PhpassPassword - Code Metrics - Inspection of "Add a more robust salt generator for crypt." - vanilla/garden - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( b3af43...6273ca )

by Todd

created 2016-01-04 16:46 UTC

PhpassPassword B

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	322
Duplicated Lines	9.01 %

Coupling/Cohesion

Components	1
Dependencies	0

Test Coverage

Coverage

88.57%

Importance

Changes	4
Bugs	0	Features	1

Metric	Value
wmc	48
c	4
b	0
f	1
lcom	1
cbo	0
dl	29
loc	322
ccs	124
cts	140
cp	0.8857
rs	8.4865

12 Methods

Rating	Name	Duplication	Size	Complexity
A	needsRehash()	0	6	2
B	gensaltBlowfish()	0	39	3
A	gensaltExtended()	0	16	1
A	gensaltPrivate()	0	7	2
A	getHashMethod()	0	3	1
A	setHashMethod()	0	4	1
A	__construct()	0	14	4
D	hash()	18	39	10
B	getRandomBytes()	0	22	5
B	encode64()	0	25	6
C	cryptPrivate()	11	47	10
A	verify()	0	11	3

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like PhpassPassword often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use PhpassPassword, and based on these observations, apply Extract Interface, too.

<?php
/**
 * @author Todd Burry <[email protected]>
 * @copyright 2009-2014 Vanilla Forums Inc.
 * @license MIT
 */

namespace Garden\Password;

/**
 * Implements the portable PHP password hashing framework.
 *
 * The code in this class is copied from the phppass library version 0.3 located at http://www.openwall.com/phpass/.
 * Any code copied from the phppass library is copyright the original owner.
 */
class PhpassPassword implements IPassword {
    const HASH_PHPASS = 0x00;
    const HASH_BLOWFISH = 0x01;
    const HASH_EXTDES = 0x02;
    const HASH_BEST = 0x03;

    protected $itoa64;
    protected $iteration_count_log2;
    protected $portable;
    protected $random_state;

    protected $hashMethod;

    /**
     * Initializes an instance of the of the {@link PhpPass} class.
     *
     * @param int $hashMethod The hash method to use when hashing passwords.
     * @param int $iteration_count_log2 The number of times to iterate when generating the passwords.
     */
    public function __construct($hashMethod = PhpassPassword::HASH_PHPASS, $iteration_count_log2 = 8) {
        $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

        if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) {
            $iteration_count_log2 = 8;
        }
        $this->iteration_count_log2 = $iteration_count_log2;
        $this->hashMethod = $hashMethod;

        $this->random_state = microtime();
        if (function_exists('getmypid')) {
            $this->random_state .= getmypid();
        }
    }

    /**
     * {@inheritdoc}
     */
    public function needsRehash($hash) {
        $id = substr($hash, 0, 3);
        $portable = ($id != '$P$' && $id != '$H$');

        return $portable;
    }

    /**
     * {@inheritdoc}
     */
    public function hash($password) {
        $random = '';

        if (CRYPT_BLOWFISH == 1 && ($this->hashMethod & self::HASH_BLOWFISH)) {

            $random = $this->getRandomBytes(16);
            $hash =
                crypt($password, $this->gensaltBlowfish($random));
            if (strlen($hash) == 60) {
                return $hash;
            }
        }

        if (CRYPT_EXT_DES == 1 && ($this->hashMethod & self::HASH_EXTDES)) {

            if (strlen($random) < 3) {
                $random = $this->getRandomBytes(3);
            }
            $hash =
                crypt($password, $this->gensaltExtended($random));
            if (strlen($hash) == 20) {
                return $hash;
            }
        }

        if (strlen($random) < 6) {
            $random = $this->getRandomBytes(6);
        }
        $hash = $this->cryptPrivate(
            $password,
            $this->gensaltPrivate($random)
        );
        if (strlen($hash) == 34) {
            return $hash;
        }

        # Returning '*' on error is safe here, but would _not_ be safe
        # in a crypt(3)-like function used _both_ for generating new
        # hashes and for validating passwords against existing hashes.
        return '*';
    }

