BAW More Secure Login modified by HacKan

1. Wordpress plugin BAW More Secure Login (https://wordpress.org/extend/plugins/baw-more-secure-login/)
2. modified by HacKan
3. //==== BEGIN ====
4. <?php
5. /*
6. Plugin Name: Ballast Security Hashing
7. Plugin URI:  http://wordpress.org/extend/plugins/ballast-security-securing-hashing/
8. Description: Replaces the login hash of the WordPress with 2048 iterations of a modified PBKDF2 using SHA-256 and 16 bytes of salt the SHA1'd to be shortened
9. Author: <a href="https://www.twitter.com/bwallHatesTwits/" target="_blank">@bwallHatesTwits</a>
10. Version: 1.2.1
11. License: GPLv2
12. Colaborator: HacKan (<a href="https://www.twitter.com/HacKanCuBa/" target="_blank">@hackancuba</a>) solved issue when php v < 5.3.0 and problem with line 358
13. */
14.  
15. //My own modification of ARC4
16. class ARC4bwall
17. {
18.     protected $state;
19.     protected $i = 0;
20.     protected $j = 0;
21.     protected $k = 0;
22.    
23.     //Swaps i, j, k
24.     function Swap()
25.     {
26.         $temp = $this->state[$this->i];
27.         $this->state[$this->i] = $this->state[$this->j];
28.         $this->state[$this->j] = $this->state[$this->k];
29.         $this->state[$this->k] = $temp;
30.     }
31.    
32.     function Init($data)
33.     {
34.         $this->state = array();
35.         for($this->i = 0; $this->i < 256; $this->i++)
36.         {
37.             $this->state[$this->i] = $this->i;
38.         }
39.         $this->j = 0;
40.         $this->k = 0;
41.         for($this->i = 0; $this->i < 256; $this->i++)
42.         {
43.             $this->j = ($this->j + $this->state[$this->i] + ord($data[$this->i % strlen($data)])) % 256;
44.             $this->k = pow($this->k + $this->j, 2) % 256;
45.             $this->Swap();
46.         }
47.         $this->i = 0;
48.         $this->j = 0;
49.         $this->k = 0;
50.     }
51.    
52.     function GetByte()
53.     {
54.         $this->i = ($this->i + 1) % 256;
55.         $this->j = ($this->j + $this->state[$this->i]) % 256;
56.         $this->k = pow($this->k + $this->j, 2) % 256;
57.         $this->Swap();
58.         return $this->state[($this->i + $this->j + $this->k) % 256];
59.     }
60.    
61.     public function Crypt($data)
62.     {
63.         $ret = "";
64.         for($x = 0; $x < strlen($data); $x++)
65.         {
66.             $ret .= chr(ord($data[$x]) ^ $this->GetByte());
67.         }
68.         return $ret;
69.     }
70.    
71.     public function __construct($key = "bwallRocks")
72.     {
73.         $this->Init($key);
74.     }
75. }
76.  
77. class BallastPHPHash
78. {
79.     function ARC4PBKDF2($plain, $salt, $iterations = 2048, $algo = 'sha256')
80.     {
81.         $rc4 = new ARC4bwall($plain);
82.         $derivedkey = $b = $rc4->Crypt(hash_hmac($algo, $salt, $plain, true));
83.         for ( $i = 0; $i < $iterations; $i++ )
84.         {
85.             $derivedkey ^= ($b = $rc4->Crypt(hash_hmac($algo, $b, $plain, true)));
86.         }
87.         return sha1($derivedkey, true);
88.     }
89.    
90.     function PBKDF2($plain, $salt, $iterations = 2048, $algo = 'sha256' )
91.     {
92.         $derivedkey = $b = hash_hmac($algo, $salt, $plain, true);
93.         for ( $i = 0; $i < $iterations; $i++ )
94.         {
95.             $derivedkey ^= ($b = hash_hmac($algo, $b, $plain, true));
96.         }
97.         return sha1($derivedkey, true);
98.     }
99.    
