aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/phpbb/passwords
diff options
context:
space:
mode:
authorMaat <maat-pub@mageia.biz>2020-05-08 18:29:30 +0200
committerMaat <maat-pub@mageia.biz>2020-05-08 21:36:04 +0200
commit36bc1870f21fac04736a1049c1d5b8e127d729f4 (patch)
tree9d102331eeaf1ef3cd23e656320d7c08e65757ed /phpBB/phpbb/passwords
parent8875d385d0579b451dac4d9bda465172b4f69ee0 (diff)
parent149375253685b3a38996f63015a74b7a0f53aa14 (diff)
downloadforums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.gz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.bz2
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.tar.xz
forums-36bc1870f21fac04736a1049c1d5b8e127d729f4.zip
Merge remote-tracking branch 'upstream/prep-release-3.1.11'
Diffstat (limited to 'phpBB/phpbb/passwords')
-rw-r--r--phpBB/phpbb/passwords/driver/base.php62
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt.php105
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt_2y.php35
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt_wcf2.php84
-rw-r--r--phpBB/phpbb/passwords/driver/convert_password.php43
-rw-r--r--phpBB/phpbb/passwords/driver/driver_interface.php69
-rw-r--r--phpBB/phpbb/passwords/driver/helper.php177
-rw-r--r--phpBB/phpbb/passwords/driver/md5_mybb.php60
-rw-r--r--phpBB/phpbb/passwords/driver/md5_phpbb2.php123
-rw-r--r--phpBB/phpbb/passwords/driver/md5_vb.php60
-rw-r--r--phpBB/phpbb/passwords/driver/phpass.php27
-rw-r--r--phpBB/phpbb/passwords/driver/salted_md5.php169
-rw-r--r--phpBB/phpbb/passwords/driver/sha1.php52
-rw-r--r--phpBB/phpbb/passwords/driver/sha1_smf.php51
-rw-r--r--phpBB/phpbb/passwords/driver/sha1_wcf1.php60
-rw-r--r--phpBB/phpbb/passwords/driver/sha_xf1.php68
-rw-r--r--phpBB/phpbb/passwords/helper.php104
-rw-r--r--phpBB/phpbb/passwords/manager.php366
18 files changed, 1715 insertions, 0 deletions
diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php
new file mode 100644
index 0000000000..fd07a61bf4
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/base.php
@@ -0,0 +1,62 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+abstract class base implements driver_interface
+{
+ /** @var \phpbb\config\config */
+ protected $config;
+
+ /** @var \phpbb\passwords\driver\helper */
+ protected $helper;
+
+ /** @var driver name */
+ protected $name;
+
+ /**
+ * Constructor of passwords driver object
+ *
+ * @param \phpbb\config\config $config phpBB config
+ * @param \phpbb\passwords\driver\helper $helper Password driver helper
+ */
+ public function __construct(\phpbb\config\config $config, helper $helper)
+ {
+ $this->config = $config;
+ $this->helper = $helper;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_supported()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_settings_only($hash, $full = false)
+ {
+ return false;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
new file mode 100644
index 0000000000..eab1c3d569
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -0,0 +1,105 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class bcrypt extends base
+{
+ const PREFIX = '$2a$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $salt = '')
+ {
+ // The 2x and 2y prefixes of bcrypt might not be supported
+ // Revert to 2a if this is the case
+ $prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();
+
+ // Do not support 8-bit characters with $2a$ bcrypt
+ // Also see http://www.php.net/security/crypt_blowfish.php
+ if ($prefix === self::PREFIX)
+ {
+ if (ord($password[strlen($password)-1]) & 128)
+ {
+ return false;
+ }
+ }
+
+ if ($salt == '')
+ {
+ $salt = $prefix . '10$' . $this->get_random_salt();
+ }
+
+ $hash = crypt($password, $salt);
+ if (strlen($hash) < 60)
+ {
+ return false;
+ }
+ return $hash;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ $salt = substr($hash, 0, 29);
+ if (strlen($salt) != 29)
+ {
+ return false;
+ }
+
+ if ($this->helper->string_compare($hash, $this->hash($password, $salt)))
+ {
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Get a random salt value with a length of 22 characters
+ *
+ * @return string Salt for password hashing
+ */
+ protected function get_random_salt()
+ {
+ return $this->helper->hash_encode64($this->helper->get_random_salt(22), 22);
