diff --git a/src/wp-includes/class-phpass.php b/src/wp-includes/class-phpass.php
index 8fcab44ad1..2d03f361ba 100644
a
|
b
|
|
3 | 3 | * Portable PHP password hashing framework. |
4 | 4 | * @package phpass |
5 | 5 | * @since 2.5.0 |
6 | | * @version 0.3 / WordPress |
| 6 | * @version 0.5 / WordPress |
7 | 7 | * @link https://www.openwall.com/phpass/ |
8 | 8 | */ |
9 | 9 | |
| 10 | # |
| 11 | # Portable PHP password hashing framework. |
| 12 | # |
| 13 | # Version 0.5 / WordPress. |
10 | 14 | # |
11 | 15 | # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in |
12 | 16 | # the public domain. Revised in subsequent years, still public domain. |
13 | 17 | # |
14 | 18 | # There's absolutely no warranty. |
15 | 19 | # |
| 20 | # The homepage URL for this framework is: |
| 21 | # |
| 22 | # http://www.openwall.com/phpass/ |
| 23 | # |
16 | 24 | # Please be sure to update the Version line if you edit this file in any way. |
17 | 25 | # It is suggested that you leave the main version number intact, but indicate |
18 | 26 | # your project name (after the slash) and add your own revision information. |
… |
… |
|
29 | 37 | * Portable PHP password hashing framework. |
30 | 38 | * |
31 | 39 | * @package phpass |
32 | | * @version 0.3 / WordPress |
| 40 | * @version 0.5 / WordPress |
33 | 41 | * @link https://www.openwall.com/phpass/ |
34 | 42 | * @since 2.5.0 |
35 | 43 | */ |
… |
… |
function __construct( $iteration_count_log2, $portable_hashes ) |
52 | 60 | |
53 | 61 | $this->portable_hashes = $portable_hashes; |
54 | 62 | |
55 | | $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons |
| 63 | $this->random_state = microtime(); |
| 64 | if (function_exists('getmypid')) |
| 65 | $this->random_state .= getmypid(); |
56 | 66 | } |
57 | 67 | |
58 | 68 | /** |
59 | 69 | * PHP4 constructor. |
60 | 70 | */ |
61 | | public function PasswordHash( $iteration_count_log2, $portable_hashes ) { |
62 | | self::__construct( $iteration_count_log2, $portable_hashes ); |
| 71 | function PasswordHash($iteration_count_log2, $portable_hashes) |
| 72 | { |
| 73 | self::__construct($iteration_count_log2, $portable_hashes); |
63 | 74 | } |
64 | 75 | |
65 | 76 | function get_random_bytes($count) |
66 | 77 | { |
67 | 78 | $output = ''; |
68 | | if ( @is_readable('/dev/urandom') && |
| 79 | if (@is_readable('/dev/urandom') && |
69 | 80 | ($fh = @fopen('/dev/urandom', 'rb'))) { |
70 | 81 | $output = fread($fh, $count); |
71 | 82 | fclose($fh); |
… |
… |
function get_random_bytes($count) |
76 | 87 | for ($i = 0; $i < $count; $i += 16) { |
77 | 88 | $this->random_state = |
78 | 89 | md5(microtime() . $this->random_state); |
79 | | $output .= |
80 | | pack('H*', md5($this->random_state)); |
| 90 | $output .= md5($this->random_state, TRUE); |
81 | 91 | } |
82 | 92 | $output = substr($output, 0, $count); |
83 | 93 | } |
… |
… |
function gensalt_private($input) |
121 | 131 | function crypt_private($password, $setting) |
122 | 132 | { |
123 | 133 | $output = '*0'; |
124 | | if (substr($setting, 0, 2) == $output) |
| 134 | if (substr($setting, 0, 2) === $output) |
125 | 135 | $output = '*1'; |
126 | 136 | |
127 | 137 | $id = substr($setting, 0, 3); |
128 | 138 | # We use "$P$", phpBB3 uses "$H$" for the same thing |
129 | | if ($id != '$P$' && $id != '$H$') |
| 139 | if ($id !== '$P$' && $id !== '$H$') |
130 | 140 | return $output; |
131 | 141 | |
132 | 142 | $count_log2 = strpos($this->itoa64, $setting[3]); |
… |
… |
function crypt_private($password, $setting) |
136 | 146 | $count = 1 << $count_log2; |
137 | 147 | |
138 | 148 | $salt = substr($setting, 4, 8); |
139 | | if (strlen($salt) != 8) |
| 149 | if (strlen($salt) !== 8) |
140 | 150 | return $output; |
141 | 151 | |
142 | | # We're kind of forced to use MD5 here since it's the only |
143 | | # cryptographic primitive available in all versions of PHP |
144 | | # currently in use. To implement our own low-level crypto |