100.     function BSPBKDF2($plain, $salt, $iterations = 2048, $algo = 'sha256' )
101.     {
102.         $derivedkey = $b = hash_hmac($algo, $salt, $plain, true);
103.         for ( $i = 0; $i < $iterations; $i++ )
104.         {
105.             $derivedkey = hash_hmac($algo, $b, $plain, true);
106.         }
107.         return sha1($derivedkey, true);
108.     }
109.    
110.     function rstrstr($haystack,$needle, $start=0)
111.     {  
112.         // Added by HacKan, replacement for strstr() compat php v < 5.3.0
113.         // http://www.php.net/manual/es/function.strstr.php#103577
114.         // credits to gruessle at gmail dot com for the idea
115.         return substr($haystack, $start,strpos($haystack, $needle));
116.     }
117.  
118.     //Hash Format - $BPBK$Iterations$Salt$Hash
119.     public function HashUpToDate($hash)
120.     {
121.         $type = get_option("BallastSecurityHashType");
122.         if($type === false)
123.         {
124.             //option is not defined
125.             add_option("BallastSecurityHashType", '$BPBK$2048$', "", "yes");
126.             $type = get_option("BallastSecurityHashType");
127.         }
128.         //Default WordPress is '$P$'
129.         return (substr($hash, 0, strlen($type)) == $type);
130.     }
131.    
132.     function StartsWith($hash, $type)
133.     {
134.         return (substr($hash, 0, strlen($type)) == $type);
135.     }
136.    
137.     public function CheckPassword($password, $hash)
138.     {
139.         if($this->StartsWith($hash, '$BPBK$2048$'))
140.         {
141.             $saltAndhash = substr($hash, 11);
142.             //$salt = strstr($saltAndhash, '$', true);
143.             $salt = $this->rstrstr($saltAndhash, '$');
144.             $hash = substr(strstr($saltAndhash, '$'), 1);
145.             $realHash = base64_encode($this->BSPBKDF2($password, base64_decode($salt)));
146.             return ($hash == $realHash);
147.         }
148.         else if($this->StartsWith($hash, '$BPBK$10k$'))
149.         {
150.             $saltAndhash = substr($hash, 10);
151.             //$salt = strstr($saltAndhash, '$', true);
152.             $salt = $this->rstrstr($saltAndhash, '$');
153.             $hash = substr(strstr($saltAndhash, '$'), 1);
154.             $realHash = base64_encode($this->BSPBKDF2($password, base64_decode($salt), 10000));
155.             return ($hash == $realHash);
156.         }
157.         else if($this->StartsWith($hash, '$BPBK$100k$'))
158.         {
159.             $saltAndhash = substr($hash, 11);
160.             //$salt = strstr("$saltAndhash", '$');
161.             $salt = $this->rstrstr($saltAndhash, '$');
162.             $salt = $this->rstrstr($saltAndhash, '$');
163.             $hash = substr(strstr($saltAndhash, '$'), 1);
164.             $realHash = base64_encode($this->BSPBKDF2($password, base64_decode($salt), 100000));
165.             return ($hash == $realHash);
166.         }
167.         else if($this->StartsWith($hash, '$PBK$2048$'))
168.         {
169.             $saltAndhash = substr($hash, 10);
170.             //$salt = strstr($saltAndhash, '$', true);
171.             $salt = $this->rstrstr($saltAndhash, '$');
172.             $hash = substr(strstr($saltAndhash, '$'), 1);
173.             $realHash = base64_encode($this->PBKDF2($password, base64_decode($salt)));
174.             return ($hash == $realHash);
175.         }
176.         else if($this->StartsWith($hash, '$PBK$10k$'))
177.         {
178.             $saltAndhash = substr($hash, 9);
179.             //$salt = strstr($saltAndhash, '$', true);
180.             $salt = $this->rstrstr($saltAndhash, '$');
181.             $hash = substr(strstr($saltAndhash, '$'), 1);
182.             $realHash = base64_encode($this->PBKDF2($password, base64_decode($salt), 10000));
183.             return ($hash == $realHash);
184.         }
185.         else if($this->StartsWith($hash, '$PBK$100k$'))
186.         {
187.             $saltAndhash = substr($hash, 10);
188.             //$salt = strstr($saltAndhash, '$', true);
