TYPO3CMS 11.5
TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash Class Reference
Inheritance diagram for TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash: implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface

Public Member Functions

 __construct (array $options=[])
 
bool isAvailable ()
 
bool checkPassword (string $plainPW, string $saltedHashPW)
 
string getHashedPassword (string $password)
 
bool isValidSaltedPW (string $saltedPW)
 
bool isHashUpdateNeeded (string $passString)
 

Protected Member Functions

string processPlainPassword (string $password)
 
bool isValidBcryptCost (int $cost)
 

Protected Attributes

const PREFIX = '$2y$'
 
array $options
 

Detailed Description

This class implements the 'bcrypt' flavour of the PHP password API.

Hashes are identified by the prefix '$2y$'.

To work around the limitations of bcrypt (it accepts no more than 72 characters and truncates the input at NUL bytes), the plain password is pre-hashed before the actual password hash is generated or verified.

See also
PASSWORD_BCRYPT in https://secure.php.net/manual/en/password.constants.php

Definition at line 31 of file BcryptPasswordHash.php.

Constructor & Destructor Documentation

◆ __construct()

TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::__construct ( array $options = [] )

Constructor sets options if given.

Parameters
array $options
Exceptions

Definition at line 53 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\$options, and TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\isValidBcryptCost().

Member Function Documentation

◆ checkPassword()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::checkPassword ( string $plainPW, string $saltedHashPW )

Checks if a given plaintext password is correct by comparing it with a given salted hashed password.

Parameters
string $plainPW: plain text password to compare with salted hash
string $saltedHashPW: salted hash to compare plain-text password with
Returns
bool

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 90 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\processPlainPassword().

◆ getHashedPassword()

string TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::getHashedPassword ( string $password )

Extend parent method to work around bcrypt limitations.

Parameters
string $password: plaintext password to create a salted hash from
Returns
string Salted hashed password

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 101 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\processPlainPassword().

Referenced by TYPO3\CMS\Core\Tests\Unit\Crypto\PasswordHashing\BcryptPasswordHashTest\isHashUpdateNeededReturnsTrueForHashGeneratedWithOldOptions().

◆ isAvailable()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isAvailable ( )

Returns true if both sha384 (used for pre-hashing) and bcrypt itself are available.

Returns
bool

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 74 of file BcryptPasswordHash.php.

◆ isHashUpdateNeeded()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isHashUpdateNeeded ( string $passString )

Checks whether a user's hashed password needs to be replaced with a new hash.

Parameters
string $passString: salted hash to check if it needs an update
Returns
bool TRUE if salted hash needs an update, otherwise FALSE

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 141 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Tests\Unit\Crypto\PasswordHashing\BcryptPasswordHashTest\isHashUpdateNeededReturnsTrueForHashGeneratedWithOldOptions().

◆ isValidBcryptCost()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isValidBcryptCost ( int $cost )
protected

◆ isValidSaltedPW()

bool TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::isValidSaltedPW ( string $saltedPW )

Determines if a given string is a valid salted hashed password.

Parameters
string $saltedPW: string to check
Returns
bool TRUE if it's a valid salted hashed password, otherwise FALSE

Implements TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashInterface.

Definition at line 120 of file BcryptPasswordHash.php.

References TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\isValidBcryptCost().

◆ processPlainPassword()

string TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::processPlainPassword ( string $password )
protected

The plain password is processed through sha384 and then base64 encoded. This produces a 64-character input to use with the password_* functions, which has some advantages:

  1. It is close to the bcrypt maximum of 72 characters, so most of the available input length is used
  2. base64 never produces NUL bytes (bcrypt truncates on NUL bytes)
  3. sha384 is resistant to length extension attacks

Parameters
string $password
Returns
string

Definition at line 157 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\checkPassword(), and TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\getHashedPassword().
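The pre-hash-then-bcrypt scheme from the Detailed Description and processPlainPassword(), as an added example that is not TYPO3's own code: the function names (prehash, createHash, verifyPassword, isValidSaltedHash, hashNeedsUpdate) are assumptions, and the 4..31 cost range is bcrypt's own range as accepted by PHP's password_hash(), not a value taken from this page. It also checks the cost-based rehash decision that isHashUpdateNeeded() describes.

```php
<?php
// Added example, not TYPO3's own code: re-implements the pre-hash-then-bcrypt scheme
// described above so its properties can be checked directly. Assumes PHP >= 7.2 with
// the hash extension (sha384) and bcrypt support in password_hash().
const PREFIX = '$2y$';    // same prefix as the class constant
const DEFAULT_COST = 12;  // same default as $options['cost']

// Pre-hash: raw sha384 digest (48 bytes) -> base64 (64 ASCII chars, never NUL, always < 72 bytes).
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function createHash(string $password, int $cost = DEFAULT_COST): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify(prehash($password), $hash);
}

// Counterpart of isValidSaltedPW(): '$2y$' prefix, bcrypt algorithm, cost within bcrypt's 4..31.
function isValidSaltedHash(string $hash): bool
{
    $info = password_get_info($hash);
    $cost = (int)($info['options']['cost'] ?? 0);
    return strncmp($hash, PREFIX, strlen(PREFIX)) === 0
        && $info['algo'] === PASSWORD_BCRYPT && $cost >= 4 && $cost <= 31;
}

// Counterpart of isHashUpdateNeeded(): stored hash was created with a cost other than the configured one.
function hashNeedsUpdate(string $hash, int $cost = DEFAULT_COST): bool
{
    return password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Checks on constructed sample input
$password = 'correct horse battery staple';
$pre = prehash($password);
assert(strlen($pre) === 64 && strpos($pre, "\0") === false);
// Inputs differing only after byte 72 must not collide: the pre-hash covers the whole input.
assert(prehash(str_repeat('x', 72) . 'A') !== prehash(str_repeat('x', 72) . 'B'));
$hash = createHash($password);
assert(isValidSaltedHash($hash) && verifyPassword($password, $hash));
assert(!verifyPassword('wrong password', $hash) && !hashNeedsUpdate($hash));
assert(hashNeedsUpdate(createHash($password, 10)));  // hash made with cost 10 must be upgraded
echo "all checks passed\n";
```

The last assertion is the upgrade path: a stored hash created under an older, lower cost is flagged so it can be replaced at the user's next successful login, which is when the plaintext is available.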

Member Data Documentation

◆ $options

array TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::$options
protected
Initial value:
= array(
    'cost' => 12,
)

Set the default bcrypt cost. PHP's own default is 10 before PHP 8.4 and 12 since PHP 8.4. At the time of writing, cost 12 leads to 150-200 ms of computing time on an ordinary Intel i7 CPU.

Definition at line 43 of file BcryptPasswordHash.php.

Referenced by TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash\__construct().

◆ PREFIX

const TYPO3\CMS\Core\Crypto\PasswordHashing\BcryptPasswordHash::PREFIX = '$2y$'
protected

Prefix for the password hash.

Definition at line 36 of file BcryptPasswordHash.php.