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_settings_only($hash, $full = false)
+ {
+ if ($full)
+ {
+ $pos = stripos($hash, '$', 1) + 1;
+ $length = 22 + (strripos($hash, '$') + 1 - $pos);
+ }
+ else
+ {
+ $pos = strripos($hash, '$') + 1;
+ $length = 22;
+ }
+ return substr($hash, $pos, $length);
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/bcrypt_2y.php b/phpBB/phpbb/passwords/driver/bcrypt_2y.php
new file mode 100644
index 0000000000..c710e0d04a
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/bcrypt_2y.php
@@ -0,0 +1,35 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class bcrypt_2y extends bcrypt
+{
+ const PREFIX = '$2y$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_supported()
+ {
+ return (version_compare(PHP_VERSION, '5.3.7', '<')) ? false : true;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
new file mode 100644
index 0000000000..0eee98d7b7
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
@@ -0,0 +1,84 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class bcrypt_wcf2 extends base
+{
+ const PREFIX = '$wcf2$';
+
+ /** @var \phpbb\passwords\driver\bcrypt */
+ protected $bcrypt;
+
+ /** @var \phpbb\passwords\driver\helper */
+ protected $helper;
+
+ /**
+ * Constructor of passwords driver object
+ *
+ * @param \phpbb\passwords\driver\bcrypt $bcrypt Salted md5 driver
+ * @param \phpbb\passwords\driver\helper $helper Password driver helper
+ */
+ public function __construct(\phpbb\passwords\driver\bcrypt $bcrypt, helper $helper)
+ {
+ $this->bcrypt = $bcrypt;
+ $this->helper = $helper;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (empty($hash) || strlen($hash) != 60)
+ {
+ return false;
+ }
+ else
+ {
+ $salt = substr($hash, 0, 29);
+
+ if (strlen($salt) != 29)
+ {
+ return false;
+ }
+ // Works for standard WCF 2.x, i.e. WBB4 and similar
+ return $this->helper->string_compare($hash, $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt));
+ }
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/convert_password.php b/phpBB/phpbb/passwords/driver/convert_password.php
new file mode 100644
index 0000000000..eb70434df2
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/convert_password.php
@@ -0,0 +1,43 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class convert_password extends base
+{
+ const PREFIX = '$CP$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ return false;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php
new file mode 100644
index 0000000000..3974484f13
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/driver_interface.php
@@ -0,0 +1,69 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+interface driver_interface
+{
+ /**
+ * Check if hash type is supported
+ *
+ * @return bool True if supported, false if not
+ */
+ public function is_supported();
+
+ /**
+ * Check if hash type is a legacy hash type
+ *
+ * @return bool True if it's a legacy hash type, false if not
+ */
+ public function is_legacy();
+
+ /**
+ * Returns the hash prefix
+ *
+ * @return string Hash prefix
+ */
+ public function get_prefix();
+
+ /**
+ * Hash the password
+ *
+ * @param string $password The password that should be hashed
+ *
+ * @return bool|string Password hash or false if something went wrong
+ * during hashing
+ */
+ public function hash($password);
+
+ /**
+ * Check the password against the supplied hash
+ *
+ * @param string $password The password to check
+ * @param string $hash The password hash to check against
+ * @param array $user_row User's row in users table
+ *
+ * @return bool True if password is correct, else false
+ */
+ public function check($password, $hash, $user_row = array());
+
+ /**
+ * Get only the settings of the specified hash
+ *
+ * @param string $hash Password hash
+ * @param bool $full Return full settings or only settings
+ * related to the salt
+ * @return string String containing the hash settings
+ */
+ public function get_settings_only($hash, $full = false);
+}
diff --git a/phpBB/phpbb/passwords/driver/helper.php b/phpBB/phpbb/passwords/driver/helper.php
new file mode 100644
index 0000000000..f80c3e3df6
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/helper.php
