9.5/_pbkdf2_password_hash_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Core\Crypto\PasswordHashing;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use ‪TYPO3\CMS\Core\Compatibility\PublicMethodDeprecationTrait;

use ‪TYPO3\CMS\Core\Crypto\Random;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


class ‪Pbkdf2PasswordHash implements ‪PasswordHashInterface

{

    use ‪PublicMethodDeprecationTrait;


    private ‪$deprecatedPublicMethods = [

        'isValidSalt' => 'Using Pbkdf2PasswordHash::isValidSalt() is deprecated and will not be possible anymore in TYPO3 v10.0.',

        'base64Encode' => 'Using Pbkdf2PasswordHash::base64Encode() is deprecated and will not be possible anymore in TYPO3 v10.0.',

        'base64Decode' => 'Using Pbkdf2PasswordHash::base64Decode() is deprecated and will not be possible anymore in TYPO3 v10.0.',

    ];


    protected const ‪PREFIX = '$pbkdf2-sha256$';


    protected ‪$options = [

        'hash_count' => 25000

    ];


    const ‪ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';


    const ‪HASH_COUNT = 25000;


    const ‪MAX_HASH_COUNT = 10000000;


    const ‪MIN_HASH_COUNT = 1000;


    public function ‪__construct(array ‪$options = [])

    {

        $newOptions = ‪$this->options;

        if (isset(‪$options['hash_count'])) {

            if ((int)‪$options['hash_count'] < 1000 || (int)‪$options['hash_count'] > 10000000) {

                throw new \InvalidArgumentException(

                    'hash_count must not be lower than 1000 or bigger than 10000000',

                    1533903544

                );

            }

            $newOptions['hash_count'] = (int)‪$options['hash_count'];

        }

        $this->options = $newOptions;

    }


    public function ‪checkPassword(string $plainPW, string $saltedHashPW): bool

    {

        return $this->‪isValidSalt($saltedHashPW) && hash_equals($this->‪getHashedPasswordInternal($plainPW, $saltedHashPW), $saltedHashPW);

    }


    public function ‪isAvailable(): bool

    {

        return function_exists('hash_pbkdf2');

    }


    public function ‪getHashedPassword(string $password, string $salt = null)

    {

        if ($salt !== null) {

            trigger_error(static::class . ': using a custom salt is deprecated.', E_USER_DEPRECATED);

        }

        return $this->‪getHashedPasswordInternal($password, $salt);

    }


    public function ‪isValidSaltedPW(string $saltedPW): bool

    {

        $isValid = !strncmp(self::PREFIX, $saltedPW, strlen(self::PREFIX));

        if ($isValid) {

            $isValid = $this->‪isValidSalt($saltedPW);

        }

        return $isValid;

    }


    public function ‪isHashUpdateNeeded(string $saltedPW): bool

    {

        // Check whether this was an updated password.

        if (strncmp($saltedPW, self::PREFIX, strlen(self::PREFIX)) || !$this->‪isValidSalt($saltedPW)) {

            return true;

        }

        // Check whether the iteration count used differs from the standard number.

        $iterationCount = $this->‪getIterationCount($saltedPW);

        return $iterationCount !== null && $iterationCount < $this->options['hash_count'];

    }


    protected function ‪getIterationCount(string $setting)

    {

        $iterationCount = null;

        $setting = substr($setting, strlen(self::PREFIX));

        $firstSplitPos = strpos($setting, '$');

        // Hashcount existing

        if ($firstSplitPos !== false

            && $firstSplitPos <= strlen((string)10000000)

            && is_numeric(substr($setting, 0, $firstSplitPos))

        ) {

            $iterationCount = (int)substr($setting, 0, $firstSplitPos);

        }

        return $iterationCount;

    }


    protected function ‪getHashedPasswordInternal(string $password, string $salt = null)

    {

        $saltedPW = null;

        if ($password !== '') {

            $hashCount = $this->options['hash_count'];

            if (empty($salt) || !$this->‪isValidSalt($salt)) {

                $salt = $this->‪getGeneratedSalt();

            } else {

                $hashCount = $this->‪getIterationCount($salt);

                $salt = $this->‪getStoredSalt($salt);

            }

            $hash = hash_pbkdf2('sha256', $password, $salt, $hashCount, 0, true);

            $saltWithSettings = $salt;

            // salt without setting

            if (strlen($salt) === 16) {

                $saltWithSettings = self::PREFIX . sprintf('%02u', $hashCount) . '$' . $this->‪base64Encode($salt, 16);

            }

            $saltedPW = $saltWithSettings . '$' . $this->‪base64Encode($hash, strlen($hash));

        }

        return $saltedPW;

    }


    protected function ‪getGeneratedSalt(): string

    {

        return GeneralUtility::makeInstance(Random::class)->generateRandomBytes(16);

    }


    protected function ‪getStoredSalt(string $salt): string

    {

        if (!strncmp('$', $salt, 1)) {

            if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {

                $saltParts = GeneralUtility::trimExplode('$', $salt, 4);

                $salt = $saltParts[2];

            }

        }

        return $this->‪base64Decode($salt);

    }


    protected function ‪getItoa64(): string

    {

        return './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    }


    protected function ‪isValidSalt(string $salt): bool

    {

        $isValid = ($skip = false);

        $reqLenBase64 = $this->‪getLengthBase64FromBytes(16);

        if (strlen($salt) >= $reqLenBase64) {

            // Salt with prefixed setting

            if (!strncmp('$', $salt, 1)) {

                if (!strncmp(self::PREFIX, $salt, strlen(self::PREFIX))) {

                    $isValid = true;

                    $salt = substr($salt, strrpos($salt, '$') + 1);

                } else {

                    $skip = true;

                }

            }

            // Checking base64 characters

            if (!$skip && strlen($salt) >= $reqLenBase64) {

                if (preg_match('/^[' . preg_quote($this->‪getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {

                    $isValid = true;

                }

            }

        }

        return $isValid;

    }


    protected function ‪getLengthBase64FromBytes(int $byteLength): int

    {

        // Calculates bytes in bits in base64

        return (int)ceil($byteLength * 8 / 6);

    }


    protected function ‪base64Encode(string $input, int $count): string

    {

        $input = substr($input, 0, $count);

        return rtrim(str_replace('+', '.', base64_encode($input)), " =\r\n\t\0\x0B");

    }


    protected function ‪base64Decode(string $value): string

    {

        return base64_decode(str_replace('.', '+', $value));

    }


    public function ‪getHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return $this->options['hash_count'];

    }


    public function ‪getMaxHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 10000000;

    }


    public function ‪getMinHashCount(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 1000;

    }


    public function ‪getSaltLength(): int

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return 16;

    }


    public function ‪getSetting(): string

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        return ‪self::PREFIX;

    }


    public function ‪setHashCount(int $hashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        if ($hashCount >= 1000 && $hashCount <= 10000000) {

            $this->options['hash_count'] = $hashCount;

        }

    }


    public function ‪setMaxHashCount(int $maxHashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        // Empty, max hash count is hard coded to 10000000

    }


    public function ‪setMinHashCount(int $minHashCount = null)

    {

        trigger_error('This method will be removed in TYPO3 v10.0.', E_USER_DEPRECATED);

        // Empty, max hash count is hard coded to 1000

    }

}