[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4   * Joomla! Content Management System
   5   *
   6   * @copyright  (C) 2017 Open Source Matters, Inc. <https://www.joomla.org>
   7   * @license    GNU General Public License version 2 or later; see LICENSE.txt
   8   */
   9  
  10  namespace Joomla\CMS\Authentication\Password;
  11  
  12  use Joomla\Authentication\Password\HandlerInterface;
  13  use Joomla\CMS\Crypt\Crypt;
  14  use Joomla\CMS\User\UserHelper;
  15  
  16  // phpcs:disable PSR1.Files.SideEffects
  17  \defined('JPATH_PLATFORM') or die;
  18  // phpcs:enable PSR1.Files.SideEffects
  19  
  20  /**
  21   * Password handler for MD5 hashed passwords
  22   *
  23   * @since       4.0.0
  24   * @deprecated  5.0  Support for MD5 hashed passwords will be removed
  25   */
  26  class MD5Handler implements HandlerInterface, CheckIfRehashNeededHandlerInterface
  27  {
  28      /**
  29       * Check if the password requires rehashing
  30       *
  31       * @param   string  $hash  The password hash to check
  32       *
  33       * @return  boolean
  34       *
  35       * @since   4.0.0
  36       */
  37      public function checkIfRehashNeeded(string $hash): bool
  38      {
  39          return true;
  40      }
  41  
  42      /**
  43       * Generate a hash for a plaintext password
  44       *
  45       * @param   string  $plaintext  The plaintext password to validate
  46       * @param   array   $options    Options for the hashing operation
  47       *
  48       * @return  string
  49       *
  50       * @since   4.0.0
  51       */
  52      public function hashPassword($plaintext, array $options = [])
  53      {
  54          $salt    = UserHelper::genRandomPassword(32);
  55          $crypted = md5($plaintext . $salt);
  56  
  57          return $crypted . ':' . $salt;
  58      }
  59  
  60      /**
  61       * Check that the password handler is supported in this environment
  62       *
  63       * @return  boolean
  64       *
  65       * @since   4.0.0
  66       */
  67      public static function isSupported()
  68      {
  69          return true;
  70      }
  71  
  72      /**
  73       * Validate a password
  74       *
  75       * @param   string  $plaintext  The plain text password to validate
  76       * @param   string  $hashed     The password hash to validate against
  77       *
  78       * @return  boolean
  79       *
  80       * @since   4.0.0
  81       */
  82      public function validatePassword($plaintext, $hashed)
  83      {
  84          // Check the password
  85          $parts = explode(':', $hashed);
  86          $salt  = @$parts[1];
  87  
  88          // Compile the hash to compare
  89          // If the salt is empty AND there is a ':' in the original hash, we must append ':' at the end
  90          $testcrypt = md5($plaintext . $salt) . ($salt ? ':' . $salt : (strpos($hashed, ':') !== false ? ':' : ''));
  91  
  92          return Crypt::timingSafeCompare($hashed, $testcrypt);
  93      }
  94  }