Added additional password hashing functions

2025-01-18 16:42:03 +11:00
parent 77a139016b
commit d3d7881e3b
25 changed files with 383 additions and 434 deletions
--- a/app/Classes/LDAP/Attribute/Password/Argon2i.php
+++ b/app/Classes/LDAP/Attribute/Password/Argon2i.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class Argon2i extends Base
+{
+	public const key = 'ARGON2';
+	protected const subkey = 'i';
+	protected const identifier = '$argon2i';
+
+	public static function subid(string $password): bool
+	{
+		return str_starts_with(base64_decode(self::password($password)),self::identifier.'$');
+	}
+
+	public function compare(string $source,string $compare): bool
+	{
+		return password_verify($compare,base64_decode($this->password($source)));
+	}
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(password_hash($password,PASSWORD_ARGON2I)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/Argon2id.php
+++ b/app/Classes/LDAP/Attribute/Password/Argon2id.php
@@ -0,0 +1,25 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class Argon2id extends Base
+{
+	public const key = 'ARGON2';
+	protected const subkey = 'id';
+	protected const identifier = '$argon2id';
+
+	public static function subid(string $password): bool
+	{
+		return str_starts_with(base64_decode(self::password($password)),self::identifier.'$');
+	}
+
+	public function compare(string $source,string $compare): bool
+	{
+		return password_verify($compare,base64_decode($this->password($source)));
+	}
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(password_hash($password,PASSWORD_ARGON2ID)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/Base.php
+++ b/app/Classes/LDAP/Attribute/Password/Base.php
@@ -4,11 +4,65 @@ namespace App\Classes\LDAP\Attribute\Password;

 abstract class Base
 {
-	abstract public function compare(string $source,string $compare): bool;
+	protected const subkey = '';
+
 	abstract public function encode(string $password): string;

 	public static function id(): string
+	{
+		return static::key.(static::subkey ? ':'.static::subkey : '');
+	}
+
+	/**
+	 * Remove the hash {TEXT}xxxx from the password
+	 *
+	 * @param string $password
+	 * @return string
+	 */
+	protected static function password(string $password): string
+	{
+		return preg_replace('/^{'.static::key.'}/','',$password);
+	}
+
+	public static function shortid(): string
 	{
 		return static::key;
 	}
+
+	/**
+	 * When multiple passwords share the same ID, this determines which hash is responsible for the presented password
+	 *
+	 * @param string $password
+	 * @return bool
+	 */
+	public static function subid(string $password): bool
+	{
+		return FALSE;
+	}
+
+	/**
+	 * Compare our password to see if it is the same as that stored
+	 *
+	 * @param string $source Encoded source password
+	 * @param string $compare Password entered by user
+	 * @return bool
+	 */
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare);
+	}
+
+	protected function salted_hash(string $password,string $algo,int $salt_size=8,string $salt=NULL): string
+	{
+		if (is_null($salt))
+			$salt = hex2bin(random_salt($salt_size));
+
+		return base64_encode(hash($algo,$password.$salt,true).$salt);
+	}
+
+	protected function salted_salt(string $source): string
+	{
+		$hash = base64_decode(substr($source,strlen(static::key)+2));
+		return substr($hash,strlen($hash)-static::salt/2);
+	}
 }
--- a/app/Classes/LDAP/Attribute/Password/Bcrypt.php
+++ b/app/Classes/LDAP/Attribute/Password/Bcrypt.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class Bcrypt extends Base
+{
+	public const key = 'BCRYPT';
+
+	private const options = [
+		'cost' => 8,
+	];
+
+	public function compare(string $source,string $compare): bool
+	{
+		return password_verify($compare,base64_decode($this->password($source)));
+	}
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(password_hash($password,PASSWORD_BCRYPT,self::options)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/Clear.php
+++ b/app/Classes/LDAP/Attribute/Password/Clear.php
@@ -4,12 +4,7 @@ namespace App\Classes\LDAP\Attribute\Password;