@@ -0,0 +1,177 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class helper
+{
+ /**
+ * @var \phpbb\config\config
+ */
+ protected $config;
+
+ /**
+ * base64 alphabet
+ * @var string
+ */
+ public $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+
+ /**
+ * Construct a driver helper object
+ *
+ * @param \phpbb\config\config $config phpBB configuration
+ */
+ public function __construct(\phpbb\config\config $config)
+ {
+ $this->config = $config;
+ }
+
+ /**
+ * Base64 encode hash
+ *
+ * @param string $input Input string
+ * @param int $count Input string length
+ *
+ * @return string base64 encoded string
+ */
+ public function hash_encode64($input, $count)
+ {
+ $output = '';
+ $i = 0;
+
+ do
+ {
+ $value = ord($input[$i++]);
+ $output .= $this->itoa64[$value & 0x3f];
+
+ if ($i < $count)
+ {
+ $value |= ord($input[$i]) << 8;
+ }
+
+ $output .= $this->itoa64[($value >> 6) & 0x3f];
+
+ if ($i++ >= $count)
+ {
+ break;
+ }
+
+ if ($i < $count)
+ {
+ $value |= ord($input[$i]) << 16;
+ }
+
+ $output .= $this->itoa64[($value >> 12) & 0x3f];
+
+ if ($i++ >= $count)
+ {
+ break;
+ }
+
+ $output .= $this->itoa64[($value >> 18) & 0x3f];
+ }
+ while ($i < $count);
+
+ return $output;
+ }
+
+ /**
+ * Return unique id
+ *
+ * @param string $extra Additional entropy
+ *
+ * @return string Unique id
+ */
+ public function unique_id($extra = 'c')
+ {
+ static $dss_seeded = false;
+
+ $val = $this->config['rand_seed'] . microtime();
+ $val = md5($val);
+ $this->config['rand_seed'] = md5($this->config['rand_seed'] . $val . $extra);
+
+ if ($dss_seeded !== true && ($this->config['rand_seed_last_update'] < time() - rand(1,10)))
+ {
+ $this->config->set('rand_seed_last_update', time(), true);
+ $this->config->set('rand_seed', $this->config['rand_seed'], true);
+ $dss_seeded = true;
+ }
+
+ return substr($val, 4, 16);
+ }
+
+ /**
+ * Get random salt with specified length
+ *
+ * @param int $length Salt length
+ * @param string $rand_seed Seed for random data (optional). For tests.
+ *
+ * @return string Random salt with specified length
+ */
+ public function get_random_salt($length, $rand_seed = '/dev/urandom')
+ {
+ $random = '';
+
+ if (($fh = @fopen($rand_seed, 'rb')))
+ {
+ $random = fread($fh, $length);
+ fclose($fh);
+ }
+
+ if (strlen($random) < $length)
+ {
+ $random = '';
+ $random_state = $this->unique_id();
+
+ for ($i = 0; $i < $length; $i += 16)
+ {
+ $random_state = md5($this->unique_id() . $random_state);
+ $random .= pack('H*', md5($random_state));
+ }
+ $random = substr($random, 0, $length);
+ }
+ return $random;
+ }
+
+ /**
+ * Compare two strings byte by byte
+ *
+ * @param string $string_a The first string
+ * @param string $string_b The second string
+ *
+ * @return bool True if strings are the same, false if not
+ */
+ public function string_compare($string_a, $string_b)
+ {
+ // Return if input variables are not strings or if length does not match
+ if (!is_string($string_a) || !is_string($string_b) || strlen($string_a) != strlen($string_b))
+ {
+ return false;
+ }
+
+ // Use hash_equals() if it's available
+ if (function_exists('hash_equals'))
+ {
+ return hash_equals($string_a, $string_b);
+ }
+
+ $difference = 0;
+
+ for ($i = 0; $i < strlen($string_a) && $i < strlen($string_b); $i++)
+ {
+ $difference |= ord($string_a[$i]) ^ ord($string_b[$i]);
+ }
+
+ return $difference === 0;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php
new file mode 100644
index 0000000000..f631ceae78
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_mybb.php
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_mybb extends base
+{
+ const PREFIX = '$md5_mybb$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
+ {
+ return false;
+ }
+ else
+ {
+ // Works for myBB 1.1.x, 1.2.x, 1.4.x, 1.6.x
+ return $this->helper->string_compare($hash, md5(md5($user_row['user_passwd_salt']) . md5($password)));
+ }
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
new file mode 100644
index 0000000000..bd8cc51e5a
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
@@ -0,0 +1,123 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_phpbb2 extends base
+{
+ const PREFIX = '$md5_phpbb2$';
+
