You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

254 lines
6.7 KiB

7 years ago
  1. <?php
  2. /**
  3. * CodeIgniter
  4. *
  5. * An open source application development framework for PHP
  6. *
  7. * This content is released under the MIT License (MIT)
  8. *
  9. * Copyright (c) 2014 - 2017, British Columbia Institute of Technology
  10. *
  11. * Permission is hereby granted, free of charge, to any person obtaining a copy
  12. * of this software and associated documentation files (the "Software"), to deal
  13. * in the Software without restriction, including without limitation the rights
  14. * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  15. * copies of the Software, and to permit persons to whom the Software is
  16. * furnished to do so, subject to the following conditions:
  17. *
  18. * The above copyright notice and this permission notice shall be included in
  19. * all copies or substantial portions of the Software.
  20. *
  21. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  22. * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  23. * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  24. * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  25. * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  26. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  27. * THE SOFTWARE.
  28. *
  29. * @package CodeIgniter
  30. * @author EllisLab Dev Team
  31. * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/)
  32. * @copyright Copyright (c) 2014 - 2017, British Columbia Institute of Technology (http://bcit.ca/)
  33. * @license http://opensource.org/licenses/MIT MIT License
  34. * @link https://codeigniter.com
  35. * @since Version 3.0.0
  36. * @filesource
  37. */
  38. defined('BASEPATH') OR exit('No direct script access allowed');
  39. /**
  40. * PHP ext/hash compatibility package
  41. *
  42. * @package CodeIgniter
  43. * @subpackage CodeIgniter
  44. * @category Compatibility
  45. * @author Andrey Andreev
  46. * @link https://codeigniter.com/user_guide/
  47. * @link http://php.net/hash
  48. */
  49. // ------------------------------------------------------------------------
  50. if (is_php('5.6'))
  51. {
  52. return;
  53. }
  54. // ------------------------------------------------------------------------
  55. if ( ! function_exists('hash_equals'))
  56. {
  57. /**
  58. * hash_equals()
  59. *
  60. * @link http://php.net/hash_equals
  61. * @param string $known_string
  62. * @param string $user_string
  63. * @return bool
  64. */
  65. function hash_equals($known_string, $user_string)
  66. {
  67. if ( ! is_string($known_string))
  68. {
  69. trigger_error('hash_equals(): Expected known_string to be a string, '.strtolower(gettype($known_string)).' given', E_USER_WARNING);
  70. return FALSE;
  71. }
  72. elseif ( ! is_string($user_string))
  73. {
  74. trigger_error('hash_equals(): Expected user_string to be a string, '.strtolower(gettype($user_string)).' given', E_USER_WARNING);
  75. return FALSE;
  76. }
  77. elseif (($length = strlen($known_string)) !== strlen($user_string))
  78. {
  79. return FALSE;
  80. }
  81. $diff = 0;
  82. for ($i = 0; $i < $length; $i++)
  83. {
  84. $diff |= ord($known_string[$i]) ^ ord($user_string[$i]);
  85. }
  86. return ($diff === 0);
  87. }
  88. }
  89. // ------------------------------------------------------------------------
  90. if (is_php('5.5'))
  91. {
  92. return;
  93. }
  94. // ------------------------------------------------------------------------
  95. if ( ! function_exists('hash_pbkdf2'))
  96. {
  97. /**
  98. * hash_pbkdf2()
  99. *
  100. * @link http://php.net/hash_pbkdf2
  101. * @param string $algo
  102. * @param string $password
  103. * @param string $salt
  104. * @param int $iterations
  105. * @param int $length
  106. * @param bool $raw_output
  107. * @return string
