Inspection of "Merge pull request #19023 from nextcloud/enh+fix/1..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 8eefb5...2f27f1 )

by Blizzz

created 2020-01-23 10:48 UTC

Status

Indentation +152 added lines, -152 removed lines patch added patch discarded remove patch

@@ -50,157 +50,157 @@
 block discarded – undo
  * @package OC\Security
  */
 class Hasher implements IHasher {
-	/** @var IConfig */
-	private $config;
-	/** @var array Options passed to password_hash and password_needs_rehash */
-	private $options = [];
-	/** @var string Salt used for legacy passwords */
-	private $legacySalt = null;
-
-	/**
-	 * @param IConfig $config
-	 */
-	public function __construct(IConfig $config) {
-		$this->config = $config;
-
-		if (\defined('PASSWORD_ARGON2I')) {
-			// password_hash fails, when the minimum values are undershot.
-			// In this case, ignore and revert to default
-			if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
-				$this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
-			}
-			if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
-				$this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
-			}
-			if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
-				$this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
-			}
-		}
-
-		$hashingCost = $this->config->getSystemValue('hashingCost', null);
-		if(!\is_null($hashingCost)) {
-			$this->options['cost'] = $hashingCost;
-		}
-	}
-
-	/**
-	 * Hashes a message using PHP's `password_hash` functionality.
-	 * Please note that the size of the returned string is not guaranteed
-	 * and can be up to 255 characters.
-	 *
-	 * @param string $message Message to generate hash from
-	 * @return string Hash of the message with appended version parameter
-	 */
-	public function hash(string $message): string {
-		if (\defined('PASSWORD_ARGON2I')) {
-			return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
-		} else {
-			return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
-		}
-	}
-
-	/**
-	 * Get the version and hash from a prefixedHash
-	 * @param string $prefixedHash
-	 * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
-	 */
-	protected function splitHash(string $prefixedHash) {
-		$explodedString = explode('|', $prefixedHash, 2);
-		if(\count($explodedString) === 2) {
-			if((int)$explodedString[0] > 0) {
-				return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
-			}
-		}
-
-		return null;
-	}
-
-	/**
-	 * Verify legacy hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
-		if(empty($this->legacySalt)) {
-			$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
-		}
-
-		// Verify whether it matches a legacy PHPass or SHA1 string
-		$hashLength = \strlen($hash);
-		if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
-			($hashLength === 40 && hash_equals($hash, sha1($message)))) {
-			$newHash = $this->hash($message);
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Verify V1 (blowfish) hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
-		if(password_verify($message, $hash)) {
-			$algo = PASSWORD_BCRYPT;
-			if (\defined('PASSWORD_ARGON2I')) {
-				$algo = PASSWORD_ARGON2I;
-			}
-
-			if(password_needs_rehash($hash, $algo, $this->options)) {
-				$newHash = $this->hash($message);
-			}
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Verify V2 (argon2i) hashes
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
-		if(password_verify($message, $hash)) {
-			if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
-				$newHash = $this->hash($message);
-			}
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * @param string $message Message to verify
-	 * @param string $hash Assumed hash of the message
-	 * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
-	 * @return bool Whether $hash is a valid hash of $message
-	 */
-	public function verify(string $message, string $hash, &$newHash = null): bool {
-		$splittedHash = $this->splitHash($hash);
-
-		if(isset($splittedHash['version'])) {
-			switch ($splittedHash['version']) {
-				case 2:
-					return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
-				case 1:
-					return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
-			}
-		} else {
-			return $this->legacyHashVerify($message, $hash, $newHash);
-		}
-
-
-		return false;
-	}
+    /** @var IConfig */
+    private $config;
+    /** @var array Options passed to password_hash and password_needs_rehash */
+    private $options = [];
+    /** @var string Salt used for legacy passwords */
+    private $legacySalt = null;
+
+    /**
+     * @param IConfig $config
+     */
+    public function __construct(IConfig $config) {
+        $this->config = $config;
+
+        if (\defined('PASSWORD_ARGON2I')) {
+            // password_hash fails, when the minimum values are undershot.
+            // In this case, ignore and revert to default
+            if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
+                $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
+            }
+            if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
+                $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
+            }
+            if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
+                $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
+            }
+        }
+
+        $hashingCost = $this->config->getSystemValue('hashingCost', null);
+        if(!\is_null($hashingCost)) {
+            $this->options['cost'] = $hashingCost;
+        }
+    }
+
+    /**
+     * Hashes a message using PHP's `password_hash` functionality.
+     * Please note that the size of the returned string is not guaranteed
+     * and can be up to 255 characters.
+     *
+     * @param string $message Message to generate hash from
+     * @return string Hash of the message with appended version parameter
+     */
+    public function hash(string $message): string {
+        if (\defined('PASSWORD_ARGON2I')) {
+            return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
+        } else {
+            return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
+        }
+    }
+
+    /**
+     * Get the version and hash from a prefixedHash
+     * @param string $prefixedHash
+     * @return null|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
+     */
+    protected function splitHash(string $prefixedHash) {
+        $explodedString = explode('|', $prefixedHash, 2);
+        if(\count($explodedString) === 2) {
+            if((int)$explodedString[0] > 0) {
+                return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Verify legacy hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
+        if(empty($this->legacySalt)) {
+            $this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
+        }
+
+        // Verify whether it matches a legacy PHPass or SHA1 string
+        $hashLength = \strlen($hash);
+        if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
+            ($hashLength === 40 && hash_equals($hash, sha1($message)))) {
+            $newHash = $this->hash($message);
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Verify V1 (blowfish) hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
+        if(password_verify($message, $hash)) {
+            $algo = PASSWORD_BCRYPT;
+            if (\defined('PASSWORD_ARGON2I')) {
+                $algo = PASSWORD_ARGON2I;
+            }
+
+            if(password_needs_rehash($hash, $algo, $this->options)) {
+                $newHash = $this->hash($message);
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Verify V2 (argon2i) hashes
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
+        if(password_verify($message, $hash)) {
+            if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
+                $newHash = $this->hash($message);
+            }
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @param string $message Message to verify
+     * @param string $hash Assumed hash of the message
+     * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
+     * @return bool Whether $hash is a valid hash of $message
+     */
+    public function verify(string $message, string $hash, &$newHash = null): bool {
+        $splittedHash = $this->splitHash($hash);
+
+        if(isset($splittedHash['version'])) {
+            switch ($splittedHash['version']) {
+                case 2:
+                    return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
+                case 1:
+                    return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
+            }
+        } else {
+            return $this->legacyHashVerify($message, $hash, $newHash);
+        }
+
+
+        return false;
+    }
 
