change psalm level to 2, add more type hints + return types to Crypt, ensure we treat "" as a null hash

DavidGoodwin · DavidGoodwin · commit b3d0bb28636f · 2025-02-21T13:18:03.000Z
diff --git a/psalm.xml b/psalm.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <psalm
-    errorLevel="3"
+    errorLevel="2"
     resolveFromConfigFile="true"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="https://getpsalm.org/schema/config"
diff --git a/src/Crypt.php b/src/Crypt.php
@@ -46,14 +46,18 @@ public function __construct(string $algorithm)
      *
      * If the return value matches $pw_db, then the plain text password ('pw') is correct.
      *
-     * @param string $pw - plain text password
-     * @param string $pw_db - hash from e.g. database (what we're comparing $pw to).
+     * @param string $clearText - plain text password
+     * @param ?string $passwordHash - hash from e.g. database (what we're comparing $pw to).
      * @return string if $pw is correct (hashes to $pw_db) then we return $pw_db. Else we return a new hash.
      *
      * @throws Exception
      */
-    public function crypt(string $clearText, string $passwordHash = null): string
+    public function crypt(string $clearText, ?string $passwordHash = null): string
     {
+        if (is_string($passwordHash) && empty($passwordHash)) {
+            $passwordHash = null;
+        }
+
         $algorithm = $this->algorithm;
 
         switch ($this->algorithm) {
@@ -114,11 +118,11 @@ public function crypt(string $clearText, string $passwordHash = null): string
 
             case 'CRYPT':
                 $prefix = false;
-                if (!empty($passwordHash)) {
+                if (!is_null($passwordHash)) {
                     $prefix = (substr($passwordHash, 0, 7) == '{CRYPT}');
                     $passwordHash = preg_replace('/^{CRYPT}/', '', $passwordHash);
                 }
-                if (empty($passwordHash)) {
+                if (is_null($passwordHash)) {
                     $passwordHash = '$2y$10$' . substr(sha1(random_bytes(8)), 0, 22);
                 }
                 $str = crypt($clearText, $passwordHash);
@@ -159,27 +163,31 @@ public function hashSha1(string $clearText, string $algorithm = 'SHA1'): string
         return "{{$algorithm}}{$hash}";
     }
 
-    public function hashSha1Salted(string $clearText, string $hash = null): string
+    public function hashSha1Salted(string $clearText, ?string $hash = null): string
     {
-        if (empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_null($hash)) {
             $salt = base64_encode(random_bytes(3)); // 4 char salt.
         } else {
             $salt = substr(base64_decode(substr($hash, 6)), 20);
         }
         return '{SSHA}' . base64_encode(sha1($clearText . $salt, true) . $salt);
     }
 
-    public function hashSha512Salted(string $clearText, string $hash = null): string
+    public function hashSha512Salted(string $clearText, ?string $hash = null): string
     {
-        if (empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_null($hash)) {
             $salt = base64_encode(random_bytes(16));
         } else {
             $salt = substr(base64_decode(substr($hash, 9)), 64);
         }
         return '{SSHA512}' . base64_encode(hash('sha512', $clearText . $salt, true) . $salt);
     }
 
-    public function hashSha512(string $clearText, string $algorithm = 'SHA512')
+    public function hashSha512(string $clearText, string $algorithm = 'SHA512'): string
     {
         $prefix = '{SHA512}';
 
@@ -203,20 +211,24 @@ public function hashSha256(string $clearText): string
         return '{SHA256}' . base64_encode(hash('sha256', $clearText, true));
     }
 
-    public function cryptMd5(string $clearText, string $hash = null, $algorithm = 'MD5-CRYPT')
+    public function cryptMd5(string $clearText, ?string $hash = null, string $algorithm = 'MD5-CRYPT'): string
     {
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             $hash = preg_replace('/^{MD5.*}/', '', $hash);
         }
-        if (empty($hash)) {
+        if (is_null($hash)) {
             $hash = '$1$' . substr(sha1(random_bytes(8)), 0, 16);
         }
         return "{{$algorithm}}" . crypt($clearText, $hash);
     }
 
