Code Coverage |
||||||||||
Classes and Traits |
Functions and Methods |
Lines |
||||||||
Total | |
100.00% |
1 / 1 |
|
100.00% |
10 / 10 |
CRAP | |
100.00% |
104 / 104 |
manager | |
100.00% |
1 / 1 |
|
100.00% |
10 / 10 |
46 | |
100.00% |
104 / 104 |
__construct | |
100.00% |
1 / 1 |
1 | |
100.00% |
5 / 5 |
|||
initialize | |
100.00% |
1 / 1 |
2 | |
100.00% |
5 / 5 |
|||
register_default_type | |
100.00% |
1 / 1 |
3 | |
100.00% |
5 / 5 |
|||
fill_type_map | |
100.00% |
1 / 1 |
3 | |
100.00% |
5 / 5 |
|||
get_algorithm | |
100.00% |
1 / 1 |
2 | |
100.00% |
3 / 3 |
|||
detect_algorithm | |
100.00% |
1 / 1 |
7 | |
100.00% |
14 / 14 |
|||
hash | |
100.00% |
1 / 1 |
8 | |
100.00% |
12 / 12 |
|||
check | |
100.00% |
1 / 1 |
12 | |
100.00% |
23 / 23 |
|||
combined_hash_password | |
100.00% |
1 / 1 |
4 | |
100.00% |
18 / 18 |
|||
check_combined_hash | |
100.00% |
1 / 1 |
4 | |
100.00% |
14 / 14 |
<?php | |
/** | |
* | |
* This file is part of the phpBB Forum Software package. | |
* | |
* @copyright (c) phpBB Limited <https://www.phpbb.com> | |
* @license GNU General Public License, version 2 (GPL-2.0) | |
* | |
* For full copyright and license information, please see | |
* the docs/CREDITS.txt file. | |
* | |
*/ | |
namespace phpbb\passwords; | |
class manager | |
{ | |
/** | |
* Default hashing method | |
*/ | |
protected $type = false; | |
/** | |
* Hashing algorithm type map | |
* Will be used to map hash prefix to type | |
*/ | |
protected $type_map = false; | |
/** | |
* Service collection of hashing algorithms | |
* Needs to be public for passwords helper | |
*/ | |
public $algorithms = false; | |
/** | |
* Password convert flag. Signals that password should be converted | |
*/ | |
public $convert_flag = false; | |
/** | |
* Passwords helper | |
* @var \phpbb\passwords\helper | |
*/ | |
protected $helper; | |
/** | |
* phpBB configuration | |
* @var \phpbb\config\config | |
*/ | |
protected $config; | |
/** | |
* @var bool Whether or not initialized() has been called | |
*/ | |
private $initialized = false; | |
/** | |
* @var array Hashing driver service collection | |
*/ | |
private $hashing_algorithms; | |
/** | |
* @var array List of default driver types | |
*/ | |
private $defaults; | |
/** | |
* Construct a passwords object | |
* | |
* @param \phpbb\config\config $config phpBB configuration | |
* @param array $hashing_algorithms Hashing driver service collection | |
* @param \phpbb\passwords\helper $helper Passwords helper object | |
* @param array $defaults List of default driver types | |
*/ | |
public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) | |
{ | |
$this->config = $config; | |
$this->helper = $helper; | |
$this->hashing_algorithms = $hashing_algorithms; | |
$this->defaults = $defaults; | |
} | |
/** | |
* Initialize the internal state | |
*/ | |
protected function initialize() | |
{ | |
if (!$this->initialized) | |
{ | |
$this->initialized = true; | |
$this->fill_type_map($this->hashing_algorithms); | |
$this->register_default_type($this->defaults); | |
} | |
} | |
/** | |
* Register default type | |
* Will register the first supported type from the list of default types | |
* | |
* @param array $defaults List of default types in order from first to | |
* use to last to use | |
*/ | |
protected function register_default_type($defaults) | |
{ | |
foreach ($defaults as $type) | |
{ | |
if ($this->algorithms[$type]->is_supported()) | |
{ | |
$this->type = $this->algorithms[$type]->get_prefix(); | |
break; | |
} | |
} | |
} | |
/** | |
* Fill algorithm type map | |
* | |
* @param \phpbb\di\service_collection $hashing_algorithms | |
*/ | |
protected function fill_type_map($hashing_algorithms) | |
{ | |
foreach ($hashing_algorithms as $algorithm) | |
{ | |
if (!isset($this->type_map[$algorithm->get_prefix()])) | |
{ | |
$this->type_map[$algorithm->get_prefix()] = $algorithm; | |
} | |
} | |
$this->algorithms = $hashing_algorithms; | |
} | |
/** | |
* Get the algorithm specified by a specific prefix | |
* | |
* @param string $prefix Password hash prefix | |
* | |
* @return object|bool The hash type object or false if prefix is not | |
* supported | |