 }

Please login to merge, or discard this patch.

Spacing +13 added lines, -13 removed lines patch added patch discarded remove patch

@@ -78,7 +78,7 @@  discard block
 block discarded – undo
 		}
 
 		$hashingCost = $this->config->getSystemValue('hashingCost', null);
-		if(!\is_null($hashingCost)) {
+		if (!\is_null($hashingCost)) {
 			$this->options['cost'] = $hashingCost;
 		}
 	}
@@ -93,9 +93,9 @@  discard block
 block discarded – undo
 	 */
 	public function hash(string $message): string {
 		if (\defined('PASSWORD_ARGON2I')) {
-			return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
+			return 2.'|'.password_hash($message, PASSWORD_ARGON2I, $this->options);
 		} else {
-			return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
+			return 1.'|'.password_hash($message, PASSWORD_BCRYPT, $this->options);
 		}
 	}
 
@@ -106,9 +106,9 @@  discard block
 block discarded – undo
 	 */
 	protected function splitHash(string $prefixedHash) {
 		$explodedString = explode('|', $prefixedHash, 2);
-		if(\count($explodedString) === 2) {
-			if((int)$explodedString[0] > 0) {
-				return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
+		if (\count($explodedString) === 2) {
+			if ((int) $explodedString[0] > 0) {
+				return ['version' => (int) $explodedString[0], 'hash' => $explodedString[1]];
 			}
 		}
 
@@ -123,13 +123,13 @@  discard block
 block discarded – undo
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
-		if(empty($this->legacySalt)) {
+		if (empty($this->legacySalt)) {
 			$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
 		}
 
