Diff: STRATO-apps/wordpress_03/app/wp-includes/class-phpass.php

Keine Baseline-Datei – Diff nur gegen leer.
Baseline Vorherige Version
Zur Liste
1 -
1 + <?php
2 + /**
3 + * Portable PHP password hashing framework.
4 + * @package phpass
5 + * @since 2.5.0
6 + * @version 0.5 / WordPress
7 + * @link https://www.openwall.com/phpass/
8 + */
9 +
10 + #
11 + # Portable PHP password hashing framework.
12 + #
13 + # Version 0.5.4 / WordPress.
14 + #
15 + # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
16 + # the public domain. Revised in subsequent years, still public domain.
17 + #
18 + # There's absolutely no warranty.
19 + #
20 + # The homepage URL for this framework is:
21 + #
22 + # http://www.openwall.com/phpass/
23 + #
24 + # Please be sure to update the Version line if you edit this file in any way.
25 + # It is suggested that you leave the main version number intact, but indicate
26 + # your project name (after the slash) and add your own revision information.
27 + #
28 + # Please do not change the "private" password hashing method implemented in
29 + # here, thereby making your hashes incompatible. However, if you must, please
30 + # change the hash type identifier (the "$P$") to something different.
31 + #
32 + # Obviously, since this code is in the public domain, the above are not
33 + # requirements (there can be none), but merely suggestions.
34 + #
35 +
36 + /**
37 + * Portable PHP password hashing framework.
38 + *
39 + * @package phpass
40 + * @version 0.5 / WordPress
41 + * @link https://www.openwall.com/phpass/
42 + * @since 2.5.0
43 + */
44 + class PasswordHash {
45 + var $itoa64;
46 + var $iteration_count_log2;
47 + var $portable_hashes;
48 + var $random_state;
49 +
50 + function __construct($iteration_count_log2, $portable_hashes)
51 + {
52 + $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
53 +
54 + if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) {
55 + $iteration_count_log2 = 8;
56 + }
57 + $this->iteration_count_log2 = $iteration_count_log2;
58 +
59 + $this->portable_hashes = $portable_hashes;
60 +
61 + $this->random_state = microtime();
62 + if (function_exists('getmypid')) {
63 + $this->random_state .= getmypid();
64 + }
65 + }
66 +
67 + function PasswordHash($iteration_count_log2, $portable_hashes)
68 + {
69 + self::__construct($iteration_count_log2, $portable_hashes);
70 + }
71 +
72 + function get_random_bytes($count)
73 + {
74 + $output = '';
75 + if (@is_readable('/dev/urandom') &&
76 + ($fh = @fopen('/dev/urandom', 'rb'))) {
77 + $output = fread($fh, $count);
78 + fclose($fh);
79 + }
80 +
81 + if (strlen($output) < $count) {
82 + $output = '';
83 + for ($i = 0; $i < $count; $i += 16) {
84 + $this->random_state =
85 + md5(microtime() . $this->random_state);
86 + $output .= md5($this->random_state, TRUE);
87 + }
88 + $output = substr($output, 0, $count);
89 + }
90 +
91 + return $output;
92 + }
93 +
94 + function encode64($input, $count)
95 + {
96 + $output = '';
97 + $i = 0;
98 + do {
99 + $value = ord($input[$i++]);
100 + $output .= $this->itoa64[$value & 0x3f];
101 + if ($i < $count) {
102 + $value |= ord($input[$i]) << 8;
103 + }
104 + $output .= $this->itoa64[($value >> 6) & 0x3f];
105 + if ($i++ >= $count) {
106 + break;
107 + }
108 + if ($i < $count) {
109 + $value |= ord($input[$i]) << 16;
110 + }
111 + $output .= $this->itoa64[($value >> 12) & 0x3f];
112 + if ($i++ >= $count) {
113 + break;
114 + }
115 + $output .= $this->itoa64[($value >> 18) & 0x3f];
116 + } while ($i < $count);
117 +
118 + return $output;
119 + }
120 +
121 + function gensalt_private($input)
122 + {
123 + $output = '$P$';
124 + $output .= $this->itoa64[min($this->iteration_count_log2 + 5,
125 + 30)];
126 + $output .= $this->encode64($input, 6);
127 +
128 + return $output;
129 + }
130 +
131 + function crypt_private($password, $setting)
132 + {
133 + $output = '*0';
134 + if (substr($setting, 0, 2) === $output) {
135 + $output = '*1';
136 + }
137 +
138 + $id = substr($setting, 0, 3);
139 + # We use "$P$", phpBB3 uses "$H$" for the same thing
140 + if ($id !== '$P$' && $id !== '$H$') {
141 + return $output;
142 + }
143 +
144 + $count_log2 = strpos($this->itoa64, $setting[3]);
145 + if ($count_log2 < 7 || $count_log2 > 30) {
146 + return $output;
147 + }
148 +
149 + $count = 1 << $count_log2;
150 +
151 + $salt = substr($setting, 4, 8);
152 + if (strlen($salt) !== 8) {
153 + return $output;
154 + }
155 +
156 + # We were kind of forced to use MD5 here since it's the only
157 + # cryptographic primitive that was available in all versions
158 + # of PHP in use. To implement our own low-level crypto in PHP
159 + # would have resulted in much worse performance and
160 + # consequently in lower iteration counts and hashes that are
161 + # quicker to crack (by non-PHP code).
