PhpassSalt.php

Go to the documentation of this file.

<?php
namespace TYPO3\CMS\Saltedpasswords\Salt;

class PhpassSalt extends \TYPO3\CMS\Saltedpasswords\Salt\AbstractSalt implements \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface {

    const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    const HASH_COUNT = 14;
    const MAX_HASH_COUNT = 24;
    const MIN_HASH_COUNT = 7;
    static protected $hashCount;

    static protected $maxHashCount;

    static protected $minHashCount;

    static protected $saltLengthPhpass = 6;

    static protected $settingPhpass = '$P$';

    protected function applySettingsToSalt($salt) {
        $saltWithSettings = $salt;
        $reqLenBase64 = $this->getLengthBase64FromBytes($this->getSaltLength());
        // Salt without setting
        if (strlen($salt) == $reqLenBase64) {
            // We encode the final log2 iteration count in base 64.
            $itoa64 = $this->getItoa64();
            $saltWithSettings = $this->getSetting() . $itoa64[$this->getHashCount()];
            $saltWithSettings .= $salt;
        }
        return $saltWithSettings;
    }

    public function checkPassword($plainPW, $saltedHashPW) {
        $hash = $this->cryptPassword($plainPW, $saltedHashPW);
        return $hash && $saltedHashPW === $hash;
    }

    public function isAvailable() {
        return TRUE;
    }

    protected function cryptPassword($password, $setting) {
        $saltedPW = NULL;
        $reqLenBase64 = $this->getLengthBase64FromBytes($this->getSaltLength());
        // Retrieving settings with salt
        $setting = substr($setting, 0, strlen($this->getSetting()) + 1 + $reqLenBase64);
        $count_log2 = $this->getCountLog2($setting);
        // Hashes may be imported from elsewhere, so we allow != HASH_COUNT
        if ($count_log2 >= $this->getMinHashCount() && $count_log2 <= $this->getMaxHashCount()) {
            $salt = substr($setting, strlen($this->getSetting()) + 1, $reqLenBase64);
            // We must use md5() or sha1() here since they are the only cryptographic
            // primitives always available in PHP 5. To implement our own low-level
            // cryptographic function in PHP would result in much worse performance and
            // consequently in lower iteration counts and hashes that are quicker to crack
            // (by non-PHP code).
            $count = 1 << $count_log2;
            $hash = md5($salt . $password, TRUE);
            do {
                $hash = md5($hash . $password, TRUE);
            } while (--$count);
            $saltedPW = $setting . $this->base64Encode($hash, 16);
            // base64Encode() of a 16 byte MD5 will always be 22 characters.
            return strlen($saltedPW) == 34 ? $saltedPW : FALSE;
        }
        return $saltedPW;
    }

    protected function getCountLog2($setting) {
        return strpos($this->getItoa64(), $setting[strlen($this->getSetting())]);
    }

    protected function getGeneratedSalt() {
        $randomBytes = \TYPO3\CMS\Core\Utility\GeneralUtility::generateRandomBytes($this->getSaltLength());
        return $this->base64Encode($randomBytes, $this->getSaltLength());
    }

    public function getHashCount() {
        return isset(self::$hashCount) ? self::$hashCount : self::HASH_COUNT;
    }

    public function getHashedPassword($password, $salt = NULL) {
        $saltedPW = NULL;
        if (!empty($password)) {
            if (empty($salt) || !$this->isValidSalt($salt)) {
                $salt = $this->getGeneratedSalt();
            }
            $saltedPW = $this->cryptPassword($password, $this->applySettingsToSalt($salt));
        }
        return $saltedPW;
    }

    protected function getItoa64() {
        return self::ITOA64;
    }

    public function getMaxHashCount() {
        return isset(self::$maxHashCount) ? self::$maxHashCount : self::MAX_HASH_COUNT;
    }

    public function getMinHashCount() {
        return isset(self::$minHashCount) ? self::$minHashCount : self::MIN_HASH_COUNT;
    }

    public function getSaltLength() {
        return self::$saltLengthPhpass;
    }

    public function getSetting() {
        return self::$settingPhpass;
    }

    public function isHashUpdateNeeded($passString) {
        // Check whether this was an updated password.
        if (strncmp($passString, '$P$', 3) || strlen($passString) != 34) {
            return TRUE;
        }
        // Check whether the iteration count used differs from the standard number.
        return $this->getCountLog2($passString) < $this->getHashCount();
    }

    public function isValidSalt($salt) {
        $isValid = ($skip = FALSE);
        $reqLenBase64 = $this->getLengthBase64FromBytes($this->getSaltLength());
        if (strlen($salt) >= $reqLenBase64) {
            // Salt with prefixed setting
            if (!strncmp('$', $salt, 1)) {
                if (!strncmp($this->getSetting(), $salt, strlen($this->getSetting()))) {
                    $isValid = TRUE;
                    $salt = substr($salt, strrpos($salt, '$') + 2);
                } else {
                    $skip = TRUE;
                }
            }
            // Checking base64 characters
            if (!$skip && strlen($salt) >= $reqLenBase64) {
                if (preg_match('/^[' . preg_quote($this->getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {
                    $isValid = TRUE;
                }
            }
        }
        return $isValid;
    }

    public function isValidSaltedPW($saltedPW) {
        $isValid = FALSE;
        $isValid = !strncmp($this->getSetting(), $saltedPW, strlen($this->getSetting())) ? TRUE : FALSE;
        if ($isValid) {
            $isValid = $this->isValidSalt($saltedPW);
        }
        return $isValid;
    }

    public function setHashCount($hashCount = NULL) {
        self::$hashCount = !is_NULL($hashCount) && is_int($hashCount) && $hashCount >= $this->getMinHashCount() && $hashCount <= $this->getMaxHashCount() ? $hashCount : self::HASH_COUNT;
    }

    public function setMaxHashCount($maxHashCount = NULL) {
        self::$maxHashCount = !is_NULL($maxHashCount) && is_int($maxHashCount) ? $maxHashCount : self::MAX_HASH_COUNT;
    }

    public function setMinHashCount($minHashCount = NULL) {
        self::$minHashCount = !is_NULL($minHashCount) && is_int($minHashCount) ? $minHashCount : self::MIN_HASH_COUNT;
    }

}