password_hash()

Complexity

Conditions	41
Paths	2839

Size

Total Lines	133
Code Lines	97

Duplication

Lines	0
Ratio	0 %

Importance

Changes

0

<?php
		function password_hash($password, $algo, array $options = array()) {
			if (!function_exists('crypt')) {
				trigger_error("Crypt must be loaded for password_hash to function", E_USER_WARNING);
				return null;
			}
			if (!is_string($password)) {

The condition is_string($password) is always true.

				trigger_error("password_hash(): Password must be a string", E_USER_WARNING);
				return null;
			}
			if (!is_int($algo)) {

The condition is_int($algo) is always true.

				trigger_error("password_hash() expects parameter 2 to be long, " . gettype($algo) . " given", E_USER_WARNING);
				return null;
			}
			if (PasswordCompat\binary\_strlen($password) > 72) {
				$password = PasswordCompat\binary\_substr($password, 0, 72);
			}
			switch ($algo) {
				case PASSWORD_BCRYPT:
					// Note that this is a C constant, but not exposed to PHP, so we don't define it here.
					$cost = 10;
					if (isset($options['cost'])) {
						$cost = $options['cost'];
						if ($cost < 4 || $cost > 31) {
							trigger_error(sprintf("password_hash(): Invalid bcrypt cost parameter specified: %d", $cost), E_USER_WARNING);
							return null;
						}
					}
					// The length of salt to generate
					$raw_salt_len = 16;
					// The length required in the final serialization
					$required_salt_len = 22;
					$hash_format = sprintf("$2y$%02d$", $cost);
					// The expected length of the final crypt() output
					$resultLength = 60;
					break;
				default:
					trigger_error(sprintf("password_hash(): Unknown password hashing algorithm: %s", $algo), E_USER_WARNING);
					return null;
			}
			$salt_requires_encoding = false;
			if (isset($options['salt'])) {
				switch (gettype($options['salt'])) {
					case 'NULL':
					case 'boolean':
					case 'integer':
					case 'double':
					case 'string':
						$salt = (string) $options['salt'];
						break;
					case 'object':
						if (method_exists($options['salt'], '__tostring')) {
							$salt = (string) $options['salt'];
							break;
						}
					case 'array':
					case 'resource':
					default:
						trigger_error('password_hash(): Non-string salt parameter supplied', E_USER_WARNING);
						return null;
				}
				if (PasswordCompat\binary\_strlen($salt) < $required_salt_len) {
					trigger_error(sprintf("password_hash(): Provided salt is too short: %d expecting %d", PasswordCompat\binary\_strlen($salt), $required_salt_len), E_USER_WARNING);
					return null;
				} elseif (0 == preg_match('#^[a-zA-Z0-9./]+$#D', $salt)) {
					$salt_requires_encoding = true;
				}
			} else {
				$buffer = '';
				$buffer_valid = false;
				if (function_exists('random_bytes')) {
					$buffer = random_bytes($raw_salt_len);
					if ($buffer) {
						$buffer_valid = true;
					}
				}
				if (!$buffer_valid && function_exists('mcrypt_create_iv') && !defined('PHALANGER')) {
					$buffer = mcrypt_create_iv($raw_salt_len, MCRYPT_DEV_URANDOM);

The function mcrypt_create_iv() has been deprecated: 7.1

					if ($buffer) {
						$buffer_valid = true;
					}
				}
				if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
					$buffer = openssl_random_pseudo_bytes($raw_salt_len);
					if ($buffer) {
						$buffer_valid = true;
					}
				}
				if (!$buffer_valid && @is_readable('/dev/urandom')) {
					$f = fopen('/dev/urandom', 'r');
					$read = PasswordCompat\binary\_strlen($buffer);
					while ($read < $raw_salt_len) {
						$buffer .= fread($f, $raw_salt_len - $read);

It seems like $f can also be of type false; however, parameter $handle of fread() does only seem to accept resource, maybe add an additional type check?

						$read = PasswordCompat\binary\_strlen($buffer);
					}
					fclose($f);

It seems like $f can also be of type false; however, parameter $handle of fclose() does only seem to accept resource, maybe add an additional type check?

					if ($read >= $raw_salt_len) {
						$buffer_valid = true;
					}
				}
				if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) {
					$bl = PasswordCompat\binary\_strlen($buffer);
					for ($i = 0; $i < $raw_salt_len; $i++) {
						if ($i < $bl) {
							$buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));
						} else {
							$buffer .= chr(mt_rand(0, 255));
						}
					}
				}
				$salt = $buffer;
				$salt_requires_encoding = true;
			}
			if ($salt_requires_encoding) {
				// encode string with the Base64 variant used by crypt
				$base64_digits =
					'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
				$bcrypt64_digits =
					'./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

				$base64_string = base64_encode($salt);
				$salt = strtr(rtrim($base64_string, '='), $base64_digits, $bcrypt64_digits);
			}
			$salt = PasswordCompat\binary\_substr($salt, 0, $required_salt_len);

			$hash = $hash_format . $salt;

			$ret = crypt($password, $hash);

			if (!is_string($ret) || PasswordCompat\binary\_strlen($ret) != $resultLength) {

The condition is_string($ret) is always true.

				return false;
			}

			return $ret;
		}
?>