162 + $hash = md5($salt . $password, TRUE);
163 + do {
164 + $hash = md5($hash . $password, TRUE);
165 + } while (--$count);
166 +
167 + $output = substr($setting, 0, 12);
168 + $output .= $this->encode64($hash, 16);
169 +
170 + return $output;
171 + }
172 +
173 + function gensalt_blowfish($input)
174 + {
175 + # This one needs to use a different order of characters and a
176 + # different encoding scheme from the one in encode64() above.
177 + # We care because the last character in our encoded string will
178 + # only represent 2 bits. While two known implementations of
179 + # bcrypt will happily accept and correct a salt string which
180 + # has the 4 unused bits set to non-zero, we do not want to take
181 + # chances and we also do not want to waste an additional byte
182 + # of entropy.
183 + $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
184 +
185 + $output = '$2a$';
186 + $output .= chr((int)(ord('0') + $this->iteration_count_log2 / 10));
187 + $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
188 + $output .= '$';
189 +
190 + $i = 0;
191 + do {
192 + $c1 = ord($input[$i++]);
193 + $output .= $itoa64[$c1 >> 2];
194 + $c1 = ($c1 & 0x03) << 4;
195 + if ($i >= 16) {
196 + $output .= $itoa64[$c1];
197 + break;
198 + }
199 +
200 + $c2 = ord($input[$i++]);
201 + $c1 |= $c2 >> 4;
202 + $output .= $itoa64[$c1];
203 + $c1 = ($c2 & 0x0f) << 2;
204 +
205 + $c2 = ord($input[$i++]);
206 + $c1 |= $c2 >> 6;
207 + $output .= $itoa64[$c1];
208 + $output .= $itoa64[$c2 & 0x3f];
209 + } while (1);
210 +
211 + return $output;
212 + }
213 +
214 + function HashPassword($password)
215 + {
216 + if ( strlen( $password ) > 4096 ) {
217 + return '*';
218 + }
219 +
220 + $random = '';
221 +
222 + if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
223 + $random = $this->get_random_bytes(16);
224 + $hash =
225 + crypt($password, $this->gensalt_blowfish($random));
226 + if (strlen($hash) === 60) {
227 + return $hash;
228 + }
229 + }
230 +
231 + if (strlen($random) < 6) {
232 + $random = $this->get_random_bytes(6);
233 + }
234 + $hash =
235 + $this->crypt_private($password,
236 + $this->gensalt_private($random));
237 + if (strlen($hash) === 34) {
238 + return $hash;
239 + }
240 +
241 + # Returning '*' on error is safe here, but would _not_ be safe
242 + # in a crypt(3)-like function used _both_ for generating new
243 + # hashes and for validating passwords against existing hashes.
244 + return '*';
245 + }
246 +
247 + function CheckPassword($password, $stored_hash)
248 + {
249 + if ( strlen( $password ) > 4096 ) {
250 + return false;
251 + }
252 +
253 + $hash = $this->crypt_private($password, $stored_hash);
254 + if ($hash[0] === '*') {
255 + $hash = crypt($password, $stored_hash);
256 + }
257 +
258 + # This is not constant-time. In order to keep the code simple,
259 + # for timing safety we currently rely on the salts being
260 + # unpredictable, which they are at least in the non-fallback
261 + # cases (that is, when we use /dev/urandom and bcrypt).
262 + return $hash === $stored_hash;
263 + }
264 + }
265 +