你现在的位置:首页 > PHP网站建设知识库 > WordPress > 正文

wordpress密码生成与登录密码验证

一、研究wordpress时wordpess的密码密码生成与登录密码验证方式对wordpress开发很重要

WordPress密码已成为整合的首要目标,如何征服整合,就得了解WordPress密码算法。
WordPress系统的用户密码是保存在wp_users数据表的user_pass字段,密码是通过Portable PHP password hashing framework类产生的,密码的形式是随机且不可逆,同一个明文的密码在不同时间,产生的密文也不一样,相对来说较为安全。

二、密码生成方式

> 随机产生一个salt 并将salt和password相加
> 进行了count次md5 然后和encode64的hash数值累加
> 最后得到一个以$P$开头的密码,这个密码每次产生的结果都不一样
以下为在wordpress中调用密码生成的代码

 $password = 'abc';  
 global $wp_hasher;  
 if ( empty($wp_hasher) ) {  
  require_once( './wp-includes/class-phpass.php');  
  $wp_hasher = new PasswordHash(8, TRUE);  
 }  
 echo $wp_hasher->HashPassword($password);  
?>  

三、wordpress密码生成与登录验证
wordpress中位置为\wp-includes\class-phpass.php
以下是wordpress中生成密码的代码直接运行可查看密码的生成以及验证过程

  
class PasswordHash {  
    var $itoa64;  
    var $iteration_count_log2;  
    var $portable_hashes;  
    var $random_state;  
  
    function PasswordHash($iteration_count_log2, $portable_hashes)  
    {  
        $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';  
  
        if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)  
            $iteration_count_log2 = 8;  
        $this->iteration_count_log2 = $iteration_count_log2;  
  
        $this->portable_hashes = $portable_hashes;  
  
        $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compability reasons  
    }  
  
    function get_random_bytes($count)  
    {  
        $output = '';  
        if ( @is_readable('/dev/urandom') &&  
            ($fh = @fopen('/dev/urandom', 'rb'))) {  
            $output = fread($fh, $count);  
            fclose($fh);  
        }  
  
        if (strlen($output) < $count) {  
            $output = '';  
            for ($i = 0; $i < $count; $i += 16) {  
                $this->random_state =  
                    md5(microtime() . $this->random_state);  
                $output .=  
                    pack('H*', md5($this->random_state));  
            }  
            $output = substr($output, 0, $count);  
        }  
  
        return $output;  
    }  
  
    function encode64($input, $count)  
    {  
        $output = '';  
        $i = 0;  
        do {  
            $value = ord($input[$i++]);  
            $output .= $this->itoa64[$value & 0x3f];  
            if ($i < $count)  
                $value |= ord($input[$i]) << 8;  
            $output .= $this->itoa64[($value >> 6) & 0x3f];  
            if ($i++ >= $count)  
                break;  
            if ($i < $count)  
                $value |= ord($input[$i]) << 16;  
            $output .= $this->itoa64[($value >> 12) & 0x3f];  
            if ($i++ >= $count)  
                break;  
            $output .= $this->itoa64[($value >> 18) & 0x3f];  
        } while ($i < $count);  
  
        return $output;  
    }  
  
    function gensalt_private($input)  
    {  
        $output = '$PXXXXX;  
        $output .= $this->itoa64[min($this->iteration_count_log2 +  
            ((PHP_VERSION >= '5') ? 5 : 3), 30)];  
        $output .= $this->encode64($input, 6);  
  
        return $output;  
    }  
  
    function crypt_private($password, $setting)  
    {  
        $output = '*0';  
        if (substr($setting, 0, 2) == $output)  
            $output = '*1';  
  
        $id = substr($setting, 0, 3);  
        # We use "$P{1}quot;, phpBB3 uses "$H{1}quot; for the same thing  
        if ($id != '$PXXXXX && $id != '$HXXXXX)  
            return $output;  
  
        $count_log2 = strpos($this->itoa64, $setting[3]);  
        if ($count_log2 < 7 || $count_log2 > 30)  
            return $output;  
  
        $count = 1 << $count_log2;  
  
        $salt = substr($setting, 4, 8);  
        if (strlen($salt) != 8)  
            return $output;  
  
        # We're kind of forced to use MD5 here since it's the only  
        # cryptographic primitive available in all versions of PHP  
        # currently in use.  To implement our own low-level crypto  
        # in PHP would result in much worse performance and  
        # consequently in lower iteration counts and hashes that are  
        # quicker to crack (by non-PHP code).  
        if (PHP_VERSION >= '5') {  
            $hash = md5($salt . $password, TRUE);  
            do {  
                $hash = md5($hash . $password, TRUE);  
            } while (--$count);  
        } else {  
            $hash = pack('H*', md5($salt . $password));  
            do {  
                $hash = pack('H*', md5($hash . $password));  
            } while (--$count);  
        }  
  