+ /** @var \phpbb\request\request phpBB request object */
+ protected $request;
+
+ /** @var \phpbb\passwords\driver\salted_md5 */
+ protected $salted_md5;
+
+ /** @var \phpbb\passwords\driver\helper */
+ protected $helper;
+
+ /** @var string phpBB root path */
+ protected $phpbb_root_path;
+
+ /** @var string php file extension */
+ protected $php_ext;
+
+ /**
+ * Constructor of passwords driver object
+ *
+ * @param \phpbb\request\request $request phpBB request object
+ * @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver
+ * @param \phpbb\passwords\driver\helper $helper Driver helper
+ * @param string $phpbb_root_path phpBB root path
+ * @param string $php_ext PHP file extension
+ */
+ public function __construct($request, salted_md5 $salted_md5, helper $helper, $phpbb_root_path, $php_ext)
+ {
+ $this->request = $request;
+ $this->salted_md5 = $salted_md5;
+ $this->helper = $helper;
+ $this->phpbb_root_path = $phpbb_root_path;
+ $this->php_ext = $php_ext;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (strlen($hash) != 32 && strlen($hash) != 34)
+ {
+ return false;
+ }
+
+ // enable super globals to get literal value
+ // this is needed to prevent unicode normalization
+ $super_globals_disabled = $this->request->super_globals_disabled();
+ if ($super_globals_disabled)
+ {
+ $this->request->enable_super_globals();
+ }
+
+ // in phpBB2 passwords were used exactly as they were sent, with addslashes applied
+ $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
+ $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
+ $password_new_format = $this->request->variable('password', '', true);
+
+ if ($super_globals_disabled)
+ {
+ $this->request->disable_super_globals();
+ }
+
+ if ($password == $password_new_format)
+ {
+ if (!function_exists('utf8_to_cp1252'))
+ {
+ include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
+ }
+
+ if ($this->helper->string_compare(md5($password_old_format), $hash) || $this->helper->string_compare(md5(\utf8_to_cp1252($password_old_format)), $hash)
+ || $this->salted_md5->check(md5($password_old_format), $hash) === true
+ || $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true)
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php
new file mode 100644
index 0000000000..280b7114c7
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/md5_vb.php
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class md5_vb extends base
+{
+ const PREFIX = '$md5_vb$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
+ {
+ return false;
+ }
+ else
+ {
+ // Works for vB 3.8.x, 4.x.x, 5.0.x
+ return $this->helper->string_compare($hash, md5(md5($password) . $user_row['user_passwd_salt']));
+ }
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/phpass.php b/phpBB/phpbb/passwords/driver/phpass.php
new file mode 100644
index 0000000000..bef8355276
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/phpass.php
@@ -0,0 +1,27 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class phpass extends salted_md5
+{
+ const PREFIX = '$P$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
new file mode 100644
index 0000000000..38d6d9cd2c
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -0,0 +1,169 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+/**
+*
+* @version Version 0.1 / slightly modified for phpBB 3.1.x (using $H$ as hash type identifier)
+*
+* Portable PHP password hashing framework.
+*
+* Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
+* the public domain.
+*
+* There's absolutely no warranty.
+*
+* The homepage URL for this framework is:
+*
+* http://www.openwall.com/phpass/
+*
+* Please be sure to update the Version line if you edit this file in any way.
+* It is suggested that you leave the main version number intact, but indicate
+* your project name (after the slash) and add your own revision information.
+*
+* Please do not change the "private" password hashing method implemented in
+* here, thereby making your hashes incompatible. However, if you must, please
+* change the hash type identifier (the "$P$") to something different.
+*
+* Obviously, since this code is in the public domain, the above are not
+* requirements (there can be none), but merely suggestions.