 final class Clear extends Base
 {
-	public const key = 'Clear';
-
-	public function compare(string $source,string $compare): bool
-	{
-		return $source === $compare;
-	}
+	public const key = '*clear*';

 	public function encode(string $password): string
 	{
--- a/app/Classes/LDAP/Attribute/Password/MD5.php
+++ b/app/Classes/LDAP/Attribute/Password/MD5.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class MD5 extends Base
+{
+	public const key = 'MD5';
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(hash('md5',$password,true)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SHA.php
+++ b/app/Classes/LDAP/Attribute/Password/SHA.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SHA extends Base
+{
+	public const key = 'SHA';
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(hash('sha1',$password,true)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SHA256.php
+++ b/app/Classes/LDAP/Attribute/Password/SHA256.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SHA256 extends Base
+{
+	public const key = 'SHA256';
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(hash('sha256',$password,true)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SHA384.php
+++ b/app/Classes/LDAP/Attribute/Password/SHA384.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SHA384 extends Base
+{
+	public const key = 'SHA384';
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(hash('sha384',$password,true)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SHA512.php
+++ b/app/Classes/LDAP/Attribute/Password/SHA512.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SHA512 extends Base
+{
+	public const key = 'SHA512';
+
+	public function encode(string $password): string
+	{
+		return sprintf('{%s}%s',self::key,base64_encode(hash('sha512',$password,true)));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SMD5.php
+++ b/app/Classes/LDAP/Attribute/Password/SMD5.php
@@ -0,0 +1,22 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SMD5 extends Base
+{
+	public const key = 'SMD5';
+	protected const salt = 8;
+
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare,$this->salted_salt($source));
+	}
+
+	public function encode(string $password,string $salt=NULL): string
+	{
+		if (is_null($salt))
+			$salt = hex2bin(random_salt(self::salt));
+
+		return sprintf('{%s}%s',self::key,$this->salted_hash($password,'md5',self::salt,$salt));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SSHA.php
+++ b/app/Classes/LDAP/Attribute/Password/SSHA.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SSHA extends Base
+{
+	public const key = 'SSHA';
+	protected const salt = 8;
+
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare,$this->salted_salt($source));
+	}
+
+	public function encode(string $password,string $salt=NULL): string
+	{
+		return sprintf('{%s}%s',self::key,$this->salted_hash($password,'sha1',self::salt,$salt));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SSHA256.php
+++ b/app/Classes/LDAP/Attribute/Password/SSHA256.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SSHA256 extends Base
+{
+	public const key = 'SSHA256';
+	protected const salt = 8;
+
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare,$this->salted_salt($source));
+	}
+
+	public function encode(string $password,string $salt=NULL): string
+	{
+		return sprintf('{%s}%s',self::key,$this->salted_hash($password,'sha256',self::salt,$salt));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SSHA384.php
+++ b/app/Classes/LDAP/Attribute/Password/SSHA384.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SSHA384 extends Base
+{
+	public const key = 'SSHA384';
+	protected const salt = 8;
+
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare,$this->salted_salt($source));
+	}
+
+	public function encode(string $password,string $salt=NULL): string
+	{
+		return sprintf('{%s}%s',self::key,$this->salted_hash($password,'sha384',self::salt,$salt));
+	}
+}
--- a/app/Classes/LDAP/Attribute/Password/SSHA512.php
+++ b/app/Classes/LDAP/Attribute/Password/SSHA512.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Classes\LDAP\Attribute\Password;
+
+final class SSHA512 extends Base
+{
+	public const key = 'SSHA512';
+	protected const salt = 8;
+
+	public function compare(string $source,string $compare): bool
+	{
+		return $source === $this->encode($compare,$this->salted_salt($source));
+	}
+
+	public function encode(string $password,string $salt=NULL): string
+	{
+		return sprintf('{%s}%s',self::key,$this->salted_hash($password,'sha512',self::salt,$salt));
+	}
+}