Revision 1903
Added by darkviper over 11 years ago
branches/2.8.x/CHANGELOG | ||
---|---|---|
11 | 11 |
! = Update/Change |
12 | 12 |
=============================================================================== |
13 | 13 |
|
14 |
13 May-2013 Build 1903 Werner v.d.Decken(DarkViper) |
|
15 |
! some typofixes in class PassWord |
|
16 |
- class /framework/PasswordHash never needed(replaced by /include/phpass/PasswordHash |
|
14 | 17 |
12 May-2013 Build 1902 Werner v.d.Decken(DarkViper) |
15 | 18 |
+ added posssibility to use different adaptors for each module |
16 | 19 |
+ added new adaptor to access language definitions in a MySQL database |
branches/2.8.x/wb/admin/interface/version.php | ||
---|---|---|
51 | 51 |
|
52 | 52 |
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) |
53 | 53 |
if(!defined('VERSION')) define('VERSION', '2.8.3'); |
54 |
if(!defined('REVISION')) define('REVISION', '1902');
|
|
54 |
if(!defined('REVISION')) define('REVISION', '1903');
|
|
55 | 55 |
if(!defined('SP')) define('SP', ''); |
branches/2.8.x/wb/framework/PasswordHash.php | ||
---|---|---|
1 |
<?php |
|
2 |
/** |
|
3 |
* @category Core |
|
4 |
* @package Core_security |
|
5 |
* @author Werner v.d.Decken |
|
6 |
* @copyright ISTeasy-project(http://isteasy.de/) |
|
7 |
* @license Creative Commons BY-SA 3.0 http://creativecommons.org/licenses/by-sa/3.0/ |
|
8 |
* @version $Id$ |
|
9 |
* @filesource $HeadURL:$ |
|
10 |
* @since Datei vorhanden seit Release 2.8.2 |
|
11 |
* @lastmodified $Date:$ |
|
12 |
* |
|
13 |
* this class works with salted md5-hashes with several rounds. |
|
14 |
* For backward compatibility it can compare normal md5-hashes also. |
|
15 |
* Minimum requirements: PHP 5.2.2 or higher |
|
16 |
* |
|
17 |
* ***************************************************************************** |
|
18 |
* This class is based on the Portable PHP password hashing framework. |
|
19 |
* Version 0.3 / genuine. Written by Solar Designer <solar at openwall.com> |
|
20 |
* in 2004-2006 and placed in the public domain. Revised in subsequent years, |
|
21 |
* still public domain. There's absolutely no warranty. |
|
22 |
* The homepage URL for this framework is: http://www.openwall.com/phpass/ |
|
23 |
* ***************************************************************************** |
|
24 |
*/ |
|
25 |
class PasswordHash { |
|
26 |
|
|
27 |
const SECURITY_WEAK = 6; |
|
28 |
const SECURITY_MEDIUM = 8; |
|
29 |
const SECURITY_NORMAL = 10; |
|
30 |
const SECURITY_STRONG = 12; |
|
31 |
const SECURITY_STRONGER = 16; |
|
32 |
|
|
33 |
private $_itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; |
|
34 |
private $_iterationCountLog2 = 8; |
|
35 |
private $_portableHashes = true; |
|
36 |
private $_randomState = ''; |
|
37 |
|
|
38 |
/** |
|
39 |
* @param int $iterationCountLog2 number of iterations as exponent of 2 |
|
40 |
* @param bool $portableHashes TRUE = use MD5 only | FALSE = automatic |
|
41 |
*/ |
|
42 |
public function __construct($iterationCountLog2, $portableHashes = true) |
|
43 |
{ |
|
44 |
|
|
45 |
if ($iterationCountLog2 < 4 || $iterationCountLog2 > 31) { |
|
46 |
$iterationCountLog2 = 8; |
|
47 |
} |
|
48 |
$this->_iterationCountLog2 = $iterationCountLog2; |
|
49 |
$this->_portableHashes = $portableHashes; |
|
50 |
$this->_randomState = microtime(); |
|
51 |
if (function_exists('getmypid')) { |
|
52 |
$this->_randomState .= getmypid(); |
|
53 |
} |
|
54 |
} |
|
55 |
|
|
56 |
|
|
57 |
private function _getRandomBytes($count) |
