Home Explore Help
Sign In
dima
/
balticrest
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
balticrest
/
vendor
/
symfony
/
security-core
/
Encoder
/
NativePasswordEncoder.php

NativePasswordEncoder.php 3.9 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123 
  1. <?php
    2. 

  2. 

  3. /*
    4. 

  4.  * This file is part of the Symfony package.
    5. 

  5.  *
    6. 

  6.  * (c) Fabien Potencier <fabien@symfony.com>
    7. 

  7.  *
    8. 

  8.  * For the full copyright and license information, please view the LICENSE
    9. 

  9.  * file that was distributed with this source code.
    10. 

  10.  */
    11. 

  11. 

  12. namespace Symfony\Component\Security\Core\Encoder;
    13. 

  13. 

  14. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
    15. 

  15. 

  16. /**
    17. 

  17.  * Hashes passwords using password_hash().
    18. 

  18.  *
    19. 

  19.  * @author Elnur Abdurrakhimov <elnur@elnur.pro>
    20. 

  20.  * @author Terje Bråten <terje@braten.be>
    21. 

  21.  * @author Nicolas Grekas <p@tchwork.com>
    22. 

  22.  */
    23. 

  23. final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSaltingEncoderInterface
    24. 

  24. {
    25. 

  25.     private const MAX_PASSWORD_LENGTH = 4096;
    26. 

  26. 

  27.     private $algo = \PASSWORD_BCRYPT;
    28. 

  28.     private $options;
    29. 

  29. 

  30.     /**
    31. 

  31.      * @param string|null $algo An algorithm supported by password_hash() or null to use the stronger available algorithm
    32. 

  32.      */
    33. 

  33.     public function __construct(int $opsLimit = null, int $memLimit = null, int $cost = null, string $algo = null)
    34. 

  34.     {
    35. 

  35.         $cost = $cost ?? 13;
    36. 

  36.         $opsLimit = $opsLimit ?? max(4, \defined('SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE') ? \SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE : 4);
    37. 

  37.         $memLimit = $memLimit ?? max(64 * 1024 * 1024, \defined('SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE') ? \SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE : 64 * 1024 * 1024);
    38. 

  38. 

  39.         if (3 > $opsLimit) {
    40. 

  40.             throw new \InvalidArgumentException('$opsLimit must be 3 or greater.');
    41. 

  41.         }
    42. 

  42. 

  43.         if (10 * 1024 > $memLimit) {
    44. 

  44.             throw new \InvalidArgumentException('$memLimit must be 10k or greater.');
    45. 

  45.         }
    46. 

  46. 

  47.         if ($cost < 4 || 31 < $cost) {
    48. 

  48.             throw new \InvalidArgumentException('$cost must be in the range of 4-31.');
    49. 

  49.         }
    50. 

  50. 

  51.         $algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
    52. 

  52. 

  53.         if (\defined('PASSWORD_ARGON2I')) {
    54. 

  54.             $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
    55. 

  55.         }
    56. 

  56. 

  57.         if (\defined('PASSWORD_ARGON2ID')) {
    58. 

  58.             $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
    59. 

  59.         }
    60. 

  60. 

  61.         if (null !== $algo) {
    62. 

  62.             $this->algo = $algos[$algo] ?? $algo;
    63. 

  63.         }
    64. 

  64. 

  65.         $this->options = [
    66. 

  66.             'cost' => $cost,
    67. 

  67.             'time_cost' => $opsLimit,
    68. 

  68.             'memory_cost' => $memLimit >> 10,
    69. 

  69.             'threads' => 1,
    70. 

  70.         ];
    71. 

  71.     }
    72. 

  72. 

  73.     /**
    74. 

  74.      * {@inheritdoc}
    75. 

  75.      */
    76. 

  76.     public function encodePassword(string $raw, ?string $salt): string
    77. 

  77.     {
    78. 

  78.         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || ((string) \PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
    79. 

  79.             throw new BadCredentialsException('Invalid password.');
    80. 

  80.         }
    81. 

  81. 

  82.         // Ignore $salt, the auto-generated one is always the best
    83. 

  83. 

  84.         return password_hash($raw, $this->algo, $this->options);
    85. 

  85.     }
    86. 

  86. 

  87.     /**
    88. 

  88.      * {@inheritdoc}
    89. 

  89.      */
    90. 

  90.     public function isPasswordValid(string $encoded, string $raw, ?string $salt): bool
    91. 

  91.     {
    92. 

  92.         if ('' === $raw) {
    93. 

  93.             return false;
    94. 

  94.         }
    95. 

  95. 

  96.         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
    97. 

  97.             return false;
    98. 

  98.         }
    99. 

  99. 

  100.         if (0 !== strpos($encoded, '$argon')) {
    101. 

  101.             // BCrypt encodes only the first 72 chars
    102. 

  102.             return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
    103. 

  103.         }
    104. 

  104. 

  105.         if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {
    106. 

  106.             return sodium_crypto_pwhash_str_verify($encoded, $raw);
    107. 

  107.         }
    108. 

  108. 

  109.         if (\extension_loaded('libsodium') && version_compare(phpversion('libsodium'), '1.0.14', '>=')) {
    110. 

  110.             return \Sodium\crypto_pwhash_str_verify($encoded, $raw);
    111. 

  111.         }
    112. 

  112. 

  113.         return password_verify($raw, $encoded);
    114. 

  114.     }
    115. 

  115. 

  116.     /**
    117. 

  117.      * {@inheritdoc}
    118. 

  118.      */
    119. 

  119.     public function needsRehash(string $encoded): bool
    120. 

  120.     {
    121. 

  121.         return password_needs_rehash($encoded, $this->algo, $this->options);
    122. 

  122.     }
    123. 

  123. }
    124.