
Password script

a guest
Jul 17th, 2014
  1.  
  2. <?php
  3.  
  // PBKDF2 parameters shared by create_hash() and validate_password().
  // NOTE(review): neither the algorithm nor the iteration count is written into
  // the stored "salt:hash" string, so changing either value here makes every
  // previously stored hash fail validation.
  define('PBKDF2_HASH_ALGORITHM', 'sha512');
  // NOTE(review): 1000 iterations is a low work factor for PBKDF2 by current
  // guidance; raising it means re-hashing stored passwords (see note above).
  define('PBKDF2_ITERATIONS', 1000);
  define('PBKDF2_SALT_BYTE_SIZE', 24); // random bytes drawn for the salt, before base64
  define('PBKDF2_HASH_BYTE_SIZE', 24); // raw derived-key bytes, before base64

  // Layout of the stored string once split on ":" -> [salt, hash].
  define('HASH_SECTIONS', 2);
  // NOTE(review): the next two constants are not referenced by the functions shown
  // here and carry the same values as the salt/hash indexes below.
  define('HASH_ALGORITHM_INDEX', 0);
  define('HASH_ITERATION_INDEX', 1);
  define('HASH_SALT_INDEX', 0);
  define('HASH_PBKDF2_INDEX', 1);
  14.  
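  /**
   * Build the stored credential string for a password.
   *
   * Output format: "<base64 salt>:<base64 PBKDF2 output>". The algorithm and the
   * iteration count are NOT embedded in the result; validate_password() takes
   * them from the PBKDF2_* constants.
   *
   * @param string $password Plain-text password.
   * @return string Salt and derived key, both as base64 text, joined by ":".
   */
  function create_hash($password)
  {
      // The mcrypt extension was removed from PHP core in 7.2, so prefer the
      // built-in CSPRNG and keep mcrypt only as a fallback for older runtimes.
      if (function_exists('random_bytes')) {
          $salt_bytes = random_bytes(PBKDF2_SALT_BYTE_SIZE);
      } else {
          $salt_bytes = mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM);
      }

      // The base64 text itself (not the decoded bytes) is passed to PBKDF2 as
      // the salt; validate_password() feeds the stored text back the same way.
      $salt = base64_encode($salt_bytes);

      $derived = pbkdf2(
          PBKDF2_HASH_ALGORITHM,
          $password,
          $salt,
          PBKDF2_ITERATIONS,
          PBKDF2_HASH_BYTE_SIZE,
          true
      );

      return $salt . ":" . base64_encode($derived);
  }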
  29.  
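  /**
   * Check a password against a string produced by create_hash().
   *
   * @param string $password     Plain-text password to test.
   * @param string $correct_hash Stored "<base64 salt>:<base64 hash>" string.
   * @return bool True only when the re-derived key equals the stored one.
   */
  function validate_password($password, $correct_hash)
  {
      // A missing or non-string record can never match.
      if (!is_string($correct_hash)) {
          return false;
      }

      $params = explode(":", $correct_hash);
      if (count($params) < HASH_SECTIONS) {
          return false;
      }

      $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
      // Reject an empty or undecodable stored hash up front: its length (0) would
      // otherwise be passed to pbkdf2() as the key length, which raises
      // E_USER_ERROR there, and an empty stored value must never count as a match.
      if ($pbkdf2 === false || $pbkdf2 === '') {
          return false;
      }

      // NOTE(review): the derived-key length follows the stored value, so a stored
      // hash shorter than PBKDF2_HASH_BYTE_SIZE is compared on fewer bytes; consider
      // requiring the expected length if stored records could be truncated.
      $candidate = pbkdf2(
          PBKDF2_HASH_ALGORITHM,
          $password,
          $params[HASH_SALT_INDEX],
          PBKDF2_ITERATIONS,
          strlen($pbkdf2),
          true
      );

      return slow_equals($pbkdf2, $candidate);
  }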
  48.  
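  /**
   * Compare two strings without stopping at the first differing byte, so the
   * time taken does not reveal how many leading bytes matched.
   *
   * @param string $a First string (e.g. the stored hash).
   * @param string $b Second string (e.g. the freshly derived hash).
   * @return bool True when both strings have the same length and content.
   */
  function slow_equals($a, $b)
  {
      // Prefer the built-in timing-safe comparison (PHP 5.6+); the manual loop
      // below is kept for older runtimes and for non-string arguments.
      if (function_exists('hash_equals') && is_string($a) && is_string($b)) {
          return hash_equals($a, $b);
      }

      $len_a = strlen($a);
      $len_b = strlen($b);
      // A length mismatch sets bits in $diff, so the result is false even when
      // the shared prefix is identical.
      $diff = $len_a ^ $len_b;
      $limit = min($len_a, $len_b);
      for ($i = 0; $i < $limit; $i++) {
          $diff |= ord($a[$i]) ^ ord($b[$i]);
      }
      return $diff === 0;
  }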
  59.  
  /**
   * Derive a key from a password with PBKDF2 (HMAC with the given hash).
   *
   * Delegates to the native hash_pbkdf2() when that function exists; otherwise
   * runs the block-by-block HMAC loop below.
   *
   * @param string $algorithm  Hash name; must appear in hash_algos().
   * @param string $password   Password, used as the HMAC key.
   * @param string $salt       Salt, used as given.
   * @param int    $count      Iteration count, must be positive.
   * @param int    $key_length Length of the derived key in bytes, must be positive.
   * @param bool   $raw_output True for raw bytes; false for lowercase hex
   *                           (twice $key_length characters).
   * @return string The derived key.
   */
  function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false)
  {
      $algorithm = strtolower($algorithm);

      // NOTE(review): E_USER_ERROR stops the script under the default handler; if a
      // custom error handler returns, execution continues past these checks.
      if (!in_array($algorithm, hash_algos(), true)) {
          trigger_error('PBKDF2 ERROR: Invalid hash algorithm.', E_USER_ERROR);
      }
      if ($count <= 0 || $key_length <= 0) {
          trigger_error('PBKDF2 ERROR: Invalid parameters.', E_USER_ERROR);
      }

      if (function_exists("hash_pbkdf2")) {
          // hash_pbkdf2() counts hex digits, not bytes, when output is not raw.
          $native_length = $raw_output ? $key_length : $key_length * 2;
          return hash_pbkdf2($algorithm, $password, $salt, $count, $native_length, $raw_output);
      }

      // Fallback: one HMAC chain per output block, blocks concatenated in order.
      $digest_size = strlen(hash($algorithm, "", true));
      $blocks_needed = ceil($key_length / $digest_size);

      $derived = "";
      $block = 1;
      while ($block <= $blocks_needed) {
          // First round: HMAC over salt followed by the block index as a
          // 4-byte big-endian integer.
          $round_value = hash_hmac($algorithm, $salt . pack("N", $block), $password, true);
          $block_value = $round_value;

          // Remaining $count - 1 rounds, each XORed into the block value.
          for ($round = 1; $round < $count; $round++) {
              $round_value = hash_hmac($algorithm, $round_value, $password, true);
              $block_value ^= $round_value;
          }

          $derived .= $block_value;
          $block++;
      }

      // Trim to the requested number of bytes before any hex encoding.
      $key = substr($derived, 0, $key_length);
      return $raw_output ? $key : bin2hex($key);
  }
  97. ?>