nextcloud / server

lib/private/Security/Hasher.php

Indentation +168 added lines, -168 removed lines

@@ -50,173 +50,173 @@
  * @package OC\Security
  */
 class Hasher implements IHasher {
-	/** @var IConfig */
-	private $config;
-	/** @var array Options passed to password_hash and password_needs_rehash */
-	private $options = [];
-	/** @var string Salt used for legacy passwords */
-	private $legacySalt = null;
-
-	/**
-	 * @param IConfig $config
-	 */
-	public function __construct(IConfig $config) {
-		$this->config = $config;
-
-		if (\defined('PASSWORD_ARGON2I')) {
-			// password_hash fails, when the minimum values are undershot.
-			// In this case, ignore and revert to default
-			if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
-				$this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
-			}
-			if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
-				$this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
-			}
-			if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
-				$this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
-			}
-		}
-
-		$hashingCost = $this->config->getSystemValue('hashingCost', null);
-		if(!\is_null($hashingCost)) {
-			$this->options['cost'] = $hashingCost;
-		}
-	}
-
-	/**
-	 * Hashes a message using PHP's `password_hash` functionality.
-	 * Please note that the size of the returned string is not guaranteed
-	 * and can be up to 255 characters.
-	 *
-	 * @param string $message Message to generate hash from
-	 * @return string Hash of the message with appended version parameter
-	 */
-	public function hash(string $message): string {
-		$alg = $this->getPrefferedAlgorithm();
-
-		if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) {
-			return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
-		}
-
-		return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
-	}
-
-	/**
-	 * Get the version and hash from a prefixedHash
-	 * @param string $prefixedHash
-	 * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
-	 */
-	protected function splitHash(string $prefixedHash) {
-		$explodedString = explode('|', $prefixedHash, 2);
-		if(\count($explodedString) === 2) {
-			if((int)$explodedString[0] > 0) {
-				return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
-			}
-		}
-
-		return null;
-	}
-
-	/**
-	 * Verify legacy hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
-		if(empty($this->legacySalt)) {
-			$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
-		}
-
-		// Verify whether it matches a legacy PHPass or SHA1 string
-		$hashLength = \strlen($hash);
-		if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
-			($hashLength === 40 && hash_equals($hash, sha1($message)))) {
-			$newHash = $this->hash($message);
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Verify V1 (blowfish) hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
-		if(password_verify($message, $hash)) {
-			if ($this->needsRehash($hash)) {
-				$newHash = $this->hash($message);
-			}
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Verify V2 (argon2i) hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
-		if(password_verify($message, $hash)) {
-			if($this->needsRehash($hash)) {
-				$newHash = $this->hash($message);
-			}
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	public function verify(string $message, string $hash, &$newHash = null): bool {
-		$splittedHash = $this->splitHash($hash);
-
-		if(isset($splittedHash['version'])) {
-			switch ($splittedHash['version']) {
-				case 2:
-					return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
-				case 1:
-					return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
-			}
-		} else {
-			return $this->legacyHashVerify($message, $hash, $newHash);
-		}
-
-		return false;
-	}
-
-	private function needsRehash(string $hash): bool {
-		$algorithm = $this->getPrefferedAlgorithm();
-
-		return password_needs_rehash($hash, $algorithm, $this->options);
-	}
-
-	private function getPrefferedAlgorithm() {
-		$default = PASSWORD_BCRYPT;
-		if (\defined('PASSWORD_ARGON2I')) {
-			$default = PASSWORD_ARGON2I;
-		}
-
-		// Check if we should use PASSWORD_DEFAULT
-		if ($this->config->getSystemValue('hashing_default_password', false) === true) {
-			$default = PASSWORD_DEFAULT;
-		}
-
-		return $default;
-	}
+    /** @var IConfig */
+    private $config;
+    /** @var array Options passed to password_hash and password_needs_rehash */
+    private $options = [];
+    /** @var string Salt used for legacy passwords */
+    private $legacySalt = null;
+
+    /**
+     * @param IConfig $config
+     */
+    public function __construct(IConfig $config) {
+        $this->config = $config;
+
+        if (\defined('PASSWORD_ARGON2I')) {
+            // password_hash fails, when the minimum values are undershot.
+            // In this case, ignore and revert to default
+            if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
+                $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
+            }
+            if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
+                $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
+            }
+            if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
+                $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
+            }
+        }
+
+        $hashingCost = $this->config->getSystemValue('hashingCost', null);
+        if(!\is_null($hashingCost)) {
+            $this->options['cost'] = $hashingCost;
+        }
+    }
+
+    /**
+     * Hashes a message using PHP's `password_hash` functionality.
+     * Please note that the size of the returned string is not guaranteed
+     * and can be up to 255 characters.
+     *
+     * @param string $message Message to generate hash from
+     * @return string Hash of the message with appended version parameter
+     */
+    public function hash(string $message): string {
+        $alg = $this->getPrefferedAlgorithm();
+
+        if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) {
+            return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
+        }
+
+        return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
+    }
+
+    /**
+     * Get the version and hash from a prefixedHash
+     * @param string $prefixedHash
+     * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
+     */
+    protected function splitHash(string $prefixedHash) {
+        $explodedString = explode('|', $prefixedHash, 2);
+        if(\count($explodedString) === 2) {
+            if((int)$explodedString[0] > 0) {
+                return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Verify legacy hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
+        if(empty($this->legacySalt)) {
+            $this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
+        }
+
+        // Verify whether it matches a legacy PHPass or SHA1 string
+        $hashLength = \strlen($hash);
+        if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
+            ($hashLength === 40 && hash_equals($hash, sha1($message)))) {
+            $newHash = $this->hash($message);
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Verify V1 (blowfish) hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
+        if(password_verify($message, $hash)) {
+            if ($this->needsRehash($hash)) {
+                $newHash = $this->hash($message);
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Verify V2 (argon2i) hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
+        if(password_verify($message, $hash)) {
+            if($this->needsRehash($hash)) {
+                $newHash = $this->hash($message);
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    public function verify(string $message, string $hash, &$newHash = null): bool {
+        $splittedHash = $this->splitHash($hash);
+
+        if(isset($splittedHash['version'])) {
+            switch ($splittedHash['version']) {
+                case 2:
+                    return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
+                case 1:
+                    return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
+            }
+        } else {
+            return $this->legacyHashVerify($message, $hash, $newHash);
+        }
+
+        return false;
+    }
+
+    private function needsRehash(string $hash): bool {
+        $algorithm = $this->getPrefferedAlgorithm();
+
+        return password_needs_rehash($hash, $algorithm, $this->options);
+    }
+
+    private function getPrefferedAlgorithm() {
+        $default = PASSWORD_BCRYPT;
+        if (\defined('PASSWORD_ARGON2I')) {
+            $default = PASSWORD_ARGON2I;
+        }
+
+        // Check if we should use PASSWORD_DEFAULT
+        if ($this->config->getSystemValue('hashing_default_password', false) === true) {
+            $default = PASSWORD_DEFAULT;
+        }
+
+        return $default;
+    }
 
