search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
fix: faxsms psr7 vendor fix (#7794)
[openemr.git] / portal / patient / fwk / libs / util / password.php
blobef1bcad3a13bdb19e3eb205da55c9eed2ab98e71
1 <?php
2
3 /**
4 * This is a compatibility file for password_hash and password_verify for
5 * php systems prior to 5.5 that do not have password hashing built-in.
6 * This will export these two functions to the global namespace
7 */
8
9 defined('PASSWORD_BCRYPT') or define('PASSWORD_BCRYPT', 1);
10
11 defined('PASSWORD_DEFAULT') or define('PASSWORD_DEFAULT', PASSWORD_BCRYPT);
12
13 if (! function_exists('password_hash')) {
14 /**
15 * Hash the password using the specified algorithm
16 *
17 * @param string $password
18 * The password to hash
19 * @param int $algo
20 * The algorithm to use (Defined by PASSWORD_* constants)
21 * @param array $options
22 * The options for the algorithm to use
23 *
24 * @return s string|false The hashed password, or false on error.
25 */
26 function password_hash($password, $algo, $options = array())
27 {
28 if (! function_exists('crypt')) {
29 trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);
30 return null;
31 }
32
33 if (! is_string($password)) {
34 trigger_error("password_hash(): Password must be a string", E_USER_WARNING);
35 return null;
36 }
37
38 if (! is_int($algo)) {
39 trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);
40 return null;
41 }
42
43 switch ($algo) {
44 case PASSWORD_BCRYPT:
45 // Note that this is a C constant, but not exposed to PHP, so we don't define it here.
46 $cost = 10;
47 if (isset($options ['cost'])) {
48 $cost = $options ['cost'];
49 if ($cost < 4 || $cost > 31) {
50 trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);
51 return null;
52 }
53 }
54
55 $required_salt_len = 22;
56 $hash_format = sprintf("$2y$%02d$", $cost);
57 break;
58 default:
59 trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);
60 return null;
61 }
62
63 if (isset($options ['salt'])) {
64 switch (gettype($options ['salt'])) {
65 case 'NULL':
66 case 'boolean':
67 case 'integer':
68 case 'double':
69 case 'string':
70 $salt = (string) $options ['salt'];
71 break;
72 case 'object':
73 if (method_exists($options ['salt'], '__tostring')) {
74 $salt = (string) $options ['salt'];
75 break;
76 }
77
78 //NOTE FALL-THROUGH CASE HERE. POSSIBLE BUG.
79 case 'array':
80 case 'resource':
81 default:
82 trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);
83 return null;
84 }
85
86 if (strlen($salt) < $required_salt_len) {
87 trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", strlen($salt), $required_salt_len), E_USER_WARNING);
88 return null;
89 } elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {
90 $salt = str_replace('+', '.', base64_encode($salt));
91 }
92 } else {
93 $salt = __password_make_salt($required_salt_len);
94 }
95
96 $salt = substr($salt, 0, $required_salt_len);
97
98 $hash = $hash_format . $salt;
99
100 $ret = crypt($password, $hash);
101
102 if (! is_string($ret) || strlen($ret) < 13) {
103 return false;
104 }
105
106 return $ret;
107 }
108 }
109
110 if (! function_exists('password_get_info')) {
111 /**
112 * Get information about the password hash.
113 * Returns an array of the information
114 * that was used to generate the password hash.
115 *
116 * array(
117 * 'algo' => 1,
118 * 'algoName' => 'bcrypt',
119 * 'options' => array(
120 * 'cost' => 10,
121 * ),
122 * )
123 *
124 * @param string $hash
125 * The password hash to extract info from
126 *
127 * @return array The array of information about the hash.