*/ | |
protected function get_algorithm($prefix) | |
{ | |
if (isset($this->type_map[$prefix])) | |
{ | |
return $this->type_map[$prefix]; | |
} | |
else | |
{ | |
return false; | |
} | |
} | |
/** | |
* Detect the hash type of the supplied hash | |
* | |
* @param string $hash Password hash that should be checked | |
* | |
* @return object|bool The hash type object or false if the specified | |
* type is not supported | |
*/ | |
public function detect_algorithm($hash) | |
{ | |
/* | |
* preg_match() will also show hashing algos like $2a\H$, which | |
* is a combination of bcrypt and phpass. Legacy algorithms | |
* like md5 will not be matched by this and need to be treated | |
* differently. | |
*/ | |
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) | |
{ | |
return false; | |
} | |
$this->initialize(); | |
// Be on the lookout for multiple hashing algorithms | |
// 2 is correct: H\2a > 2, H\P > 2 | |
if (strlen($match[1]) > 2 && strpos($match[1], '\\') !== false) | |
{ | |
$hash_types = explode('\\', $match[1]); | |
$return_ary = array(); | |
foreach ($hash_types as $type) | |
{ | |
// we do not support the same hashing | |
// algorithm more than once | |
if (isset($return_ary[$type])) | |
{ | |
return false; | |
} | |
$return_ary[$type] = $this->get_algorithm('$' . $type . '$'); | |
if (empty($return_ary[$type])) | |
{ | |
return false; | |
} | |
} | |
return $return_ary; | |
} | |
// get_algorithm() will automatically return false if prefix | |
// is not supported | |
return $this->get_algorithm($match[0]); | |
} | |
/** | |
* Hash supplied password | |
* | |
* @param string $password Password that should be hashed | |
* @param string $type Hash type. Will default to standard hash type if | |
* none is supplied | |
* @return string|bool Password hash of supplied password or false if | |
* if something went wrong during hashing | |
*/ | |
public function hash($password, $type = '') | |
{ | |
if (strlen($password) > 4096) | |
{ | |
// If the password is too huge, we will simply reject it | |
// and not let the server try to hash it. | |
return false; | |
} | |
$this->initialize(); | |
// Try to retrieve algorithm by service name if type doesn't | |
// start with dollar sign | |
if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type])) | |
{ | |
$type = $this->algorithms[$type]->get_prefix(); | |
} | |
$type = ($type === '') ? $this->type : $type; | |
if (is_array($type)) | |
{ | |
return $this->combined_hash_password($password, $type); | |
} | |
if (isset($this->type_map[$type])) | |
{ | |
$hashing_algorithm = $this->type_map[$type]; | |
} | |
else | |
{ | |
return false; | |
} | |
return $hashing_algorithm->hash($password); | |
} | |
/** | |
* Check supplied password against hash and set convert_flag if password | |
* needs to be converted to different format (preferably newer one) | |
* | |
* @param string $password Password that should be checked | |
* @param string $hash Stored hash | |
* @param array $user_row User's row in users table | |
* @return string|bool True if password is correct, false if not | |
*/ | |
public function check($password, $hash, $user_row = array()) | |
{ | |
if (strlen($password) > 4096) | |
{ | |
// If the password is too huge, we will simply reject it | |
// and not let the server try to hash it. | |
return false; | |
} | |
// Empty hashes can't be checked | |
if (empty($hash)) | |
{ | |
return false; | |
} | |
$this->initialize(); | |
// First find out what kind of hash we're dealing with | |
$stored_hash_type = $this->detect_algorithm($hash); | |
if ($stored_hash_type == false) | |
{ | |
// Still check MD5 hashes as that is what the installer | |
// will default to for the admin user | |
return $this->get_algorithm('$H$')->check($password, $hash); | |
} | |
// Multiple hash passes needed | |
if (is_array($stored_hash_type)) | |
{ | |
$correct = $this->check_combined_hash($password, $stored_hash_type, $hash); | |
$this->convert_flag = ($correct === true) ? true : false; | |
return $correct; | |
} | |
if ($stored_hash_type->get_prefix() !== $this->type) | |
{ | |
$this->convert_flag = true; | |
} | |
else | |
