Home Explore Help
Sign In
crazycat
/
IDCOL
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7ecb137e94
Branches Tags
IDCOL
/
api
/
system
/
core
/
compat
/
password.php

password.php 7.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * CodeIgniter
    4. 

  4.  *
    5. 

  5.  * An open source application development framework for PHP
    6. 

  6.  *
    7. 

  7.  * This content is released under the MIT License (MIT)
    8. 

  8.  *
    9. 

  9.  * Copyright (c) 2014 - 2017, British Columbia Institute of Technology
    10. 

  10.  *
    11. 

  11.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    12. 

  12.  * of this software and associated documentation files (the "Software"), to deal
    13. 

  13.  * in the Software without restriction, including without limitation the rights
    14. 

  14.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    15. 

  15.  * copies of the Software, and to permit persons to whom the Software is
    16. 

  16.  * furnished to do so, subject to the following conditions:
    17. 

  17.  *
    18. 

  18.  * The above copyright notice and this permission notice shall be included in
    19. 

  19.  * all copies or substantial portions of the Software.
    20. 

  20.  *
    21. 

  21.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    22. 

  22.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    23. 

  23.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    24. 

  24.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    25. 

  25.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    26. 

  26.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    27. 

  27.  * THE SOFTWARE.
    28. 

  28.  *
    29. 

  29.  * @package	CodeIgniter
    30. 

  30.  * @author	EllisLab Dev Team
    31. 

  31.  * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
    32. 

  32.  * @copyright	Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/)
    33. 

  33.  * @license	http://opensource.org/licenses/MIT	MIT License
    34. 

  34.  * @link	https://codeigniter.com
    35. 

  35.  * @since	Version 3.0.0
    36. 

  36.  * @filesource
    37. 

  37.  */
    38. 

  38. defined('BASEPATH') OR exit('No direct script access allowed');
    39. 

  39. 

  40. /**
    41. 

  41.  * PHP ext/standard/password compatibility package
    42. 

  42.  *
    43. 

  43.  * @package		CodeIgniter
    44. 

  44.  * @subpackage	CodeIgniter
    45. 

  45.  * @category	Compatibility
    46. 

  46.  * @author		Andrey Andreev
    47. 

  47.  * @link		https://codeigniter.com/user_guide/
    48. 

  48.  * @link		http://php.net/password
    49. 

  49.  */
    50. 

  50. 

  51. // ------------------------------------------------------------------------
    52. 

  52. 

  53. if (is_php('5.5') OR ! defined('CRYPT_BLOWFISH') OR CRYPT_BLOWFISH !== 1 OR defined('HHVM_VERSION'))
    54. 

  54. {
    55. 

  55. 	return;
    56. 

  56. }
    57. 

  57. 

  58. // ------------------------------------------------------------------------
    59. 

  59. 

  60. defined('PASSWORD_BCRYPT') OR define('PASSWORD_BCRYPT', 1);
    61. 

  61. defined('PASSWORD_DEFAULT') OR define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
    62. 

  62. 

  63. // ------------------------------------------------------------------------
    64. 

  64. 

  65. if ( ! function_exists('password_get_info'))
    66. 

  66. {
    67. 

  67. 	/**
    68. 

  68. 	 * password_get_info()
    69. 

  69. 	 *
    70. 

  70. 	 * @link	http://php.net/password_get_info
    71. 

  71. 	 * @param	string	$hash
    72. 

  72. 	 * @return	array
    73. 

  73. 	 */
    74. 

  74. 	function password_get_info($hash)
    75. 

  75. 	{
    76. 

  76. 		return (strlen($hash) < 60 OR sscanf($hash, '$2y$%d', $hash) !== 1)
    77. 

  77. 			? array('algo' => 0, 'algoName' => 'unknown', 'options' => array())
    78. 

  78. 			: array('algo' => 1, 'algoName' => 'bcrypt', 'options' => array('cost' => $hash));
    79. 

  79. 	}
    80. 

  80. }
    81. 

  81. 

  82. // ------------------------------------------------------------------------
    83. 

  83. 

  84. if ( ! function_exists('password_hash'))
    85. 

  85. {
    86. 

  86. 	/**
    87. 

  87. 	 * password_hash()
    88. 