        $output = substr($setting, 0, 12);  
        $output .= $this->encode64($hash, 16);  
  
        return $output;  
    }  
  
    function gensalt_extended($input)  
    {  
        $count_log2 = min($this->iteration_count_log2 + 8, 24);  
        # This should be odd to not reveal weak DES keys, and the  
        # maximum valid value is (2**24 - 1) which is odd anyway.  
        $count = (1 << $count_log2) - 1;  
  
        $output = '_';  
        $output .= $this->itoa64[$count & 0x3f];  
        $output .= $this->itoa64[($count >> 6) & 0x3f];  
        $output .= $this->itoa64[($count >> 12) & 0x3f];  
        $output .= $this->itoa64[($count >> 18) & 0x3f];  
  
        $output .= $this->encode64($input, 3);  
  
        return $output;  
    }  
  
    function gensalt_blowfish($input)  
    {  
        # This one needs to use a different order of characters and a  
        # different encoding scheme from the one in encode64() above.  
        # We care because the last character in our encoded string will  
        # only represent 2 bits.  While two known implementations of  
        # bcrypt will happily accept and correct a salt string which  
        # has the 4 unused bits set to non-zero, we do not want to take  
        # chances and we also do not want to waste an additional byte  
        # of entropy.  
        $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';  
  
        $output = '$2aXXXXX;  
        $output .= chr(ord('0') + $this->iteration_count_log2 / 10);  
        $output .= chr(ord('0') + $this->iteration_count_log2 % 10);  
        $output .= 'XXXXX;  
  
        $i = 0;  
        do {  
            $c1 = ord($input[$i++]);  
            $output .= $itoa64[$c1 >> 2];  
            $c1 = ($c1 & 0x03) << 4;  
            if ($i >= 16) {  
                $output .= $itoa64[$c1];  
                break;  
            }  
  
            $c2 = ord($input[$i++]);  
            $c1 |= $c2 >> 4;  
            $output .= $itoa64[$c1];  
            $c1 = ($c2 & 0x0f) << 2;  
  
            $c2 = ord($input[$i++]);  
            $c1 |= $c2 >> 6;  
            $output .= $itoa64[$c1];  
            $output .= $itoa64[$c2 & 0x3f];  
        } while (1);  
  
        return $output;  
    }  
  
    function HashPassword($password)  
    {  
        $random = '';  
  
        if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {  
            $random = $this->get_random_bytes(16);  
            $hash =  
                crypt($password, $this->gensalt_blowfish($random));  
            if (strlen($hash) == 60)  
                return $hash;  
        }  
  
        if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {  
            if (strlen($random) < 3)  
                $random = $this->get_random_bytes(3);  
            $hash =  
                crypt($password, $this->gensalt_extended($random));  
            if (strlen($hash) == 20)  
                return $hash;  
        }  
  
        if (strlen($random) < 6)  
            $random = $this->get_random_bytes(6);  
        $hash =  
            $this->crypt_private($password,  
            $this->gensalt_private($random));  
        if (strlen($hash) == 34)  
            return $hash;  
  
        # Returning '*' on error is safe here, but would _not_ be safe  
        # in a crypt(3)-like function used _both_ for generating new  
        # hashes and for validating passwords against existing hashes.  
        return '*';  
    }  
  
    function CheckPassword($password, $stored_hash)  
    {  
        $hash = $this->crypt_private($password, $stored_hash);  
        if ($hash[0] == '*')  
            $hash = crypt($password, $stored_hash);  
  
        return $hash == $stored_hash;  
    }  
}  
  
//原始密码  
$passwordValue = "123456";  
  
//生成密码  
$wp_hasher = new PasswordHash(8, TRUE);  
$sigPassword = $wp_hasher->HashPassword($passwordValue);  
echo "生成的密码为:".$sigPassword;  
echo "\n";  
  
//验证密码  
$data = $wp_hasher->CheckPassword($passwordValue,$sigPassword);  
if($data){  
    echo '密码正确';  
}else{  
    echo '密码错误';  
}  
  
?>  

此为一个wordpres密码生成与登录验证实例,其中HashPassword为生成密码,CheckPassword为验证密码
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 为以上提到的生成salt的基础字符串。 

备注:由于csdn代码显示插件对特殊字符的限制。 请将以上代码中 XXXXX替换为 $'  注意有单引号,代码中一共有5处