9.5/_phpass_password_hash_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Core\Crypto\PasswordHashing;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use ‪TYPO3\CMS\Core\Compatibility\PublicMethodDeprecationTrait;

use ‪TYPO3\CMS\Core\Crypto\Random;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


class ‪PhpassPasswordHash implements ‪PasswordHashInterface

{

    use ‪PublicMethodDeprecationTrait;


    private ‪$deprecatedPublicMethods = [

        'isValidSalt' => 'Using PhpassPasswordHash::isValidSalt() is deprecated and will not be possible anymore in TYPO3 v10.0.',

        'base64Encode' => 'Using PhpassPasswordHash::base64Encode() is deprecated and will not be possible anymore in TYPO3 v10.0.',

    ];


    protected const ‪PREFIX = '$P$';


    protected ‪$options = [

        'hash_count' => 14

    ];


    const ‪ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';


    const ‪HASH_COUNT = 14;


    const ‪MAX_HASH_COUNT = 24;


    const ‪MIN_HASH_COUNT = 7;


    public function ‪__construct(array ‪$options = [])

    {

        $newOptions = ‪$this->options;

        if (isset(‪$options['hash_count'])) {

            if ((int)‪$options['hash_count'] < 7 || (int)‪$options['hash_count'] > 24) {

                throw new \InvalidArgumentException(

                    'hash_count must not be lower than 7 or bigger than 24',

                    1533940454

                );

            }

            $newOptions['hash_count'] = (int)‪$options['hash_count'];

        }

        $this->options = $newOptions;

    }


    public function ‪checkPassword(string $plainPW, string $saltedHashPW): bool

    {

        $hash = $this->‪cryptPassword($plainPW, $saltedHashPW);

        return $hash && hash_equals($hash, $saltedHashPW);

    }


    public function ‪isAvailable(): bool

    {

        return true;

    }


    public function ‪getHashedPassword(string $password, string $salt = null)

    {

        if ($salt !== null) {

            trigger_error(static::class . ': using a custom salt is deprecated.', E_USER_DEPRECATED);

        }

        $saltedPW = null;

        if (!empty($password)) {

            if (empty($salt) || !$this->‪isValidSalt($salt)) {

                $salt = $this->‪getGeneratedSalt();

            }

            $saltedPW = $this->‪cryptPassword($password, $this->‪applySettingsToSalt($salt));

        }

        return $saltedPW;

    }


    public function ‪isHashUpdateNeeded(string $passString): bool

    {

        // Check whether this was an updated password.

        if (strncmp($passString, '$P$', 3) || strlen($passString) != 34) {

            return true;

        }

        // Check whether the iteration count used differs from the standard number.

        return $this->‪getCountLog2($passString) < $this->options['hash_count'];

    }


    public function ‪isValidSaltedPW(string $saltedPW): bool

    {

        $isValid = !strncmp(self::PREFIX, $saltedPW, strlen(self::PREFIX));

        if ($isValid) {

            $isValid = $this->‪isValidSalt($saltedPW);

        }

        return $isValid;

    }


    protected function ‪applySettingsToSalt(string $salt): string

    {

        $saltWithSettings = $salt;

        $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);

        // Salt without setting

        if (strlen($salt) == $reqLenBase64) {

            // We encode the final log2 iteration count in base 64.

            $itoa64 = $this->‪getItoa64();

            $saltWithSettings = self::PREFIX . $itoa64[$this->options['hash_count']];

            $saltWithSettings .= $salt;

        }

        return $saltWithSettings;

    }


    protected function ‪cryptPassword(string $password, string $setting)

    {

        $saltedPW = null;

        $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);

        // Retrieving settings with salt

        $setting = substr($setting, 0, strlen(self::PREFIX) + 1 + $reqLenBase64);

        $count_log2 = $this->‪getCountLog2($setting);

        // Hashes may be imported from elsewhere, so we allow != HASH_COUNT

        if ($count_log2 >= 7 && $count_log2 <= 24) {

            $salt = substr($setting, strlen(self::PREFIX) + 1, $reqLenBase64);

            // We must use md5() or sha1() here since they are the only cryptographic

            // primitives always available in PHP 5. To implement our own low-level

            // cryptographic function in PHP would result in much worse performance and

            // consequently in lower iteration counts and hashes that are quicker to crack

            // (by non-PHP code).

            $count = 1 << $count_log2;

            $hash = md5($salt . $password, true);

            do {

                $hash = md5($hash . $password, true);

            } while (--$count);

            $saltedPW = $setting . $this->‪base64Encode($hash, 16);

            // base64Encode() of a 16 byte MD5 will always be 22 characters.

            return strlen($saltedPW) == 34 ? $saltedPW : false;

        }

        return $saltedPW;

    }


    protected function ‪getCountLog2(string $setting): int

    {

        return strpos($this->‪getItoa64(), $setting[strlen(self::PREFIX)]);

    }


    protected function ‪getGeneratedSalt(): string

    {

        $randomBytes = GeneralUtility::makeInstance(Random::class)->generateRandomBytes(6);

        return $this->‪base64Encode($randomBytes, 6);

    }


    protected function ‪getItoa64(): string

    {

        return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    }


    protected function ‪isValidSalt(string $salt): bool

    {

        $isValid = ($skip = false);

        $reqLenBase64 = $this->‪getLengthBase64FromBytes(6);

        if (strlen($salt) >= $reqLenBase64) {

            // Salt with prefixed setting

            if (!strncmp('$', $salt, 1)) {

                if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {

                    $isValid = true;

                    $salt = substr($salt, strrpos($salt, '$') + 2);

                } else {

                    $skip = true;

                }

            }

            // Checking base64 characters

            if (!$skip && strlen($salt) >= $reqLenBase64) {

                if (preg_match('/^[' . preg_quote($this->‪getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {

                    $isValid = true;

                }

            }

        }

        return $isValid;

    }


    protected function ‪base64Encode(string $input, int $count): string

    {

        ‪$output = '';

        $i = 0;

        $itoa64 = $this->‪getItoa64();

        do {

            $value = ord($input[$i++]);

            ‪$output .= $itoa64[$value & 63];

            if ($i < $count) {

                $value |= ord($input[$i]) << 8;

            }

            ‪$output .= $itoa64[$value >> 6 & 63];

            if ($i++ >= $count) {

                break;

            }

            if ($i < $count) {

                $value |= ord($input[$i]) << 16;

            }

            ‪$output .= $itoa64[$value >> 12 & 63];

            if ($i++ >= $count) {

                break;

            }

            ‪$output .= $itoa64[$value >> 18 & 63];

        } while ($i < $count);

        return ‪$output;

    }


    protected function ‪getLengthBase64FromBytes(int $byteLength): int

    {

        // Calculates bytes in bits in base64

        return (int)ceil($byteLength * 8 / 6);

    }


    public function ‪getHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return $this->options['hash_count'];

    }


    public function ‪getMaxHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 24;

    }


    public function ‪getMinHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 7;

    }


    public function ‪getSaltLength(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 6;

    }


    public function ‪getSetting(): string

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return ‪self::PREFIX;

    }


    public function ‪setHashCount(int $hashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        if ($hashCount >= 7 && $hashCount <= 24) {

            $this->options['hash_count'] = $hashCount;

        }

    }


    public function ‪setMaxHashCount(int $maxHashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        // Empty, max hash count is hard coded to 24

    }


    public function ‪setMinHashCount(int $minHashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        // Empty, max hash count is hard coded to 7

    }

}