+*
+*/
+
+class salted_md5 extends base
+{
+ const PREFIX = '$H$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $setting = '')
+ {
+ if ($setting)
+ {
+ if (($settings = $this->get_hash_settings($setting)) === false)
+ {
+ // Return md5 of password if settings do not
+ // comply with our standards. This will only
+ // happen if pre-determined settings are
+ // directly passed to the driver. The manager
+ // will not do this. Same as the old hashing
+ // implementation in phpBB 3.0
+ return md5($password);
+ }
+ }
+ else
+ {
+ $settings = $this->get_hash_settings($this->generate_salt());
+ }
+
+ $hash = md5($settings['salt'] . $password, true);
+ do
+ {
+ $hash = md5($hash . $password, true);
+ }
+ while (--$settings['count']);
+
+ $output = $settings['full'];
+ $output .= $this->helper->hash_encode64($hash, 16);
+
+ return $output;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (strlen($hash) !== 34)
+ {
+ return md5($password) === $hash;
+ }
+
+ return $this->helper->string_compare($hash, $this->hash($password, $hash));
+ }
+
+ /**
+ * Generate salt for hashing method
+ *
+ * @return string Salt for hashing method
+ */
+ protected function generate_salt()
+ {
+ $count = 6;
+
+ $random = $this->helper->get_random_salt($count);
+
+ $salt = $this->get_prefix();
+ $salt .= $this->helper->itoa64[min($count + 5, 30)];
+ $salt .= $this->helper->hash_encode64($random, $count);
+
+ return $salt;
+ }
+
+ /**
+ * Get hash settings
+ *
+ * @param string $hash The hash that contains the settings
+ *
+ * @return bool|array Array containing the count_log2, salt, and full
+ * hash settings string or false if supplied hash is empty
+ * or contains incorrect settings
+ */
+ public function get_hash_settings($hash)
+ {
+ if (empty($hash))
+ {
+ return false;
+ }
+
+ $count_log2 = strpos($this->helper->itoa64, $hash[3]);
+ $salt = substr($hash, 4, 8);
+
+ if ($count_log2 < 7 || $count_log2 > 30 || strlen($salt) != 8)
+ {
+ return false;
+ }
+
+ return array(
+ 'count' => 1 << $count_log2,
+ 'salt' => $salt,
+ 'full' => substr($hash, 0, 12),
+ );
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_settings_only($hash, $full = false)
+ {
+ return substr($hash, 3, 9);
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php
new file mode 100644
index 0000000000..1abead42cd
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1.php
@@ -0,0 +1,52 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1 extends base
+{
+ const PREFIX = '$sha1$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ return (strlen($hash) == 40) ? $this->helper->string_compare($hash, sha1($password)) : false;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php
new file mode 100644
index 0000000000..b30d87265e
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1_smf.php
@@ -0,0 +1,51 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1_smf extends base
+{
+ const PREFIX = '$smf$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ return (isset($user_row['login_name'])) ? sha1(strtolower($user_row['login_name']) . $password) : false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ return (strlen($hash) == 40) ? $this->helper->string_compare($hash, $this->hash($password, $user_row)) : false;
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
new file mode 100644
index 0000000000..68006486c4
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
@@ -0,0 +1,60 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha1_wcf1 extends base
+{
+ const PREFIX = '$wcf1$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt']))
+ {
+ return false;
+ }
+ else
+ {
+ // Works for standard WCF 1.x, i.e. WBB3 and similar
+ return $this->helper->string_compare($hash, sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password))));
+ }
+ }
+}
diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php
new file mode 100644
index 0000000000..9d8f01796e
--- /dev/null
+++ b/phpBB/phpbb/passwords/driver/sha_xf1.php
@@ -0,0 +1,68 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords\driver;
+
+class sha_xf1 extends base
+{
+ const PREFIX = '$xf1$';
+
+ /**
+ * {@inheritdoc}
+ */
+ public function get_prefix()
+ {
+ return self::PREFIX;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function is_legacy()
+ {
+ return true;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function hash($password, $user_row = '')
