Search moodle.org's
Developer Documentation
Developer Documentation
See Release Notes
Long Term Support Release
- Bug fixes for general core bugs in 3.9.x will end* 10 May 2021 (12 months).
- Bug fixes for security issues in 3.9.x will end* 8 May 2023 (36 months).
- PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.
<?php namespace PhpOffice\PhpSpreadsheet\Shared;> use PhpOffice\PhpSpreadsheet\Exception as SpException; class PasswordHasher > use PhpOffice\PhpSpreadsheet\Worksheet\Protection; { >/**> const MAX_PASSWORD_LENGTH = 255; * Create a password hash from a given string. > * > /** * This method is based on the algorithm provided by > * Get algorithm name for PHP. * Daniel Rentz of OpenOffice and the PEAR package > */ * Spreadsheet_Excel_Writer by Xavier Noguer <xnoguer@rezebra.com>. > private static function getAlgorithm(string $algorithmName): string * > { * @param string $pPassword Password to hash > if (!$algorithmName) { * > return ''; * @return string Hashed password > } */ > public static function hashPassword($pPassword) > // Mapping between algorithm name in Excel and algorithm name in PHP { > $mapping = [ $password = 0x0000; > Protection::ALGORITHM_MD2 => 'md2', $charPos = 1; // char position > Protection::ALGORITHM_MD4 => 'md4', > Protection::ALGORITHM_MD5 => 'md5', // split the plain text password in its component characters > Protection::ALGORITHM_SHA_1 => 'sha1', $chars = preg_split('//', $pPassword, -1, PREG_SPLIT_NO_EMPTY); > Protection::ALGORITHM_SHA_256 => 'sha256', foreach ($chars as $char) { > Protection::ALGORITHM_SHA_384 => 'sha384', $value = ord($char) << $charPos++; // shifted ASCII value > Protection::ALGORITHM_SHA_512 => 'sha512', $rotated_bits = $value >> 15; // rotated bits beyond bit 15 > Protection::ALGORITHM_RIPEMD_128 => 'ripemd128', $value &= 0x7fff; // first 15 bits > Protection::ALGORITHM_RIPEMD_160 => 'ripemd160', $password ^= ($value | $rotated_bits); > Protection::ALGORITHM_WHIRLPOOL => 'whirlpool', } > ]; > $password ^= strlen($pPassword); > if (array_key_exists($algorithmName, $mapping)) { $password ^= 0xCE4B; > return $mapping[$algorithmName]; > } return strtoupper(dechex($password)); > } > throw new SpException('Unsupported password algorithm: ' . $algorithmName); } > } >< * This method is based on the algorithm provided by> * This method is based on the spec at: > * https://interoperability.blob.core.windows.net/files/MS-OFFCRYPTO/[MS-OFFCRYPTO].pdf > * 2.3.7.1 Binary Document Password Verifier Derivation Method 1 > * > * It replaces a method based on the algorithm provided by< * @param string $pPassword Password to hash> * Scrutinizer will squawk at the use of bitwise operations here, > * but it should ultimately pass.< * @return string Hashed password> * @param string $password Password to hash< public static function hashPassword($pPassword)> private static function defaultHashPassword(string $password): string< $password = 0x0000; < $charPos = 1; // char position> $verifier = 0; > $pwlen = strlen($password); > $passwordArray = pack('c', $pwlen) . $password; > for ($i = $pwlen; $i >= 0; --$i) { > $intermediate1 = (($verifier & 0x4000) === 0) ? 0 : 1; > $intermediate2 = 2 * $verifier; > $intermediate2 = $intermediate2 & 0x7fff; > $intermediate3 = $intermediate1 | $intermediate2; > $verifier = $intermediate3 ^ ord($passwordArray[$i]); > } > $verifier ^= 0xCE4B; > > return strtoupper(dechex($verifier)); > }< // split the plain text password in its component characters < $chars = preg_split('//', $pPassword, -1, PREG_SPLIT_NO_EMPTY); < foreach ($chars as $char) { < $value = ord($char) << $charPos++; // shifted ASCII value < $rotated_bits = $value >> 15; // rotated bits beyond bit 15 < $value &= 0x7fff; // first 15 bits < $password ^= ($value | $rotated_bits);> /** > * Create a password hash from a given string by a specific algorithm. > * > * 2.4.2.4 ISO Write Protection Method > * > * @see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/1357ea58-646e-4483-92ef-95d718079d6f > * > * @param string $password Password to hash > * @param string $algorithm Hash algorithm used to compute the password hash value > * @param string $salt Pseudorandom string > * @param int $spinCount Number of times to iterate on a hash of a password > * > * @return string Hashed password > */ > public static function hashPassword(string $password, string $algorithm = '', string $salt = '', int $spinCount = 10000): string > { > if (strlen($password) > self::MAX_PASSWORD_LENGTH) { > throw new SpException('Password exceeds ' . self::MAX_PASSWORD_LENGTH . ' characters');> $phpAlgorithm = self::getAlgorithm($algorithm); > if (!$phpAlgorithm) { > return self::defaultHashPassword($password); > } > > $saltValue = base64_decode($salt); > $encodedPassword = mb_convert_encoding($password, 'UCS-2LE', 'UTF-8');< $password ^= strlen($pPassword); < $password ^= 0xCE4B;> $hashValue = hash($phpAlgorithm, $saltValue . $encodedPassword, true); > for ($i = 0; $i < $spinCount; ++$i) { > $hashValue = hash($phpAlgorithm, $hashValue . pack('L', $i), true); > }< return strtoupper(dechex($password));> return base64_encode($hashValue);
