0x1949 Team - FAZEMRX - MANAGER
Edit File: manager.php
<?php /** * * This file is part of the phpBB Forum Software package. * * @copyright (c) phpBB Limited <https://www.phpbb.com> * @license GNU General Public License, version 2 (GPL-2.0) * * For full copyright and license information, please see * the docs/CREDITS.txt file. * */ namespace phpbb\passwords; class manager { /** * Default hashing method */ protected $type = false; /** * Hashing algorithm type map * Will be used to map hash prefix to type */ protected $type_map = false; /** * Service collection of hashing algorithms * Needs to be public for passwords helper */ public $algorithms = false; /** * Password convert flag. Signals that password should be converted */ public $convert_flag = false; /** * Passwords helper * @var \phpbb\passwords\helper */ protected $helper; /** * phpBB configuration * @var \phpbb\config\config */ protected $config; /** * @var bool Whether or not initialized() has been called */ private $initialized = false; /** * @var array Hashing driver service collection */ private $hashing_algorithms; /** * @var array List of default driver types */ private $defaults; /** * Construct a passwords object * * @param \phpbb\config\config $config phpBB configuration * @param array $hashing_algorithms Hashing driver service collection * @param \phpbb\passwords\helper $helper Passwords helper object * @param array $defaults List of default driver types */ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) { $this->config = $config; $this->helper = $helper; $this->hashing_algorithms = $hashing_algorithms; $this->defaults = $defaults; } /** * Initialize the internal state */ protected function initialize() { if (!$this->initialized) { $this->initialized = true; $this->fill_type_map($this->hashing_algorithms); $this->register_default_type($this->defaults); } } /** * Register default type * Will register the first supported type from the list of default types * * @param array $defaults List of default types in order from first to * use to last to use */ protected function register_default_type($defaults) { foreach ($defaults as $type) { if ($this->algorithms[$type]->is_supported()) { $this->type = $this->algorithms[$type]->get_prefix(); break; } } } /** * Fill algorithm type map * * @param \phpbb\di\service_collection $hashing_algorithms */ protected function fill_type_map($hashing_algorithms) { foreach ($hashing_algorithms as $algorithm) { if (!isset($this->type_map[$algorithm->get_prefix()])) { $this->type_map[$algorithm->get_prefix()] = $algorithm; } } $this->algorithms = $hashing_algorithms; } /** * Get the algorithm specified by a specific prefix * * @param string $prefix Password hash prefix * * @return object|bool The hash type object or false if prefix is not * supported */ protected function get_algorithm($prefix) { if (isset($this->type_map[$prefix])) { return $this->type_map[$prefix]; } else { return false; } } /** * Detect the hash type of the supplied hash * * @param string $hash Password hash that should be checked * * @return object|bool The hash type object or false if the specified * type is not supported */ public function detect_algorithm($hash) { /* * preg_match() will also show hashing algos like $2a\H$, which * is a combination of bcrypt and phpass. Legacy algorithms * like md5 will not be matched by this and need to be treated * differently. */ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) { return false; } $this->initialize(); // Be on the lookout for multiple hashing algorithms // 2 is correct: H\2a > 2, H\P > 2 if (strlen($match[1]) > 2 && strpos($match[1], '\\') !== false) { $hash_types = explode('\\', $match[1]); $return_ary = array(); foreach ($hash_types as $type) { // we do not support the same hashing // algorithm more than once if (isset($return_ary[$type])) { return false; } $return_ary[$type] = $this->get_algorithm('$' . $type . '$'); if (empty($return_ary[$type])) { return false; } } return $return_ary; } // get_algorithm() will automatically return false if prefix // is not supported return $this->get_algorithm($match[0]); } /** * Hash supplied password * * @param string $password Password that should be hashed * @param string $type Hash type. Will default to standard hash type if * none is supplied * @return string|bool Password hash of supplied password or false if * if something went wrong during hashing */ public function hash($password, $type = '') { if (strlen($password) > 4096) { // If the password is too huge, we will simply reject it // and not let the server try to hash it. return false; } $this->initialize(); // Try to retrieve algorithm by service name if type doesn't // start with dollar sign if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type])) { $type = $this->algorithms[$type]->get_prefix(); } $type = ($type === '') ? $this->type : $type; if (is_array($type)) { return $this->combined_hash_password($password, $type); } if (isset($this->type_map[$type])) { $hashing_algorithm = $this->type_map[$type]; } else { return false; } return $hashing_algorithm->hash($password); } /** * Check supplied password against hash and set convert_flag if password * needs to be converted to different format (preferably newer one) * * @param string $password Password that should be checked * @param string $hash Stored hash * @param array $user_row User's row in users table * @return string|bool True if password is correct, false if not */ public function check($password, $hash, $user_row = array()) { if (strlen($password) > 4096) { // If the password is too huge, we will simply reject it // and not let the server try to hash it. return false; } // Empty hashes can't be checked if (empty($hash)) { return false; } $this->initialize(); // First find out what kind of hash we're dealing with $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { // Still check MD5 hashes as that is what the installer // will default to for the admin user return $this->get_algorithm('$H$')->check($password, $hash); } // Multiple hash passes needed if (is_array($stored_hash_type)) { $correct = $this->check_combined_hash($password, $stored_hash_type, $hash); $this->convert_flag = ($correct === true) ? true : false; return $correct; } if ($stored_hash_type->get_prefix() !== $this->type) { $this->convert_flag = true; } else { if ($stored_hash_type instanceof driver\rehashable_driver_interface) { $this->convert_flag = $stored_hash_type->needs_rehash($hash); } else { $this->convert_flag = false; } } // Check all legacy hash types if prefix is $CP$ if ($stored_hash_type->get_prefix() === '$CP$') { // Remove $CP$ prefix for proper checking $hash = substr($hash, 4); foreach ($this->type_map as $algorithm) { if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) { return true; } } } return $stored_hash_type->check($password, $hash); } /** * Create combined hash from already hashed password * * @param string $password_hash Complete current password hash * @param string $type Type of the hashing algorithm the password hash * should be combined with * @return string|bool Combined password hash if combined hashing was * successful, else false */ public function combined_hash_password($password_hash, $type) { $this->initialize(); $data = array( 'prefix' => '$', 'settings' => '$', ); $hash_settings = $this->helper->get_combined_hash_settings($password_hash); $hash = $hash_settings[0]; // Put settings of current hash into data array $stored_hash_type = $this->detect_algorithm($password_hash); $this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix()); $this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash)); // Hash current hash with the defined types foreach ($type as $cur_type) { if (isset($this->algorithms[$cur_type])) { $new_hash_type = $this->algorithms[$cur_type]; } else { $new_hash_type = $this->get_algorithm($cur_type); } if (!$new_hash_type) { return false; } $new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash)); $this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix()); $this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0)); $hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash)); } return $this->helper->combine_hash_output($data, 'hash', $hash); } /** * Check combined password hash against the supplied password * * @param string $password Password entered by user * @param array $stored_hash_type An array containing the hash types * as described by stored password hash * @param string $hash Stored password hash * @param bool $skip_phpbb2_check True if phpBB2 password check should be skipped * * @return bool True if password is correct, false if not */ public function check_combined_hash($password, $stored_hash_type, $hash, bool $skip_phpbb2_check = false) { // Special case for passwords converted from phpBB2: // These could be phpass(md5(password)) and hence already be double // hashed. For these, try to also check combined hash output of // md5 version of supplied password. $is_valid_phpbb2_pass = false; if (!$skip_phpbb2_check) { $is_valid_phpbb2_pass = $this->check_combined_hash(md5($password), $stored_hash_type, $hash, true); } $i = 0; $data = array( 'prefix' => '$', 'settings' => '$', ); $hash_settings = $this->helper->get_combined_hash_settings($hash); foreach ($stored_hash_type as $key => $hash_type) { $rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]); $this->helper->combine_hash_output($data, 'prefix', $key); $this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]); $cur_hash = $hash_type->hash($password, $rebuilt_hash); $password = str_replace($rebuilt_hash, '', $cur_hash); $i++; } return hash_equals($hash, $this->helper->combine_hash_output($data, 'hash', $password)) || $is_valid_phpbb2_pass; } }