  108. */
  109. function hash_pbkdf2($algo, $password, $salt, $iterations, $length = 0, $raw_output = FALSE)
  110. {
  111. if ( ! in_array(strtolower($algo), hash_algos(), TRUE))
  112. {
  113. trigger_error('hash_pbkdf2(): Unknown hashing algorithm: '.$algo, E_USER_WARNING);
  114. return FALSE;
  115. }
  116. if (($type = gettype($iterations)) !== 'integer')
  117. {
  118. if ($type === 'object' && method_exists($iterations, '__toString'))
  119. {
  120. $iterations = (string) $iterations;
  121. }
  122. if (is_string($iterations) && is_numeric($iterations))
  123. {
  124. $iterations = (int) $iterations;
  125. }
  126. else
  127. {
  128. trigger_error('hash_pbkdf2() expects parameter 4 to be long, '.$type.' given', E_USER_WARNING);
  129. return NULL;
  130. }
  131. }
  132. if ($iterations < 1)
  133. {
  134. trigger_error('hash_pbkdf2(): Iterations must be a positive integer: '.$iterations, E_USER_WARNING);
  135. return FALSE;
  136. }
  137. if (($type = gettype($length)) !== 'integer')
  138. {
  139. if ($type === 'object' && method_exists($length, '__toString'))
  140. {
  141. $length = (string) $length;
  142. }
  143. if (is_string($length) && is_numeric($length))
  144. {
  145. $length = (int) $length;
  146. }
  147. else
  148. {
  149. trigger_error('hash_pbkdf2() expects parameter 5 to be long, '.$type.' given', E_USER_WARNING);
  150. return NULL;
  151. }
  152. }
  153. if ($length < 0)
  154. {
  155. trigger_error('hash_pbkdf2(): Length must be greater than or equal to 0: '.$length, E_USER_WARNING);
  156. return FALSE;
  157. }
  158. $hash_length = defined('MB_OVERLOAD_STRING')
  159. ? mb_strlen(hash($algo, NULL, TRUE), '8bit')
  160. : strlen(hash($algo, NULL, TRUE));
  161. empty($length) && $length = $hash_length;
  162. // Pre-hash password inputs longer than the algorithm's block size
  163. // (i.e. prepare HMAC key) to mitigate potential DoS attacks.
  164. static $block_sizes;
  165. empty($block_sizes) && $block_sizes = array(
  166. 'gost' => 32,
  167. 'haval128,3' => 128,
  168. 'haval160,3' => 128,
  169. 'haval192,3' => 128,
  170. 'haval224,3' => 128,
  171. 'haval256,3' => 128,
  172. 'haval128,4' => 128,
  173. 'haval160,4' => 128,
  174. 'haval192,4' => 128,
  175. 'haval224,4' => 128,
  176. 'haval256,4' => 128,
  177. 'haval128,5' => 128,
  178. 'haval160,5' => 128,
  179. 'haval192,5' => 128,
  180. 'haval224,5' => 128,
  181. 'haval256,5' => 128,
  182. 'md2' => 16,
  183. 'md4' => 64,
  184. 'md5' => 64,
  185. 'ripemd128' => 64,
  186. 'ripemd160' => 64,
  187. 'ripemd256' => 64,
  188. 'ripemd320' => 64,
  189. 'salsa10' => 64,
  190. 'salsa20' => 64,
  191. 'sha1' => 64,
  192. 'sha224' => 64,
  193. 'sha256' => 64,
  194. 'sha384' => 128,
  195. 'sha512' => 128,
  196. 'snefru' => 32,
  197. 'snefru256' => 32,
  198. 'tiger128,3' => 64,
  199. 'tiger160,3' => 64,
  200. 'tiger192,3' => 64,
  201. 'tiger128,4' => 64,
  202. 'tiger160,4' => 64,
  203. 'tiger192,4' => 64,
  204. 'whirlpool' => 64
  205. );
  206. if (isset($block_sizes[$algo], $password[$block_sizes[$algo]]))
  207. {
  208. $password = hash($algo, $password, TRUE);
  209. }
  210. $hash = '';
  211. // Note: Blocks are NOT 0-indexed
  212. for ($bc = (int) ceil($length / $hash_length), $bi = 1; $bi <= $bc; $bi++)
  213. {
  214. $key = $derived_key = hash_hmac($algo, $salt.pack('N', $bi), $password, TRUE);
  215. for ($i = 1; $i < $iterations; $i++)
  216. {
  217. $derived_key ^= $key = hash_hmac($algo, $key, $password, TRUE);
  218. }
  219. $hash .= $derived_key;
  220. }
  221. // This is not RFC-compatible, but we're aiming for natural PHP compatibility
  222. if ( ! $raw_output)
  223. {
  224. $hash = bin2hex($hash);
  225. }
  226. return defined('MB_OVERLOAD_STRING')
  227. ? mb_substr($hash, 0, $length, '8bit')
  228. : substr($hash, 0, $length);
  229. }
  230. }