  88. 	 *
    89. 

  89. 	 * @link	http://php.net/password_hash
    90. 

  90. 	 * @param	string	$password
    91. 

  91. 	 * @param	int	$algo
    92. 

  92. 	 * @param	array	$options
    93. 

  93. 	 * @return	mixed
    94. 

  94. 	 */
    95. 

  95. 	function password_hash($password, $algo, array $options = array())
    96. 

  96. 	{
    97. 

  97. 		static $func_overload;
    98. 

  98. 		isset($func_overload) OR $func_overload = (extension_loaded('mbstring') && ini_get('mbstring.func_overload'));
    99. 

  99. 

  100. 		if ($algo !== 1)
    101. 

  101. 		{
    102. 

  102. 			trigger_error('password_hash(): Unknown hashing algorithm: '.(int) $algo, E_USER_WARNING);
    103. 

  103. 			return NULL;
    104. 

  104. 		}
    105. 

  105. 

  106. 		if (isset($options['cost']) && ($options['cost'] < 4 OR $options['cost'] > 31))
    107. 

  107. 		{
    108. 

  108. 			trigger_error('password_hash(): Invalid bcrypt cost parameter specified: '.(int) $options['cost'], E_USER_WARNING);
    109. 

  109. 			return NULL;
    110. 

  110. 		}
    111. 

  111. 

  112. 		if (isset($options['salt']) && ($saltlen = ($func_overload ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))) < 22)
    113. 

  113. 		{
    114. 

  114. 			trigger_error('password_hash(): Provided salt is too short: '.$saltlen.' expecting 22', E_USER_WARNING);
    115. 

  115. 			return NULL;
    116. 

  116. 		}
    117. 

  117. 		elseif ( ! isset($options['salt']))
    118. 

  118. 		{
    119. 

  119. 			if (function_exists('random_bytes'))
    120. 

  120. 			{
    121. 

  121. 				try
    122. 

  122. 				{
    123. 

  123. 					$options['salt'] = random_bytes(16);
    124. 

  124. 				}
    125. 

  125. 				catch (Exception $e)
    126. 

  126. 				{
    127. 

  127. 					log_message('error', 'compat/password: Error while trying to use random_bytes(): '.$e->getMessage());
    128. 

  128. 					return FALSE;
    129. 

  129. 				}
    130. 

  130. 			}
    131. 

  131. 			elseif (defined('MCRYPT_DEV_URANDOM'))
    132. 

  132. 			{
    133. 

  133. 				$options['salt'] = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
    134. 

  134. 			}
    135. 

  135. 			elseif (DIRECTORY_SEPARATOR === '/' && (is_readable($dev = '/dev/arandom') OR is_readable($dev = '/dev/urandom')))
    136. 

  136. 			{
    137. 

  137. 				if (($fp = fopen($dev, 'rb')) === FALSE)
    138. 

  138. 				{
    139. 

  139. 					log_message('error', 'compat/password: Unable to open '.$dev.' for reading.');
    140. 

  140. 					return FALSE;
    141. 

  141. 				}
    142. 

  142. 

  143. 				// Try not to waste entropy ...
    144. 

  144. 				is_php('5.4') && stream_set_chunk_size($fp, 16);
    145. 

  145. 

  146. 				$options['salt'] = '';
    147. 

  147. 				for ($read = 0; $read < 16; $read = ($func_overload) ? mb_strlen($options['salt'], '8bit') : strlen($options['salt']))
    148. 

  148. 				{
    149. 

  149. 					if (($read = fread($fp, 16 - $read)) === FALSE)
    150. 

  150. 					{
    151. 

  151. 						log_message('error', 'compat/password: Error while reading from '.$dev.'.');
    152. 

  152. 						return FALSE;
    153. 

  153. 					}
    154. 

  154. 					$options['salt'] .= $read;
    155. 

  155. 				}
    156. 

  156. 

  157. 				fclose($fp);
    158. 

  158. 			}
    159. 

  159. 			elseif (function_exists('openssl_random_pseudo_bytes'))
    160. 

  160. 			{
    161. 

  161. 				$is_secure = NULL;
    162. 

  162. 				$options['salt'] = openssl_random_pseudo_bytes(16, $is_secure);
    163. 