{ | |
if ($stored_hash_type instanceof driver\rehashable_driver_interface) | |
{ | |
$this->convert_flag = $stored_hash_type->needs_rehash($hash); | |
} | |
else | |
{ | |
$this->convert_flag = false; | |
} | |
} | |
// Check all legacy hash types if prefix is $CP$ | |
if ($stored_hash_type->get_prefix() === '$CP$') | |
{ | |
// Remove $CP$ prefix for proper checking | |
$hash = substr($hash, 4); | |
foreach ($this->type_map as $algorithm) | |
{ | |
if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) | |
{ | |
return true; | |
} | |
} | |
} | |
return $stored_hash_type->check($password, $hash); | |
} | |
/** | |
* Create combined hash from already hashed password | |
* | |
* @param string $password_hash Complete current password hash | |
* @param string $type Type of the hashing algorithm the password hash | |
* should be combined with | |
* @return string|bool Combined password hash if combined hashing was | |
* successful, else false | |
*/ | |
public function combined_hash_password($password_hash, $type) | |
{ | |
$this->initialize(); | |
$data = array( | |
'prefix' => '$', | |
'settings' => '$', | |
); | |
$hash_settings = $this->helper->get_combined_hash_settings($password_hash); | |
$hash = $hash_settings[0]; | |
// Put settings of current hash into data array | |
$stored_hash_type = $this->detect_algorithm($password_hash); | |
$this->helper->combine_hash_output($data, 'prefix', $stored_hash_type->get_prefix()); | |
$this->helper->combine_hash_output($data, 'settings', $stored_hash_type->get_settings_only($password_hash)); | |
// Hash current hash with the defined types | |
foreach ($type as $cur_type) | |
{ | |
if (isset($this->algorithms[$cur_type])) | |
{ | |
$new_hash_type = $this->algorithms[$cur_type]; | |
} | |
else | |
{ | |
$new_hash_type = $this->get_algorithm($cur_type); | |
} | |
if (!$new_hash_type) | |
{ | |
return false; | |
} | |
$new_hash = $new_hash_type->hash(str_replace($stored_hash_type->get_settings_only($password_hash), '', $hash)); | |
$this->helper->combine_hash_output($data, 'prefix', $new_hash_type->get_prefix()); | |
$this->helper->combine_hash_output($data, 'settings', substr(str_replace('$', '\\', $new_hash_type->get_settings_only($new_hash, true)), 0)); | |
$hash = str_replace($new_hash_type->get_settings_only($new_hash), '', $this->helper->obtain_hash_only($new_hash)); | |
} | |
return $this->helper->combine_hash_output($data, 'hash', $hash); | |
} | |
/** | |
* Check combined password hash against the supplied password | |
* | |
* @param string $password Password entered by user | |
* @param array $stored_hash_type An array containing the hash types | |
* as described by stored password hash | |
* @param string $hash Stored password hash | |
* @param bool $skip_phpbb2_check True if phpBB2 password check should be skipped | |
* | |
* @return bool True if password is correct, false if not | |
*/ | |
public function check_combined_hash($password, $stored_hash_type, $hash, bool $skip_phpbb2_check = false) | |
{ | |
// Special case for passwords converted from phpBB2: | |
// These could be phpass(md5(password)) and hence already be double | |
// hashed. For these, try to also check combined hash output of | |
// md5 version of supplied password. | |
$is_valid_phpbb2_pass = false; | |
if (!$skip_phpbb2_check) | |
{ | |
$is_valid_phpbb2_pass = $this->check_combined_hash(md5($password), $stored_hash_type, $hash, true); | |
} | |
$i = 0; | |
$data = array( | |
'prefix' => '$', | |
'settings' => '$', | |
); | |
$hash_settings = $this->helper->get_combined_hash_settings($hash); | |
foreach ($stored_hash_type as $key => $hash_type) | |
{ | |
$rebuilt_hash = $this->helper->rebuild_hash($hash_type->get_prefix(), $hash_settings[$i]); | |
$this->helper->combine_hash_output($data, 'prefix', $key); | |
$this->helper->combine_hash_output($data, 'settings', $hash_settings[$i]); | |
$cur_hash = $hash_type->hash($password, $rebuilt_hash); | |
$password = str_replace($rebuilt_hash, '', $cur_hash); | |
$i++; | |
} | |
return hash_equals($hash, $this->helper->combine_hash_output($data, 'hash', $password)) || $is_valid_phpbb2_pass; | |
} | |
} |