SimpleMachines /
SMF2.1
@@ -18,7 +18,8 @@ discard block |
||
| 18 | 18 | |
| 19 | 19 | namespace { |
| 20 | 20 | |
| 21 | - if (!defined('PASSWORD_DEFAULT')) { |
|
| 21 | + if (!defined('PASSWORD_DEFAULT')) |
|
| 22 | + { |
|
| 22 | 23 | |
| 23 | 24 | define('PASSWORD_BCRYPT', 1); |
| 24 | 25 | define('PASSWORD_DEFAULT', PASSWORD_BCRYPT); |
@@ -34,31 +35,39 @@ discard block |
||
| 34 | 35 | * |
| 35 | 36 | * @return string|false The hashed password, or false on error. |
| 36 | 37 | */ |
| 37 | - function password_hash($password, $algo, array $options = array()) { |
|
| 38 | + function password_hash($password, $algo, array $options = array()) |
|
| 39 | + { |
|
| 38 | 40 | global $smcFunc; |
| 39 | 41 | |
| 40 | - if (!function_exists('crypt')) { |
|
| 42 | + if (!function_exists('crypt')) |
|
| 43 | + { |
|
| 41 | 44 | trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING); |
| 42 | 45 | return null; |
| 43 | 46 | } |
| 44 | - if (!is_string($password)) { |
|
| 47 | + if (!is_string($password)) |
|
| 48 | + { |
|
| 45 | 49 | trigger_error("password_hash(): Password must be a string", E_USER_WARNING); |
| 46 | 50 | return null; |
| 47 | 51 | } |
| 48 | - if (!is_int($algo)) { |
|
| 52 | + if (!is_int($algo)) |
|
| 53 | + { |
|
| 49 | 54 | trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING); |
| 50 | 55 | return null; |
| 51 | 56 | } |
| 52 | - if (PasswordCompat\binary\_strlen($password) > 72) { |
|
| 57 | + if (PasswordCompat\binary\_strlen($password) > 72) |
|
| 58 | + { |
|
| 53 | 59 | $password = PasswordCompat\binary\_substr($password, 0, 72); |
| 54 | 60 | } |
| 55 | - switch ($algo) { |
|
| 61 | + switch ($algo) |
|
| 62 | + { |
|
| 56 | 63 | case PASSWORD_BCRYPT: |
| 57 | 64 | // Note that this is a C constant, but not exposed to PHP, so we don't define it here. |
| 58 | 65 | $cost = 10; |
| 59 | - if (isset($options['cost'])) { |
|
| 66 | + if (isset($options['cost'])) |
|
| 67 | + { |
|
| 60 | 68 | $cost = $options['cost']; |
| 61 | - if ($cost < 4 || $cost > 31) { |
|
| 69 | + if ($cost < 4 || $cost > 31) |
|
| 70 | + { |
|
| 62 | 71 | trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING); |
| 63 | 72 | return null; |
| 64 | 73 | } |
@@ -76,8 +85,10 @@ discard block |
||
| 76 | 85 | return null; |
| 77 | 86 | } |
| 78 | 87 | $salt_requires_encoding = false; |
| 79 | - if (isset($options['salt'])) { |
|
| 80 | - switch (gettype($options['salt'])) { |
|
| 88 | + if (isset($options['salt'])) |
|
| 89 | + { |
|
| 90 | + switch (gettype($options['salt'])) |
|
| 91 | + { |
|
| 81 | 92 | case 'NULL': |
| 82 | 93 | case 'boolean': |
| 83 | 94 | case 'integer': |
@@ -86,7 +97,8 @@ discard block |
||
| 86 | 97 | $salt = (string) $options['salt']; |
| 87 | 98 | break; |
| 88 | 99 | case 'object': |
| 89 | - if (method_exists($options['salt'], '__tostring')) { |
|
| 100 | + if (method_exists($options['salt'], '__tostring')) |
|
| 101 | + { |
|
| 90 | 102 | $salt = (string) $options['salt']; |
| 91 | 103 | break; |
| 92 | 104 | } |
@@ -96,51 +108,70 @@ discard block |
||
| 96 | 108 | trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING); |
| 97 | 109 | return null; |
| 98 | 110 | } |
| 99 | - if (PasswordCompat\binary\_strlen($salt) < $required_salt_len) { |
|
| 111 | + if (PasswordCompat\binary\_strlen($salt) < $required_salt_len) |
|
| 112 | + { |
|
| 100 | 113 | trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", PasswordCompat\binary\_strlen($salt), $required_salt_len), E_USER_WARNING); |
| 101 | 114 | return null; |
| 102 | - } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) { |
|
| 115 | + } |
|
| 116 | + elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) |
|
| 117 | + { |
|
| 103 | 118 | $salt_requires_encoding = true; |
| 104 | 119 | } |
| 105 | - } else { |
|
| 120 | + } |
|
| 121 | + else |
|
| 122 | + { |
|