|
58 |
{ |
|
59 |
$output = ''; |
|
60 |
if (is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) { |
|
61 |
$output = fread($fh, $count); |
|
62 |
fclose($fh); |
|
63 |
} |
|
64 |
if (strlen($output) < $count) { |
|
65 |
$output = ''; |
|
66 |
for ($i = 0; $i < $count; $i += 16) { |
|
67 |
$this->_randomState = md5(microtime() . $this->_randomState); |
|
68 |
$output .= pack('H*', md5($this->_randomState)); |
|
69 |
} |
|
70 |
$output = substr($output, 0, $count); |
|
71 |
} |
|
72 |
return $output; |
|
73 |
} |
|
74 |
|
|
75 |
private function _Encode64($input, $count) |
|
76 |
{ |
|
77 |
$output = ''; |
|
78 |
$i = 0; |
|
79 |
do { |
|
80 |
$value = ord($input[$i++]); |
|
81 |
$output .= $this->_itoa64[$value & 0x3f]; |
|
82 |
if ($i < $count) { |
|
83 |
$value |= ord($input[$i]) << 8; |
|
84 |
} |
|
85 |
$output .= $this->_itoa64[($value >> 6) & 0x3f]; |
|
86 |
if ($i++ >= $count) { break; } |
|
87 |
if ($i < $count) { |
|
88 |
$value |= ord($input[$i]) << 16; |
|
89 |
} |
|
90 |
$output .= $this->_itoa64[($value >> 12) & 0x3f]; |
|
91 |
if ($i++ >= $count) { break; } |
|
92 |
$output .= $this->_itoa64[($value >> 18) & 0x3f]; |
|
93 |
} while ($i < $count); |
|
94 |
return $output; |
|
95 |
} |
|
96 |
|
|
97 |
private function _GenSaltPrivate($input) |
|
98 |
{ |
|
99 |
$output = '$P$'; |
|
100 |
$output .= $this->_itoa64[min($this->_iterationCountLog2 + 5, 30)]; |
|
101 |
$output .= $this->_Encode64($input, 6); |
|
102 |
return $output; |
|
103 |
} |
|
104 |
|
|
105 |
private function _CryptPrivate($password, $setting) |
|
106 |
{ |
|
107 |
$output = '*0'; |
|
108 |
if (substr($setting, 0, 2) == $output) { |
|
109 |
$output = '*1'; |
|
110 |
} |
|
111 |
$id = substr($setting, 0, 3); |
|
112 |
# We use "$P$", phpBB3 uses "$H$" for the same thing |
|
113 |
if ($id != '$P$' && $id != '$H$') { |
|
114 |
return $output; |
|
115 |
} |
|
116 |
$count_log2 = strpos($this->_itoa64, $setting[3]); |
|
117 |
if ($count_log2 < 7 || $count_log2 > 30) { |
|
118 |
return $output; |
|
119 |
} |
|
120 |
$count = 1 << $count_log2; |
|
121 |
$salt = substr($setting, 4, 8); |
|
122 |
if (strlen($salt) != 8) { |
|
123 |
return $output; |
|
124 |
} |
|
125 |
# We're kind of forced to use MD5 here since it's the only |
|
126 |
# cryptographic primitive available in all versions of PHP |
|
127 |
# currently in use. To implement our own low-level crypto |
|
128 |
# in PHP would result in much worse performance and |
|
129 |
# consequently in lower iteration counts and hashes that are |
|
130 |
# quicker to crack (by non-PHP code). |
|
131 |
$hash = md5($salt . $password, TRUE); |
|
132 |
do { |
|
133 |
$hash = md5($hash . $password, TRUE); |
|
134 |
} while (--$count); |
|
135 |
$output = substr($setting, 0, 12); |
|
136 |
$output .= $this->_Encode64($hash, 16); |
|
137 |
return $output; |
|
138 |
} |
|
139 |
|
|
140 |
/** |
|
141 |
* calculate the hash from a given password |
|
142 |
* @param string $password password as original string |
|
143 |
* @return string generated hash | '*' on error |
|
144 |
*/ |
|
145 |
public function HashPassword($password, $md5 = false) |
|
146 |
{ |
|
147 |
if ($md5) { return(md5($password)); } |
|
148 |
$random = ''; |
|
149 |
if (strlen($random) < 6) { |
|
150 |
$random = $this->_getRandomBytes(6); |
|
151 |
} |
|
152 |
$hash = $this->_CryptPrivate($password, $this->_GenSaltPrivate($random)); |
|
153 |
if (strlen($hash) == 34) { |
|
154 |
return $hash; |
|
155 |
} |
|
156 |