  163. 				if ($is_secure !== TRUE)
    164. 

  164. 				{
    165. 

  165. 					log_message('error', 'compat/password: openssl_random_pseudo_bytes() set the $cryto_strong flag to FALSE');
    166. 

  166. 					return FALSE;
    167. 

  167. 				}
    168. 

  168. 			}
    169. 

  169. 			else
    170. 

  170. 			{
    171. 

  171. 				log_message('error', 'compat/password: No CSPRNG available.');
    172. 

  172. 				return FALSE;
    173. 

  173. 			}
    174. 

  174. 

  175. 			$options['salt'] = str_replace('+', '.', rtrim(base64_encode($options['salt']), '='));
    176. 

  176. 		}
    177. 

  177. 		elseif ( ! preg_match('#^[a-zA-Z0-9./]+$#D', $options['salt']))
    178. 

  178. 		{
    179. 

  179. 			$options['salt'] = str_replace('+', '.', rtrim(base64_encode($options['salt']), '='));
    180. 

  180. 		}
    181. 

  181. 

  182. 		isset($options['cost']) OR $options['cost'] = 10;
    183. 

  183. 

  184. 		return (strlen($password = crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']))) === 60)
    185. 

  185. 			? $password
    186. 

  186. 			: FALSE;
    187. 

  187. 	}
    188. 

  188. }
    189. 

  189. 

  190. // ------------------------------------------------------------------------
    191. 

  191. 

  192. if ( ! function_exists('password_needs_rehash'))
    193. 

  193. {
    194. 

  194. 	/**
    195. 

  195. 	 * password_needs_rehash()
    196. 

  196. 	 *
    197. 

  197. 	 * @link	http://php.net/password_needs_rehash
    198. 

  198. 	 * @param	string	$hash
    199. 

  199. 	 * @param	int	$algo
    200. 

  200. 	 * @param	array	$options
    201. 

  201. 	 * @return	bool
    202. 

  202. 	 */
    203. 

  203. 	function password_needs_rehash($hash, $algo, array $options = array())
    204. 

  204. 	{
    205. 

  205. 		$info = password_get_info($hash);
    206. 

  206. 

  207. 		if ($algo !== $info['algo'])
    208. 

  208. 		{
    209. 

  209. 			return TRUE;
    210. 

  210. 		}
    211. 

  211. 		elseif ($algo === 1)
    212. 

  212. 		{
    213. 

  213. 			$options['cost'] = isset($options['cost']) ? (int) $options['cost'] : 10;
    214. 

  214. 			return ($info['options']['cost'] !== $options['cost']);
    215. 

  215. 		}
    216. 

  216. 

  217. 		// Odd at first glance, but according to a comment in PHP's own unit tests,
    218. 

  218. 		// because it is an unknown algorithm - it's valid and therefore doesn't
    219. 

  219. 		// need rehashing.
    220. 

  220. 		return FALSE;
    221. 

  221. 	}
    222. 

  222. }
    223. 

  223. 

  224. // ------------------------------------------------------------------------
    225. 

  225. 

  226. if ( ! function_exists('password_verify'))
    227. 

  227. {
    228. 

  228. 	/**
    229. 

  229. 	 * password_verify()
    230. 

  230. 	 *
    231. 

  231. 	 * @link	http://php.net/password_verify
    232. 

  232. 	 * @param	string	$password
    233. 

  233. 	 * @param	string	$hash
    234. 

  234. 	 * @return	bool
    235. 

  235. 	 */
    236. 

  236. 	function password_verify($password, $hash)
    237. 

  237. 	{
    238. 

  238. 		if (strlen($hash) !== 60 OR strlen($password = crypt($password, $hash)) !== 60)
    239. 

  239. 		{
    240. 

  240. 			return FALSE;
    241. 

  241. 		}
    242. 

  242. 

  243. 		$compare = 0;
    244. 

  244. 		for ($i = 0; $i < 60; $i++)
    245. 

  245. 		{
    246. 

  246. 			$compare |= (ord($password[$i]) ^ ord($hash[$i]));
    247. 

  247. 		}
    248. 

  248. 

  249. 		return ($compare === 0);
    250. 

  250. 	}
    251. 

  251. }
    252.