128 */
129 function password_get_info($hash)
130 {
131 $return = array (
132 'algo' => 0,
133 'algoName' => 'unknown',
134 'options' => array ()
135 );
136 if (substr($hash, 0, 4) == '$2y$' && strlen($hash) == 60) {
137 $return ['algo'] = PASSWORD_BCRYPT;
138 $return ['algoName'] = 'bcrypt';
139 list ( $cost ) = sscanf($hash, "$2y$%d$");
140 $return ['options'] ['cost'] = $cost;
141 }
142
143 return $return;
144 }
145 }
146
147 if (! function_exists('password_needs_rehash')) {
148 /**
149 * Determine if the password hash needs to be rehashed according to the options provided
150 *
151 * If the answer is true, after validating the password using password_verify, rehash it.
152 *
153 * @param string $hash
154 * The hash to test
155 * @param int $algo
156 * The algorithm used for new password hashes
157 * @param array $options
158 * The options array passed to password_hash
159 *
160 * @return boolean True if the password needs to be rehashed.
161 */
162 function password_needs_rehash($hash, $algo, array $options = array())
163 {
164 $info = password_get_info($hash);
165 if ($info ['algo'] != $algo) {
166 return true;
167 }
168
169 switch ($algo) {
170 case PASSWORD_BCRYPT:
171 $cost = isset($options ['cost']) ? $options ['cost'] : 10;
172 if ($cost != $info ['options'] ['cost']) {
173 return true;
174 }
175 break;
176 }
177
178 return false;
179 }
180 }
181
182 if (! function_exists('password_verify')) {
183 /**
184 * Verify a password against a hash using a timing attack resistant approach
185 *
186 * @param string $password
187 * The password to verify
188 * @param string $hash
189 * The hash to verify against
190 *
191 * @return boolean If the password matches the hash
192 */
193 function password_verify($password, $hash)
194 {
195 if (! function_exists('crypt')) {
196 trigger_error("Crypt must be loaded for password_create to function", E_USER_WARNING);
197 return false;
198 }
199
200 $ret = crypt($password, $hash);
201 if (! is_string($ret) || strlen($ret) != strlen($hash)) {
202 return false;
203 }
204
205 $status = 0;
206 for ($i = 0; $i < strlen($ret); $i++) {
207 $status |= (ord($ret [$i]) ^ ord($hash [$i]));
208 }
209
210 return $status === 0;
211 }
212 }
213
214 /**
215 * Function to make a salt
216 *
217 * DO NOT USE THIS FUNCTION DIRECTLY
218 *
219 * @internal
220 *
221 */
222 function __password_make_salt($length)
223 {
224 if ($length <= 0) {
225 trigger_error(sprintf("Length cannot be less than or equal zero: %d", $length), E_USER_WARNING);
226 return false;
227 }
228
229 $buffer = '';
230 $raw_length = (int) ($length * 3 / 4 + 1);
231 $buffer_valid = false;
232 if (function_exists('mcrypt_create_iv')) {
233 $buffer = mcrypt_create_iv($raw_length, MCRYPT_DEV_URANDOM);
234 if ($buffer) {
235 $buffer_valid = true;
236 }
237 }
238
239 if (! $buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
240 $buffer = openssl_random_pseudo_bytes($raw_length);
241 if ($buffer) {
242 $buffer_valid = true;
243 }
244 }
245
246 if (! $buffer_valid && file_exists('/dev/urandom')) {
247 $f = @fopen('/dev/urandom', 'r');
248 if ($f) {
249 $read = strlen($buffer);
250 while ($read < $raw_length) {
251 $buffer .= fread($f, $raw_length - $read);
252 $read = strlen($buffer);
253 }
254
255 fclose($f);
256 if ($read >= $raw_length) {
257 $buffer_valid = true;
258 }
259 }
260 }
261
262 if (! $buffer_valid) {
263 for ($i = 0; $i < $raw_length; $i++) {
264 $buffer .= chr(mt_rand(0, 255));
265 }
266 }
267
268 $buffer = str_replace('+', '.', base64_encode($buffer));
269 return substr($buffer, 0, $length);
270 }
Mirror of official OpenEMR Sourceforge repository