    /**
     * Get a string of random bytes.
     *
     * @param int $count The number of bytes to get.
     * @return string Returns a string of the generated random bytes.
     */
    protected function getRandomBytes($count) {
        $output = '';
        if (is_readable('/dev/urandom') &&
            ($fh = @fopen('/dev/urandom', 'rb'))
        ) {
            $output = fread($fh, $count);
            fclose($fh);
        }

        if (strlen($output) < $count) {
            $output = '';
            for ($i = 0; $i < $count; $i += 16) {
                $this->random_state =
                    md5(microtime().$this->random_state);
                $output .=
                    pack('H*', md5($this->random_state));
            }
            $output = substr($output, 0, $count);
        }

        return $output;
    }

    /**
     * Generate a password salt appropriate for blowfish.
     *
     * @param string $input The random input to generate the salt from.
     * @return string The generated salt.
     */
    protected function gensaltBlowfish($input) {
        # This one needs to use a different order of characters and a
        # different encoding scheme from the one in encode64() above.
        # We care because the last character in our encoded string will
        # only represent 2 bits.  While two known implementations of
        # bcrypt will happily accept and correct a salt string which
        # has the 4 unused bits set to non-zero, we do not want to take
        # chances and we also do not want to waste an additional byte
        # of entropy.
        $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

        $output = '$2a$';
        $output .= chr(ord('0') + $this->iteration_count_log2 / 10);
        $output .= chr(ord('0') + $this->iteration_count_log2 % 10);
        $output .= '$';

        $i = 0;
        do {
            $c1 = ord($input[$i++]);
            $output .= $itoa64[$c1 >> 2];
            $c1 = ($c1 & 0x03) << 4;
            if ($i >= 16) {
                $output .= $itoa64[$c1];
                break;
            }

            $c2 = ord($input[$i++]);
            $c1 |= $c2 >> 4;
            $output .= $itoa64[$c1];
            $c1 = ($c2 & 0x0f) << 2;

            $c2 = ord($input[$i++]);
            $c1 |= $c2 >> 6;
            $output .= $itoa64[$c1];
            $output .= $itoa64[$c2 & 0x3f];
        } while (1);

        return $output;
    }

    /**
     * Generate a password salt based on the input.
     *
     * @param string $input The string to generate the salt from.
     * @return string The generated salt.
     */
    private function gensaltExtended($input) {
        $count_log2 = min($this->iteration_count_log2 + 8, 24);
        # This should be odd to not reveal weak DES keys, and the
        # maximum valid value is (2**24 - 1) which is odd anyway.
        $count = (1 << $count_log2) - 1;

        $output = '_';
        $output .= $this->itoa64[$count & 0x3f];
        $output .= $this->itoa64[($count >> 6) & 0x3f];
        $output .= $this->itoa64[($count >> 12) & 0x3f];
        $output .= $this->itoa64[($count >> 18) & 0x3f];

        $output .= $this->encode64($input, 3);

        return $output;
    }

    /**
     * A custom base64 encoding function.
     *
     * @param string $input The string to encode.
     * @param int $count The number of characters to encode.
     * @return string Returns the encoded string.
     */
    protected function encode64($input, $count) {
        $output = '';
        $i = 0;
        do {
            $value = ord($input[$i++]);
            $output .= $this->itoa64[$value & 0x3f];
            if ($i < $count) {
                $value |= ord($input[$i]) << 8;
            }
            $output .= $this->itoa64[($value >> 6) & 0x3f];
            if ($i++ >= $count) {
                break;
            }
            if ($i < $count) {
                $value |= ord($input[$i]) << 16;
            }
            $output .= $this->itoa64[($value >> 12) & 0x3f];
            if ($i++ >= $count) {
                break;
            }
            $output .= $this->itoa64[($value >> 18) & 0x3f];
        } while ($i < $count);

        return $output;
    }

    /**
     * A portable version of a crypt-like algorithm.
     *
     * @param string $password The plaintext password to encrypt.
     * @param string $setting The hash prefix that defines what kind of algorithm to use.
     * @return string Returns the encrypted string.
     */
    private function cryptPrivate($password, $setting) {
        $output = '*0';
        if (substr($setting, 0, 2) == $output) {
            $output = '*1';
        }

        $id = substr($setting, 0, 3);
        # We use "$P$", phpBB3 uses "$H$" for the same thing
        if ($id != '$P$' && $id != '$H$') {
            return $output;
        }

        $count_log2 = strpos($this->itoa64, $setting[3]);
        if ($count_log2 < 7 || $count_log2 > 30) {
            return $output;
        }

        $count = 1 << $count_log2;

        $salt = substr($setting, 4, 8);
        if (strlen($salt) != 8) {
            return $output;
        }

