diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-02-05 20:34:51 +0100 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2020-02-07 07:52:33 +0100 |
| commit | 12e1c469cf579dc5d22e2ca8159cf9f4b9a82ff5 (patch) | |
| tree | a3a4f58358a3df48b51516b288dc27dbd09f1cae /lib/private | |
| parent | 1afe8906bc10247fcabf1651da881e027b3d8279 (diff) | |
| download | nextcloud-server-12e1c469cf579dc5d22e2ca8159cf9f4b9a82ff5.tar.gz nextcloud-server-12e1c469cf579dc5d22e2ca8159cf9f4b9a82ff5.zip | |
Add Argon2id support
When available we should use argon2id for hashing.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib/private')
| -rw-r--r-- | lib/private/Security/Hasher.php | 34 |
1 files changed, 13 insertions, 21 deletions
diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php index 882f80ea2bf..21271fffbd7 100644 --- a/lib/private/Security/Hasher.php +++ b/lib/private/Security/Hasher.php @@ -94,6 +94,10 @@ class Hasher implements IHasher { public function hash(string $message): string { $alg = $this->getPrefferedAlgorithm(); + if (\defined('PASSWORD_ARGON2ID') && $alg === PASSWORD_ARGON2ID) { + return 3 . '|' . password_hash($message, PASSWORD_ARGON2ID, $this->options); + } + if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) { return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options); } @@ -142,32 +146,16 @@ class Hasher implements IHasher { /** * Verify V1 (blowfish) hashes - * @param string $message Message to verify - * @param string $hash Assumed hash of the message - * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. - * @return bool Whether $hash is a valid hash of $message - */ - protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool { - if(password_verify($message, $hash)) { - if ($this->needsRehash($hash)) { - $newHash = $this->hash($message); - } - return true; - } - - return false; - } - - /** * Verify V2 (argon2i) hashes + * Verify V3 (argon2id) hashes * @param string $message Message to verify * @param string $hash Assumed hash of the message * @param null|string &$newHash Reference will contain the updated hash if necessary. Update the existing hash with this one. * @return bool Whether $hash is a valid hash of $message */ - protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool { + protected function verifyHash(string $message, string $hash, &$newHash = null): bool { if(password_verify($message, $hash)) { - if($this->needsRehash($hash)) { + if ($this->needsRehash($hash)) { $newHash = $this->hash($message); } return true; @@ -187,10 +175,10 @@ class Hasher implements IHasher { if(isset($splittedHash['version'])) { switch ($splittedHash['version']) { + case 3: case 2: - return $this->verifyHashV2($message, $splittedHash['hash'], $newHash); case 1: - return $this->verifyHashV1($message, $splittedHash['hash'], $newHash); + return $this->verifyHash($message, $splittedHash['hash'], $newHash); } } else { return $this->legacyHashVerify($message, $hash, $newHash); @@ -211,6 +199,10 @@ class Hasher implements IHasher { $default = PASSWORD_ARGON2I; } + if (\defined('PASSWORD_ARGON2ID')) { + $default = PASSWORD_ARGON2ID; + } + // Check if we should use PASSWORD_DEFAULT if ($this->config->getSystemValue('hashing_default_password', false) === true) { $default = PASSWORD_DEFAULT; |