# Returning '*' on error is safe here, but would _not_ be safe |
|
157 |
# in a crypt(3)-like function used _both_ for generating new |
|
158 |
# hashes and for validating passwords against existing hashes. |
|
159 |
return '*'; |
|
160 |
} |
|
161 |
|
|
162 |
/** |
|
163 |
* encodes the password and compare it against the given hash |
|
164 |
* @param string $password clear password |
|
165 |
* @param string $stored_hash the hash to compare against |
|
166 |
* @return bool |
|
167 |
*/ |
|
168 |
public function CheckPassword($password, $stored_hash) |
|
169 |
{ |
|
170 |
// compare against a normal, simple md5-hash |
|
171 |
if(preg_match('/^[0-9a-f]{32}$/i', $stored_hash)) { |
|
172 |
return md5($password) == $stored_hash; |
|
173 |
} |
|
174 |
// compare against a rounded, salted md5-hash |
|
175 |
$hash = $this->_CryptPrivate($password, $stored_hash); |
|
176 |
if ($hash[0] == '*') { |
|
177 |
$hash = crypt($password, $stored_hash); |
|
178 |
} |
|
179 |
return $hash == $stored_hash; |
|
180 |
} |
|
181 |
/** |
|
182 |
* generate a case sensitive mnemonic password including numbers and special chars |
|
183 |
* makes no use of lowercase 'l', uppercase 'I', 'O' or number '0' |
|
184 |
* @param int $length length of the generated password. default = 8 |
|
185 |
* @return string |
|
186 |
*/ |
|
187 |
public static function NewPassword($length = self::SECURITY_MEDIUM) |
|
188 |
{ |
|
189 |
$chars = array( |
|
190 |
array('b','c','d','f','g','h','j','k','l','m','n','p','r','s','t','v','w','x','y','z'), |
|
191 |
array('a','e','i','o','u'), |
|
192 |
array('!','-','@','_',':','.','+','%','/','*') |
|
193 |
); |
|
194 |
if($length < self::SECURITY_WEAK) { $length = self::SECURITY_WEAK; } |
|
195 |
$length = ceil($length / 2); |
|
196 |
$Password = array(); |
|
197 |
// at first fill array alternating with vowels and consonants |
|
198 |
for($x = 0; $x < $length; $x++) { |
|
199 |
$char = $chars[0][rand(1000, 10000) % sizeof($chars[0])]; |
|
200 |
$Password[] = $char == 'l' ? 'L' : $char; |
|
201 |
$Password[] = $chars[1][rand(1000, 10000) % sizeof($chars[1])]; |
|
202 |
} |
|
203 |
// transform some random chars into uppercase |
|
204 |
$pos = ((rand(1000, 10000) % 3) + 1); |
|
205 |
while($pos < sizeof($Password)) { |
|
206 |
$Password[$pos] = ($Password[$pos] == 'i' || $Password[$pos] == 'o') |
|
207 |
? $Password[$pos] : strtoupper($Password[$pos]); |
|
208 |
$pos += ((rand(1000, 10000) % 3) + 1); |
|
209 |
} |
|
210 |
// insert some numeric chars, between 1 and 9 |
|
211 |
$specialChars = array(); |
|
212 |
$specialCharsCount = floor(sizeof($Password) / 4); |
|
213 |
while(sizeof($specialChars) < $specialCharsCount) { |
|
214 |
$key = (rand(1000, 10000) % sizeof($Password)); |
|
215 |
if(!isset($specialChars[$key])) { |
|
216 |
$specialChars[$key] = (rand(1000, 10000) % 9) + 1; |
|
217 |
} |
|
218 |
} |
|
219 |
// insert some punctuation chars, but not leading or trailing |
|
220 |
$specialCharsCount += floor((sizeof($Password)-1) / 6); |
|
221 |
while(sizeof($specialChars) < $specialCharsCount) { |
|
222 |
$key = (rand(1000, 10000) % (sizeof($Password)-2))+1; |
|
223 |
if(!isset($specialChars[$key])) { |
|
224 |
$specialChars[$key] = $chars[2][(rand(1000, 10000) % sizeof($chars[2]))]; |
|
225 |
} |
|
226 |
} |
|
227 |
foreach($specialChars as $key=>$val) { |
|
228 |
$Password[$key] = $val; |
|
229 |
} |
|
230 |
|
|
231 |
return implode($Password); |
|
232 |
} |
|
233 |
|
|
234 |
} // end of class |
branches/2.8.x/wb/framework/Password.php | ||
