WordPress.org

Make WordPress Core

Ticket #51549: 51549.patch

File 51549.patch, 6.3 KB (added by ayeshrajans, 12 months ago)

Updated to phpass 0.5 from upstream, and applied wp-specific customizations

  • src/wp-includes/class-phpass.php

    diff --git a/src/wp-includes/class-phpass.php b/src/wp-includes/class-phpass.php
    index 8fcab44ad1..2d03f361ba 100644
    a b  
    33 * Portable PHP password hashing framework.
    44 * @package phpass
    55 * @since 2.5.0
    6  * @version 0.3 / WordPress
     6 * @version 0.5 / WordPress
    77 * @link https://www.openwall.com/phpass/
    88 */
    99
     10#
     11# Portable PHP password hashing framework.
     12#
     13# Version 0.5 / WordPress.
    1014#
    1115# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
    1216# the public domain.  Revised in subsequent years, still public domain.
    1317#
    1418# There's absolutely no warranty.
    1519#
     20# The homepage URL for this framework is:
     21#
     22#       http://www.openwall.com/phpass/
     23#
    1624# Please be sure to update the Version line if you edit this file in any way.
    1725# It is suggested that you leave the main version number intact, but indicate
    1826# your project name (after the slash) and add your own revision information.
     
    2937 * Portable PHP password hashing framework.
    3038 *
    3139 * @package phpass
    32  * @version 0.3 / WordPress
     40 * @version 0.5 / WordPress
    3341 * @link https://www.openwall.com/phpass/
    3442 * @since 2.5.0
    3543 */
    function __construct( $iteration_count_log2, $portable_hashes ) 
    5260
    5361                $this->portable_hashes = $portable_hashes;
    5462
    55                 $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
     63                $this->random_state = microtime();
     64                if (function_exists('getmypid'))
     65                        $this->random_state .= getmypid();
    5666        }
    5767
    5868        /**
    5969         * PHP4 constructor.
    6070         */
    61         public function PasswordHash( $iteration_count_log2, $portable_hashes ) {
    62                 self::__construct( $iteration_count_log2, $portable_hashes );
     71        function PasswordHash($iteration_count_log2, $portable_hashes)
     72        {
     73                self::__construct($iteration_count_log2, $portable_hashes);
    6374        }
    6475
    6576        function get_random_bytes($count)
    6677        {
    6778                $output = '';
    68                 if ( @is_readable('/dev/urandom') &&
     79                if (@is_readable('/dev/urandom') &&
    6980                    ($fh = @fopen('/dev/urandom', 'rb'))) {
    7081                        $output = fread($fh, $count);
    7182                        fclose($fh);
    function get_random_bytes($count) 
    7687                        for ($i = 0; $i < $count; $i += 16) {
    7788                                $this->random_state =
    7889                                    md5(microtime() . $this->random_state);
    79                                 $output .=
    80                                     pack('H*', md5($this->random_state));
     90                                $output .= md5($this->random_state, TRUE);
    8191                        }
    8292                        $output = substr($output, 0, $count);
    8393                }
    function gensalt_private($input) 
    121131        function crypt_private($password, $setting)
    122132        {
    123133                $output = '*0';
    124                 if (substr($setting, 0, 2) == $output)
     134                if (substr($setting, 0, 2) === $output)
    125135                        $output = '*1';
    126136
    127137                $id = substr($setting, 0, 3);
    128138                # We use "$P$", phpBB3 uses "$H$" for the same thing
    129                 if ($id != '$P$' && $id != '$H$')
     139                if ($id !== '$P$' && $id !== '$H$')
    130140                        return $output;
    131141
    132142                $count_log2 = strpos($this->itoa64, $setting[3]);
    function crypt_private($password, $setting) 
    136146                $count = 1 << $count_log2;
    137147
    138148                $salt = substr($setting, 4, 8);
    139                 if (strlen($salt) != 8)
     149                if (strlen($salt) !== 8)
    140150                        return $output;
    141151
    142                 # We're kind of forced to use MD5 here since it's the only
    143                 # cryptographic primitive available in all versions of PHP
    144                 # currently in use.  To implement our own low-level crypto
    145                 # in PHP would result in much worse performance and
     152                # We were kind of forced to use MD5 here since it's the only