 		// Verify whether it matches a legacy PHPass or SHA1 string
 		$hashLength = \strlen($hash);
-		if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
+		if (($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) ||
 			($hashLength === 40 && hash_equals($hash, sha1($message)))) {
 			$newHash = $this->hash($message);
 			return true;
@@ -146,13 +146,13 @@  discard block
 block discarded – undo
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
-		if(password_verify($message, $hash)) {
+		if (password_verify($message, $hash)) {
 			$algo = PASSWORD_BCRYPT;
 			if (\defined('PASSWORD_ARGON2I')) {
 				$algo = PASSWORD_ARGON2I;
 			}
 
-			if(password_needs_rehash($hash, $algo, $this->options)) {
+			if (password_needs_rehash($hash, $algo, $this->options)) {
 				$newHash = $this->hash($message);
 			}
 			return true;
@@ -169,8 +169,8 @@  discard block
 block discarded – undo
 	 * @return bool Whether $hash is a valid hash of $message
 	 */
 	protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
-		if(password_verify($message, $hash)) {
-			if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
+		if (password_verify($message, $hash)) {
+			if (password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
 				$newHash = $this->hash($message);
 			}
 			return true;
@@ -188,7 +188,7 @@  discard block
 block discarded – undo
 	public function verify(string $message, string $hash, &$newHash = null): bool {
 		$splittedHash = $this->splitHash($hash);
 
-		if(isset($splittedHash['version'])) {
+		if (isset($splittedHash['version'])) {
 			switch ($splittedHash['version']) {
 				case 2:
 					return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);

Please login to merge, or discard this patch.

		@@ -78,7 +78,7 @@ discard block
		block discarded – undo
78	78	}
79	79
80	80	$hashingCost = $this->config->getSystemValue('hashingCost', null);
81		- if(!\is_null($hashingCost)) {
	81	+ if (!\is_null($hashingCost)) {
82	82	$this->options['cost'] = $hashingCost;
83	83	}
84	84	}
		@@ -93,9 +93,9 @@ discard block
		block discarded – undo
93	93	*/
94	94	public function hash(string $message): string {
95	95	if (\defined('PASSWORD_ARGON2I')) {
96		- return 2 . '\|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
	96	+ return 2.'\|'.password_hash($message, PASSWORD_ARGON2I, $this->options);
97	97	} else {
98		- return 1 . '\|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
	98	+ return 1.'\|'.password_hash($message, PASSWORD_BCRYPT, $this->options);
99	99	}
100	100	}
101	101
		@@ -106,9 +106,9 @@ discard block
		block discarded – undo
106	106	*/
107	107	protected function splitHash(string $prefixedHash) {
108	108	$explodedString = explode('\|', $prefixedHash, 2);
109		- if(\count($explodedString) === 2) {
110		- if((int)$explodedString[0] > 0) {
111		- return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
	109	+ if (\count($explodedString) === 2) {
	110	+ if ((int) $explodedString[0] > 0) {
	111	+ return ['version' => (int) $explodedString[0], 'hash' => $explodedString[1]];
112	112	}
113	113	}
114	114
		@@ -123,13 +123,13 @@ discard block
		block discarded – undo
123	123	* @return bool Whether $hash is a valid hash of $message
124	124	*/
125	125	protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
126		- if(empty($this->legacySalt)) {
	126	+ if (empty($this->legacySalt)) {
127	127	$this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
128	128	}
129	129
130	130	// Verify whether it matches a legacy PHPass or SHA1 string
131	131	$hashLength = \strlen($hash);
132		- if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) \|\|
	132	+ if (($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) \|\|
133	133	($hashLength === 40 && hash_equals($hash, sha1($message)))) {
134	134	$newHash = $this->hash($message);
135	135	return true;
		@@ -146,13 +146,13 @@ discard block
		block discarded – undo
146	146	* @return bool Whether $hash is a valid hash of $message
147	147	*/
148	148	protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
149		- if(password_verify($message, $hash)) {
	149	+ if (password_verify($message, $hash)) {
150	150	$algo = PASSWORD_BCRYPT;
151	151	if (\defined('PASSWORD_ARGON2I')) {
152	152	$algo = PASSWORD_ARGON2I;
153	153	}
154	154
155		- if(password_needs_rehash($hash, $algo, $this->options)) {
	155	+ if (password_needs_rehash($hash, $algo, $this->options)) {
156	156	$newHash = $this->hash($message);
157	157	}
158	158	return true;
		@@ -169,8 +169,8 @@ discard block
		block discarded – undo
169	169	* @return bool Whether $hash is a valid hash of $message
170	170	*/
171	171	protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
172		- if(password_verify($message, $hash)) {
173		- if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
	172	+ if (password_verify($message, $hash)) {
	173	+ if (password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
174	174	$newHash = $this->hash($message);
175	175	}
176	176	return true;
		@@ -188,7 +188,7 @@ discard block
		block discarded – undo
188	188	public function verify(string $message, string $hash, &$newHash = null): bool {
189	189	$splittedHash = $this->splitHash($hash);
190	190
191		- if(isset($splittedHash['version'])) {
	191	+ if (isset($splittedHash['version'])) {
192	192	switch ($splittedHash['version']) {
193	193	case 2:
194	194	return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);