+ {
+ // Do not support hashing
+ return false;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt']))
+ {
+ return false;
+ }
+ else
+ {
+ // Works for xenforo 1.0, 1.1
+ if ($this->helper->string_compare($hash, sha1(sha1($password) . $user_row['user_passwd_salt']))
+ || $this->helper->string_compare($hash, hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt'])))
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+ }
+ }
+}
diff --git a/phpBB/phpbb/passwords/helper.php b/phpBB/phpbb/passwords/helper.php
new file mode 100644
index 0000000000..c2a49202cd
--- /dev/null
+++ b/phpBB/phpbb/passwords/helper.php
@@ -0,0 +1,104 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords;
+
+class helper
+{
+ /**
+ * Get hash settings from combined hash
+ *
+ * @param string $hash Password hash of combined hash
+ *
+ * @return array An array containing the hash settings for the hash
+ * types in successive order as described by the combined
+ * password hash or an empty array if hash does not
+ * properly fit the combined hash format
+ */
+ public function get_combined_hash_settings($hash)
+ {
+ $output = array();
+
+ preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match);
+ $hash_settings = substr($hash, strpos($hash, $match[1]) + strlen($match[1]) + 1);
+ $matches = explode('\\', $match[1]);
+ foreach ($matches as $cur_type)
+ {
+ $dollar_position = strpos($hash_settings, '$');
+ $output[] = substr($hash_settings, 0, ($dollar_position != false) ? $dollar_position : strlen($hash_settings));
+ $hash_settings = substr($hash_settings, $dollar_position + 1);
+ }
+
+ return $output;
+ }
+
+ /**
+ * Combine hash prefixes, settings, and actual hash
+ *
+ * @param array $data Array containing the keys 'prefix' and 'settings'.
+ * It will hold the prefixes and settings
+ * @param string $type Data type of the supplied value
+ * @param string $value Value that should be put into the data array
+ *
+ * @return string|null Return complete combined hash if type is neither
+ * 'prefix' nor 'settings', nothing if it is
+ */
+ public function combine_hash_output(&$data, $type, $value)
+ {
+ if ($type == 'prefix')
+ {
+ $data[$type] .= ($data[$type] !== '$') ? '\\' : '';
+ $data[$type] .= str_replace('$', '', $value);
+ }
+ else if ($type == 'settings')
+ {
+ $data[$type] .= ($data[$type] !== '$') ? '$' : '';
+ $data[$type] .= $value;
+ }
+ else
+ {
+ // Return full hash
+ return $data['prefix'] . $data['settings'] . '$' . $value;
+ }
+ }
+
+ /**
+ * Rebuild hash for hashing functions
+ *
+ * @param string $prefix Hash prefix
+ * @param string $settings Hash settings
+ *
+ * @return string Rebuilt hash for hashing functions
+ */
+ public function rebuild_hash($prefix, $settings)
+ {
+ $rebuilt_hash = $prefix;
+ if (strpos($settings, '\\') !== false)
+ {
+ $settings = str_replace('\\', '$', $settings);
+ }
+ $rebuilt_hash .= $settings;
+ return $rebuilt_hash;
+ }
+
+ /**
+ * Obtain only the actual hash after the prefixes
+ *
+ * @param string $hash The full password hash
+ * @return string Actual hash (incl. settings)
+ */
+ public function obtain_hash_only($hash)
+ {
+ return substr($hash, strripos($hash, '$') + 1);
+ }
+}
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
new file mode 100644
index 0000000000..aa9147ecf4
--- /dev/null
+++ b/phpBB/phpbb/passwords/manager.php
@@ -0,0 +1,366 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\passwords;
+
+class manager
+{
+ /**
+ * Default hashing method
+ */
+ protected $type = false;
+
+ /**
+ * Hashing algorithm type map
+ * Will be used to map hash prefix to type
+ */
+ protected $type_map = false;
+
+ /**
+ * Service collection of hashing algorithms
+ * Needs to be public for passwords helper
+ */
+ public $algorithms = false;
+
+ /**
+ * Password convert flag. Signals that password should be converted
+ */
+ public $convert_flag = false;
+
+ /**
+ * Passwords helper
+ * @var \phpbb\passwords\helper
+ */
+ protected $helper;
+
+ /**
+ * phpBB configuration
+ * @var \phpbb\config\config
+ */
+ protected $config;
+
+ /**
+ * Construct a passwords object
+ *
+ * @param \phpbb\config\config $config phpBB configuration
+ * @param array $hashing_algorithms Hashing driver
+ * service collection
+ * @param \phpbb\passwords\helper $helper Passwords helper object
