Port functionality from https://www.drupal.org/node/1845004#new

87610213 · James Gilliland · 87610213 · 87610213 · 87610213 · 87610213
Commit 87610213 authored 9 years ago by James Gilliland
--- a/php_password.info.yml
+++ b/php_password.info.yml
+name: PHP Password hashes
+type: module
+core: 8.x
+description: "Use PHP's native password hashing algorythm."
+package: "Security"
--- a/php_password.services.yml
+++ b/php_password.services.yml
+parameters:
+  password_hash_cost: 10
+services:
+  # The first argument of the hashing service (constructor of PhpPassword) is
+  # the 'cost' option of password_hash(). In Drupal 8 the 'cost' has the default
+  # value used by password_hash() which is 10. Future versions of Drupal may
+  # increase this value in order to counteract increases in the speed and power
+  # of computers available to crack the hashes. Note that an increase of 1 will
+  # double the time needed for password hashing.
+  password:
+    class: Drupal\php_password\Password\Drupal8Password
+    arguments: ['@password.php', '@password.drupal7']
+    lazy: true
+  password.php:
+    class: Drupal\php_password\Password\PhpPassword
+    arguments: ['%password_hash_cost%']
+  password.drupal7:
+    class: Drupal\Core\Password\PhpassHashedPassword
--- a/src/Password/Drupal8Password.php
+++ b/src/Password/Drupal8Password.php
+<?php
+/**
+ * @file
+ * Contains \Drupal\php_password\Password\Drupal8Password.
+ */
+
+namespace Drupal\php_password\Password;
+
+use Drupal\Core\Password\PasswordInterface;
+
+class Drupal8Password implements PasswordInterface {
+
+  /**
+   * The Drupal 7 password hashing service.
+   *
+   * @var \Drupal\Core\Password\PhpassHashedPassword
+   */
+  protected $drupal7Password;
+
+  /**
+   * The PHP password hashing service.
+   *
+   * @var \Drupal\php_password\Password\PHPPassword
+   */
+  protected $phpPassword;
+
+  /**
+   * Constructs a new password hashing instance.
+   *
+   * @param \Drupal\Core\Password\PasswordInterface $php_password
+   *   The PHP password hashing service.
+   * @param \Drupal\Core\Password\PasswordInterface $drupal7_password
+   *   The Drupal7 password hashing service.
+   */
+  function __construct(PasswordInterface $php_password, PasswordInterface $drupal7_password) {
+    $this->phpPassword = $php_password;
+    $this->drupal7Password = $drupal7_password;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function hash($password) {
+    return $this->phpPassword->hash($password);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function check($password, $hash) {
+
+    // MD5 migrated password (Drupal 6).
+    if (substr($hash, 0, 2) == 'U$') {
+      $hash = substr($hash, 1);
+      $password = md5($password);
+    }
+
+    switch (substr($hash, 0, 2)) {
+      case '$S':
+      case '$H':
+      case '$P':
+        return $this->drupal7Password->check($password, $hash);
+
+      default:
+        return $this->phpPassword->check($password, $hash);
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function needsRehash($hash) {
+    return $this->phpPassword->needsRehash($hash);
+  }
+
+}
--- a/src/Password/PhpPassword.php
+++ b/src/Password/PhpPassword.php
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\php_password\Password\PhpPassword.
+ */
+
+namespace Drupal\php_password\Password;
+use Drupal\Core\Password\PasswordInterface;
+
+/**
+ * Secure password hashing functions based on PHP (>=5.5.0) password hashing
+ * functions.
+ *
+ * @see http://php.net/manual/en/ref.password.php
+ */
+class PhpPassword implements PasswordInterface {
+
+  /**
+   * The algorithmic cost that should be used. This is the same 'cost' option as
+   * is used by the PHP (>= 5.5.0) password_hash() function.
+   *
+   * @var int
+   *
+   * @see password_hash().
+   * @see http://php.net/manual/en/ref.password.php
+   */
+  protected $cost;
+
+  /**
+   * Constructs a new password hashing instance.
+   *
+   * @param int $cost
+   *   The algorithmic cost that should be used.
+   */
+  function __construct($cost) {
+    $this->cost = $cost;
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function hash($password) {
+    // Prevent DoS attacks by refusing to hash large passwords.
+    if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
+      return FALSE;
+    }
+
+    return password_hash($password, PASSWORD_DEFAULT, $this->getOptions());
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function check($password, $hash) {
+    return password_verify($password, $hash);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function needsRehash($hash) {
+    // The PHP 5.5 password_needs_rehash() will return TRUE in two cases:
+    // - The password is a Drupal 6 or 7 password and it has been rehashed
+    //   during the migration. In this case the rehashed legacy hash is prefixed
+    //   to indicate an old Drupal hash and will not comply with the expected
+    //   password_needs_rehash() format.
+    // - The parameters of hashing engine were changed. For example the
+    //   parameter 'password_hash_cost' (the hashing cost) has been increased in
+    //   core.services.yml.
+    return password_needs_rehash($hash, PASSWORD_DEFAULT, $this->getOptions());
+  }
+
+  /**
+   * Returns password options.
+   *
+   * @return array
+   *   Associative array with password options.
+   */
+  protected function getOptions() {
+    return ['cost' => $this->cost];
+  }
+
+}