		@@ -50,157 +50,157 @@
		block discarded – undo
50	50	* @package OC\Security
51	51	*/
52	52	class Hasher implements IHasher {
53		- /** @var IConfig */
54		- private $config;
55		- /** @var array Options passed to password_hash and password_needs_rehash */
56		- private $options = [];
57		- /** @var string Salt used for legacy passwords */
58		- private $legacySalt = null;
59		-
60		- /**
61		- * @param IConfig $config
62		- */
63		- public function __construct(IConfig $config) {
64		- $this->config = $config;
65		-
66		- if (\defined('PASSWORD_ARGON2I')) {
67		- // password_hash fails, when the minimum values are undershot.
68		- // In this case, ignore and revert to default
69		- if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
70		- $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
71		- }
72		- if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
73		- $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
74		- }
75		- if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
76		- $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
77		- }
78		- }
79		-
80		- $hashingCost = $this->config->getSystemValue('hashingCost', null);
81		- if(!\is_null($hashingCost)) {
82		- $this->options['cost'] = $hashingCost;
83		- }
84		- }
85		-
86		- /**
87		- * Hashes a message using PHP's `password_hash` functionality.
88		- * Please note that the size of the returned string is not guaranteed
89		- * and can be up to 255 characters.
90		- *
91		- * @param string $message Message to generate hash from
92		- * @return string Hash of the message with appended version parameter
93		- */
94		- public function hash(string $message): string {
95		- if (\defined('PASSWORD_ARGON2I')) {
96		- return 2 . '\|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
97		- } else {
98		- return 1 . '\|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
99		- }
100		- }
101		-
102		- /**
103		- * Get the version and hash from a prefixedHash
104		- * @param string $prefixedHash
105		- * @return null\|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
106		- */
107		- protected function splitHash(string $prefixedHash) {
108		- $explodedString = explode('\|', $prefixedHash, 2);
109		- if(\count($explodedString) === 2) {
110		- if((int)$explodedString[0] > 0) {
111		- return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
112		- }
113		- }
114		-
115		- return null;
116		- }
117		-
118		- /**
119		- * Verify legacy hashes
120		- * @param string $message Message to verify
121		- * @param string $hash Assumed hash of the message
122		- * @param null\|string &$newHash Reference will contain the updated hash
123		- * @return bool Whether $hash is a valid hash of $message
124		- */
125		- protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
126		- if(empty($this->legacySalt)) {
127		- $this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
128		- }
129		-
130		- // Verify whether it matches a legacy PHPass or SHA1 string
131		- $hashLength = \strlen($hash);
132		- if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) \|\|
133		- ($hashLength === 40 && hash_equals($hash, sha1($message)))) {
134		- $newHash = $this->hash($message);
135		- return true;
136		- }
137		-
138		- return false;
139		- }
140		-
141		- /**
142		- * Verify V1 (blowfish) hashes
143		- * @param string $message Message to verify
144		- * @param string $hash Assumed hash of the message
145		- * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
146		- * @return bool Whether $hash is a valid hash of $message
147		- */
148		- protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
149		- if(password_verify($message, $hash)) {
150		- $algo = PASSWORD_BCRYPT;
151		- if (\defined('PASSWORD_ARGON2I')) {