---|---|---|
16 | 16 |
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
17 | 17 |
*/ |
18 | 18 |
/** |
19 |
* Description of Password |
|
20 |
* ***************************************************************************** |
|
21 |
* This class is interfacing the Portable PHP password hashing framework. |
|
22 |
* Version 0.4 / ISTeam Rev. 0.1 |
|
23 |
* ISTeam changes: added SHA-256, SHA-512 (2012/10/27 Werner v.d. Decken) |
|
24 |
* ***************************************************************************** |
|
25 |
* |
|
26 | 19 |
* @category WBCore |
27 | 20 |
* @package WBCore_Security |
28 | 21 |
* @author Werner v.d. Decken <wkl@isteam.de> |
... | ... | |
33 | 26 |
* @link $HeadURL$ |
34 | 27 |
* @lastmodified $Date$ |
35 | 28 |
* @since Datei vorhanden seit Release 1.2.0 |
29 |
* @description This class is interfacing the Portable PHP password hashing framework.<br /> |
|
30 |
* Version 0.4 / ISTeam Rev. 0.1<br /> |
|
31 |
* ISTeam changes: added SHA-256, SHA-512 (2012/10/27 Werner v.d. Decken) |
|
36 | 32 |
*/ |
37 | 33 |
|
38 |
// use \vendors\phpass\PasswordHash;
|
|
34 |
// backwardcompatibility for PHP 5.2.2 + WB2.8.x
|
|
39 | 35 |
if(!class_exists('PasswordHash')) { |
40 | 36 |
include(dirname(dirname(__FILE__)).'/include/phpass/PasswordHash.php'); |
41 | 37 |
} |
42 | 38 |
|
43 | 39 |
|
44 | 40 |
class Password extends PasswordHash |
45 |
//class Password extends v_phpass_PasswordHash
|
|
41 |
//class Password extends vendors\phpass\PasswordHash
|
|
46 | 42 |
{ |
47 | 43 |
|
48 |
const MIN_CRYPT_LOOPS = 6; // minimum numbers of loops is 2^6 (64) very, very quick
|
|
49 |
const MAX_CRYPT_LOOPS = 31; // maximum numbers of loops is 2^31 (2,147,483,648) extremely slow
|
|
50 |
const DEFAULT_CRYPT_LOOPS = 12; // default numbers of loopf is 2^12 (4096) a good average
|
|
44 |
const CRYPT_LOOPS_MIN = 6; // minimum numbers of loops is 2^6 (64) very, very quick
|
|
45 |
const CRYPT_LOOPS_MAX = 31; // maximum numbers of loops is 2^31 (2,147,483,648) extremely slow
|
|
46 |
const CRYPT_LOOPS_DEFAULT = 12; // default numbers of loopf is 2^12 (4096) a good average
|
|
51 | 47 |
|
52 | 48 |
const HASH_TYPE_PORTABLE = true; // use MD5 only |
53 | 49 |
const HASH_TYPE_AUTO = false; // select highest available crypting methode |
54 | 50 |
|
55 |
const MIN_PW_LENGTH = 6;
|
|
56 |
const MAX_PW_LENGTH = 100;
|
|
57 |
const DEFAULT_PW_LENGTH = 10;
|
|
51 |
const PW_LENGTH_MIN = 6;
|
|
52 |
const PW_LENGTH_MAX = 100;
|
|
53 |
const PW_LENGTH_DEFAULT = 10;
|
|
58 | 54 |
|
59 | 55 |
const PW_USE_LOWERCHAR = 0x0001; // use lower chars |
60 | 56 |
const PW_USE_UPPERCHAR = 0x0002; // use upper chars |
... | ... | |
67 | 63 |
* @param int number of iterations as exponent of 2 (must be between 4 and 31) |
68 | 64 |
* @param bool TRUE = use MD5 only | FALSE = automatic |
69 | 65 |
*/ |
70 |
public function __construct($iIterationCountLog2 = self::DEFAULT_CRYPT_LOOPS, $bPortableHashes = self::HASH_TYPE_AUTO)
|
|
66 |
public function __construct($iIterationCountLog2 = self::CRYPT_LOOPS_DEFAULT, $bPortableHashes = self::HASH_TYPE_AUTO)
|
|
71 | 67 |
{ |
72 | 68 |
parent::__construct($iIterationCountLog2, $bPortableHashes); |
73 | 69 |
} |
... | ... | |
96 | 92 |
/** |
97 | 93 |
* generate a case sensitive mnemonic password including numbers and special chars |
98 | 94 |
* makes no use of confusing characters like 'O' and '0' and so on. |
99 |
* @param int length of the generated password. default = DEFAULT_PW_LENGTH
|