| 106 | 123 | $buffer = ''; |
| 107 | 124 | $buffer_valid = false; |
| 108 | - if (function_exists('random_bytes')) { |
|
| 125 | + if (function_exists('random_bytes')) |
|
| 126 | + { |
|
| 109 | 127 | $buffer = random_bytes($raw_salt_len); |
| 110 | - if ($buffer) { |
|
| 128 | + if ($buffer) |
|
| 129 | + { |
|
| 111 | 130 | $buffer_valid = true; |
| 112 | 131 | } |
| 113 | 132 | } |
| 114 | - if (!$buffer_valid && function_exists('mcrypt_create_iv') && !defined('PHALANGER')) { |
|
| 133 | + if (!$buffer_valid && function_exists('mcrypt_create_iv') && !defined('PHALANGER')) |
|
| 134 | + { |
|
| 115 | 135 | $buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM); |
| 116 | - if ($buffer) { |
|
| 136 | + if ($buffer) |
|
| 137 | + { |
|
| 117 | 138 | $buffer_valid = true; |
| 118 | 139 | } |
| 119 | 140 | } |
| 120 | - if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) { |
|
| 141 | + if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) |
|
| 142 | + { |
|
| 121 | 143 | $buffer = openssl_random_pseudo_bytes($raw_salt_len); |
| 122 | - if ($buffer) { |
|
| 144 | + if ($buffer) |
|
| 145 | + { |
|
| 123 | 146 | $buffer_valid = true; |
| 124 | 147 | } |
| 125 | 148 | } |
| 126 | - if (!$buffer_valid && @is_readable('/dev/urandom')) { |
|
| 149 | + if (!$buffer_valid && @is_readable('/dev/urandom')) |
|
| 150 | + { |
|
| 127 | 151 | $f = fopen('/dev/urandom', 'r'); |
| 128 | 152 | $read = PasswordCompat\binary\_strlen($buffer); |
| 129 | - while ($read < $raw_salt_len) { |
|
| 153 | + while ($read < $raw_salt_len) |
|
| 154 | + { |
|
| 130 | 155 | $buffer .= fread($f, $raw_salt_len - $read); |
| 131 | 156 | $read = PasswordCompat\binary\_strlen($buffer); |
| 132 | 157 | } |
| 133 | 158 | fclose($f); |
| 134 | - if ($read >= $raw_salt_len) { |
|
| 159 | + if ($read >= $raw_salt_len) |
|
| 160 | + { |
|
| 135 | 161 | $buffer_valid = true; |
| 136 | 162 | } |
| 137 | 163 | } |
| 138 | - if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) { |
|
| 164 | + if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) |
|
| 165 | + { |
|
| 139 | 166 | $bl = PasswordCompat\binary\_strlen($buffer); |
| 140 | - for ($i = 0; $i < $raw_salt_len; $i++) { |
|
| 141 | - if ($i < $bl) { |
|
| 167 | + for ($i = 0; $i < $raw_salt_len; $i++) |
|
| 168 | + { |
|
| 169 | + if ($i < $bl) |
|
| 170 | + { |
|
| 142 | 171 | $buffer[$i] = $buffer[$i] ^ chr($smcFunc['random_int'](0, 255)); |
| 143 | - } else { |
|
| 172 | + } |
|
| 173 | + else |
|
| 174 | + { |
|
| 144 | 175 | $buffer .= chr($smcFunc['random_int'](0, 255)); |
| 145 | 176 | } |
| 146 | 177 | } |
@@ -148,7 +179,8 @@ discard block |
||
| 148 | 179 | $salt = $buffer; |
| 149 | 180 | $salt_requires_encoding = true; |
| 150 | 181 | } |
| 151 | - if ($salt_requires_encoding) { |
|
| 182 | + if ($salt_requires_encoding) |
|
| 183 | + { |
|
| 152 | 184 | // encode string with the Base64 variant used by crypt |
| 153 | 185 | $base64_digits = |
| 154 | 186 | 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'; |
@@ -164,7 +196,8 @@ discard block |
||
| 164 | 196 | |
| 165 | 197 | $ret = crypt($password, $hash); |
| 166 | 198 | |
| 167 | - if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != $resultLength) { |
|
| 199 | + if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != $resultLength) |
|
| 200 | + { |
|
| 168 | 201 | return false; |
| 169 | 202 | } |
| 170 | 203 | |
@@ -187,13 +220,15 @@ discard block |
||
| 187 | 220 | * |
| 188 | 221 | * @return array The array of information about the hash. |
| 189 | 222 | */ |
| 190 | - function password_get_info($hash) { |
|
| 223 | + function password_get_info($hash) |
|
| 224 | + { |
|
| 191 | 225 | $return = array( |
| 192 | 226 | 'algo' => 0, |
| 193 | 227 | 'algoName' => 'unknown', |
| 194 | 228 | 'options' => array(), |
| 195 | 229 | ); |
