-
-
Notifications
You must be signed in to change notification settings - Fork 188
/
BCryptHashingStrategy.php
75 lines (67 loc) · 2.54 KB
/
BCryptHashingStrategy.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
<?php
namespace Neos\Flow\Security\Cryptography;
/*
* This file is part of the Neos.Flow package.
*
* (c) Contributors of the Neos Project - www.neos.io
*
* This package is Open Source Software. For the full copyright and license
* information, please view the LICENSE file which was distributed with this
* source code.
*/
use Neos\Flow\Utility\Algorithms as UtilityAlgorithms;
/**
* Hashing passwords using BCrypt
*/
class BCryptHashingStrategy implements PasswordHashingStrategyInterface
{
/**
* Number of rounds to use with BCrypt for hashing passwords, must be between 4 and 31
* @var integer
*/
protected $cost;
/**
* Construct a PBKDF2 hashing strategy with the given parameters
*
* @param integer $cost
* @throws \InvalidArgumentException
*/
public function __construct($cost)
{
if ($cost < 4 || $cost > 31) {
throw new \InvalidArgumentException('BCrypt cost must be between 4 and 31.', 1318447710);
}
$this->cost = sprintf('%02d', $cost);
}
/**
* Creates a BCrypt hash
*
* @param string $password The plaintext password to hash
* @param string $staticSalt Optional static salt that will not be stored in the hashed password
* @return string the result of the crypt() call
*/
public function hashPassword($password, $staticSalt = null)
{
$dynamicSalt = UtilityAlgorithms::generateRandomString(22, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./');
return crypt($password, '$2a$' . $this->cost . '$' . $dynamicSalt);
}
/**
* Validate a password against a derived key (hashed password) and salt using BCrypt
*
* Passwords hashed with a different cost can be validated by using the cost parameter of the
* hashed password and salt.
*
* @param string $password The cleartext password
* @param string $hashedPasswordAndSalt The derived key and salt in as returned by crypt() for verification
* @param string $staticSalt Optional static salt that will be appended to the dynamic salt
* @return boolean true if the given password matches the hashed password
*/
public function validatePassword($password, $hashedPasswordAndSalt, $staticSalt = null)
{
if (strlen($hashedPasswordAndSalt) < 29 || strpos($hashedPasswordAndSalt, '$2a$') !== 0) {
return false;
}
$cryptSalt = '$2a$' . substr($hashedPasswordAndSalt, 4, 26);
return crypt($password, $cryptSalt) === $hashedPasswordAndSalt;
}
}