‪TYPO3CMS  10.4
PhpassPasswordHash.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
18 namespace ‪TYPO3\CMS\Core\Crypto\PasswordHashing;
19 
20 use ‪TYPO3\CMS\Core\Crypto\Random;
21 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
22 
34 class ‪PhpassPasswordHash implements ‪PasswordHashInterface
35 {
39  protected const ‪PREFIX = '$P$';
40 
44  protected ‪$options = [
45  'hash_count' => 14
46  ];
47 
53  public function ‪__construct(array ‪$options = [])
54  {
55  $newOptions = ‪$this->options;
56  if (isset(‪$options['hash_count'])) {
57  if ((int)‪$options['hash_count'] < 7 || (int)‪$options['hash_count'] > 24) {
58  throw new \InvalidArgumentException(
59  'hash_count must not be lower than 7 or bigger than 24',
60  1533940454
61  );
62  }
63  $newOptions['hash_count'] = (int)‪$options['hash_count'];
64  }
65  $this->options = $newOptions;
66  }
67 
76  public function ‪checkPassword(string $plainPW, string $saltedHashPW): bool
77  {
78  $hash = $this->‪cryptPassword($plainPW, $saltedHashPW);
79  return $hash && hash_equals($hash, $saltedHashPW);
80  }
81 
87  public function ‪isAvailable(): bool
88  {
89  return true;
90  }
91 
98  public function ‪getHashedPassword(string $password)
99  {
100  $saltedPW = null;
101  if (!empty($password)) {
102  $salt = $this->‪getGeneratedSalt();
103  $saltedPW = $this->‪cryptPassword($password, $this->‪applySettingsToSalt($salt));
104  }
105  return $saltedPW;
106  }
107 
118  public function ‪isHashUpdateNeeded(string $passString): bool
119  {
120  // Check whether this was an updated password.
121  if (strncmp($passString, '$P$', 3) || strlen($passString) != 34) {
122  return true;
123  }
124  // Check whether the iteration count used differs from the standard number.
125  return $this->‪getCountLog2($passString) < $this->options['hash_count'];
126  }
127 
134  public function ‪isValidSaltedPW(string $saltedPW): bool
135  {
136  $isValid = !strncmp(self::PREFIX, $saltedPW, strlen(self::PREFIX));
137  if ($isValid) {
138  $isValid = $this->‪isValidSalt($saltedPW);
139  }
140  return $isValid;
141  }
142 
149  protected function ‪applySettingsToSalt(string $salt): string
150  {
151  $saltWithSettings = $salt;
152  $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);
153  // Salt without setting
154  if (strlen($salt) == $reqLenBase64) {
155  // We encode the final log2 iteration count in base 64.
156  $itoa64 = $this->‪getItoa64();
157  $saltWithSettings = self::PREFIX . $itoa64[$this->options['hash_count']];
158  $saltWithSettings .= $salt;
159  }
160  return $saltWithSettings;
161  }
162 
175  protected function ‪cryptPassword(string $password, string $setting)
176  {
177  $saltedPW = null;
178  $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);
179  // Retrieving settings with salt
180  $setting = substr($setting, 0, strlen(self::PREFIX) + 1 + $reqLenBase64);
181  $count_log2 = $this->‪getCountLog2($setting);
182  // Hashes may be imported from elsewhere, so we allow != HASH_COUNT
183  if ($count_log2 >= 7 && $count_log2 <= 24) {
184  $salt = substr($setting, strlen(self::PREFIX) + 1, $reqLenBase64);
185  // We must use md5() or sha1() here since they are the only cryptographic
186  // primitives always available in PHP 5. To implement our own low-level
187  // cryptographic function in PHP would result in much worse performance and
188  // consequently in lower iteration counts and hashes that are quicker to crack
189  // (by non-PHP code).
190  $count = 1 << $count_log2;
191  $hash = md5($salt . $password, true);
192  do {
193  $hash = md5($hash . $password, true);
194  } while (--$count);
195  $saltedPW = $setting . $this->‪base64Encode($hash, 16);
196  // base64Encode() of a 16 byte MD5 will always be 22 characters.
