PageRenderTime 47ms CodeModel.GetById 18ms RepoModel.GetById 1ms app.codeStats 0ms

/vendor/ircmaxell/password-compat/lib/password.php

https://gitlab.com/techniconline/kmc
PHP | 321 lines | 209 code | 22 blank | 90 comment | 60 complexity | ff51226de4d0e3db8359a7051c75214f MD5 | raw file
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * A Compatibility library with PHP 5.5's simplified password hashing API.
    4. 

  4.  *
    5. 

  5.  * @author Anthony Ferrara <ircmaxell@php.net>
    6. 

  6.  * @license http://www.opensource.org/licenses/mit-license.html MIT License
    7. 

  7.  * @copyright 2012 The Authors
    8. 

  8.  */
    9. 

  9. 

  10. namespace {
    11. 

  11. 

  12.     if (!defined('PASSWORD_BCRYPT')) {
    13. 

  13.         /**
    14. 

  14.          * PHPUnit Process isolation caches constants, but not function declarations.
    15. 

  15.          * So we need to check if the constants are defined separately from
    16. 

  16.          * the functions to enable supporting process isolation in userland
    17. 

  17.          * code.
    18. 

  18.          */
    19. 

  19.         define('PASSWORD_BCRYPT', 1);
    20. 

  20.         define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
    21. 

  21.         define('PASSWORD_BCRYPT_DEFAULT_COST', 10);
    22. 

  22.     }
    23. 

  23. 

  24.     if (!function_exists('password_hash')) {
    25. 

  25. 

  26.         /**
    27. 

  27.          * Hash the password using the specified algorithm
    28. 

  28.          *
    29. 

  29.          * @param string $password The password to hash
    30. 

  30.          * @param int $algo The algorithm to use (Defined by PASSWORD_* constants)
    31. 

  31.          * @param array $options The options for the algorithm to use
    32. 

  32.          *
    33. 

  33.          * @return string|false The hashed password, or false on error.
    34. 

  34.          */
    35. 

  35.         function password_hash($password, $algo, array $options = array())
    36. 

  36.         {
    37. 

  37.             if (!function_exists('crypt')) {
    38. 

  38.                 trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);
    39. 

  39.                 return null;
    40. 

  40.             }
    41. 

  41.             if (is_null($password) || is_int($password)) {
    42. 

  42.                 $password = (string)$password;
    43. 

  43.             }
    44. 

  44.             if (!is_string($password)) {
    45. 

  45.                 trigger_error("password_hash(): Password must be a string", E_USER_WARNING);
    46. 

  46.                 return null;
    47. 

  47.             }
    48. 

  48.             if (!is_int($algo)) {
    49. 

  49.                 trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);
    50. 

  50.                 return null;
    51. 

  51.             }
    52. 

  52.             $resultLength = 0;
    53. 

  53.             switch ($algo) {
    54. 

  54.                 case PASSWORD_BCRYPT:
    55. 

  55.                     $cost = PASSWORD_BCRYPT_DEFAULT_COST;
    56. 

  56.                     if (isset($options['cost'])) {
    57. 

  57.                         $cost = $options['cost'];
    58. 

  58.                         if ($cost < 4 || $cost > 31) {
    59. 

  59.                             trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);
    60. 

  60.                             return null;
    61. 

  61.                         }
    62. 

  62.                     }
    63. 

  63.                     // The length of salt to generate
    64. 

  64.                     $raw_salt_len = 16;
    65. 

  65.                     // The length required in the final serialization
    66. 

  66.                     $required_salt_len = 22;
    67. 

  67.                     $hash_format = sprintf("$2y$%02d$", $cost);
    68. 

  68.                     // The expected length of the final crypt() output
    69. 

  69.                     $resultLength = 60;
    70. 

  70.                     break;
    71. 

  71.                 default:
    72. 

  72.                     trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);
    73. 

  73.                     return null;
    74. 