-    public function blowfishCrypt(string $clearText, string $hash = null, string $algorithm = 'BLF-CRYPT'): string
+    public function blowfishCrypt(string $clearText, ?string $hash = null, string $algorithm = 'BLF-CRYPT'): string
     {
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             if ($algorithm == 'BLF-CRYPT') {
                 $hash = preg_replace('/^{BLF-CRYPT}/', '', $hash);
             }
@@ -244,17 +256,19 @@ public function blowfishCrypt(string $clearText, string $hash = null, string $al
         return '{BLF-CRYPT}' . $r;
     }
 
-    public function sha256Crypt(string $clearText, string $hash = null, string $algorithm = 'SHA256-CRYPT'): string
+    public function sha256Crypt(string $clearText, ?string $hash = null, string $algorithm = 'SHA256-CRYPT'): string
     {
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             $hash = preg_replace('/^{SHA256-CRYPT(\.B64)?}/', '', $hash);
 
             if ($algorithm == 'SHA256-CRYPT.B64') {
                 $hash = base64_decode($hash);
             }
         }
 
-        if (empty($hash)) {
+        if (is_null($hash)) {
             $hash = '$5$' . substr(sha1(random_bytes(8)), 0, 16);
         }
 
@@ -266,17 +280,19 @@ public function sha256Crypt(string $clearText, string $hash = null, string $algo
         return "{SHA256-CRYPT}" . $generated;
     }
 
-    public function sha512Crypt(string $pw, string $hash = null, string $algorithm = 'SHA512-CRYPT'): string
+    public function sha512Crypt(string $pw, ?string $hash = null, string $algorithm = 'SHA512-CRYPT'): string
     {
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             $hash = preg_replace('/^{SHA512-CRYPT(\.B64)?}/', '', $hash);
 
             if ($algorithm == 'SHA512-CRYPT.B64') {
                 $hash = base64_decode($hash);
             }
         }
 
-        if (empty($hash)) {
+        if (is_null($hash)) {
             $hash = '$6$' . substr(sha1(random_bytes(8)), 0, 16);
         }
 
@@ -290,9 +306,17 @@ public function sha512Crypt(string $pw, string $hash = null, string $algorithm =
         return "{SHA512-CRYPT}$generated";
     }
 
-    public function argon2ICrypt(string $clearText, string $hash = null, $algorithm = 'ARGON2I'): string
+    /**
+     * @param string $clearText
+     * @param string|null $hash
+     * @param $algorithm
+     * @return string
+     */
+    public function argon2ICrypt(string $clearText, ?string $hash = null, string $algorithm = 'ARGON2I'): string
     {
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             $hash = preg_replace('/^{ARGON2I(\.B64)?}/', '', $hash);
             $orig_pwdb = $hash;
             if ($algorithm == 'ARGON2I.B64') {
@@ -325,13 +349,15 @@ public function argon2ICrypt(string $clearText, string $hash = null, $algorithm
         return "{ARGON2I.B64}" . base64_encode($generated);
     }
 
-    public function argon2idCrypt(string $clearText, string $hash = null, string $algorithm = 'ARGON2ID'): string
+    public function argon2idCrypt(string $clearText, ?string $hash = null, string $algorithm = 'ARGON2ID'): string
     {
         if (!defined('PASSWORD_ARGON2ID')) {
             throw new Exception("$algorithm is not supported; requires PHP 7.3+");
         }
 
-        if (!empty($hash)) {
+        $hash = $this->changeEmptyHashToNull($hash);
+
+        if (is_string($hash)) {
             $hash = preg_replace('/^{ARGON2ID(\.B64)?}/', '', $hash);
 
