9.5/_bcrypt_password_hash_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Core\Crypto\PasswordHashing;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


class ‪BcryptPasswordHash implements ‪PasswordHashInterface

{

    protected const ‪PREFIX = '$2y$';


    protected ‪$options = [

        'cost' => 12,

    ];


    public function ‪__construct(array ‪$options = [])

    {

        $newOptions = ‪$this->options;

        // Check options for validity

        if (isset(‪$options['cost'])) {

            if (!$this->‪isValidBcryptCost((int)‪$options['cost'])) {

                throw new \InvalidArgumentException(

                    'cost must not be lower than ' . PASSWORD_BCRYPT_DEFAULT_COST . ' or higher than 31',

                    1533902002

                );

            }

            $newOptions['cost'] = (int)‪$options['cost'];

        }

        $this->options = $newOptions;

    }


    public function ‪isAvailable(): bool

    {

        return defined('PASSWORD_BCRYPT')

            && PASSWORD_BCRYPT

            && function_exists('hash')

            && function_exists('hash_algos')

            && in_array('sha384', hash_algos());

    }


    public function ‪checkPassword(string $plainPW, string $saltedHashPW): bool

    {

        return password_verify($this->‪processPlainPassword($plainPW), $saltedHashPW);

    }


    public function ‪getHashedPassword(string $password, string $salt = null)

    {

        if ($salt !== null) {

            trigger_error(static::class . ': using a custom salt is deprecated in PHP password api and thus ignored.', E_USER_DEPRECATED);

        }

        $hashedPassword = null;

        if ($password !== '') {

            $password = $this->‪processPlainPassword($password);

            $hashedPassword = password_hash($password, PASSWORD_BCRYPT, $this->options);

            if (!is_string($hashedPassword) || empty($hashedPassword)) {

                throw new InvalidPasswordHashException('Cannot generate password, probably invalid options', 1517174114);

            }

        }

        return $hashedPassword;

    }


    public function ‪isValidSaltedPW(string $saltedPW): bool

    {

        $result = false;

        $passwordInfo = password_get_info($saltedPW);

        // Validate the cost value, password_get_info() does not check it

        $cost = (int)substr($saltedPW, 4, 2);

        if (isset($passwordInfo['algo'])

            && $passwordInfo['algo'] === PASSWORD_BCRYPT

            && strncmp($saltedPW, static::PREFIX, strlen(static::PREFIX)) === 0

            && $this->‪isValidBcryptCost($cost)

        ) {

            $result = true;

        }

        return $result;

    }

    public function ‪isHashUpdateNeeded(string $passString): bool

    {

        return password_needs_rehash($passString, PASSWORD_BCRYPT, $this->options);

    }


    protected function ‪processPlainPassword(string $password): string

    {

        return base64_encode(hash('sha384', $password, true));

    }


    protected function ‪isValidBcryptCost(int $cost): bool

    {

        return $cost >= PASSWORD_BCRYPT_DEFAULT_COST && $cost <= 31;

    }


    public function ‪getOptions(): array

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return ‪$this->options;

    }


    public function ‪setOptions(array ‪$options): void

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        $newOptions = [];


        // Check options for validity, else use hard coded defaults

        if (isset(‪$options['cost'])) {

            if (!$this->‪isValidBcryptCost((int)$options['cost'])) {

                throw new \InvalidArgumentException(

                    'cost must not be lower than ' . PASSWORD_BCRYPT_DEFAULT_COST . ' or higher than 31',

                    1526042084

                );

            }

            $newOptions['cost'] = (int)‪$options['cost'];

        } else {

            $newOptions['cost'] = 12;

        }


        $this->options = $newOptions;

    }

}