  74.             }
    75. 

  75.             $salt_requires_encoding = false;
    76. 

  76.             if (isset($options['salt'])) {
    77. 

  77.                 switch (gettype($options['salt'])) {
    78. 

  78.                     case 'NULL':
    79. 

  79.                     case 'boolean':
    80. 

  80.                     case 'integer':
    81. 

  81.                     case 'double':
    82. 

  82.                     case 'string':
    83. 

  83.                         $salt = (string)$options['salt'];
    84. 

  84.                         break;
    85. 

  85.                     case 'object':
    86. 

  86.                         if (method_exists($options['salt'], '__tostring')) {
    87. 

  87.                             $salt = (string)$options['salt'];
    88. 

  88.                             break;
    89. 

  89.                         }
    90. 

  90.                     case 'array':
    91. 

  91.                     case 'resource':
    92. 

  92.                     default:
    93. 

  93.                         trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);
    94. 

  94.                         return null;
    95. 

  95.                 }
    96. 

  96.                 if (PasswordCompat\binary\_strlen($salt) < $required_salt_len) {
    97. 

  97.                     trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", PasswordCompat\binary\_strlen($salt), $required_salt_len), E_USER_WARNING);
    98. 

  98.                     return null;
    99. 

  99.                 } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {
    100. 

  100.                     $salt_requires_encoding = true;
    101. 

  101.                 }
    102. 

  102.             } else {
    103. 

  103.                 $buffer = '';
    104. 

  104.                 $buffer_valid = false;
    105. 

  105.                 if (function_exists('mcrypt_create_iv') && !defined('PHALANGER')) {
    106. 

  106.                     $buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM);
    107. 

  107.                     if ($buffer) {
    108. 

  108.                         $buffer_valid = true;
    109. 

  109.                     }
    110. 

  110.                 }
    111. 

  111.                 if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
    112. 

  112.                     $buffer = openssl_random_pseudo_bytes($raw_salt_len);
    113. 

  113.                     if ($buffer) {
    114. 

  114.                         $buffer_valid = true;
    115. 

  115.                     }
    116. 

  116.                 }
    117. 

  117.                 if (!$buffer_valid && @is_readable('/dev/urandom')) {
    118. 

  118.                     $f = fopen('/dev/urandom', 'r');
    119. 

  119.                     $read = PasswordCompat\binary\_strlen($buffer);
    120. 

  120.                     while ($read < $raw_salt_len) {
    121. 

  121.                         $buffer .= fread($f, $raw_salt_len - $read);
    122. 

  122.                         $read = PasswordCompat\binary\_strlen($buffer);
    123. 

  123.                     }
    124. 

  124.                     fclose($f);
    125. 

  125.                     if ($read >= $raw_salt_len) {
    126. 

  126.                         $buffer_valid = true;
    127. 

  127.                     }
    128. 

  128.                 }
    129. 

  129.                 if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) {
    130. 

  130.                     $bl = PasswordCompat\binary\_strlen($buffer);
    131. 

  131.                     for ($i = 0; $i < $raw_salt_len; $i++) {
    132. 

  132.                         if ($i < $bl) {
    133. 

  133.                             $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));
    134. 

  134.                         } else {
    135. 

  135.                             $buffer .= chr(mt_rand(0, 255));
    136. 

  136.                         }
    137. 

  137.                     }
    138. 

  138.                 }
    139. 

  139.                 $salt = $buffer;
    140. 

  140.                 $salt_requires_encoding = true;
    141. 

  141.             }
    142. 

  142.             if ($salt_requires_encoding) {
    143. 

  143.                 // encode string with the Base64 variant used by crypt
    144. 

  144.                 $base64_digits =
    145. 

  145.                     'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    146. 

  146.                 $bcrypt64_digits =
    147. 

  147.                     './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    148. 

  148. 

  149.                 $base64_string = base64_encode($salt);
    150. 