189.             $salt = $this->rstrstr($saltAndhash, '$');
190.             $hash = substr(strstr($saltAndhash, '$'), 1);
191.             $realHash = base64_encode($this->PBKDF2($password, base64_decode($salt), 100000));
192.             return ($hash == $realHash);
193.         }
194.         else if($this->StartsWith($hash, '$APBK$2048$'))
195.         {
196.             $saltAndhash = substr($hash, 11);
197.             //$salt = strstr($saltAndhash, '$', true);
198.             $salt = $this->rstrstr($saltAndhash, '$');
199.             $hash = substr(strstr($saltAndhash, '$'), 1);
200.             $realHash = base64_encode($this->ARC4PBKDF2($password, base64_decode($salt)));
201.             return ($hash == $realHash);
202.         }
203.         else if($this->StartsWith($hash, '$APBK$10k$'))
204.         {
205.             $saltAndhash = substr($hash, 10);
206.             //$salt = strstr($saltAndhash, '$', true);
207.             $salt = $this->rstrstr($saltAndhash, '$');
208.             $hash = substr(strstr($saltAndhash, '$'), 1);
209.             $realHash = base64_encode($this->ARC4PBKDF2($password, base64_decode($salt), 10000));
210.             return ($hash == $realHash);
211.         }
212.         else if($this->StartsWith($hash, '$APBK$100k$'))
213.         {
214.             $saltAndhash = substr($hash, 11);
215.             //$salt = strstr($saltAndhash, '$', true);
216.             $salt = $this->rstrstr($saltAndhash, '$');
217.             $hash = substr(strstr($saltAndhash, '$'), 1);
218.             $realHash = base64_encode($this->ARC4PBKDF2($password, base64_decode($salt), 100000));
219.             return ($hash == $realHash);
220.         }
221.         else if($this->StartsWith($hash, '$P$'))
222.         {
223.             require_once(ABSPATH.'wp-includes/class-phpass.php');
224.             $ph = new PasswordHash(8, TRUE);
225.             return $ph->CheckPassword($password, $hash);
226.         }
227.     }
228.    
229.     public function HashPassword($password)
230.     {
231.         $type = get_option("BallastSecurityHashType");
232.         if($type === false)
233.         {
234.             //option is not defined
235.             add_option("BallastSecurityHashType", '$BPBK$2048$', "", "yes");
236.             $type = get_option("BallastSecurityHashType");
237.         }
238.         if($type === '$BPBK$2048$')
239.         {
240.             $hash = '$BPBK$2048$';
241.             $salt = "";
242.             for($i = 0; $i < 16; $i++)
243.             {
244.                 $salt .= chr(rand(0, 256));
245.             }
246.             $hash .= base64_encode($salt).'$'.base64_encode($this->BSPBKDF2($password, $salt));
247.             return $hash;
248.         }
249.         else if($type === '$BPBK$10k$')
250.         {
251.             $hash = '$BPBK$10k$';
252.             $salt = "";
253.             for($i = 0; $i < 16; $i++)
254.             {
255.                 $salt .= chr(rand(0, 256));
256.             }
257.             $hash .= base64_encode($salt).'$'.base64_encode($this->BSPBKDF2($password, $salt, 10000));
258.             return $hash;
259.         }
260.         else if($type === '$BPBK$100k$')
261.         {
262.             $hash = '$BPBK$100k$';
263.             $salt = "";
264.             for($i = 0; $i < 16; $i++)
265.             {
266.                 $salt .= chr(rand(0, 256));
267.             }
268.             $hash .= base64_encode($salt).'$'.base64_encode($this->BSPBKDF2($password, $salt, 100000));
269.             return $hash;
270.         }
271.         else if($type === '$PBK$2048$')
272.         {
273.             $hash = '$PBK$2048$';
274.             $salt = "";
275.             for($i = 0; $i < 16; $i++)
276.             {
277.                 $salt .= chr(rand(0, 256));
278.             }
279.             $hash .= base64_encode($salt).'$'.base64_encode($this->PBKDF2($password, $salt));
280.             return $hash;
281.         }
282.         else if($type === '$PBK$10k$')
283.         {
