search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update code_sniffer build.xml file to be executable on our system
[phpbb.git] / phpBB / includes / core / security.php
blobf5aca65e8d9202e6f967d3d7719de7ea7af282cf
1 <?php
2 /**
3 *
4 * @package core
5 * @version $Id$
6 * @copyright (c) 2008 phpBB Group
7 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
8 *
9 */
10
11 /**
12 * @ignore
13 */
14 if (!defined('IN_PHPBB'))
15 {
16 exit();
17 }
18 /**
19 * Class for generating random numbers, unique ids, unique keys, seeds, hashes...
20 * @package core
21 */
22 class phpbb_security extends phpbb_plugin_support
23 {
24 /**
25 * @var array required phpBB objects
26 */
27 public $phpbb_required = array();
28
29 /**
30 * @var array Optional phpBB objects
31 */
32 public $phpbb_optional = array('config');
33
34 /**
35 * @var string Used hash type. The default type is $P$, phpBB uses a different one.
36 */
37 public $hash_type = '$H$';
38
39 /**
40 * @var bool Is true if random seed got updated.
41 */
42 private $dss_seeded = false;
43
44 /**
45 * Constructor
46 * @access public
47 */
48 public function __construct() {}
49
50 /**
51 * Generates an alphanumeric random string of given length
52 *
53 * @param int $num_chars Number of characters to return
54 * @return string Random string of $num_chars characters.
55 * @access public
56 */
57 public function gen_rand_string($num_chars = 8)
58 {
59 $rand_str = $this->unique_id();
60 $rand_str = str_replace('0', 'Z', strtoupper(base_convert($rand_str, 16, 35)));
61
62 return substr($rand_str, 0, $num_chars);
63 }
64
65 /**
66 * Return unique id
67 *
68 * @param string $extra Additional entropy
69 * @return string Unique id
70 * @access public
71 */
72 public function unique_id($extra = 'c')
73 {
74 if (!isset(phpbb::$config['rand_seed']))
75 {
76 $val = md5(md5($extra) . microtime());
77 $val = md5(md5($extra) . $val . $extra);
78 return substr($val, 4, 16);
79 }
80
81
82 $val = phpbb::$config['rand_seed'] . microtime();
83 $val = md5($val);
84 phpbb::$config['rand_seed'] = md5(phpbb::$config['rand_seed'] . $val . $extra);
85
86 if (!$this->dss_seeded && phpbb::$config['rand_seed_last_update'] < time() - rand(1, 10))
87 {
88 set_config('rand_seed', phpbb::$config['rand_seed'], true);
89 set_config('rand_seed_last_update', time(), true);
90
91 $this->dss_seeded = true;
92 }
93
94 return substr($val, 4, 16);
95 }
96
97 /**
98 * Hash passwords
99 *
100 * @version Version 0.1
101 *
102 * Portable PHP password hashing framework.
103 *
104 * Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
105 * the public domain.
106 *
107 * There's absolutely no warranty.
108 *
109 * The homepage URL for this framework is:
110 *
111 * http://www.openwall.com/phpass/
112 *
113 * Please be sure to update the Version line if you edit this file in any way.
114 * It is suggested that you leave the main version number intact, but indicate
115 * your project name (after the slash) and add your own revision information.
116 *
117 * Please do not change the "private" password hashing method implemented in
118 * here, thereby making your hashes incompatible. However, if you must, please
119 * change the hash type identifier (the "$P$") to something different.
120 *
121 * Obviously, since this code is in the public domain, the above are not
122 * requirements (there can be none), but merely suggestions.