152		- $algo = PASSWORD_ARGON2I;
153		- }
154		-
155		- if(password_needs_rehash($hash, $algo, $this->options)) {
156		- $newHash = $this->hash($message);
157		- }
158		- return true;
159		- }
160		-
161		- return false;
162		- }
163		-
164		- /**
165		- * Verify V2 (argon2i) hashes
166		- * @param string $message Message to verify
167		- * @param string $hash Assumed hash of the message
168		- * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
169		- * @return bool Whether $hash is a valid hash of $message
170		- */
171		- protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
172		- if(password_verify($message, $hash)) {
173		- if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
174		- $newHash = $this->hash($message);
175		- }
176		- return true;
177		- }
178		-
179		- return false;
180		- }
181		-
182		- /**
183		- * @param string $message Message to verify
184		- * @param string $hash Assumed hash of the message
185		- * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
186		- * @return bool Whether $hash is a valid hash of $message
187		- */
188		- public function verify(string $message, string $hash, &$newHash = null): bool {
189		- $splittedHash = $this->splitHash($hash);
190		-
191		- if(isset($splittedHash['version'])) {
192		- switch ($splittedHash['version']) {
193		- case 2:
194		- return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
195		- case 1:
196		- return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
197		- }
198		- } else {
199		- return $this->legacyHashVerify($message, $hash, $newHash);
200		- }
201		-
202		-
203		- return false;
204		- }
	53	+ /** @var IConfig */
	54	+ private $config;
	55	+ /** @var array Options passed to password_hash and password_needs_rehash */
	56	+ private $options = [];
	57	+ /** @var string Salt used for legacy passwords */
	58	+ private $legacySalt = null;
	59	+
	60	+ /**
	61	+ * @param IConfig $config
	62	+ */
	63	+ public function __construct(IConfig $config) {
	64	+ $this->config = $config;
	65	+
	66	+ if (\defined('PASSWORD_ARGON2I')) {
	67	+ // password_hash fails, when the minimum values are undershot.
	68	+ // In this case, ignore and revert to default
	69	+ if ($this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 8) {
	70	+ $this->options['memory_cost'] = $this->config->getSystemValueInt('hashingMemoryCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST);
	71	+ }
	72	+ if ($this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
	73	+ $this->options['time_cost'] = $this->config->getSystemValueInt('hashingTimeCost', PASSWORD_ARGON2_DEFAULT_TIME_COST);
	74	+ }
	75	+ if ($this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_MEMORY_COST) >= 1) {
	76	+ $this->options['threads'] = $this->config->getSystemValueInt('hashingThreads', PASSWORD_ARGON2_DEFAULT_THREADS);
	77	+ }
	78	+ }
	79	+
	80	+ $hashingCost = $this->config->getSystemValue('hashingCost', null);
	81	+ if(!\is_null($hashingCost)) {
	82	+ $this->options['cost'] = $hashingCost;
	83	+ }
	84	+ }
	85	+
	86	+ /**
	87	+ * Hashes a message using PHP's `password_hash` functionality.
	88	+ * Please note that the size of the returned string is not guaranteed
	89	+ * and can be up to 255 characters.
	90	+ *
	91	+ * @param string $message Message to generate hash from
	92	+ * @return string Hash of the message with appended version parameter
	93	+ */
	94	+ public function hash(string $message): string {
	95	+ if (\defined('PASSWORD_ARGON2I')) {
	96	+ return 2 . '\|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
	97	+ } else {
	98	+ return 1 . '\|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
	99	+ }
	100	+ }
	101	+
	102	+ /**
	103	+ * Get the version and hash from a prefixedHash
	104	+ * @param string $prefixedHash
