itoa64[($value >> 12) & 0x3f];

			if ($i++ >= $count) { break; }

			$output .= $this->_itoa64[($value >> 18) & 0x3f];

		} while ($i < $count);

		return $output;

	}

	private function _GenSaltPrivate($input)

	{

		$output = '$P$';

		$output .= $this->_itoa64[min($this->_iterationCountLog2 +

		                          ((PHP_VERSION >= '5') ? 5 : 3), 30)];

		$output .= $this->_Encode64($input, 6);

		return $output;

	}

	private function _CryptPrivate($password, $setting)

	{

		$output = '*0';

		if (substr($setting, 0, 2) == $output) {

			$output = '*1';

		}

		$id = substr($setting, 0, 3);

		# We use "$P$", phpBB3 uses "$H$" for the same thing

		if ($id != '$P$' && $id != '$H$') {

			return $output;

		}

		$count_log2 = strpos($this->_itoa64, $setting[3]);

		if ($count_log2 < 7 || $count_log2 > 30) {

			return $output;

		}

		$count = 1 << $count_log2;

		$salt = substr($setting, 4, 8);

		if (strlen($salt) != 8) {

			return $output;

		}

		# We're kind of forced to use MD5 here since it's the only

		# cryptographic primitive available in all versions of PHP

		# currently in use.  To implement our own low-level crypto

		# in PHP would result in much worse performance and

		# consequently in lower iteration counts and hashes that are

		# quicker to crack (by non-PHP code).

		if (PHP_VERSION >= '5') {

			$hash = md5($salt . $password, TRUE);

			do {

				$hash = md5($hash . $password, TRUE);

			} while (--$count);

		} else {

			$hash = pack('H*', md5($salt . $password));

			do {

				$hash = pack('H*', md5($hash . $password));

			} while (--$count);

		}

		$output = substr($setting, 0, 12);

		$output .= $this->_Encode64($hash, 16);

		return $output;

	}

	/**

	 * calculate the hash from a given password

	 * @param string $password password as original string

	 * @return string generated hash | '*' on error

	 */

	public function HashPassword($password)

	{

		$random = '';

		if (strlen($random) < 6) {

			$random = $this->_getRandomBytes(6);

		}

		$hash = $this->_CryptPrivate($password, $this->_GenSaltPrivate($random));

		if (strlen($hash) == 34) {

			return $hash;

		}

		# Returning '*' on error is safe here, but would _not_ be safe

		# in a crypt(3)-like function used _both_ for generating new

		# hashes and for validating passwords against existing hashes.

		return '*';

	}

	/**

	 * encodes the password and compare it against the given hash

	 * @param string $password clear password

	 * @param string $stored_hash the hash to compare against

	 * @return bool

	 */

	public function CheckPassword($password, $stored_hash)

	{

	// compare against a normal, simple md5-hash

		if(preg_match('/^[0-9a-f]{32}$/i', $stored_hash)) {

			return md5($password) == $stored_hash;

		}

	// compare against a rounded, salted md5-hash

		$hash = $this->_CryptPrivate($password, $stored_hash);

		if ($hash[0] == '*') {

			$hash = crypt($password, $stored_hash);

		}

		return $hash == $stored_hash;

	}

	/**

	 * generate a case sensitive mnemonic password including numbers and special chars

	 * makes no use of lowercase 'l', uppercase 'I', 'O' or number '0'

	 * @param int $length length of the generated password. default = 8

	 * @return string

	 */

	public static function NewPassword($length = 8)

	{

		$chars = array(

			array('b','c','d','f','g','h','j','k','l','m','n','p','r','s','t','v','w','x','y','z'),

			array('a','e','i','o','u'),

			array('!','-','@','_',':','.','+','%','/','*')

		);

		$length = ceil($length / 2);

		$Password = array();

	// at first fill array alternating with vowels and consonants

		for($x = 0; $x < $length; $x++) {

			$char = $chars[0][rand(1000, 10000) % sizeof($chars[0])];

			$Password[] = $char == 'l' ? 'L' : $char;

			$Password[] = $chars[1][rand(1000, 10000) % sizeof($chars[1])];

		}

	// transform 2 random chars into uppercase

		for($x = 0; $x < 2; $x++) {

			$pos = rand(1000, 10000) % sizeof($Password);

			$Password[$pos] = ($Password[$pos] == 'i' || $Password[$pos] == 'o')

			                  ? $Password[$pos] : strtoupper($Password[$pos]);

		}

	// randomly insert one special char, but not at position 0 or as last char

		$pos = (rand(1000, 10000) % (sizeof($Password)-2))+1;

		$Password[$pos] = $chars[2][rand(1000, 10000) % sizeof($chars[2])];