145 | | # in PHP would result in much worse performance and |
| 152 | # We were kind of forced to use MD5 here since it's the only |
| 153 | # cryptographic primitive that was available in all versions |
| 154 | # of PHP in use. To implement our own low-level crypto in PHP |
| 155 | # would have resulted in much worse performance and |
146 | 156 | # consequently in lower iteration counts and hashes that are |
147 | 157 | # quicker to crack (by non-PHP code). |
148 | | if (PHP_VERSION >= '5') { |
149 | | $hash = md5($salt . $password, TRUE); |
150 | | do { |
151 | | $hash = md5($hash . $password, TRUE); |
152 | | } while (--$count); |
153 | | } else { |
154 | | $hash = pack('H*', md5($salt . $password)); |
155 | | do { |
156 | | $hash = pack('H*', md5($hash . $password)); |
157 | | } while (--$count); |
158 | | } |
| 158 | $hash = md5($salt . $password, TRUE); |
| 159 | do { |
| 160 | $hash = md5($hash . $password, TRUE); |
| 161 | } while (--$count); |
159 | 162 | |
160 | 163 | $output = substr($setting, 0, 12); |
161 | 164 | $output .= $this->encode64($hash, 16); |
… |
… |
function crypt_private($password, $setting) |
163 | 166 | return $output; |
164 | 167 | } |
165 | 168 | |
166 | | function gensalt_extended($input) |
167 | | { |
168 | | $count_log2 = min($this->iteration_count_log2 + 8, 24); |
169 | | # This should be odd to not reveal weak DES keys, and the |
170 | | # maximum valid value is (2**24 - 1) which is odd anyway. |
171 | | $count = (1 << $count_log2) - 1; |
172 | | |
173 | | $output = '_'; |
174 | | $output .= $this->itoa64[$count & 0x3f]; |
175 | | $output .= $this->itoa64[($count >> 6) & 0x3f]; |
176 | | $output .= $this->itoa64[($count >> 12) & 0x3f]; |
177 | | $output .= $this->itoa64[($count >> 18) & 0x3f]; |
178 | | |
179 | | $output .= $this->encode64($input, 3); |
180 | | |
181 | | return $output; |
182 | | } |
183 | | |
184 | 169 | function gensalt_blowfish($input) |
185 | 170 | { |
186 | 171 | # This one needs to use a different order of characters and a |
… |
… |
function HashPassword($password) |
230 | 215 | |
231 | 216 | $random = ''; |
232 | 217 | |
233 | | if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { |
| 218 | if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) { |
234 | 219 | $random = $this->get_random_bytes(16); |
235 | 220 | $hash = |
236 | 221 | crypt($password, $this->gensalt_blowfish($random)); |
237 | | if (strlen($hash) == 60) |
238 | | return $hash; |
239 | | } |
240 | | |
241 | | if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { |
242 | | if (strlen($random) < 3) |
243 | | $random = $this->get_random_bytes(3); |
244 | | $hash = |
245 | | crypt($password, $this->gensalt_extended($random)); |
246 | | if (strlen($hash) == 20) |
| 222 | if (strlen($hash) === 60) |
247 | 223 | return $hash; |
248 | 224 | } |
249 | 225 | |
… |
… |
function HashPassword($password) |
252 | 228 | $hash = |
253 | 229 | $this->crypt_private($password, |
254 | 230 | $this->gensalt_private($random)); |
255 | | if (strlen($hash) == 34) |
| 231 | if (strlen($hash) === 34) |
256 | 232 | return $hash; |
257 | 233 | |
258 | 234 | # Returning '*' on error is safe here, but would _not_ be safe |
… |
… |
function CheckPassword($password, $stored_hash) |
268 | 244 | } |
269 | 245 | |
270 | 246 | $hash = $this->crypt_private($password, $stored_hash); |
271 | | if ($hash[0] == '*') |
| 247 | if ($hash[0] === '*') |
272 | 248 | $hash = crypt($password, $stored_hash); |
273 | 249 | |
| 250 | # This is not constant-time. In order to keep the code simple, |
| 251 | # for timing safety we currently rely on the salts being |
| 252 | # unpredictable, which they are at least in the non-fallback |
| 253 | # cases (that is, when we use /dev/urandom and bcrypt). |
274 | 254 | return $hash === $stored_hash; |
275 | 255 | } |
276 | | } |
277 | | No newline at end of file |
| 256 | } |