From 9c0354bbf13b0e87f3f0544ddcc932cf387475d3 Mon Sep 17 00:00:00 2001 From: Daniel Supernault Date: Sun, 18 Mar 2018 21:21:03 -0600 Subject: [PATCH] [CORE] Remove function_exists() calls and add up default bcrypt cost to 12. --- plugins/AuthCrypt/AuthCryptPlugin.php | 47 +++++++++++++-------------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/plugins/AuthCrypt/AuthCryptPlugin.php b/plugins/AuthCrypt/AuthCryptPlugin.php index 388040bd4d..763cf64ca3 100644 --- a/plugins/AuthCrypt/AuthCryptPlugin.php +++ b/plugins/AuthCrypt/AuthCryptPlugin.php @@ -53,17 +53,10 @@ class AuthCryptPlugin extends AuthenticationPlugin return false; } - // Timing safe password verification on supported PHP versions - if (function_exists('password_verify')) { - if (password_verify($password, $user->password)) { - return $user; - } - } - // crypt understands what the salt part of $user->password is if ($user->password === crypt($password, $user->password)) { // and update password hash entry to password_hash() compatible - if ($this->overwrite && function_exists('password_hash')) { + if ($this->overwrite) { $this->changePassword($user->nickname, null, $password); } return $user; @@ -72,12 +65,17 @@ class AuthCryptPlugin extends AuthenticationPlugin // If we check StatusNet hash, for backwards compatibility and migration if ($this->statusnet && $user->password === md5($password . $user->id)) { // and update password hash entry to crypt() compatible - if ($this->overwrite && function_exists('password_hash')) { + if ($this->overwrite) { $this->changePassword($user->nickname, null, $password); } return $user; } + // Timing safe password verification on supported PHP versions + if (password_verify($password, $user->password)) { + return $user; + } + return false; } @@ -98,7 +96,7 @@ class AuthCryptPlugin extends AuthenticationPlugin { $username = Nickname::normalize($username); - if (!$this->password_changeable) { + if($this->overwrite == false) { return false; } @@ -115,22 +113,21 @@ class AuthCryptPlugin extends AuthenticationPlugin public function hashPassword($password, Profile $profile=null) { - if(function_exists('password_hash')) { + $algorithm = PASSWORD_DEFAULT; + $options = ['cost' => 12]; - $algorithm = PASSWORD_DEFAULT; - - if($this->argon && version_compare(PHP_VERSION, '7.2.0') == 1) { - $algorithm = PASSWORD_ARGON2I; - } - // Use the modern password hashing algorithm - // http://php.net/manual/en/function.password-hash.php - // Uses PASSWORD_BCRYPT by default, with PASSWORD_ARGON2I being the next possible default in future versions - return password_hash($password, $algorithm); - } else { - // Fallback to previous hashing function if phpversion() < 5.5 - // A new, unique salt per new record stored... - return crypt($password, $this->hash . self::cryptSalt()); + if($this->argon == true && version_compare(PHP_VERSION, '7.2.0') == 1) { + $algorithm = PASSWORD_ARGON2I; + $options = [ + 'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, + 'time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST, + 'threads' => PASSWORD_ARGON2_DEFAULT_THREADS + ]; } + // Use the modern password hashing algorithm + // http://php.net/manual/en/function.password-hash.php + // Uses PASSWORD_BCRYPT by default, with PASSWORD_ARGON2I being the next possible default in future versions + return password_hash($password, $algorithm, $options); } /* @@ -188,4 +185,4 @@ class AuthCryptPlugin extends AuthenticationPlugin _m('Authentication and password hashing with crypt()')); return true; } -} +} \ No newline at end of file