284.             $hash = '$PBK$10k$';
285.             $salt = "";
286.             for($i = 0; $i < 16; $i++)
287.             {
288.                 $salt .= chr(rand(0, 256));
289.             }
290.             $hash .= base64_encode($salt).'$'.base64_encode($this->PBKDF2($password, $salt, 10000));
291.             return $hash;
292.         }
293.         else if($type === '$PBK$100k$')
294.         {
295.             $hash = '$PBK$100k$';
296.             $salt = "";
297.             for($i = 0; $i < 16; $i++)
298.             {
299.                 $salt .= chr(rand(0, 256));
300.             }
301.             $hash .= base64_encode($salt).'$'.base64_encode($this->PBKDF2($password, $salt, 100000));
302.             return $hash;
303.         }
304.         else if($type === '$APBK$2048$')
305.         {
306.             $hash = '$APBK$2048$';
307.             $salt = "";
308.             for($i = 0; $i < 16; $i++)
309.             {
310.                 $salt .= chr(rand(0, 256));
311.             }
312.             $hash .= base64_encode($salt).'$'.base64_encode($this->ARC4PBKDF2($password, $salt));
313.             return $hash;
314.         }
315.         else if($type === '$APBK$10k$')
316.         {
317.             $hash = '$APBK$10k$';
318.             $salt = "";
319.             for($i = 0; $i < 16; $i++)
320.             {
321.                 $salt .= chr(rand(0, 256));
322.             }
323.             $hash .= base64_encode($salt).'$'.base64_encode($this->ARC4PBKDF2($password, $salt, 10000));
324.             return $hash;
325.         }
326.         else if($type === '$APBK$100k$')
327.         {
328.             $hash = '$APBK$100k$';
329.             $salt = "";
330.             for($i = 0; $i < 16; $i++)
331.             {
332.                 $salt .= chr(rand(0, 256));
333.             }
334.             $hash .= base64_encode($salt).'$'.base64_encode($this->ARC4PBKDF2($password, $salt, 100000));
335.             return $hash;
336.         }
337.         else if($type === '$P$')
338.         {
339.             require_once(ABSPATH.'wp-includes/class-phpass.php');
340.             $ph = new PasswordHash(8, TRUE);
341.             return $ph->HashPassword($password);
342.         }
343.     }
344. }
345. if (!function_exists('wp_hash_password'))
346. {
347.     function wp_hash_password($password)
348.     {
349.         global $wp_hasher;
350.         if ( empty($wp_hasher) )
351.         {
352.             $wp_hasher = new BallastPHPHash();
353.         }
354.         return $wp_hasher->HashPassword($password);
355.     }
356. }
357.  
358. if (!function_exists('wp_check_password'))
359. {
360.     function wp_check_password($password, $hash, $user_id = '')
361.     {
362.         //file_put_contents("/var/www/wordpress/hashBWALL", "hash = $hash\n", FILE_APPEND);
363.         // commented out by HacKan, seems to be no use; please check if correct
364.         global $wp_hasher;
365.         $wp_hasher = new BallastPHPHash(); 
366.         if ( strlen($hash) <= 32 )
367.         {
368.             $check = ( $hash == md5($password) );
369.             if ( $check && $user_id )
370.             {
371.                 wp_set_password($password, $user_id);
372.                 $hash = wp_hash_password($password);
373.             }
374.             return apply_filters('check_password', $check, $password, $hash, $user_id);
375.         }
376.        
377.         if(!$wp_hasher->HashUpToDate($hash))
378.         {
379.             $check = $wp_hasher->CheckPassword($password, $hash);
380.             if($check && $user_id)
381.             {
382.                 wp_set_password($password, $user_id);
383.                 $hash = wp_hash_password($password);
384.             }
385.             return apply_filters('check_password', $check, $password, $hash, $user_id);
386.         }
387.         $check = $wp_hasher->CheckPassword($password, $hash);  
388.         return apply_filters('check_password', $check, $password, $hash, $user_id);
389.     }
390. }
391.  
