From e6ea7172774a71264968dd29b2830a7c21729b7f Mon Sep 17 00:00:00 2001
From: desrosj
Date: Tue, 25 May 2021 18:47:59 +0000
Subject: [PATCH] External Libraries: Update the phpass library to version `0.5`.
This updates the phpass library from version `0.3` to the latest version of `0.5`. This is a minor update that includes some adjustments to be more friendly with newer versions of PHP.
The changes made in [30466] have also been applied to the new version of the library. This should now be the only WordPress specific modification do this library.
Props ayeshrajans, dd32, otto42, desrosj.
Fixes #51549.
Built from https://develop.svn.wordpress.org/trunk@51008
git-svn-id: http://core.svn.wordpress.org/trunk@50617 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-phpass.php | 104 +++++++++++++----------------
 wp-includes/version.php | 2 +-
 2 files changed, 40 insertions(+), 66 deletions(-)
diff --git a/wp-includes/class-phpass.php b/wp-includes/class-phpass.php
index 8fcab44ad1..5411b36483 100644
--- a/wp-includes/class-phpass.php
+++ b/wp-includes/class-phpass.php
@@ -3,16 +3,24 @@
 * Portable PHP password hashing framework.
 * @package phpass
 * @since 2.5.0
- * @version 0.3 / WordPress
+ * @version 0.5 / WordPress
 * @link https://www.openwall.com/phpass/
 */
+#
+# Portable PHP password hashing framework.
+#
+# Version 0.5 / WordPress.
 #
 # Written by Solar Designer in 2004-2006 and placed in
 # the public domain. Revised in subsequent years, still public domain.
 #
 # There's absolutely no warranty.
 #
+# The homepage URL for this framework is:
+#
+# http://www.openwall.com/phpass/
+#
 # Please be sure to update the Version line if you edit this file in any way.
 # It is suggested that you leave the main version number intact, but indicate
 # your project name (after the slash) and add your own revision information.
@@ -29,7 +37,7 @@
 * Portable PHP password hashing framework.
 *
 * @package phpass
- * @version 0.3 / WordPress
+ * @version 0.5 / WordPress
 * @link https://www.openwall.com/phpass/
 * @since 2.5.0
 */
@@ -39,10 +47,7 @@ class PasswordHash {
 var $portable_hashes;
 var $random_state;
- /**
- * PHP5 constructor.
- */
- function __construct( $iteration_count_log2, $portable_hashes )
+ function __construct($iteration_count_log2, $portable_hashes)
 {
 $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
@@ -52,20 +57,20 @@ class PasswordHash {
 $this->portable_hashes = $portable_hashes;
- $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
+ $this->random_state = microtime();
+ if (function_exists('getmypid'))
+ $this->random_state .= getmypid();
 }
- /**
- * PHP4 constructor.
- */
- public function PasswordHash( $iteration_count_log2, $portable_hashes ) {
- self::__construct( $iteration_count_log2, $portable_hashes );
+ function PasswordHash($iteration_count_log2, $portable_hashes)
+ {
+ self::__construct($iteration_count_log2, $portable_hashes);
 }
 function get_random_bytes($count)
 {
 $output = '';
- if ( @is_readable('/dev/urandom') &&
+ if (@is_readable('/dev/urandom') &&
 ($fh = @fopen('/dev/urandom', 'rb'))) {
 $output = fread($fh, $count);
 fclose($fh);
@@ -76,8 +81,7 @@ class PasswordHash {
 for ($i = 0; $i < $count; $i += 16) {
 $this->random_state =
 md5(microtime() . $this->random_state);
- $output .=
- pack('H*', md5($this->random_state));
+ $output .= md5($this->random_state, TRUE);
 }
 $output = substr($output, 0, $count);
 }
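Review bot: The new `function __construct($iteration_count_log2, $portable_hashes)` signature replaces the removed docblock with nothing, leaving both constructor parameters undocumented even though the next hunk shows them being stored on the instance and the HashPassword hunk shows `$portable_hashes` deciding between bcrypt and the portable scheme. I would keep a short docblock above the signature, e.g. `/** @param int $iteration_count_log2 Base-2 logarithm of the hash iteration count. @param bool $portable_hashes True forces portable $P$ hashes instead of bcrypt. */`. The constructor body continues past the end of this hunk, so any validation of `$iteration_count_log2` is not visible here.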
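Review bot: `$this->random_state = microtime();` plus the optional `getmypid()` is the entire seed of the fallback generator in get_random_bytes, and the loop in the next hunk (`$output .= md5($this->random_state, TRUE);`) only stretches that seed with MD5 and further `microtime()` calls, so on a host where `/dev/urandom` is not readable every salt this class emits derives from a timestamp and a process id — the "non-fallback cases" caveat added to CheckPassword later in this patch depends on exactly that not happening. With pre-PHP 5 support now dropped, get_random_bytes should try a CSPRNG first and keep the file read only as the fallback: `if (function_exists('random_bytes')) return random_bytes($count);` as the first statement of the method (`random_bytes()` exists since PHP 7.0). The `@`-suppressed `is_readable`/`fopen` pair is unchanged here and still silences the warning that would show why the read failed, so the degraded path is invisible to operators.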
@@ -121,12 +125,12 @@ class PasswordHash {
 function crypt_private($password, $setting)
 {
 $output = '*0';
- if (substr($setting, 0, 2) == $output)
+ if (substr($setting, 0, 2) === $output)
 $output = '*1';
 $id = substr($setting, 0, 3);
 # We use "$P$", phpBB3 uses "$H$" for the same thing
- if ($id != '$P$' && $id != '$H$')
+ if ($id !== '$P$' && $id !== '$H$')
 return $output;
 $count_log2 = strpos($this->itoa64, $setting[3]);
@@ -136,26 +140,19 @@ class PasswordHash {
 $count = 1 << $count_log2;
 $salt = substr($setting, 4, 8);
- if (strlen($salt) != 8)
+ if (strlen($salt) !== 8)
 return $output;
- # We're kind of forced to use MD5 here since it's the only
- # cryptographic primitive available in all versions of PHP
- # currently in use. To implement our own low-level crypto
- # in PHP would result in much worse performance and
+ # We were kind of forced to use MD5 here since it's the only
+ # cryptographic primitive that was available in all versions
+ # of PHP in use. To implement our own low-level crypto in PHP
+ # would have resulted in much worse performance and
 # consequently in lower iteration counts and hashes that are
 # quicker to crack (by non-PHP code).
- if (PHP_VERSION >= '5') {
- $hash = md5($salt . $password, TRUE);
- do {
- $hash = md5($hash . $password, TRUE);
- } while (--$count);
- } else {
- $hash = pack('H*', md5($salt . $password));
- do {
- $hash = pack('H*', md5($hash . $password));
- } while (--$count);
- }
+ $hash = md5($salt . $password, TRUE);
+ do {
+ $hash = md5($hash . $password, TRUE);
+ } while (--$count);
 $output = substr($setting, 0, 12);
 $output .= $this->encode64($hash, 16);
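Review bot: `$count_log2 = strpos($this->itoa64, $setting[3]);` on the last line of the hunk reads a fourth byte that the `$id` test two lines above does not guarantee: a `$setting` of exactly `$P$` or `$H$` passes `$id !== '$P$' && $id !== '$H$'` and then reads an undefined string offset, which PHP 8 raises as a warning rather than the old notice. Since this hunk is already tightening the comparisons, a length guard belongs with it: `if (strlen($setting) < 4) return $output;` placed before the strpos line. The `$count_log2` range check that follows in crypt_private is outside the hunk, so I cannot tell from here whether it would still reject the resulting value on every PHP version.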
@@ -163,24 +160,6 @@ class PasswordHash {
 return $output;
 }
- function gensalt_extended($input)
- {
- $count_log2 = min($this->iteration_count_log2 + 8, 24);
- # This should be odd to not reveal weak DES keys, and the
- # maximum valid value is (2**24 - 1) which is odd anyway.
- $count = (1 << $count_log2) - 1;
- $output = '_';
- $output .= $this->itoa64[$count & 0x3f];
- $output .= $this->itoa64[($count >> 6) & 0x3f];
- $output .= $this->itoa64[($count >> 12) & 0x3f];
- $output .= $this->itoa64[($count >> 18) & 0x3f];
- $output .= $this->encode64($input, 3);
- return $output;
- }
-
 function gensalt_blowfish($input)
 {
 # This one needs to use a different order of characters and a
@@ -230,20 +209,11 @@ class PasswordHash {
 $random = '';
- if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
+ if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) {
 $random = $this->get_random_bytes(16);
 $hash =
 crypt($password, $this->gensalt_blowfish($random));
- if (strlen($hash) == 60)
- return $hash;
- }
-
- if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
- if (strlen($random) < 3)
- $random = $this->get_random_bytes(3);
- $hash =
- crypt($password, $this->gensalt_extended($random));
- if (strlen($hash) == 20)
+ if (strlen($hash) === 60)
 return $hash;
 }
@@ -252,7 +222,7 @@ class PasswordHash {
 $hash =
 $this->crypt_private($password,
 $this->gensalt_private($random));
- if (strlen($hash) == 34)
+ if (strlen($hash) === 34)
 return $hash;
 # Returning '*' on error is safe here, but would _not_ be safe
@@ -268,9 +238,13 @@ class PasswordHash {
 }
 $hash = $this->crypt_private($password, $stored_hash);
- if ($hash[0] == '*')
+ if ($hash[0] === '*')
 $hash = crypt($password, $stored_hash);
+ # This is not constant-time. In order to keep the code simple,
+ # for timing safety we currently rely on the salts being
+ # unpredictable, which they are at least in the non-fallback
+ # cases (that is, when we use /dev/urandom and bcrypt).
 return $hash === $stored_hash;
 }
-}
\ No newline at end of file
+}
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 1d621af242..3defd2fe94 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.8-alpha-51007';
+$wp_version = '5.8-alpha-51008';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
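Review bot: `return $hash === $stored_hash;` is still an ordinary string comparison, and the comment this hunk adds above it explicitly ties its safety to salts being unpredictable, which the `/dev/urandom` fallback in get_random_bytes earlier in this patch does not guarantee. `hash_equals()` has been available since PHP 5.6 and removes that dependency on salt quality, so the one-line change `return hash_equals($stored_hash, $hash);` (known string first, as its signature expects) would let the four-line caveat go. crypt_private() and `crypt()` both return strings, but `$stored_hash` is caller-supplied and not visible here, so if non-string values can reach CheckPassword they need a cast first; the opening lines of CheckPassword are outside the hunk.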