	105	+ * @return null\|array Null if the hash is not prefixed, otherwise array('version' => 1, 'hash' => 'foo')
	106	+ */
	107	+ protected function splitHash(string $prefixedHash) {
	108	+ $explodedString = explode('\|', $prefixedHash, 2);
	109	+ if(\count($explodedString) === 2) {
	110	+ if((int)$explodedString[0] > 0) {
	111	+ return ['version' => (int)$explodedString[0], 'hash' => $explodedString[1]];
	112	+ }
	113	+ }
	114	+
	115	+ return null;
	116	+ }
	117	+
	118	+ /**
	119	+ * Verify legacy hashes
	120	+ * @param string $message Message to verify
	121	+ * @param string $hash Assumed hash of the message
	122	+ * @param null\|string &$newHash Reference will contain the updated hash
	123	+ * @return bool Whether $hash is a valid hash of $message
	124	+ */
	125	+ protected function legacyHashVerify($message, $hash, &$newHash = null): bool {
	126	+ if(empty($this->legacySalt)) {
	127	+ $this->legacySalt = $this->config->getSystemValue('passwordsalt', '');
	128	+ }
	129	+
	130	+ // Verify whether it matches a legacy PHPass or SHA1 string
	131	+ $hashLength = \strlen($hash);
	132	+ if(($hashLength === 60 && password_verify($message.$this->legacySalt, $hash)) \|\|
	133	+ ($hashLength === 40 && hash_equals($hash, sha1($message)))) {
	134	+ $newHash = $this->hash($message);
	135	+ return true;
	136	+ }
	137	+
	138	+ return false;
	139	+ }
	140	+
	141	+ /**
	142	+ * Verify V1 (blowfish) hashes
	143	+ * @param string $message Message to verify
	144	+ * @param string $hash Assumed hash of the message
	145	+ * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
	146	+ * @return bool Whether $hash is a valid hash of $message
	147	+ */
	148	+ protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
	149	+ if(password_verify($message, $hash)) {
	150	+ $algo = PASSWORD_BCRYPT;
	151	+ if (\defined('PASSWORD_ARGON2I')) {
	152	+ $algo = PASSWORD_ARGON2I;
	153	+ }
	154	+
	155	+ if(password_needs_rehash($hash, $algo, $this->options)) {
	156	+ $newHash = $this->hash($message);
	157	+ }
	158	+ return true;
	159	+ }
	160	+
	161	+ return false;
	162	+ }
	163	+
	164	+ /**
	165	+ * Verify V2 (argon2i) hashes
	166	+ * @param string $message Message to verify
	167	+ * @param string $hash Assumed hash of the message
	168	+ * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
	169	+ * @return bool Whether $hash is a valid hash of $message
	170	+ */
	171	+ protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
	172	+ if(password_verify($message, $hash)) {
	173	+ if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
	174	+ $newHash = $this->hash($message);
	175	+ }
	176	+ return true;
	177	+ }
	178	+
	179	+ return false;
	180	+ }
	181	+
	182	+ /**
	183	+ * @param string $message Message to verify
	184	+ * @param string $hash Assumed hash of the message
	185	+ * @param null\|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one.
	186	+ * @return bool Whether $hash is a valid hash of $message
	187	+ */
	188	+ public function verify(string $message, string $hash, &$newHash = null): bool {
	189	+ $splittedHash = $this->splitHash($hash);
	190	+
	191	+ if(isset($splittedHash['version'])) {
	192	+ switch ($splittedHash['version']) {
	193	+ case 2:
	194	+ return $this->verifyHashV2($message, $splittedHash['hash'], $newHash);
	195	+ case 1:
	196	+ return $this->verifyHashV1($message, $splittedHash['hash'], $newHash);
	197	+ }
	198	+ } else {
	199	+ return $this->legacyHashVerify($message, $hash, $newHash);
	200	+ }
	201	+
	202	+
	203	+ return false;
	204	+ }
205	205
206	206	}

nextcloud / server

Push — master ( 8eefb5...2f27f1 )

Status

Category

Indentation +152 added lines, -152 removed lines patch added patch discarded remove patch

Spacing +13 added lines, -13 removed lines patch added patch discarded remove patch