+ * @param array $defaults List of default driver types
+ */
+ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults)
+ {
+ $this->config = $config;
+ $this->helper = $helper;
+
+ $this->fill_type_map($hashing_algorithms);
+ $this->register_default_type($defaults);
+ }
+
+ /**
+ * Register default type
+ * Will register the first supported type from the list of default types
+ *
+ * @param array $defaults List of default types in order from first to
+ * use to last to use
+ */
+ protected function register_default_type($defaults)
+ {
+ foreach ($defaults as $type)
+ {
+ if ($this->algorithms[$type]->is_supported())
+ {
+ $this->type = $this->algorithms[$type]->get_prefix();
+ break;
+ }
+ }
+ }
+
+ /**
+ * Fill algorithm type map
+ *
+ * @param \phpbb\di\service_collection $hashing_algorithms
+ */
+ protected function fill_type_map($hashing_algorithms)
+ {
+ foreach ($hashing_algorithms as $algorithm)
+ {
+ if (!isset($this->type_map[$algorithm->get_prefix()]))
+ {
+ $this->type_map[$algorithm->get_prefix()] = $algorithm;
+ }
+ }
+ $this->algorithms = $hashing_algorithms;
+ }
+
+ /**
+ * Get the algorithm specified by a specific prefix
+ *
+ * @param string $prefix Password hash prefix
+ *
+ * @return object|bool The hash type object or false if prefix is not
+ * supported
+ */
+ protected function get_algorithm($prefix)
+ {
+ if (isset($this->type_map[$prefix]))
+ {
+ return $this->type_map[$prefix];
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+ /**
+ * Detect the hash type of the supplied hash
+ *
+ * @param string $hash Password hash that should be checked
+ *
+ * @return object|bool The hash type object or false if the specified
+ * type is not supported
+ */
+ public function detect_algorithm($hash)
+ {
+ /*
+ * preg_match() will also show hashing algos like $2a\H$, which
+ * is a combination of bcrypt and phpass. Legacy algorithms
+ * like md5 will not be matched by this and need to be treated
+ * differently.
+ */
+ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
+ {
+ return false;
+ }
+
+ // Be on the lookout for multiple hashing algorithms
+ // 2 is correct: H\2a > 2, H\P > 2
+ if (strlen($match[1]) > 2)
+ {
+ $hash_types = explode('\\', $match[1]);
+ $return_ary = array();
+ foreach ($hash_types as $type)
+ {
+ // we do not support the same hashing
+ // algorithm more than once
+ if (isset($return_ary[$type]))
+ {
+ return false;
+ }
+
+ $return_ary[$type] = $this->get_algorithm('$' . $type . '$');
+
+ if (empty($return_ary[$type]))
+ {
+ return false;
+ }
+ }
+ return $return_ary;
+ }
+
+ // get_algorithm() will automatically return false if prefix
+ // is not supported
+ return $this->get_algorithm($match[0]);
+ }
+
+ /**
+ * Hash supplied password
+ *
+ * @param string $password Password that should be hashed
+ * @param string $type Hash type. Will default to standard hash type if
+ * none is supplied
+ * @return string|bool Password hash of supplied password or false if
+ * if something went wrong during hashing
+ */
+ public function hash($password, $type = '')
+ {
+ if (strlen($password) > 4096)
+ {
+ // If the password is too huge, we will simply reject it
+ // and not let the server try to hash it.
+ return false;
+ }
+
+ // Try to retrieve algorithm by service name if type doesn't
+ // start with dollar sign
+ if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type]))
+ {
+ $type = $this->algorithms[$type]->get_prefix();
+ }
+
+ $type = ($type === '') ? $this->type : $type;
+
+ if (is_array($type))
+ {
+ return $this->combined_hash_password($password, $type);
+ }
+
+ if (isset($this->type_map[$type]))
+ {
+ $hashing_algorithm = $this->type_map[$type];
+ }
+ else
+ {
+ return false;
+ }
+
+ return $hashing_algorithm->hash($password);
+ }
+
+ /**
+ * Check supplied password against hash and set convert_flag if password
+ * needs to be converted to different format (preferrably newer one)
+ *
+ * @param string $password Password that should be checked
+ * @param string $hash Stored hash
+ * @param array $user_row User's row in users table
+ * @return string|bool True if password is correct, false if not
+ */
+ public function check($password, $hash, $user_row = array())
+ {
+ if (strlen($password) > 4096)
+ {
+ // If the password is too huge, we will simply reject it
+ // and not let the server try to hash it.