  150.                 $salt = strtr(rtrim($base64_string, '='), $base64_digits, $bcrypt64_digits);
    151. 

  151.             }
    152. 

  152.             $salt = PasswordCompat\binary\_substr($salt, 0, $required_salt_len);
    153. 

  153. 

  154.             $hash = $hash_format . $salt;
    155. 

  155. 

  156.             $ret = crypt($password, $hash);
    157. 

  157. 

  158.             if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != $resultLength) {
    159. 

  159.                 return false;
    160. 

  160.             }
    161. 

  161. 

  162.             return $ret;
    163. 

  163.         }
    164. 

  164. 

  165.         /**
    166. 

  166.          * Get information about the password hash. Returns an array of the information
    167. 

  167.          * that was used to generate the password hash.
    168. 

  168.          *
    169. 

  169.          * array(
    170. 

  170.          *    'algo' => 1,
    171. 

  171.          *    'algoName' => 'bcrypt',
    172. 

  172.          *    'options' => array(
    173. 

  173.          *        'cost' => PASSWORD_BCRYPT_DEFAULT_COST,
    174. 

  174.          *    ),
    175. 

  175.          * )
    176. 

  176.          *
    177. 

  177.          * @param string $hash The password hash to extract info from
    178. 

  178.          *
    179. 

  179.          * @return array The array of information about the hash.
    180. 

  180.          */
    181. 

  181.         function password_get_info($hash)
    182. 

  182.         {
    183. 

  183.             $return = array(
    184. 

  184.                 'algo' => 0,
    185. 

  185.                 'algoName' => 'unknown',
    186. 

  186.                 'options' => array(),
    187. 

  187.             );
    188. 

  188.             if (PasswordCompat\binary\_substr($hash, 0, 4) == '$2y$' && PasswordCompat\binary\_strlen($hash) == 60) {
    189. 

  189.                 $return['algo'] = PASSWORD_BCRYPT;
    190. 

  190.                 $return['algoName'] = 'bcrypt';
    191. 

  191.                 list($cost) = sscanf($hash, "$2y$%d$");
    192. 

  192.                 $return['options']['cost'] = $cost;
    193. 

  193.             }
    194. 

  194.             return $return;
    195. 

  195.         }
    196. 

  196. 

  197.         /**
    198. 

  198.          * Determine if the password hash needs to be rehashed according to the options provided
    199. 

  199.          *
    200. 

  200.          * If the answer is true, after validating the password using password_verify, rehash it.
    201. 

  201.          *
    202. 

  202.          * @param string $hash The hash to test
    203. 

  203.          * @param int $algo The algorithm used for new password hashes
    204. 

  204.          * @param array $options The options array passed to password_hash
    205. 

  205.          *
    206. 

  206.          * @return boolean True if the password needs to be rehashed.
    207. 

  207.          */
    208. 

  208.         function password_needs_rehash($hash, $algo, array $options = array())
    209. 

  209.         {
    210. 

  210.             $info = password_get_info($hash);
    211. 

  211.             if ($info['algo'] != $algo) {
    212. 

  212.                 return true;
    213. 

  213.             }
    214. 

  214.             switch ($algo) {
    215. 

  215.                 case PASSWORD_BCRYPT:
    216. 

  216.                     $cost = isset($options['cost']) ? $options['cost'] : PASSWORD_BCRYPT_DEFAULT_COST;
    217. 

  217.                     if ($cost != $info['options']['cost']) {
    218. 

  218.                         return true;
    219. 

  219.                     }
    220. 

  220.                     break;
    221. 

  221.             }
    222. 

  222.             return false;
    223. 

  223.         }
    224. 

  224. 

  225.         /**
    226. 

  226.          * Verify a password against a hash using a timing attack resistant approach
    227. 

  227.          *
    228. 

  228.          * @param string $password The password to verify
    229. 

  229.          * @param string $hash The hash to verify against
    230. 