             $orig_pwdb = $hash;
@@ -366,4 +392,11 @@ public function argon2idCrypt(string $clearText, string $hash = null, string $al
         }
         return '{ARGON2ID.B64}' . base64_encode($generated);
     }
+
+    private function changeEmptyHashToNull(?string $hash) : ?string {
+        if (is_string($hash) && empty($hash)) {
+            return $hash;
+        }
+        return $hash;
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -46,14 +46,18 @@ public function __construct(string $algorithm)`
`46`	`46`	`*`
`47`	`47`	`* If the return value matches $pw_db, then the plain text password ('pw') is correct.`
`48`	`48`	`*`
`49`		`- * @param string $pw - plain text password`
`50`		`- * @param string $pw_db - hash from e.g. database (what we're comparing $pw to).`
	`49`	`+ * @param string $clearText - plain text password`
	`50`	`+ * @param ?string $passwordHash - hash from e.g. database (what we're comparing $pw to).`
`51`	`51`	`* @return string if $pw is correct (hashes to $pw_db) then we return $pw_db. Else we return a new hash.`
`52`	`52`	`*`
`53`	`53`	`* @throws Exception`
`54`	`54`	`*/`
`55`		`- public function crypt(string $clearText, string $passwordHash = null): string`
	`55`	`+ public function crypt(string $clearText, ?string $passwordHash = null): string`
`56`	`56`	`{`
	`57`	`+ if (is_string($passwordHash) && empty($passwordHash)) {`
	`58`	`+ $passwordHash = null;`
	`59`	`+ }`
	`60`	`+`
`57`	`61`	`$algorithm = $this->algorithm;`
`58`	`62`
`59`	`63`	`switch ($this->algorithm) {`
`@@ -114,11 +118,11 @@ public function crypt(string $clearText, string $passwordHash = null): string`
`114`	`118`
`115`	`119`	`case 'CRYPT':`
`116`	`120`	`$prefix = false;`
`117`		`- if (!empty($passwordHash)) {`
	`121`	`+ if (!is_null($passwordHash)) {`
`118`	`122`	`$prefix = (substr($passwordHash, 0, 7) == '{CRYPT}');`
`119`	`123`	`$passwordHash = preg_replace('/^{CRYPT}/', '', $passwordHash);`
`120`	`124`	`}`
`121`		`- if (empty($passwordHash)) {`
	`125`	`+ if (is_null($passwordHash)) {`
`122`	`126`	`$passwordHash = '$2y$10$' . substr(sha1(random_bytes(8)), 0, 22);`
`123`	`127`	`}`
`124`	`128`	`$str = crypt($clearText, $passwordHash);`
`@@ -159,27 +163,31 @@ public function hashSha1(string $clearText, string $algorithm = 'SHA1'): string`
`159`	`163`	`return "{{$algorithm}}{$hash}";`
`160`	`164`	`}`
`161`	`165`
`162`		`- public function hashSha1Salted(string $clearText, string $hash = null): string`
	`166`	`+ public function hashSha1Salted(string $clearText, ?string $hash = null): string`
`163`	`167`	`{`
`164`		`- if (empty($hash)) {`
	`168`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`169`	`+`
	`170`	`+ if (is_null($hash)) {`
`165`	`171`	`$salt = base64_encode(random_bytes(3)); // 4 char salt.`
`166`	`172`	`} else {`
`167`	`173`	`$salt = substr(base64_decode(substr($hash, 6)), 20);`
`168`	`174`	`}`
`169`	`175`	`return '{SSHA}' . base64_encode(sha1($clearText . $salt, true) . $salt);`
`170`	`176`	`}`
`171`	`177`
`172`		`- public function hashSha512Salted(string $clearText, string $hash = null): string`
	`178`	`+ public function hashSha512Salted(string $clearText, ?string $hash = null): string`
