Rev 1116 | Only display areas with differences | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1116 | Rev 1212 | ||
|---|---|---|---|
| 1 | <?php |
1 | <?php |
| 2 | 2 | ||
| 3 | /* |
3 | /* |
| 4 | * OIDplus 2.0 |
4 | * OIDplus 2.0 |
| 5 | * Copyright 2019 - 2023 Daniel Marschall, ViaThinkSoft |
5 | * Copyright 2019 - 2023 Daniel Marschall, ViaThinkSoft |
| 6 | * |
6 | * |
| 7 | * Licensed under the Apache License, Version 2.0 (the "License"); |
7 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 8 | * you may not use this file except in compliance with the License. |
8 | * you may not use this file except in compliance with the License. |
| 9 | * You may obtain a copy of the License at |
9 | * You may obtain a copy of the License at |
| 10 | * |
10 | * |
| 11 | * http://www.apache.org/licenses/LICENSE-2.0 |
11 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 12 | * |
12 | * |
| 13 | * Unless required by applicable law or agreed to in writing, software |
13 | * Unless required by applicable law or agreed to in writing, software |
| 14 | * distributed under the License is distributed on an "AS IS" BASIS, |
14 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 16 | * See the License for the specific language governing permissions and |
16 | * See the License for the specific language governing permissions and |
| 17 | * limitations under the License. |
17 | * limitations under the License. |
| 18 | */ |
18 | */ |
| 19 | 19 | ||
| 20 | namespace ViaThinkSoft\OIDplus; |
20 | namespace ViaThinkSoft\OIDplus; |
| 21 | 21 | ||
| 22 | // phpcs:disable PSR1.Files.SideEffects |
22 | // phpcs:disable PSR1.Files.SideEffects |
| 23 | \defined('INSIDE_OIDPLUS') or die; |
23 | \defined('INSIDE_OIDPLUS') or die; |
| 24 | // phpcs:enable PSR1.Files.SideEffects |
24 | // phpcs:enable PSR1.Files.SideEffects |
| 25 | 25 | ||
| 26 | class OIDplusAuthPluginArgon2 extends OIDplusAuthPlugin { |
26 | class OIDplusAuthPluginArgon2 extends OIDplusAuthPlugin { |
| 27 | 27 | ||
| 28 | /** |
28 | /** |
| - | 29 | * @return string |
|
| - | 30 | */ |
|
| - | 31 | public function id(): string { |
|
| - | 32 | return 'A4_argon2'; |
|
| - | 33 | } |
|
| - | 34 | ||
| - | 35 | /** |
|
| 29 | * @param bool $html |
36 | * @param bool $html |
| 30 | * @return void |
37 | * @return void |
| 31 | */ |
38 | */ |
| 32 | public function init(bool $html=true) { |
39 | public function init(bool $html=true) { |
| 33 | // TODO: Let the admin decide about the memory, iterations, and parallelism options |
40 | // TODO: Let the admin decide about the memory, iterations, and parallelism options |
| 34 | } |
41 | } |
| 35 | 42 | ||
| 36 | /** |
43 | /** |
| 37 | * @param string $authKey |
44 | * @param string $authKey |
| 38 | * @return bool |
45 | * @return bool |
| 39 | */ |
46 | */ |
| 40 | private function supportedCryptAlgo(string $authKey): bool { |
47 | private function supportedCryptAlgo(string $authKey): bool { |
| 41 | return str_starts_with($authKey, '$argon2i$') || |
48 | return str_starts_with($authKey, '$argon2i$') || |
| 42 | str_starts_with($authKey, '$argon2id$'); |
49 | str_starts_with($authKey, '$argon2id$'); |
| 43 | } |
50 | } |
| 44 | 51 | ||
| 45 | /** |
52 | /** |
| 46 | * @param OIDplusRAAuthInfo $authInfo |
53 | * @param OIDplusRAAuthInfo $authInfo |
| 47 | * @param string $check_password |
54 | * @param string $check_password |
| 48 | * @return bool |
55 | * @return bool |
| 49 | */ |
56 | */ |
| 50 | public function verify(OIDplusRAAuthInfo $authInfo, string $check_password): bool { |
57 | public function verify(OIDplusRAAuthInfo $authInfo, string $check_password): bool { |
| 51 | $authKey = $authInfo->getAuthKey(); |
58 | $authKey = $authInfo->getAuthKey(); |
| 52 | 59 | ||
| 53 | if (!$this->supportedCryptAlgo($authKey)) { |
60 | if (!$this->supportedCryptAlgo($authKey)) { |
| 54 | // Unsupported algorithm |
61 | // Unsupported algorithm |
| 55 | return false; |
62 | return false; |
| 56 | } |
63 | } |
| 57 | 64 | ||
| 58 | // $argon2i$v=19$m=1024,t=2,p=2$MEhSZkJLQXUxRzljNE5hMw$33pvelMsxqOn/1VV2pnjmKJUECBhilzOZ2+Gq/FxCP4 |
65 | // $argon2i$v=19$m=1024,t=2,p=2$MEhSZkJLQXUxRzljNE5hMw$33pvelMsxqOn/1VV2pnjmKJUECBhilzOZ2+Gq/FxCP4 |
| 59 | // \_____/ \__/ \____________/ \____________________/ \_________________________________________/ |
66 | // \_____/ \__/ \____________/ \____________________/ \_________________________________________/ |
| 60 | // Algo Vers Cost options Salt Hash |
67 | // Algo Vers Cost options Salt Hash |
| 61 | 68 | ||
| 62 | return password_verify($check_password, $authKey); |