 }

Spacing +12 added lines, -12 removed lines

@@ -78,7 +78,7 @@ 
 		}
 
 		$hashingCost = $this->config->getSystemValue('hashingCost', null);
-		if(!\is_null($hashingCost)) {
+		if (!\is_null($hashingCost)) {
 			$this->options['cost'] = $hashingCost;
 		}
 	}
@@ -95,10 +95,10 @@ 
 		$alg = $this->getPrefferedAlgorithm();
 
 		if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) {
-			return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
+			return 2.'|'.password_hash($message, PASSWORD_ARGON2I, $this->options);
 		}
 
-		return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
+		return 1.'|'.password_hash($message, PASSWORD_BCRYPT, $this->options);
 	}
 
 	/**
@@ -108,9 +108,9 @@ 
 	 */
 	protected function splitHash(string $prefixedHash) {
 		$explodedString = explode('|', $prefixedHash, 2);
-		if(\count($explodedString) === 2) {
-			if((int)$explodedString[0] > 0) {
-				return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
+		if (\count($explodedString) === 2) {
+			if ((int) $explodedString[0] > 0) {
+				return ['version' => (int) $explodedString[0], 'hash' => $explodedString[1]];
 			}
 		}
 
@@ -125,13 +125,13 @@ 
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
-		if(empty($this->legacySalt)) {
+		if (empty($this->legacySalt)) {
 			$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
 		}
 
 		// Verify whether it matches a legacy PHPass or SHA1 string
 		$hashLength = \strlen($hash);
-		if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
+		if (($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
 			($hashLength === 40 && hash_equals($hash, sha1($message)))) {
 			$newHash = $this->hash($message);
 			return true;
@@ -148,7 +148,7 @@ 
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
-		if(password_verify($message, $hash)) {
+		if (password_verify($message, $hash)) {
 			if ($this->needsRehash($hash)) {
 				$newHash = $this->hash($message);
 			}
@@ -166,8 +166,8 @@ 
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
-		if(password_verify($message, $hash)) {
-			if($this->needsRehash($hash)) {
+		if (password_verify($message, $hash)) {
+			if ($this->needsRehash($hash)) {
 				$newHash = $this->hash($message);
 			}
 			return true;
@@ -185,7 +185,7 @@ 
 	public function verify(string $message, string $hash, &$newHash = null): bool {
 		$splittedHash = $this->splitHash($hash);
 
-		if(isset($splittedHash['version'])) {
+		if (isset($splittedHash['version'])) {
 			switch ($splittedHash['version']) {
 				case 2:
 					return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);