| 196 | - if (PasswordCompat\binary\_substr($hash, 0, 4) == '$2y$' && PasswordCompat\binary\_strlen($hash) == 60) { |
|
| 230 | + if (PasswordCompat\binary\_substr($hash, 0, 4) == '$2y$' && PasswordCompat\binary\_strlen($hash) == 60) |
|
| 231 | + { |
|
| 197 | 232 | $return['algo'] = PASSWORD_BCRYPT; |
| 198 | 233 | $return['algoName'] = 'bcrypt'; |
| 199 | 234 | list($cost) = sscanf($hash, "$2y$%d$"); |
@@ -213,15 +248,19 @@ discard block |
||
| 213 | 248 | * |
| 214 | 249 | * @return boolean True if the password needs to be rehashed. |
| 215 | 250 | */ |
| 216 | - function password_needs_rehash($hash, $algo, array $options = array()) { |
|
| 251 | + function password_needs_rehash($hash, $algo, array $options = array()) |
|
| 252 | + { |
|
| 217 | 253 | $info = password_get_info($hash); |
| 218 | - if ($info['algo'] != $algo) { |
|
| 254 | + if ($info['algo'] != $algo) |
|
| 255 | + { |
|
| 219 | 256 | return true; |
| 220 | 257 | } |
| 221 | - switch ($algo) { |
|
| 258 | + switch ($algo) |
|
| 259 | + { |
|
| 222 | 260 | case PASSWORD_BCRYPT: |
| 223 | 261 | $cost = isset($options['cost']) ? $options['cost'] : 10; |
| 224 | - if ($cost != $info['options']['cost']) { |
|
| 262 | + if ($cost != $info['options']['cost']) |
|
| 263 | + { |
|
| 225 | 264 | return true; |
| 226 | 265 | } |
| 227 | 266 | break; |
@@ -237,21 +276,26 @@ discard block |
||
| 237 | 276 | * |
| 238 | 277 | * @return boolean If the password matches the hash |
| 239 | 278 | */ |
| 240 | - function password_verify($password, $hash) { |
|
| 241 | - if (!function_exists('crypt')) { |
|
| 279 | + function password_verify($password, $hash) |
|
| 280 | + { |
|
| 281 | + if (!function_exists('crypt')) |
|
| 282 | + { |
|
| 242 | 283 | trigger_error("Crypt must be loaded for password_verify to function", E_USER_WARNING); |
| 243 | 284 | return false; |
| 244 | 285 | } |
| 245 | - if (PasswordCompat\binary\_strlen($password) > 72) { |
|
| 286 | + if (PasswordCompat\binary\_strlen($password) > 72) |
|
| 287 | + { |
|
| 246 | 288 | $password = PasswordCompat\binary\_substr($password, 0, 72); |
| 247 | 289 | } |
| 248 | 290 | $ret = crypt($password, $hash); |
| 249 | - if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != PasswordCompat\binary\_strlen($hash) || PasswordCompat\binary\_strlen($ret) <= 13) { |
|
| 291 | + if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != PasswordCompat\binary\_strlen($hash) || PasswordCompat\binary\_strlen($ret) <= 13) |
|
| 292 | + { |
|
| 250 | 293 | return false; |
| 251 | 294 | } |
| 252 | 295 | |
| 253 | 296 | $status = 0; |
| 254 | - for ($i = 0; $i < PasswordCompat\binary\_strlen($ret); $i++) { |
|
| 297 | + for ($i = 0; $i < PasswordCompat\binary\_strlen($ret); $i++) |
|
| 298 | + { |
|
| 255 | 299 | $status |= (ord($ret[$i]) ^ ord($hash[$i])); |
| 256 | 300 | } |
| 257 | 301 | |
@@ -273,8 +317,10 @@ discard block |
||
| 273 | 317 | * @internal |
| 274 | 318 | * @return int The number of bytes |
| 275 | 319 | */ |
| 276 | - function _strlen($binary_string) { |
|
| 277 | - if (function_exists('mb_strlen')) { |
|
| 320 | + function _strlen($binary_string) |
|
| 321 | + { |
|
| 322 | + if (function_exists('mb_strlen')) |
|
| 323 | + { |
|
| 278 | 324 | return mb_strlen($binary_string, '8bit'); |
| 279 | 325 | } |
| 280 | 326 | return strlen($binary_string); |
@@ -292,8 +338,10 @@ discard block |
||
| 292 | 338 | * @internal |
| 293 | 339 | * @return string The substring |
| 294 | 340 | */ |
| 295 | - function _substr($binary_string, $start, $length) { |
|
| 296 | - if (function_exists('mb_substr')) { |
|
| 341 | + function _substr($binary_string, $start, $length) |
|
| 342 | + { |
|
| 343 | + if (function_exists('mb_substr')) |
|
| 344 | + { |
|
| 297 | 345 | return mb_substr($binary_string, $start, $length, '8bit'); |
| 298 | 346 | } |
| 299 | 347 | return substr($binary_string, $start, $length); |