  230.          *
    231. 

  231.          * @return boolean If the password matches the hash
    232. 

  232.          */
    233. 

  233.         function password_verify($password, $hash)
    234. 

  234.         {
    235. 

  235.             if (!function_exists('crypt')) {
    236. 

  236.                 trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING);
    237. 

  237.                 return false;
    238. 

  238.             }
    239. 

  239.             $ret = crypt($password, $hash);
    240. 

  240.             if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != PasswordCompat\binary\_strlen($hash) || PasswordCompat\binary\_strlen($ret) <= 13) {
    241. 

  241.                 return false;
    242. 

  242.             }
    243. 

  243. 

  244.             $status = 0;
    245. 

  245.             for ($i = 0; $i < PasswordCompat\binary\_strlen($ret); $i++) {
    246. 

  246.                 $status |= (ord($ret[$i]) ^ ord($hash[$i]));
    247. 

  247.             }
    248. 

  248. 

  249.             return $status === 0;
    250. 

  250.         }
    251. 

  251.     }
    252. 

  252. 

  253. }
    254. 

  254. 

  255. namespace PasswordCompat\binary {
    256. 

  256. 

  257.     if (!function_exists('PasswordCompat\\binary\\_strlen')) {
    258. 

  258. 

  259.         /**
    260. 

  260.          * Count the number of bytes in a string
    261. 

  261.          *
    262. 

  262.          * We cannot simply use strlen() for this, because it might be overwritten by the mbstring extension.
    263. 

  263.          * In this case, strlen() will count the number of *characters* based on the internal encoding. A
    264. 

  264.          * sequence of bytes might be regarded as a single multibyte character.
    265. 

  265.          *
    266. 

  266.          * @param string $binary_string The input string
    267. 

  267.          *
    268. 

  268.          * @internal
    269. 

  269.          * @return int The number of bytes
    270. 

  270.          */
    271. 

  271.         function _strlen($binary_string)
    272. 

  272.         {
    273. 

  273.             if (function_exists('mb_strlen')) {
    274. 

  274.                 return mb_strlen($binary_string, '8bit');
    275. 

  275.             }
    276. 

  276.             return strlen($binary_string);
    277. 

  277.         }
    278. 

  278. 

  279.         /**
    280. 

  280.          * Get a substring based on byte limits
    281. 

  281.          *
    282. 

  282.          * @see _strlen()
    283. 

  283.          *
    284. 

  284.          * @param string $binary_string The input string
    285. 

  285.          * @param int $start
    286. 

  286.          * @param int $length
    287. 

  287.          *
    288. 

  288.          * @internal
    289. 

  289.          * @return string The substring
    290. 

  290.          */
    291. 

  291.         function _substr($binary_string, $start, $length)
    292. 

  292.         {
    293. 

  293.             if (function_exists('mb_substr')) {
    294. 

  294.                 return mb_substr($binary_string, $start, $length, '8bit');
    295. 

  295.             }
    296. 

  296.             return substr($binary_string, $start, $length);
    297. 

  297.         }
    298. 

  298. 

  299.         /**
    300. 

  300.          * Check if current PHP version is compatible with the library
    301. 

  301.          *
    302. 

  302.          * @return boolean the check result
    303. 

  303.          */
    304. 

  304.         function check()
    305. 

  305.         {
    306. 

  306.             static $pass = NULL;
    307. 

  307. 

  308.             if (is_null($pass)) {
    309. 

  309.                 if (function_exists('crypt')) {
    310. 

  310.                     $hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
    311. 

  311.                     $test = crypt("password", $hash);
    312. 

  312.                     $pass = $test == $hash;
    313. 

  313.                 } else {
    314. 

  314.                     $pass = false;
    315. 

  315.                 }
    316. 

  316.             }
    317. 

  317.             return $pass;
    318. 

  318.         }
    319. 

  319. 

  320.     }
    321. 

  321. }
    322.