	// randomly insert a numeric char, between 1 and 9

		$pos = rand(1000, 10000) % sizeof($Password);

		$Password[$pos] = (rand(1000, 10000) % 9) + 1;

		return implode($Password);

	}

} // end of class

<?php

/**

 * @category     Core

 * @package      Core_security

 * @author       Werner v.d.Decken

 * @copyright    ISTeasy-project(http://isteasy.de/)

 * @license      Creative Commons BY-SA 3.0 http://creativecommons.org/licenses/by-sa/3.0/

 * @version      $Id$

 * @filesource   $HeadURL:$

 * @since        Datei vorhanden seit Release 2.8.2

 * @lastmodified $Date:$

 *

 * this class works with salted md5-hashes with several rounds. 

 * For backward compatibility it can compare normal md5-hashes also.

 *

 */

 $path2class = './framework/PasswordHash.php';

	$newpass = '';

	$pass    = '';

	$hash    = '';

	include $path2class;

	if(!isset($_POST['action']) ) { $_POST['action'] = 'pass'; }

	if($_POST['action'] == 'hash') {

		if(isset($_POST['pass']) && trim($_POST['pass']) != '') {

			$pass = trim($_POST['pass']);

			$newpass = $pass;

			$ph = new PasswordHash(12);

			$hash = $ph->HashPassword($pass);

		}

	}else {

		if(!isset($_POST['length']) ) { $_POST['length'] = 8; }

		$length = intval($_POST['length']);

		$newpass = PasswordHash::NewPassword($length);

		$pass = $newpass;

	}

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">

	<head>

		<title>PWH-Generator v.0.1</title>

		<meta http-equiv="content-type" content="text/html; charset=utf-8" />

		<meta name="author" content="Werner von der Decken" />

		<meta name="copyright" content="ISTeasy, W.v.d.Decken" />

		<meta name="generator" content="ISTeasy - PWH-Generator v.0.1" />

		<style type="text/css">

			html { /* Schrifteinstellung für das ganze Dokument */

				font-family: "Trebuchet MS",Verdana, Arial, Helvetica, sans-serif;

				font-size: 78%;

				font-weight: normal;

				color: #303030;

				min-height: 100.2%;

			}

			body {

				text-align: center;

				padding-top: 4em;

			}

			.body {

				width: 40em;

				margin: auto;

			}

			fieldset {

				padding: 1em 0;

			}

			legend {

				font-size: 1.3em;

			}

			input {

				width: 90%;

				margin: 0.5em 0;

				padding: 3px;

				font-size: 1.2em;

			}

			#hash { font-size: 1em; }

		</style>

		<script type="text/javascript">

			function clearHash() {

				document.genhash.hash.value = "";

			}

		</script>

	</head>

	<body>

		<div class="body">

			<h1>PWH-Generator v.0.1</h1>

			<fieldset>

				<legend>&nbsp;Password-Generator&nbsp;</legend>

				<form  method="post" name="genpass" action="">

					<input type="hidden" name="action" value="pass" />

					<label for="length">length of password </label>&nbsp;&nbsp;

					<input type="radio" name="length" value="6">06</input>&nbsp;

					<input type="radio" name="length" value="8" checked="checked">08</input>&nbsp;

					<input type="radio" name="length" value="10">10</input>&nbsp;

					<input type="radio" name="length" value="12">12</input>&nbsp;

					<input type="radio" name="length" value="14">14</input>&nbsp;

					<input type="radio" name="length" value="16">16</input>&nbsp;

					<input type="radio" name="length" value="18">18</input>&nbsp;

					<input type="radio" name="length" value="20">20</input>&nbsp;<br /><br />

					<label for="pass">Our password suggestion</label><br />

					<input type="text" id="pass" name="pass" value="<?php echo $newpass; ?>" readonly="readonly" /><br /><br />

					<input name="submit" id="submit1" type="submit" value="suggest password" />

				</form>

			</fieldset><br /><br />

			<fieldset>

				<legend>&nbsp;Hash-Generator&nbsp;</legend>

				<form  method="post" name="genhash" action="">

					<input type="hidden" name="action" value="hash" />

					<label for="pass">Enter Text to hash</label><br />

					<input type="text" id="pass" name="pass" value="<?php echo $pass; ?>" onkeypress="clearHash();" /><br />

					<label for="hash">Hash to copy</label><br />

					<input type="text" id="hash" name="hash" value="<?php echo $hash; ?>" readonly="readonly" /><br /><br />

					<input name="submit" id="submit0" type="submit" value="calculate hash" />

				</form>

			</fieldset>

		</div>

	</body>

</html>