`173`	`179`	`{`
`174`		`- if (empty($hash)) {`
	`180`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`181`	`+`
	`182`	`+ if (is_null($hash)) {`
`175`	`183`	`$salt = base64_encode(random_bytes(16));`
`176`	`184`	`} else {`
`177`	`185`	`$salt = substr(base64_decode(substr($hash, 9)), 64);`
`178`	`186`	`}`
`179`	`187`	`return '{SSHA512}' . base64_encode(hash('sha512', $clearText . $salt, true) . $salt);`
`180`	`188`	`}`
`181`	`189`
`182`		`- public function hashSha512(string $clearText, string $algorithm = 'SHA512')`
	`190`	`+ public function hashSha512(string $clearText, string $algorithm = 'SHA512'): string`
`183`	`191`	`{`
`184`	`192`	`$prefix = '{SHA512}';`
`185`	`193`
`@@ -203,20 +211,24 @@ public function hashSha256(string $clearText): string`
`203`	`211`	`return '{SHA256}' . base64_encode(hash('sha256', $clearText, true));`
`204`	`212`	`}`
`205`	`213`
`206`		`- public function cryptMd5(string $clearText, string $hash = null, $algorithm = 'MD5-CRYPT')`
	`214`	`+ public function cryptMd5(string $clearText, ?string $hash = null, string $algorithm = 'MD5-CRYPT'): string`
`207`	`215`	`{`
`208`		`- if (!empty($hash)) {`
	`216`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`217`	`+`
	`218`	`+ if (is_string($hash)) {`
`209`	`219`	`$hash = preg_replace('/^{MD5.*}/', '', $hash);`
`210`	`220`	`}`
`211`		`- if (empty($hash)) {`
	`221`	`+ if (is_null($hash)) {`
`212`	`222`	`$hash = '$1$' . substr(sha1(random_bytes(8)), 0, 16);`
`213`	`223`	`}`
`214`	`224`	`return "{{$algorithm}}" . crypt($clearText, $hash);`
`215`	`225`	`}`
`216`	`226`
`217`		`- public function blowfishCrypt(string $clearText, string $hash = null, string $algorithm = 'BLF-CRYPT'): string`
	`227`	`+ public function blowfishCrypt(string $clearText, ?string $hash = null, string $algorithm = 'BLF-CRYPT'): string`
`218`	`228`	`{`
`219`		`- if (!empty($hash)) {`
	`229`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`230`	`+`
	`231`	`+ if (is_string($hash)) {`
`220`	`232`	`if ($algorithm == 'BLF-CRYPT') {`
`221`	`233`	`$hash = preg_replace('/^{BLF-CRYPT}/', '', $hash);`
`222`	`234`	`}`
`@@ -244,17 +256,19 @@ public function blowfishCrypt(string $clearText, string $hash = null, string $al`
`244`	`256`	`return '{BLF-CRYPT}' . $r;`
`245`	`257`	`}`
`246`	`258`
`247`		`- public function sha256Crypt(string $clearText, string $hash = null, string $algorithm = 'SHA256-CRYPT'): string`
	`259`	`+ public function sha256Crypt(string $clearText, ?string $hash = null, string $algorithm = 'SHA256-CRYPT'): string`
`248`	`260`	`{`
`249`		`- if (!empty($hash)) {`
	`261`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`262`	`+`
	`263`	`+ if (is_string($hash)) {`
`250`	`264`	`$hash = preg_replace('/^{SHA256-CRYPT(\.B64)?}/', '', $hash);`
`251`	`265`
`252`	`266`	`if ($algorithm == 'SHA256-CRYPT.B64') {`
`253`	`267`	`$hash = base64_decode($hash);`
`254`	`268`	`}`
`255`	`269`	`}`
`256`	`270`
`257`		`- if (empty($hash)) {`
	`271`	`+ if (is_null($hash)) {`
`258`	`272`	`$hash = '$5$' . substr(sha1(random_bytes(8)), 0, 16);`
`259`	`273`	`}`
`260`	`274`