+ return false;
+ }
+
+ // Empty hashes can't be checked
+ if (empty($hash))
+ {
+ return false;
+ }
+
+ // First find out what kind of hash we're dealing with
+ $stored_hash_type = $this->detect_algorithm($hash);
+ if ($stored_hash_type == false)
+ {
+ // Still check MD5 hashes as that is what the installer
+ // will default to for the admin user
+ return $this->get_algorithm('$H$')->check($password, $hash);
+ }
+
+ // Multiple hash passes needed
+ if (is_array($stored_hash_type))
+ {
+ $correct = $this->check_combined_hash($password, $stored_hash_type, $hash);
+ $this->convert_flag = ($correct === true) ? true : false;
+ return $correct;
+ }
+
+ if ($stored_hash_type->get_prefix() !== $this->type)
+ {
+ $this->convert_flag = true;
+ }
+ else
+ {
+ $this->convert_flag = false;
+ }
+
+ // Check all legacy hash types if prefix is $CP$
+ if ($stored_hash_type->get_prefix() === '$CP$')
+ {
+ // Remove $CP$ prefix for proper checking
+ $hash = substr($hash, 4);
+
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ return true;
+ }
+ }
+ }
+
+ return $stored_hash_type->check($password, $hash);
+ }
+
+ /**
+ * Create combined hash from already hashed password
+ *
+ * @param string $password_hash Complete current password hash
+ * @param string $type Type of the hashing algorithm the password hash
+ * should be combined with
+ * @return string|bool Combined password hash if combined hashing was
+ * successful, else false
+ */
+ public function combined_hash_password($password_hash, $type)
+ {
+ $data = array(
+ 'prefix' => '$',
+ 'settings' => '$',
+ );
+ $hash_settings = $this->helper->get_combined_hash_settings($password_hash);
+ $hash = $hash_settings[0];
+
+ // Put settings of current hash into data array
+ $stored_hash_type = $this->detect_algorithm($password_hash);
+ $this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix());
+ $this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash));
+
+ // Hash current hash with the defined types
+ foreach ($type as $cur_type)
+ {
+ if (isset($this->algorithms[$cur_type]))
+ {
+ $new_hash_type = $this->algorithms[$cur_type];
+ }
+ else
+ {
+ $new_hash_type = $this->get_algorithm($cur_type);
+ }
+
+ if (!$new_hash_type)
+ {
+ return false;
+ }
+
+ $new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash));
+ $this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix());
+ $this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0));
+ $hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash));
+ }
+ return $this->helper->combine_hash_output($data, 'hash', $hash);
+ }
+
+ /**
+ * Check combined password hash against the supplied password
+ *
+ * @param string $password Password entered by user
+ * @param array $stored_hash_type An array containing the hash types
+ * as described by stored password hash
+ * @param string $hash Stored password hash
+ *
+ * @return bool True if password is correct, false if not
+ */
+ public function check_combined_hash($password, $stored_hash_type, $hash)
+ {
+ $i = 0;
+ $data = array(
+ 'prefix' => '$',
+ 'settings' => '$',
+ );
+ $hash_settings = $this->helper->get_combined_hash_settings($hash);
+ foreach ($stored_hash_type as $key => $hash_type)
+ {
+ $rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]);
+ $this->helper->combine_hash_output($data, 'prefix', $key);
+ $this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]);
+ $cur_hash = $hash_type->hash($password, $rebuilt_hash);
+ $password = str_replace($rebuilt_hash, '', $cur_hash);
+ $i++;
+ }
+ return ($hash === $this->helper->combine_hash_output($data, 'hash', $password));
+ }
+}