123 *
124 * @param string $password Password to hash
125 * @return string Hashed password
126 * @access public
127 */
128 public function hash_password($password)
129 {
130 $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
131
132 $random_state = $this->unique_id();
133 $random = '';
134 $count = 6;
135
136 if (($fh = @fopen('/dev/urandom', 'rb')))
137 {
138 $random = fread($fh, $count);
139 fclose($fh);
140 }
141
142 if (strlen($random) < $count)
143 {
144 $random = '';
145
146 for ($i = 0; $i < $count; $i += 16)
147 {
148 $random_state = md5($this->unique_id() . $random_state);
149 $random .= pack('H*', md5($random_state));
150 }
151 $random = substr($random, 0, $count);
152 }
153
154 $hash = $this->_hash_crypt_private($password, $this->_hash_gensalt_private($random, $itoa64), $itoa64);
155 $result = (strlen($hash) == 34) ? $hash : md5($password);
156
157 return $result;
158 }
159
160 /**
161 * Check for correct password
162 *
163 * If the hash length is != 34, then a md5($password) === $hash comparison is done. The correct hash length is 34.
164 *
165 * @param string $password The password in plain text
166 * @param string $hash The stored password hash
167 *
168 * @return bool Returns true if the password is correct, false if not.
169 * @access public
170 */
171 public function check_password($password, $hash)
172 {
173 $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
174 if (strlen($hash) == 34)
175 {
176 $result = ($this->_hash_crypt_private($password, $hash, $itoa64) === $hash) ? true : false;
177 }
178 else
179 {
180 $result = (md5($password) === $hash) ? true : false;
181 }
182
183 return $result;
184 }
185
186 /**
187 * Generate salt for hash generation
188 * @access private
189 */
190 private function _hash_gensalt_private($input, &$itoa64, $iteration_count_log2 = 6)
191 {
192 if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
193 {
194 $iteration_count_log2 = 8;
195 }
196
197 $output = $this->hash_type;
198 $output .= $itoa64[min($iteration_count_log2 + 5, 30)];
199 $output .= $this->_hash_encode64($input, 6, $itoa64);
200
201 return $output;
202 }
203
204 /**
205 * Encode hash
206 * @access private
207 */
208 private function _hash_encode64($input, $count, &$itoa64)
209 {
210 $output = '';
211 $i = 0;
212
213 do
214 {
215 $value = ord($input[$i++]);
216 $output .= $itoa64[$value & 0x3f];
217
218 if ($i < $count)
219 {
220 $value |= ord($input[$i]) << 8;
221 }
222
223 $output .= $itoa64[($value >> 6) & 0x3f];
224
225 if ($i++ >= $count)
226 {
227 break;
228 }
229
230 if ($i < $count)
231 {
232 $value |= ord($input[$i]) << 16;
233 }
234
235 $output .= $itoa64[($value >> 12) & 0x3f];
236
237 if ($i++ >= $count)
238 {
239 break;
240 }
241
242 $output .= $itoa64[($value >> 18) & 0x3f];
243 }
244 while ($i < $count);
245
246 return $output;
247 }
248
249 /**
250 * The crypt function/replacement
251 * @access private
252 */
253 private function _hash_crypt_private($password, $setting, &$itoa64)
254 {
255 $output = '*';
256
257 // Check for correct hash
258 if (substr($setting, 0, 3) != $this->hash_type)
259 {
260 return $output;
261 }
262
263 $count_log2 = strpos($itoa64, $setting[3]);
264
265 if ($count_log2 < 7 || $count_log2 > 30)
266 {
267 return $output;
268 }
269
270 $count = 1 << $count_log2;
271 $salt = substr($setting, 4, 8);
272
273 if (strlen($salt) != 8)
274 {
275 return $output;
276 }
277
278 /**
279 * We're kind of forced to use MD5 here since it's the only
280 * cryptographic primitive available in all versions of PHP
281 * currently in use. To implement our own low-level crypto
282 * in PHP would result in much worse performance and
283 * consequently in lower iteration counts and hashes that are
284 * quicker to crack (by non-PHP code).
285 */
286 $hash = md5($salt . $password, true);
287 do
288 {
289 $hash = md5($hash . $password, true);
290 }
291 while (--$count);
292
293 $output = substr($setting, 0, 12);
294 $output .= $this->_hash_encode64($hash, 16, $itoa64);
295
296 return $output;
297 }
298 }
299
300 ?>
phpbb is a php-based BBS (buletin board system)