author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-01-29 21:39:58 +0100 |
---|---|---|
committer | Backportbot <backportbot-noreply@rullzer.com> | 2020-02-04 10:32:42 +0000 |
commit | 9687febed7fba22ef749e9530d531101bb64e07f (patch) | |
tree | 3724176c2a85f7b52203756bc1609f479d449502 /lib | |
parent | 9bd432255800fa8566b04f3e7351c254d757ec9c (diff) | |
Allow selecting the hashing algorithm
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/Security/Hasher.php | 38 |
1 files changed, 27 insertions, 11 deletions
diff --git a/lib/private/Security/Hasher.php b/lib/private/Security/Hasher.php
index 5f8529c7828..882f80ea2bf 100644
--- a/lib/private/Security/Hasher.php
+++ b/lib/private/Security/Hasher.php
@@ -92,11 +92,13 @@ class Hasher implements IHasher {
 * @return string Hash of the message with appended version parameter
 */
 public function hash(string $message): string {
- if (\defined('PASSWORD_ARGON2I')) {
+ $alg = $this->getPrefferedAlgorithm();
+
+ if (\defined('PASSWORD_ARGON2I') && $alg === PASSWORD_ARGON2I) {
 return 2 . '|' . password_hash($message, PASSWORD_ARGON2I, $this->options);
- } else {
- return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
 }
+
+ return 1 . '|' . password_hash($message, PASSWORD_BCRYPT, $this->options);
 }

 /**
@@ -147,12 +149,7 @@ class Hasher implements IHasher {
 */
 protected function verifyHashV1(string $message, string $hash, &$newHash = null): bool {
 if(password_verify($message, $hash)) {
- $algo = PASSWORD_BCRYPT;
- if (\defined('PASSWORD_ARGON2I')) {
- $algo = PASSWORD_ARGON2I;
- }
-
- if(password_needs_rehash($hash, $algo, $this->options)) {
+ if ($this->needsRehash($hash)) {
 $newHash = $this->hash($message);
 }
 return true;
@@ -170,7 +167,7 @@ class Hasher implements IHasher {
 */
 protected function verifyHashV2(string $message, string $hash, &$newHash = null) : bool {
 if(password_verify($message, $hash)) {
- if(password_needs_rehash($hash, PASSWORD_ARGON2I, $this->options)) {
+ if($this->needsRehash($hash)) {
 $newHash = $this->hash($message);
 }
 return true;
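Review bot: In `hash()` the fall-through still hard-codes `PASSWORD_BCRYPT`, while `needsRehash()` (added in the last hunk) compares stored hashes against whatever `getPrefferedAlgorithm()` returns. The two agree only as long as PHP's `PASSWORD_DEFAULT` is bcrypt; if a PHP release changes the default, every successful verify with `hashing_default_password` enabled would report a rehash and `hash()` would write bcrypt again. Either pass the selected algorithm through, `return 1 . '|' . password_hash($message, $alg, $this->options);`, or pin the assumption with a comment such as `// PASSWORD_DEFAULT is bcrypt today; revisit if PHP changes it`. `$this->options` is handed to both algorithms and is built outside this hunk, so confirm it carries the right keys for each.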
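Review bot: In `verifyHashV2()` the rehash target is no longer fixed to Argon2i, so with `hashing_default_password` set to `true` a stored `2|` Argon2i hash is replaced by a bcrypt hash the next time that user's password verifies. That is presumably the intent, but it changes the stored credential format for every user who logs in while the flag is on, and bcrypt only considers the first 72 bytes of its input. I would say so above the call, e.g. `// may move an Argon2i hash to bcrypt when hashing_default_password is enabled`, and in the documentation of the config key. The function body continues outside the hunk.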
@@ -199,8 +196,27 @@ class Hasher implements IHasher { return $this->legacyHashVerify($message, $hash, $newHash); } - return false; } + private function needsRehash(string $hash): bool { + $algorithm = $this->getPrefferedAlgorithm(); + + return password_needs_rehash($hash, $algorithm, $this->options); + } + + private function getPrefferedAlgorithm() { + $default = PASSWORD_BCRYPT; + if (\defined('PASSWORD_ARGON2I')) { + $default = PASSWORD_ARGON2I; + } + + // Check if we should use PASSWORD_DEFAULT + if ($this->config->getSystemValue('hashing_default_password', false) === true) { + $default = PASSWORD_DEFAULT; + } + + return $default; + } + } |
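Review bot: `getPrefferedAlgorithm()` is misspelled (`getPreferredAlgorithm`) and, like `needsRehash()`, has no docblock or return type; it is private and its two call sites are both in this commit, so renaming now is cheap. A scalar return type will not work across PHP versions, because the `PASSWORD_*` constants were integers before PHP 7.4 and are strings since, so add a docblock with `@return int|string|null` and one sentence saying that `hashing_default_password` makes `PASSWORD_DEFAULT` win over Argon2i. The strict `=== true` check means a string value such as `'true'` in the config leaves Argon2i in place, which is the safer failure direction and worth a word in that comment. `$this->config` is assigned outside this hunk.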