        # We're kind of forced to use MD5 here since it's the only
        # cryptographic primitive available in all versions of PHP
        # currently in use.  To implement our own low-level crypto
        # in PHP would result in much worse performance and
        # consequently in lower iteration counts and hashes that are
        # quicker to crack (by non-PHP code).
        if (PHP_VERSION >= '5') {

            $hash = md5($salt.$password, true);
            do {
                $hash = md5($hash.$password, false);
            } while (--$count);
        } else {
            $hash = pack('H*', md5($salt.$password));
            do {
                $hash = pack('H*', md5($hash.$password));
            } while (--$count);
        }

        $output = substr($setting, 0, 12);
        $output .= $this->encode64($hash, 16);

        return $output;
    }

    /**
     * Generate a password salt based on the given input string.
     *
     * @param string $input The input string to generate the salt from.
     * @return string Returns the password salt prefixed with `$P$`.
     */
    private function gensaltPrivate($input) {
        $output = '$P$';
        $output .= $this->itoa64[min($this->iteration_count_log2 + ((PHP_VERSION >= '5') ? 5 : 3), 30)];
        $output .= $this->encode64($input, 6);

        return $output;
    }

    /**
     * {@inheritdoc}
     */
    public function verify($password, $hash) {
        if (!$hash) {
            return false;
        }
        $calc_hash = $this->cryptPrivate($password, $hash);
        if ($calc_hash[0] === '*') {
            $calc_hash = crypt($password, $hash);
        }

        return $calc_hash === $hash;
    }

    /**
     * Get the current hash method.
     *
     * @return int Returns the current hash method.
     */
    public function getHashMethod() {
        return $this->hashMethod;
    }

    /**
     * Set the current hash method.
     *
     * @param int $hashMethod The new hash mathod.
     * @return PhpassPassword Returns $this for fluent calls.
     */
    public function setHashMethod($hashMethod) {
        $this->hashMethod = $hashMethod;
        return $this;
    }
}