|
95 |
* @param int length of the generated password. default = PW_LENGTH_DEFAULT
|
|
100 | 96 |
* @param int defines which elemets are used to generate a password. Default = PW_USE_ALL |
101 | 97 |
* @return string |
102 | 98 |
*/ |
103 |
public static function createNew($iLength = self::DEFAULT_PW_LENGTH, $iElements = self::PW_USE_ALL)
|
|
99 |
public static function createNew($iLength = self::PW_LENGTH_DEFAULT, $iElements = self::PW_USE_ALL)
|
|
104 | 100 |
{ |
105 | 101 |
$aChars = array( |
106 | 102 |
array('b','c','d','f','g','h','j','k','m','n','p','q','r','s','t','v','w','x','y','z'), |
... | ... | |
110 | 106 |
array('!','-','@','_',':','.','+','%','/','*') |
111 | 107 |
); |
112 | 108 |
$iElements = ($iElements & self::PW_USE_ALL) == 0 ? self::PW_USE_ALL : $iElements; |
113 |
if(($iLength < self::MIN_PW_LENGTH) || ($iLength > self::MAX_PW_LENGTH)) {
|
|
114 |
$iLength = self::DEFAULT_PW_LENGTH;
|
|
109 |
if(($iLength < self::PW_LENGTH_MIN) || ($iLength > self::PW_LENGTH_MAX)) {
|
|
110 |
$iLength = self::PW_LENGTH_DEFAULT;
|
|
115 | 111 |
} |
116 | 112 |
// at first create random arrays of lowerchars and uperchars |
117 | 113 |
// alternating between vowels and consonants |
... | ... | |
119 | 115 |
$aLowerCase = array(); |
120 | 116 |
for($x = 0; $x < ceil($iLength / 2); $x++) { |
121 | 117 |
// consonants |
122 |
$y = rand(1000, 10000) % sizeof($aChars[0]);
|
|
123 |
$aLowerCase[] = $aChars[0][$y];
|
|
124 |
$y = rand(1000, 10000) % sizeof($aChars[1]);
|
|
125 |
$aUpperCase[] = $aChars[1][$y];
|
|
118 |
$i1 = rand(1000, 10000) % sizeof($aChars[0]);
|
|
119 |
$aLowerCase[] = $aChars[0][$i1];
|
|
120 |
$i2 = rand(1000, 10000) % sizeof($aChars[1]);
|
|
121 |
$aUpperCase[] = $aChars[1][$i2];
|
|
126 | 122 |
// vowels |
127 |
$y = rand(1000, 10000) % sizeof($aChars[2]);
|
|
128 |
$aLowerCase[] = $aChars[2][$y];
|
|
129 |
$y = rand(1000, 10000) % sizeof($aChars[3]);
|
|
130 |
$aUpperCase[] = $aChars[3][$y];
|
|
123 |
$i3 = rand(1000, 10000) % sizeof($aChars[2]);
|
|
124 |
$aLowerCase[] = $aChars[2][$i3];
|
|
125 |
$i4 = rand(1000, 10000) % sizeof($aChars[3]);
|
|
126 |
$aUpperCase[] = $aChars[3][$i4];
|
|
131 | 127 |
} |
132 | 128 |
// create random arrays of numeric digits 2-9 and special chars |
133 | 129 |
$aDigits = array(); |
... | ... | |
154 | 150 |
} |
155 | 151 |
if($iElements & self::PW_USE_DIGITS) { |
156 | 152 |
if($bMerge) { |
157 |
$iNumberOfDigits = (rand(1000, 10000) % ceil($iLength / 2.5));
|
|
158 |
$iNumberOfDigits = $iNumberOfDigits ? $iNumberOfDigits : 1;
|
|
153 |
$x = (rand(1000, 10000) % ceil($iLength / 2.5));
|
|
154 |
$iNumberOfDigits = $x ? $x : 1;
|
|
159 | 155 |
$aPassword = self::_mergeIntoPassword($aPassword, $aDigits, $iNumberOfDigits); |
160 | 156 |
}else { |
161 | 157 |
$aPassword = $aDigits; |
... | ... | |
164 | 160 |
} |
165 | 161 |
if($iElements & self::PW_USE_SPECIAL) { |
166 | 162 |
if($bMerge) { |
167 |
$iNumberOfSpecialChars = rand(1000, 10000) % ceil($iLength / 5);
|
|
168 |
$iNumberOfSpecialChars = $iNumberOfSpecialChars ? $iNumberOfSpecialChars : 1;
|
|
163 |
$x = rand(1000, 10000) % ceil($iLength / 5);
|
|
164 |
$iNumberOfSpecialChars = $x ? $x : 1;
|
|
169 | 165 |
$aPassword = self::_mergeIntoPassword($aPassword, $aSpecialChars, $iNumberOfSpecialChars); |
170 | 166 |
}else { |
171 | 167 |
$aPassword = $aSpecialChars; |
Also available in: Unified diff
some typofixes in class PassWord
class /framework/PasswordHash never needed(replaced by /include/phpass/PasswordHash