Change default hash cost back to 10 and fix legacy hash detection issue

alexweissman · alexweissman · commit 3b0df57c1cd2 · 2017-12-13T16:19:08.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Change Log
 
+## v4.1.15-alpha
+- Change default hash cost back to 10 and fix legacy hash detection issue
+
 ## v4.1.14-alpha
 - Fix issue with scopes being applied twice in `Unique::getPaginatedQuery` (https://github.com/userfrosting/extend-user/issues/2)
 - Update Bower dependencies in core Sprinkle
diff --git a/app/sprinkles/account/src/Util/Password.php b/app/sprinkles/account/src/Util/Password.php
@@ -19,22 +19,21 @@ class Password
      *
      * @var int
      */
-    protected static $rounds = 12;
+    protected static $rounds = 10;
 
     /**
      * Returns the hashing type for a specified password hash.
      *
      * Automatically detects the hash type: "sha1" (for UserCake legacy accounts), "legacy" (for 0.1.x accounts), and "modern" (used for new accounts).
      * @param string $password the hashed password.
-     * @param array  $options
      * @return string "sha1"|"legacy"|"modern".
      */
-    public static function getHashType($password, array $options = [])
+    public static function getHashType($password)
     {
         // If the password in the db is 65 characters long, we have an sha1-hashed password.
         if (strlen($password) == 65) {
             return 'sha1';
-        } elseif (substr($password, 0, 7) == '$2y$' . static::cost($options) . '$') {
+        } elseif (strlen($password) == 82) {
             return 'legacy';
         }
 
@@ -67,33 +66,29 @@ public static function hash($password, array $options = [])
      *
      * @param string $password The plaintext password to verify.
      * @param string $hash The hash to compare against.
+     * @param array  $options
      * @return boolean True if the password matches, false otherwise.
      */
     public static function verify($password, $hash, array $options = [])
     {
-        $hashType = static::getHashType($hash, $options);
+        $hashType = static::getHashType($hash);
 
         if ($hashType == 'sha1') {
             // Legacy UserCake passwords
             $salt = substr($hash, 0, 25);		// Extract the salt from the hash
-            $hashInput = $salt . sha1($salt . $password);
-            if (hash_equals($hashInput, $hash) === true) {
-                return true;
-            }
+            $inputHash = $salt . sha1($salt . $password);
 
-            return false;
+            return (hash_equals($inputHash, $hash) === true);
 
         } elseif ($hashType == 'legacy') {
             // Homegrown implementation (assuming that current install has been using a cost parameter of 12)
             // Used for manual implementation of bcrypt.
-            $extract = substr($hash, 0, 60);
-            $compare = crypt($password, '$2y$' . static::cost($options) . '$' . substr($hash, 60));
-
-            if (hash_equals($extract, $compare) === true) {
-                return true;
-            }
+            // Note that this legacy hashing put the salt at the _end_ for some reason.
+            $salt = substr($hash, 60);
+            $inputHash = crypt($password, '$2y$12$' . $salt);
+            $correctHash = substr($hash, 0, 60);
 
-            return false;
+            return (hash_equals($inputHash, $correctHash) === true);
         }
 
         // Modern implementation