1			<?php
2			/**
3			* @author Todd Burry <[email protected]>
4			* @copyright 2009-2014 Vanilla Forums Inc.
5			* @license MIT
6			*/
7
8			namespace Garden\Password;
9
10			/**
11			* Implements the portable PHP password hashing framework.
12			*
13			* The code in this class is copied from the phppass library version 0.3 located at http://www.openwall.com/phpass/.
14			* Any code copied from the phppass library is copyright the original owner.
15			*/
16			class PhpassPassword implements IPassword {
17			const HASH_PHPASS = 0x00;
18			const HASH_BLOWFISH = 0x01;
19			const HASH_EXTDES = 0x02;
20			const HASH_BEST = 0x03;
21
22			protected $itoa64;
23			protected $iteration_count_log2;
24			protected $portable;
25			protected $random_state;
26
27			protected $hashMethod;
28
29			/**
30			* Initializes an instance of the of the {@link PhpPass} class.
31			*
32			* @param int $hashMethod The hash method to use when hashing passwords.
33			* @param int $iteration_count_log2 The number of times to iterate when generating the passwords.
34			*/
35	6		public function __construct($hashMethod = PhpassPassword::HASH_PHPASS, $iteration_count_log2 = 8) {
36	6		$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
37
38	6		if ($iteration_count_log2 < 4 \|\| $iteration_count_log2 > 31) {
39	4		$iteration_count_log2 = 8;
40			}
41	6		$this->iteration_count_log2 = $iteration_count_log2;
42	6		$this->hashMethod = $hashMethod;
43
44	6		$this->random_state = microtime();
45	6		if (function_exists('getmypid')) {
46	6		$this->random_state .= getmypid();
47			}
48	6		}
49
50			/**
51			* {@inheritdoc}
52			*/
53	1		public function needsRehash($hash) {
54	1		$id = substr($hash, 0, 3);
55	1		$portable = ($id != '$P$' && $id != '$H$');
56
57	1		return $portable;
58			}
59
60			/**
61			* {@inheritdoc}
62			*/
63	8		public function hash($password) {
64	8		$random = '';
65
66	8	View Code Duplication	if (CRYPT_BLOWFISH == 1 && ($this->hashMethod & self::HASH_BLOWFISH)) {
			1 ignored issue – show Duplication introduced 2015-11-24 19:27 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
67	3		$random = $this->getRandomBytes(16);
68			$hash =
69	3		crypt($password, $this->gensaltBlowfish($random));
70	3		if (strlen($hash) == 60) {
71	3		return $hash;
72			}
73			}
74
75	6	View Code Duplication	if (CRYPT_EXT_DES == 1 && ($this->hashMethod & self::HASH_EXTDES)) {
			1 ignored issue – show Duplication introduced 2015-11-24 19:27 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
76	2		if (strlen($random) < 3) {
77	2		$random = $this->getRandomBytes(3);
78			}
79			$hash =
80	2		crypt($password, $this->gensaltExtended($random));
81	2		if (strlen($hash) == 20) {
82	2		return $hash;
83			}
84			}
85
86	5		if (strlen($random) < 6) {
87	5		$random = $this->getRandomBytes(6);
88			}
89	5		$hash = $this->cryptPrivate(
90			$password,
91	5		$this->gensaltPrivate($random)
92			);
93	5		if (strlen($hash) == 34) {
94	5		return $hash;
95			}
96
97			# Returning '*' on error is safe here, but would _not_ be safe
98			# in a crypt(3)-like function used _both_ for generating new
99			# hashes and for validating passwords against existing hashes.
100			return '*';
101			}
102
103			/**
104			* Get a string of random bytes.
105			*
106			* @param int $count The number of bytes to get.
107			* @return string Returns a string of the generated random bytes.
108			*/
109	8		protected function getRandomBytes($count) {
110	8		$output = '';
111	8		if (is_readable('/dev/urandom') &&
112	8		($fh = @fopen('/dev/urandom', 'rb'))
113			) {
114	8		$output = fread($fh, $count);
115	8		fclose($fh);
116			}
117
118	8		if (strlen($output) < $count) {
119			$output = '';
120			for ($i = 0; $i < $count; $i += 16) {
121			$this->random_state =
122			md5(microtime().$this->random_state);
123			$output .=
124			pack('H*', md5($this->random_state));
125			}
126			$output = substr($output, 0, $count);
127			}
128
129	8		return $output;
130			}
131
132			/**
133			* Generate a password salt appropriate for blowfish.
134			*
135			* @param string $input The random input to generate the salt from.
136			* @return string The generated salt.
137			*/
138	3		protected function gensaltBlowfish($input) {
139			# This one needs to use a different order of characters and a
140			# different encoding scheme from the one in encode64() above.
141			# We care because the last character in our encoded string will
142			# only represent 2 bits. While two known implementations of
143			# bcrypt will happily accept and correct a salt string which
144			# has the 4 unused bits set to non-zero, we do not want to take
145			# chances and we also do not want to waste an additional byte
146			# of entropy.
147	3		$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
148
149	3		$output = '$2a$';
150	3		$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
151	3		$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
152	3		$output .= '$';
153
154	3		$i = 0;
155			do {
156	3		$c1 = ord($input[$i++]);
157	3		$output .= $itoa64[$c1 >> 2];
158	3		$c1 = ($c1 & 0x03) << 4;
159	3		if ($i >= 16) {
160	3		$output .= $itoa64[$c1];
161	3		break;
162			}
163
164	3		$c2 = ord($input[$i++]);
165	3		$c1 \|= $c2 >> 4;
