1: | <?php |
2: | |
3: | declare(strict_types=1); |
4: | |
5: | |
6: | |
7: | |
8: | |
9: | |
10: | |
11: | |
12: | |
13: | |
14: | namespace Nexus\Password\Hash; |
15: | |
16: | use Nexus\Password\Algorithm; |
17: | use Nexus\Password\HashException; |
18: | |
19: | final readonly class SodiumHash extends AbstractHash |
20: | { |
21: | |
22: | |
23: | |
24: | |
25: | |
26: | |
27: | |
28: | |
29: | |
30: | |
31: | |
32: | |
33: | private int $opslimit; |
34: | |
35: | |
36: | |
37: | |
38: | |
39: | |
40: | |
41: | |
42: | |
43: | |
44: | |
45: | private int $memlimit; |
46: | |
47: | |
48: | |
49: | |
50: | public function __construct( |
51: | public Algorithm $algorithm, |
52: | array $options = [], |
53: | ) { |
54: | if (Algorithm::Sodium !== $algorithm) { |
55: | throw new HashException(\sprintf( |
56: | 'Algorithm expected to be Algorithm::Sodium, Algorithm::%s given.', |
57: | $algorithm->name, |
58: | )); |
59: | } |
60: | |
61: | $validatedOptions = self::validatedOptions( |
62: | $options, |
63: | SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE, |
64: | SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE, |
65: | ); |
66: | |
67: | $this->opslimit = $validatedOptions['opslimit']; |
68: | $this->memlimit = $validatedOptions['memlimit']; |
69: | } |
70: | |
71: | |
72: | |
73: | |
74: | #[\Override] |
75: | public function hash(#[\SensitiveParameter] string $password, array $options = []): string |
76: | { |
77: | if (! $this->isValidPassword($password)) { |
78: | throw new HashException('Invalid password provided.'); |
79: | } |
80: | |
81: | $validatedOptions = self::validatedOptions($options, $this->opslimit, $this->memlimit); |
82: | |
83: | return sodium_crypto_pwhash_str($password, $validatedOptions['opslimit'], $validatedOptions['memlimit']); |
84: | } |
85: | |
86: | |
87: | |
88: | |
89: | #[\Override] |
90: | public function needsRehash(string $hash, array $options = []): bool |
91: | { |
92: | $validatedOptions = self::validatedOptions($options, $this->opslimit, $this->memlimit); |
93: | |
94: | return sodium_crypto_pwhash_str_needs_rehash($hash, $validatedOptions['opslimit'], $validatedOptions['memlimit']); |
95: | } |
96: | |
97: | #[\Override] |
98: | public function verify(#[\SensitiveParameter] string $password, string $hash): bool |
99: | { |
100: | if (! $this->isValidPassword($password)) { |
101: | return false; |
102: | } |
103: | |
104: | return sodium_crypto_pwhash_str_verify($hash, $password); |
105: | } |
106: | |
107: | #[\Override] |
108: | public function valid(): bool |
109: | { |
110: | return \extension_loaded('sodium') |
111: | && version_compare(SODIUM_LIBRARY_VERSION, '1.0.14', '>='); |
112: | } |
113: | |
114: | |
115: | |
116: | |
117: | |
118: | |
119: | |
120: | |
121: | |
122: | |
123: | |
124: | private static function validatedOptions(array $options, int $opslimit, int $memlimit): array |
125: | { |
126: | $opslimit = $options['opslimit'] ?? $opslimit; |
127: | $memlimit = $options['memlimit'] ?? $memlimit; |
128: | |
129: | if ($opslimit < SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE) { |
130: | throw new HashException(\sprintf( |
131: | 'Operations limit should be %d or greater, %d given.', |
132: | SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, |
133: | $opslimit, |
134: | )); |
135: | } |
136: | |
137: | if ($memlimit < SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE) { |
138: | throw new HashException(\sprintf( |
139: | 'Memory limit should be %sMiB or greater (expressed in bytes), %sMiB given.', |
140: | number_format(SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE / 1024 ** 2), |
141: | number_format($memlimit / 1024 ** 2), |
142: | )); |
143: | } |
144: | |
145: | return compact('opslimit', 'memlimit'); |
146: | } |
147: | } |
148: | |