197  return strlen($saltedPW) == 34 ? $saltedPW : false;
198  }
199  return $saltedPW;
200  }
201 
208  protected function ‪getCountLog2(string $setting): int
209  {
210  return strpos($this->‪getItoa64(), $setting[strlen(self::PREFIX)]);
211  }
212 
224  protected function ‪getGeneratedSalt(): string
225  {
226  $randomBytes = GeneralUtility::makeInstance(Random::class)->generateRandomBytes(6);
227  return $this->‪base64Encode($randomBytes, 6);
228  }
229 
235  protected function ‪getItoa64(): string
236  {
237  return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
238  }
239 
246  protected function ‪isValidSalt(string $salt): bool
247  {
248  $isValid = ($skip = false);
249  $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);
250  if (strlen($salt) >= $reqLenBase64) {
251  // Salt with prefixed setting
252  if (!strncmp('$', $salt, 1)) {
253  if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {
254  $isValid = true;
255  $salt = substr($salt, (int)strrpos($salt, '$') + 2);
256  } else {
257  $skip = true;
258  }
259  }
260  // Checking base64 characters
261  if (!$skip && strlen($salt) >= $reqLenBase64) {
262  if (preg_match('/^[' . preg_quote($this->‪getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {
263  $isValid = true;
264  }
265  }
266  }
267  return $isValid;
268  }
269 
277  protected function ‪base64Encode(string $input, int $count): string
278  {
279  ‪$output = '';
280  $i = 0;
281  $itoa64 = $this->‪getItoa64();
282  do {
283  $value = ord($input[$i++]);
284  ‪$output .= $itoa64[$value & 63];
285  if ($i < $count) {
286  $value |= ord($input[$i]) << 8;
287  }
288  ‪$output .= $itoa64[$value >> 6 & 63];
289  if ($i++ >= $count) {
290  break;
291  }
292  if ($i < $count) {
293  $value |= ord($input[$i]) << 16;
294  }
295  ‪$output .= $itoa64[$value >> 12 & 63];
296  if ($i++ >= $count) {
297  break;
298  }
299  ‪$output .= $itoa64[$value >> 18 & 63];
300  } while ($i < $count);
301  return ‪$output;
302  }
303 
311  protected function ‪getLengthBase64FromBytes(int $byteLength): int
312  {
313  // Calculates bytes in bits in base64
314  return (int)ceil($byteLength * 8 / 6);
315  }
316 }
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\isValidSalt
‪bool isValidSalt(string $salt)
Definition: PhpassPasswordHash.php:245
‪TYPO3\CMS\Core\Crypto\PasswordHashing
Definition: AbstractArgon2PasswordHash.php:18
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\checkPassword
‪bool checkPassword(string $plainPW, string $saltedHashPW)
Definition: PhpassPasswordHash.php:75
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\applySettingsToSalt
‪string applySettingsToSalt(string $salt)
Definition: PhpassPasswordHash.php:148
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\getItoa64
‪string getItoa64()
Definition: PhpassPasswordHash.php:234
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\isValidSaltedPW
‪bool isValidSaltedPW(string $saltedPW)
Definition: PhpassPasswordHash.php:133
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\getLengthBase64FromBytes
‪int getLengthBase64FromBytes(int $byteLength)
Definition: PhpassPasswordHash.php:310
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\cryptPassword
‪mixed cryptPassword(string $password, string $setting)
Definition: PhpassPasswordHash.php:174
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\getCountLog2
‪int getCountLog2(string $setting)
Definition: PhpassPasswordHash.php:207
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\__construct
‪__construct(array $options=[])
Definition: PhpassPasswordHash.php:52
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\$options
‪array $options
Definition: PhpassPasswordHash.php:43
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash
Definition: PhpassPasswordHash.php:35
‪$output
‪$output
Definition: annotationChecker.php:119
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\isHashUpdateNeeded
‪bool isHashUpdateNeeded(string $passString)
Definition: PhpassPasswordHash.php:117
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\PREFIX
‪const PREFIX
Definition: PhpassPasswordHash.php:39
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\getGeneratedSalt
‪string getGeneratedSalt()
Definition: PhpassPasswordHash.php:223
‪TYPO3\CMS\Core\Crypto\Random
Definition: Random.php:24
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\getHashedPassword
‪string null getHashedPassword(string $password)
Definition: PhpassPasswordHash.php:97
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:46
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface
Definition: PasswordHashInterface.php:25
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\isAvailable
‪bool isAvailable()
Definition: PhpassPasswordHash.php:86
‪TYPO3\CMS\Core\Crypto\PasswordHashing\PhpassPasswordHash\base64Encode
‪string base64Encode(string $input, int $count)
Definition: PhpassPasswordHash.php:276