166	3		$output .= $itoa64[$c1];
167	3		$c1 = ($c2 & 0x0f) << 2;
168
169	3		$c2 = ord($input[$i++]);
170	3		$c1 \|= $c2 >> 6;
171	3		$output .= $itoa64[$c1];
172	3		$output .= $itoa64[$c2 & 0x3f];
173	3		} while (1);
174
175	3		return $output;
176			}
177
178			/**
179			* Generate a password salt based on the input.
180			*
181			* @param string $input The string to generate the salt from.
182			* @return string The generated salt.
183			*/
184	2		private function gensaltExtended($input) {
185	2		$count_log2 = min($this->iteration_count_log2 + 8, 24);
186			# This should be odd to not reveal weak DES keys, and the
187			# maximum valid value is (2**24 - 1) which is odd anyway.
188	2		$count = (1 << $count_log2) - 1;
189
190	2		$output = '_';
191	2		$output .= $this->itoa64[$count & 0x3f];
192	2		$output .= $this->itoa64[($count >> 6) & 0x3f];
193	2		$output .= $this->itoa64[($count >> 12) & 0x3f];
194	2		$output .= $this->itoa64[($count >> 18) & 0x3f];
195
196	2		$output .= $this->encode64($input, 3);
197
198	2		return $output;
199			}
200
201			/**
202			* A custom base64 encoding function.
203			*
204			* @param string $input The string to encode.
205			* @param int $count The number of characters to encode.
206			* @return string Returns the encoded string.
207			*/
208	6		protected function encode64($input, $count) {
209	6		$output = '';
210	6		$i = 0;
211			do {
212	6		$value = ord($input[$i++]);
213	6		$output .= $this->itoa64[$value & 0x3f];
214	6		if ($i < $count) {
215	6		$value \|= ord($input[$i]) << 8;
216			}
217	6		$output .= $this->itoa64[($value >> 6) & 0x3f];
218	6		if ($i++ >= $count) {
219	5		break;
220			}
221	6		if ($i < $count) {
222	6		$value \|= ord($input[$i]) << 16;
223			}
224	6		$output .= $this->itoa64[($value >> 12) & 0x3f];
225	6		if ($i++ >= $count) {
226			break;
227			}
228	6		$output .= $this->itoa64[($value >> 18) & 0x3f];
229	6		} while ($i < $count);
230
231	6		return $output;
232			}
233
234			/**
235			* A portable version of a crypt-like algorithm.
236			*
237			* @param string $password The plaintext password to encrypt.
238			* @param string $setting The hash prefix that defines what kind of algorithm to use.
239			* @return string Returns the encrypted string.
240			*/
241	10		private function cryptPrivate($password, $setting) {
242	10		$output = '*0';
243	10		if (substr($setting, 0, 2) == $output) {
244			$output = '*1';
245			}
246
247	10		$id = substr($setting, 0, 3);
248			# We use "$P$", phpBB3 uses "$H$" for the same thing
249	10		if ($id != '$P$' && $id != '$H$') {
250	6		return $output;
251			}
252
253	5		$count_log2 = strpos($this->itoa64, $setting[3]);
254	5		if ($count_log2 < 7 \|\| $count_log2 > 30) {
255			return $output;
256			}
257
258	5		$count = 1 << $count_log2;
259
260	5		$salt = substr($setting, 4, 8);
261	5		if (strlen($salt) != 8) {
262			return $output;
263			}
264
265			# We're kind of forced to use MD5 here since it's the only
266			# cryptographic primitive available in all versions of PHP
267			# currently in use. To implement our own low-level crypto
268			# in PHP would result in much worse performance and
269			# consequently in lower iteration counts and hashes that are
270			# quicker to crack (by non-PHP code).
271	5	View Code Duplication	if (PHP_VERSION >= '5') {
			1 ignored issue – show Duplication introduced 2015-11-24 19:27 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
272	5		$hash = md5($salt.$password, true);
273			do {
274	5		$hash = md5($hash.$password, false);
275	5		} while (--$count);
276			} else {
277			$hash = pack('H*', md5($salt.$password));
278			do {
279			$hash = pack('H*', md5($hash.$password));
280			} while (--$count);
281			}
282
283	5		$output = substr($setting, 0, 12);
284	5		$output .= $this->encode64($hash, 16);
285
286	5		return $output;
287			}
288
289			/**
290			* Generate a password salt based on the given input string.
291			*
292			* @param string $input The input string to generate the salt from.
293			* @return string Returns the password salt prefixed with `$P$`.
294			*/
295	5		private function gensaltPrivate($input) {
296	5		$output = '$P$';
297	5		$output .= $this->itoa64[min($this->iteration_count_log2 + ((PHP_VERSION >= '5') ? 5 : 3), 30)];
298	5		$output .= $this->encode64($input, 6);
299
300	5		return $output;
301			}
302
303			/**
304			* {@inheritdoc}
305			*/
306	10		public function verify($password, $hash) {
307	10		if (!$hash) {
308	1		return false;
309			}
310	9		$calc_hash = $this->cryptPrivate($password, $hash);
311	9		if ($calc_hash[0] === '*') {
312	6		$calc_hash = crypt($password, $hash);
313			}
314
315	9		return $calc_hash === $hash;
316			}
317
318			/**
319			* Get the current hash method.
320			*
321			* @return int Returns the current hash method.
322			*/
323			public function getHashMethod() {
324			return $this->hashMethod;
325			}
326
327			/**
328			* Set the current hash method.
329			*
330			* @param int $hashMethod The new hash mathod.
331			* @return PhpassPassword Returns $this for fluent calls.
332			*/
333	1		public function setHashMethod($hashMethod) {
334	1		$this->hashMethod = $hashMethod;
335	1		return $this;
336			}
337			}
338

vanilla / garden