392. function ballastsec_hash_menu()
393. {
394.     add_menu_page('Ballast Security Secure Hasher', 'Secure Hasher Configuration', 'add_users','bssh_config', 'display_bssh_config' );
395. }
396.  
397. add_action('admin_menu', 'ballastsec_hash_menu');
398.  
399. function display_bssh_config()
400. {  
401.     if(isset($_POST['hashtype']) && check_admin_referer('ballastsec_hash-change-type'))
402.     {
403.         $type = get_option("BallastSecurityHashType");
404.         if($_POST['hashtype'] == "1")
405.         {
406.             if($type === false)
407.             {
408.                 add_option("BallastSecurityHashType", '$BPBK$2048$', "", "yes");
409.             }
410.             else
411.             {
412.                 update_option("BallastSecurityHashType", '$BPBK$2048$');
413.             }
414.         }
415.         else if($_POST['hashtype'] == "2")
416.         {
417.             if($type === false)
418.             {
419.                 add_option("BallastSecurityHashType", '$P$', "", "yes");
420.             }
421.             else
422.             {
423.                 update_option("BallastSecurityHashType", '$P$');
424.             }
425.         }
426.         else if($_POST['hashtype'] == "3")
427.         {
428.             if($type === false)
429.             {
430.                 add_option("BallastSecurityHashType", '$BPBK$10k$', "", "yes");
431.             }
432.             else
433.             {
434.                 update_option("BallastSecurityHashType", '$BPBK$10k$');
435.             }
436.         }
437.         else if($_POST['hashtype'] == "4")
438.         {
439.             if($type === false)
440.             {
441.                 add_option("BallastSecurityHashType", '$BPBK$100k$', "", "yes");
442.             }
443.             else
444.             {
445.                 update_option("BallastSecurityHashType", '$BPBK$100k$');
446.             }
447.         }
448.         else if($_POST['hashtype'] == "5")
449.         {
450.             if($type === false)
451.             {
452.                 add_option("BallastSecurityHashType", '$PBK$2048$', "", "yes");
453.             }
454.             else
455.             {
456.                 update_option("BallastSecurityHashType", '$PBK$2048$');
457.             }
458.         }
459.         else if($_POST['hashtype'] == "6")
460.         {
461.             if($type === false)
462.             {
463.                 add_option("BallastSecurityHashType", '$PBK$10k$', "", "yes");
464.             }
465.             else
466.             {
467.                 update_option("BallastSecurityHashType", '$PBK$10k$');
468.             }
469.         }
470.         else if($_POST['hashtype'] == "7")
471.         {
472.             if($type === false)
473.             {
474.                 add_option("BallastSecurityHashType", '$PBK$100k$', "", "yes");
475.             }
476.             else
477.             {
478.                 update_option("BallastSecurityHashType", '$PBK$100k$');
479.             }
480.         }
481.         else if($_POST['hashtype'] == "8")
482.         {
483.             if($type === false)
484.             {
485.                 add_option("BallastSecurityHashType", '$APBK$2048$', "", "yes");
486.             }
487.             else
488.             {
489.                 update_option("BallastSecurityHashType", '$APBK$2048$');
490.             }
491.         }
492.         else if($_POST['hashtype'] == "9")
493.         {
494.             if($type === false)
495.             {
496.                 add_option("BallastSecurityHashType", '$APBK$10k$', "", "yes");
497.             }
498.             else
499.             {
500.                 update_option("BallastSecurityHashType", '$APBK$10k$');
501.             }
502.         }
503.         else if($_POST['hashtype'] == "10")
504.         {
505.             if($type === false)
506.             {
507.                 add_option("BallastSecurityHashType", '$APBK$100k$', "", "yes");
508.             }