     153                # cryptographic primitive that was available in all versions
     154                # of PHP in use.  To implement our own low-level crypto in PHP
     155                # would have resulted in much worse performance and
    146156                # consequently in lower iteration counts and hashes that are
    147157                # quicker to crack (by non-PHP code).
    148                 if (PHP_VERSION >= '5') {
    149                         $hash = md5($salt . $password, TRUE);
    150                         do {
    151                                 $hash = md5($hash . $password, TRUE);
    152                         } while (--$count);
    153                 } else {
    154                         $hash = pack('H*', md5($salt . $password));
    155                         do {
    156                                 $hash = pack('H*', md5($hash . $password));
    157                         } while (--$count);
    158                 }
     158                $hash = md5($salt . $password, TRUE);
     159                do {
     160                        $hash = md5($hash . $password, TRUE);
     161                } while (--$count);
    159162
    160163                $output = substr($setting, 0, 12);
    161164                $output .= $this->encode64($hash, 16);
    function crypt_private($password, $setting) 
    163166                return $output;
    164167        }
    165168
    166         function gensalt_extended($input)
    167         {
    168                 $count_log2 = min($this->iteration_count_log2 + 8, 24);
    169                 # This should be odd to not reveal weak DES keys, and the
    170                 # maximum valid value is (2**24 - 1) which is odd anyway.
    171                 $count = (1 << $count_log2) - 1;
    172 
    173                 $output = '_';
    174                 $output .= $this->itoa64[$count & 0x3f];
    175                 $output .= $this->itoa64[($count >> 6) & 0x3f];
    176                 $output .= $this->itoa64[($count >> 12) & 0x3f];
    177                 $output .= $this->itoa64[($count >> 18) & 0x3f];
    178 
    179                 $output .= $this->encode64($input, 3);
    180 
    181                 return $output;
    182         }
    183 
    184169        function gensalt_blowfish($input)
    185170        {
    186171                # This one needs to use a different order of characters and a
    function HashPassword($password) 
    230215
    231216                $random = '';
    232217
    233                 if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
     218                if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
    234219                        $random = $this->get_random_bytes(16);
    235220                        $hash =
    236221                            crypt($password, $this->gensalt_blowfish($random));
    237                         if (strlen($hash) == 60)
    238                                 return $hash;
    239                 }
    240 
    241                 if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
    242                         if (strlen($random) < 3)
    243                                 $random = $this->get_random_bytes(3);
    244                         $hash =
    245                             crypt($password, $this->gensalt_extended($random));
    246                         if (strlen($hash) == 20)
     222                        if (strlen($hash) === 60)
    247223                                return $hash;
    248224                }
    249225
    function HashPassword($password) 
    252228                $hash =
    253229                    $this->crypt_private($password,
    254230                    $this->gensalt_private($random));
    255                 if (strlen($hash) == 34)
     231                if (strlen($hash) === 34)
    256232                        return $hash;
    257233
    258234                # Returning '*' on error is safe here, but would _not_ be safe
    function CheckPassword($password, $stored_hash) 
    268244                }
    269245
    270246                $hash = $this->crypt_private($password, $stored_hash);
    271                 if ($hash[0] == '*')
     247                if ($hash[0] === '*')
    272248                        $hash = crypt($password, $stored_hash);
    273249
     250                # This is not constant-time.  In order to keep the code simple,
     251                # for timing safety we currently rely on the salts being
     252                # unpredictable, which they are at least in the non-fallback
     253                # cases (that is, when we use /dev/urandom and bcrypt).
    274254                return $hash === $stored_hash;
    275255        }
    276 }
    277  No newline at end of file
     256}