includes/password/BcryptPassword.php

   1 <?php
   2 /**
   3  * Implements the BcryptPassword class for the MediaWiki software.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 /**
  24  * A Bcrypt-hashed password
  25  *
  26  * This is a computationally complex password hash for use in modern applications.
  27  * The number of rounds can be configured by $wgPasswordConfig['bcrypt']['cost'].
  28  *
  29  * @since 1.24
  30  */
  31 class BcryptPassword extends ParameterizedPassword {
  32         protected function getDefaultParams() {
  33                 return [
  34                         'rounds' => $this->config['cost'],
  35                 ];
  36         }
  37
  38         protected function getDelimiter() {
  39                 return '$';
  40         }
  41
  42         protected function parseHash( $hash ) {
  43                 parent::parseHash( $hash );
  44
  45                 $this->params['rounds'] = (int)$this->params['rounds'];
  46         }
  47
  48         /**
  49          * @param string $password Password to encrypt
  50          *
  51          * @throws PasswordError If bcrypt has an unknown error
  52          * @throws MWException If bcrypt is not supported by PHP
  53          */
  54         public function crypt( $password ) {
  55                 if ( !defined( 'CRYPT_BLOWFISH' ) ) {
  56                         throw new MWException( 'Bcrypt is not supported.' );
  57                 }
  58
  59                 // Either use existing hash or make a new salt
  60                 // Bcrypt expects 22 characters of base64-encoded salt
  61                 // Note: bcrypt does not use MIME base64. It uses its own base64 without any '=' padding.
  62                 //       It expects a 128 bit salt, so it will ignore anything after the first 128 bits
  63                 if ( !isset( $this->args[0] ) ) {
  64                         $this->args[] = substr(
  65                                 // Replace + with ., because bcrypt uses a non-MIME base64 format
  66                                 strtr(
  67                                         // Random base64 encoded string
  68                                         base64_encode( MWCryptRand::generate( 16, true ) ),
  69                                         '+', '.'
  70                                 ),
  71                                 0, 22
  72                         );
  73                 }
  74
  75                 $hash = crypt( $password,
  76                         sprintf( '$2y$%02d$%s', (int)$this->params['rounds'], $this->args[0] ) );
  77
  78                 if ( !is_string( $hash ) || strlen( $hash ) <= 13 ) {
  79                         throw new PasswordError( 'Error when hashing password.' );
  80                 }
  81
  82                 // Strip the $2y$
  83                 $parts = explode( $this->getDelimiter(), substr( $hash, 4 ) );
  84                 $this->params['rounds'] = (int)$parts[0];
  85                 $this->args[0] = substr( $parts[1], 0, 22 );
  86                 $this->hash = substr( $parts[1], 22 );
  87         }
  88 }