509.             else
510.             {
511.                 update_option("BallastSecurityHashType", '$APBK$100k$');
512.             }
513.         }
514.     }
515.     $type = get_option("BallastSecurityHashType");
516.     if($type === false)
517.     {
518.         //option is not defined
519.         add_option("BallastSecurityHashType", '$BPBK$2048$', "", "yes");
520.         $type = get_option("BallastSecurityHashType");
521.     }
522.     $bpk = "";
523.     $bpk10k = "";
524.     $bpk100k = "";
525.     $apk = "";
526.     $apk10k = "";
527.     $apk100k = "";
528.     $pk = "";
529.     $pk10k = "";
530.     $pk100k = "";
531.     $wp = "";
532.     if($type == '$BPBK$2048$')
533.     {
534.         $bpk = "checked=\"true\"";
535.     }
536.     else if($type == '$BPBK$10k$')
537.     {
538.         $bpk10k = "checked=\"true\"";
539.     }
540.     else if($type == '$BPBK$100k$')
541.     {
542.         $bpk100k = "checked=\"true\"";
543.     }
544.     else if($type == '$PBK$2048$')
545.     {
546.         $pk = "checked=\"true\"";
547.     }
548.     else if($type == '$PBK$10k$')
549.     {
550.         $pk10k = "checked=\"true\"";
551.     }
552.     else if($type == '$PBK$100k$')
553.     {
554.         $pk100k = "checked=\"true\"";
555.     }
556.     else if($type == '$APBK$2048$')
557.     {
558.         $apk = "checked=\"true\"";
559.     }
560.     else if($type == '$APBK$10k$')
561.     {
562.         $apk10k = "checked=\"true\"";
563.     }
564.     else if($type == '$APBK$100k$')
565.     {
566.         $apk100k = "checked=\"true\"";
567.     }
568.     else if($type == '$P$')
569.     {
570.         $wp = "checked=\"true\"";
571.     }
572.    
573.     echo "<h2>Pick your hash type</h2><br />";
574.     echo "<p>The larger number of iterations means the longer it will take to process your login credentials, but also mean increased security.  The ARC4PBKDF2 with 100000 iterations is the strongest hash here but can take a while to run.</p><br/>";
575.     echo "<form method='POST'>";
576.     if ( function_exists('wp_nonce_field') )
577.         wp_nonce_field('ballastsec_hash-change-type');
578.     echo "<input type=\"radio\" name=\"hashtype\" value=\"1\" ".$bpk."/> Use Ballast Security's modified PBKDF2 with 2048 iterations<br />";
579.     echo "<input type=\"radio\" name=\"hashtype\" value=\"3\" ".$bpk10k."/> Use Ballast Security's modified PBKDF2 with 10000 iterations<br />";
580.     echo "<input type=\"radio\" name=\"hashtype\" value=\"4\" ".$bpk100k."/> Use Ballast Security's modified PBKDF2 with 100000 iterations<br />";
581.     echo "<input type=\"radio\" name=\"hashtype\" value=\"5\" ".$pk."/> Use the classic PBKDF2 with 2048 iterations<br />";
582.     echo "<input type=\"radio\" name=\"hashtype\" value=\"6\" ".$pk10k."/> Use the classic PBKDF2 with 10000 iterations<br />";
583.     echo "<input type=\"radio\" name=\"hashtype\" value=\"7\" ".$pk100k."/> Use the classic PBKDF2 with 100000 iterations<br />";
584.     echo "<input type=\"radio\" name=\"hashtype\" value=\"8\" ".$apk."/> Use the Ballast Security original ARC4PBKDF2 with 2048 iterations<br />";
585.     echo "<input type=\"radio\" name=\"hashtype\" value=\"9\" ".$apk10k."/> Use the Ballast Security original ARC4PBKDF2 with 10000 iterations<br />";
586.     echo "<input type=\"radio\" name=\"hashtype\" value=\"10\" ".$apk100k."/> Use the Ballast Security original ARC4PBKDF2 with 100000 iterations<br />";
587.     echo "<input type=\"radio\" name=\"hashtype\" value=\"2\" ".$wp."/> Use default that comes with WordPress<br />";
588.     echo "<input type=\"submit\" value=\"Save Hash Type\" /><br /></form>";
589.     echo "<br />Note: If you want to deactive this plugin, you must change your settings over to use the default, and make sure all your users login in again so their hashes can be converted back.<br />";
590.     echo "Follow me at <a href='https://twitter.com/bwallHatesTwits'>bwallHatesTwits</a> or <a href='https://twitter.com/BallastSec'>BallastSec</a>";
591. }
592. ?>
593. //==== END ====