`@@ -266,17 +280,19 @@ public function sha256Crypt(string $clearText, string $hash = null, string $algo`
`266`	`280`	`return "{SHA256-CRYPT}" . $generated;`
`267`	`281`	`}`
`268`	`282`
`269`		`- public function sha512Crypt(string $pw, string $hash = null, string $algorithm = 'SHA512-CRYPT'): string`
	`283`	`+ public function sha512Crypt(string $pw, ?string $hash = null, string $algorithm = 'SHA512-CRYPT'): string`
`270`	`284`	`{`
`271`		`- if (!empty($hash)) {`
	`285`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`286`	`+`
	`287`	`+ if (is_string($hash)) {`
`272`	`288`	`$hash = preg_replace('/^{SHA512-CRYPT(\.B64)?}/', '', $hash);`
`273`	`289`
`274`	`290`	`if ($algorithm == 'SHA512-CRYPT.B64') {`
`275`	`291`	`$hash = base64_decode($hash);`
`276`	`292`	`}`
`277`	`293`	`}`
`278`	`294`
`279`		`- if (empty($hash)) {`
	`295`	`+ if (is_null($hash)) {`
`280`	`296`	`$hash = '$6$' . substr(sha1(random_bytes(8)), 0, 16);`
`281`	`297`	`}`
`282`	`298`
`@@ -290,9 +306,17 @@ public function sha512Crypt(string $pw, string $hash = null, string $algorithm =`
`290`	`306`	`return "{SHA512-CRYPT}$generated";`
`291`	`307`	`}`
`292`	`308`
`293`		`- public function argon2ICrypt(string $clearText, string $hash = null, $algorithm = 'ARGON2I'): string`
	`309`	`+ /**`
	`310`	`+ * @param string $clearText`
	`311`	`+ * @param string\|null $hash`
	`312`	`+ * @param $algorithm`
	`313`	`+ * @return string`
	`314`	`+ */`
	`315`	`+ public function argon2ICrypt(string $clearText, ?string $hash = null, string $algorithm = 'ARGON2I'): string`
`294`	`316`	`{`
`295`		`- if (!empty($hash)) {`
	`317`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`318`	`+`
	`319`	`+ if (is_string($hash)) {`
`296`	`320`	`$hash = preg_replace('/^{ARGON2I(\.B64)?}/', '', $hash);`
`297`	`321`	`$orig_pwdb = $hash;`
`298`	`322`	`if ($algorithm == 'ARGON2I.B64') {`
`@@ -325,13 +349,15 @@ public function argon2ICrypt(string $clearText, string $hash = null, $algorithm`
`325`	`349`	`return "{ARGON2I.B64}" . base64_encode($generated);`
`326`	`350`	`}`
`327`	`351`
`328`		`- public function argon2idCrypt(string $clearText, string $hash = null, string $algorithm = 'ARGON2ID'): string`
	`352`	`+ public function argon2idCrypt(string $clearText, ?string $hash = null, string $algorithm = 'ARGON2ID'): string`
`329`	`353`	`{`
`330`	`354`	`if (!defined('PASSWORD_ARGON2ID')) {`
`331`	`355`	`throw new Exception("$algorithm is not supported; requires PHP 7.3+");`
`332`	`356`	`}`
`333`	`357`
`334`		`- if (!empty($hash)) {`
	`358`	`+ $hash = $this->changeEmptyHashToNull($hash);`
	`359`	`+`
	`360`	`+ if (is_string($hash)) {`
`335`	`361`	`$hash = preg_replace('/^{ARGON2ID(\.B64)?}/', '', $hash);`
`336`	`362`
`337`	`363`	`$orig_pwdb = $hash;`
`@@ -366,4 +392,11 @@ public function argon2idCrypt(string $clearText, string $hash = null, string $al`
`366`	`392`	`}`
`367`	`393`	`return '{ARGON2ID.B64}' . base64_encode($generated);`
`368`	`394`	`}`
	`395`	`+`
	`396`	`+ private function changeEmptyHashToNull(?string $hash) : ?string {`
	`397`	`+ if (is_string($hash) && empty($hash)) {`
	`398`	`+ return $hash;`
	`399`	`+ }`
	`400`	`+ return $hash;`
	`401`	`+ }`
`369`	`402`	`}`