69 | return password_verify($check_password, $authKey); |
| 63 | } |
70 | } |
| 64 | 71 | ||
| 65 | /** |
72 | /** |
| 66 | * @return string|int|false |
73 | * @return string|int|false |
| 67 | */ |
74 | */ |
| 68 | private function getBestHashAlgo() { /* @phpstan-ignore-line */ |
75 | private function getBestHashAlgo() { /* @phpstan-ignore-line */ |
| 69 | if ($this->supportsArgon2id()) { |
76 | if ($this->supportsArgon2id()) { |
| 70 | $hashalgo = PASSWORD_ARGON2ID; |
77 | $hashalgo = PASSWORD_ARGON2ID; |
| 71 | } else if ($this->supportsArgon2i()) { |
78 | } else if ($this->supportsArgon2i()) { |
| 72 | $hashalgo = PASSWORD_ARGON2I; |
79 | $hashalgo = PASSWORD_ARGON2I; |
| 73 | } else { |
80 | } else { |
| 74 | $hashalgo = false; |
81 | $hashalgo = false; |
| 75 | } |
82 | } |
| 76 | return $hashalgo; |
83 | return $hashalgo; |
| 77 | } |
84 | } |
| 78 | 85 | ||
| 79 | /** |
86 | /** |
| 80 | * @param string $password |
87 | * @param string $password |
| 81 | * @return OIDplusRAAuthInfo |
88 | * @return OIDplusRAAuthInfo |
| 82 | * @throws OIDplusException |
89 | * @throws OIDplusException |
| 83 | */ |
90 | */ |
| 84 | public function generate(string $password): OIDplusRAAuthInfo { |
91 | public function generate(string $password): OIDplusRAAuthInfo { |
| 85 | $hashalgo = $this->getBestHashAlgo(); |
92 | $hashalgo = $this->getBestHashAlgo(); |
| 86 | assert($hashalgo !== false); // Should not happen if we called available() before! |
93 | assert($hashalgo !== false); // Should not happen if we called available() before! |
| 87 | $calc_authkey = password_hash($password, $hashalgo); |
94 | $calc_authkey = password_hash($password, $hashalgo); |
| 88 | if (!$calc_authkey) throw new OIDplusException(_L('Error creating password hash')); |
95 | if (!$calc_authkey) throw new OIDplusException(_L('Error creating password hash')); |
| 89 | assert($this->supportedCryptAlgo($calc_authkey)); |
96 | assert($this->supportedCryptAlgo($calc_authkey)); |
| 90 | return new OIDplusRAAuthInfo($calc_authkey); |
97 | return new OIDplusRAAuthInfo($calc_authkey); |
| 91 | } |
98 | } |
| 92 | 99 | ||
| 93 | /** |
100 | /** |
| 94 | * @return bool |
101 | * @return bool |
| 95 | */ |
102 | */ |
| 96 | private function supportsArgon2i(): bool { |
103 | private function supportsArgon2i(): bool { |
| 97 | if (version_compare(PHP_VERSION, '7.4.0') >= 0) { |
104 | if (version_compare(PHP_VERSION, '7.4.0') >= 0) { |
| 98 | return in_array('argon2i', password_algos()); |
105 | return in_array('argon2i', password_algos()); |
| 99 | } else { |
106 | } else { |
| 100 | return defined('PASSWORD_ARGON2I'); |
107 | return defined('PASSWORD_ARGON2I'); |
| 101 | } |
108 | } |
| 102 | } |
109 | } |
| 103 | 110 | ||
| 104 | /** |
111 | /** |
| 105 | * @return bool |
112 | * @return bool |
| 106 | */ |
113 | */ |
| 107 | private function supportsArgon2id(): bool { |
114 | private function supportsArgon2id(): bool { |
| 108 | if (version_compare(PHP_VERSION, '7.4.0') >= 0) { |
115 | if (version_compare(PHP_VERSION, '7.4.0') >= 0) { |
| 109 | return in_array('argon2id', password_algos()); |
116 | return in_array('argon2id', password_algos()); |
| 110 | } else { |
117 | } else { |
| 111 | return defined('PASSWORD_ARGON2ID'); |
118 | return defined('PASSWORD_ARGON2ID'); |
| 112 | } |
119 | } |
| 113 | } |
120 | } |
| 114 | 121 | ||
| 115 | /** |
122 | /** |
| 116 | * @param string $reason |
123 | * @param string $reason |
| 117 | * @return bool |
124 | * @return bool |
| 118 | */ |
125 | */ |
| 119 | public function availableForHash(string &$reason): bool { |
126 | public function availableForHash(string &$reason): bool { |
| 120 | if (!$this->supportsArgon2i() && !$this->supportsArgon2id()) { |
127 | if (!$this->supportsArgon2i() && !$this->supportsArgon2id()) { |
| 121 | $reason = _L('No fitting hash algorithm found'); |
128 | $reason = _L('No fitting hash algorithm found'); |
| 122 | return false; |
129 | return false; |
| 123 | } else { |
130 | } else { |
| 124 | return true; |
131 | return true; |
| 125 | } |
132 | } |
| 126 | } |
133 | } |
| 127 | 134 | ||
| 128 | /** |
135 | /** |
| 129 | * @param string $reason |
136 | * @param string $reason |
| 130 | * @return bool |
137 | * @return bool |
| 131 | */ |
138 | */ |
| 132 | public function availableForVerify(string &$reason): bool { |
139 | public function availableForVerify(string &$reason): bool { |
| 133 | return $this->availableForHash($reason); |
140 | return $this->availableForHash($reason); |
| 134 | } |
141 | } |
| 135 | 142 | ||
| 136 | } |
143 | } |
| 137 | 144 | ||