Pbkdf2PasswordHash.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\Core\Crypto\PasswordHashing;
 
use ‪TYPO3\CMS\Core\Crypto\Random;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
 
class ‪Pbkdf2PasswordHash implements ‪PasswordHashInterface
{
    protected const ‪PREFIX = '$pbkdf2-sha256$';
 
    protected ‪$options = [
        'hash_count' => 25000
    ];
 
    public function ‪__construct(array ‪$options = [])
    {
        $newOptions = ‪$this->options;
        if (isset(‪$options['hash_count'])) {
            if ((int)‪$options['hash_count'] < 1000 || (int)‪$options['hash_count'] > 10000000) {
                throw new \InvalidArgumentException(
                    'hash_count must not be lower than 1000 or bigger than 10000000',
                    1533903544
                );
            }
            $newOptions['hash_count'] = (int)‪$options['hash_count'];
        }
        $this->options = $newOptions;
    }
 
    public function ‪checkPassword(string $plainPW, string $saltedHashPW): bool
    {
        return $this->‪isValidSalt($saltedHashPW) && hash_equals((string)$this->‪getHashedPasswordInternal($plainPW, $saltedHashPW), $saltedHashPW);
    }
 
    public function ‪isAvailable(): bool
    {
        return function_exists('hash_pbkdf2');
    }
 
    public function ‪getHashedPassword(string $password)
    {
        return $this->‪getHashedPasswordInternal($password);
    }
 
    public function ‪isValidSaltedPW(string $saltedPW): bool
    {
        $isValid = !strncmp(self::PREFIX, $saltedPW, strlen(self::PREFIX));
        if ($isValid) {
            $isValid = $this->‪isValidSalt($saltedPW);
        }
        return $isValid;
    }
 
    public function ‪isHashUpdateNeeded(string $saltedPW): bool
    {
        // Check whether this was an updated password.
        if (strncmp($saltedPW, self::PREFIX, strlen(self::PREFIX)) || !$this->‪isValidSalt($saltedPW)) {
            return true;
        }
        // Check whether the iteration count used differs from the standard number.
        $iterationCount = $this->‪getIterationCount($saltedPW);
        return $iterationCount !== null && $iterationCount < $this->options['hash_count'];
    }
 
    protected function ‪getIterationCount(string $setting)
    {
        $iterationCount = null;
        $setting = substr($setting, strlen(self::PREFIX));
        $firstSplitPos = strpos($setting, '$');
        // Hashcount existing
        if ($firstSplitPos !== false
            && $firstSplitPos <= strlen((string)10000000)
            && is_numeric(substr($setting, 0, $firstSplitPos))
        ) {
            $iterationCount = (int)substr($setting, 0, $firstSplitPos);
        }
        return $iterationCount;
    }
 
    protected function ‪getHashedPasswordInternal(string $password, string $salt = null)
    {
        $saltedPW = null;
        if ($password !== '') {
            $hashCount = $this->options['hash_count'];
            if (empty($salt) || !$this->‪isValidSalt($salt)) {
                $salt = $this->‪getGeneratedSalt();
            } else {
                $hashCount = $this->‪getIterationCount($salt);
                $salt = $this->‪getStoredSalt($salt);
            }
            $hash = hash_pbkdf2('sha256', $password, $salt, $hashCount, 0, true);
            $saltWithSettings = $salt;
            // salt without setting
            if (strlen($salt) === 16) {
                $saltWithSettings = self::PREFIX . sprintf('%02u', $hashCount) . '$' . $this->‪base64Encode($salt, 16);
            }
            $saltedPW = $saltWithSettings . '$' . $this->‪base64Encode($hash, strlen($hash));
        }
        return $saltedPW;
    }
 
    protected function ‪getGeneratedSalt(): string
    {
        return GeneralUtility::makeInstance(Random::class)->generateRandomBytes(16);
    }
 
    protected function ‪getStoredSalt(string $salt): string
    {
        if (!strncmp('$', $salt, 1)) {
            if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {
                $saltParts = ‪GeneralUtility::trimExplode('$', $salt, 4);
                $salt = $saltParts[2];
            }
        }
        return $this->‪base64Decode($salt);
    }
 
    protected function ‪getItoa64(): string
    {
        return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    }
 
    protected function ‪isValidSalt(string $salt): bool
    {
        $isValid = ($skip = false);
        $reqLenBase64 = $this->‪getLengthBase64FromBytes(16);
        if (strlen($salt) >= $reqLenBase64) {
            // Salt with prefixed setting
            if (!strncmp('$', $salt, 1)) {
                if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {
                    $isValid = true;
                    $salt = substr($salt, (int)strrpos($salt, '$') + 1);
                } else {
                    $skip = true;
                }
            }
            // Checking base64 characters
            if (!$skip && strlen($salt) >= $reqLenBase64) {
                if (preg_match('/^[' . preg_quote($this->‪getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {
                    $isValid = true;
                }
            }
        }
        return $isValid;
    }
 
    protected function ‪getLengthBase64FromBytes(int $byteLength): int
    {
        // Calculates bytes in bits in base64
        return (int)ceil($byteLength * 8 / 6);
    }
 
    protected function ‪base64Encode(string $input, int $count): string
    {
        $input = substr($input, 0, $count);
        return rtrim(str_replace('+', '.', base64_encode($input)), " =\r\n\t\0\x0B");
    }
 
    protected function ‪base64Decode(string $value): string
    {
        return base64_decode(str_replace('.', '+', $value));
    }
}