Pbkdf2Salt.php

Go to the documentation of this file.

<?php
namespace TYPO3\CMS\Saltedpasswords\Salt;

/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */

use TYPO3\CMS\Core\Crypto\Random;
use TYPO3\CMS\Core\Utility\GeneralUtility;

class Pbkdf2Salt extends AbstractSalt implements SaltInterface
{
    const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

    const HASH_COUNT = 25000;

    const MAX_HASH_COUNT = 10000000;

    const MIN_HASH_COUNT = 1000;

    protected static $hashCount;

    protected static $maxHashCount;

    protected static $minHashCount;

    protected static $saltLengthPbkdf2 = 16;

    protected static $settingPbkdf2 = '$pbkdf2-sha256$';

    protected function applySettingsToSalt($salt)
    {
        $saltWithSettings = $salt;
        // salt without setting
        if (strlen($salt) === $this->getSaltLength()) {
            $saltWithSettings = $this->getSetting() . sprintf('%02u', $this->getHashCount()) . '$' . $this->base64Encode($salt, $this->getSaltLength());
        }
        return $saltWithSettings;
    }

    public function checkPassword($plainPW, $saltedHashPW)
    {
        return $this->isValidSalt($saltedHashPW) && hash_equals($this->getHashedPassword($plainPW, $saltedHashPW), $saltedHashPW);
    }

    protected function getIterationCount($setting)
    {
        $iterationCount = null;
        $setting = substr($setting, strlen($this->getSetting()));
        $firstSplitPos = strpos($setting, '$');
        // Hashcount existing
        if ($firstSplitPos !== false
            && $firstSplitPos <= strlen((string)$this->getMaxHashCount())
            && is_numeric(substr($setting, 0, $firstSplitPos))
        ) {
            $iterationCount = (int)substr($setting, 0, $firstSplitPos);
        }
        return $iterationCount;
    }

    protected function getGeneratedSalt()
    {
        return GeneralUtility::makeInstance(Random::class)->generateRandomBytes($this->getSaltLength());
    }

    protected function getStoredSalt($salt)
    {
        if (!strncmp('$', $salt, 1)) {
            if (!strncmp($this->getSetting(), $salt, strlen($this->getSetting()))) {
                $saltParts = GeneralUtility::trimExplode('$', $salt, 4);
                $salt = $saltParts[2];
            }
        }
        return $this->base64Decode($salt);
    }

    protected function getItoa64()
    {
        return self::ITOA64;
    }

    public function getHashedPassword($password, $salt = null)
    {
        $saltedPW = null;
        if ($password !== '') {
            if (empty($salt) || !$this->isValidSalt($salt)) {
                $salt = $this->getGeneratedSalt();
            } else {
                $this->setHashCount($this->getIterationCount($salt));
                $salt = $this->getStoredSalt($salt);
            }
            $hash = hash_pbkdf2('sha256', $password, $salt, $this->getHashCount(), 0, true);
            $saltedPW = $this->applySettingsToSalt($salt) . '$' . $this->base64Encode($hash, strlen($hash));
        }
        return $saltedPW;
    }

    public function getHashCount()
    {
        return isset(self::$hashCount) ? self::$hashCount : self::HASH_COUNT;
    }

    public function getMaxHashCount()
    {
        return isset(self::$maxHashCount) ? self::$maxHashCount : self::MAX_HASH_COUNT;
    }

    public function isAvailable()
    {
        return function_exists('hash_pbkdf2');
    }

    public function getMinHashCount()
    {
        return isset(self::$minHashCount) ? self::$minHashCount : self::MIN_HASH_COUNT;
    }

    public function getSaltLength()
    {
        return self::$saltLengthPbkdf2;
    }

    public function getSetting()
    {
        return self::$settingPbkdf2;
    }

    public function isHashUpdateNeeded($saltedPW)
    {
        // Check whether this was an updated password.
        if (strncmp($saltedPW, $this->getSetting(), strlen($this->getSetting())) || !$this->isValidSalt($saltedPW)) {
            return true;
        }
        // Check whether the iteration count used differs from the standard number.
        $iterationCount = $this->getIterationCount($saltedPW);
        return !is_null($iterationCount) && $iterationCount < $this->getHashCount();
    }

    public function isValidSalt($salt)
    {
        $isValid = ($skip = false);
        $reqLenBase64 = $this->getLengthBase64FromBytes($this->getSaltLength());
        if (strlen($salt) >= $reqLenBase64) {
            // Salt with prefixed setting
            if (!strncmp('$', $salt, 1)) {
                if (!strncmp($this->getSetting(), $salt, strlen($this->getSetting()))) {
                    $isValid = true;
                    $salt = substr($salt, strrpos($salt, '$') + 1);
                } else {
                    $skip = true;
                }
            }
            // Checking base64 characters
            if (!$skip && strlen($salt) >= $reqLenBase64) {
                if (preg_match('/^[' . preg_quote($this->getItoa64(), '/') . ']{' . $reqLenBase64 . ',' . $reqLenBase64 . '}$/', substr($salt, 0, $reqLenBase64))) {
                    $isValid = true;
                }
            }
        }
        return $isValid;
    }

    public function isValidSaltedPW($saltedPW)
    {
        $isValid = !strncmp($this->getSetting(), $saltedPW, strlen($this->getSetting()));
        if ($isValid) {
            $isValid = $this->isValidSalt($saltedPW);
        }
        return $isValid;
    }

    public function setHashCount($hashCount = null)
    {
        self::$hashCount = !is_null($hashCount) && is_int($hashCount) && $hashCount >= $this->getMinHashCount() && $hashCount <= $this->getMaxHashCount() ? $hashCount : self::HASH_COUNT;
    }

    public function setMaxHashCount($maxHashCount = null)
    {
        self::$maxHashCount = !is_null($maxHashCount) && is_int($maxHashCount) ? $maxHashCount : self::MAX_HASH_COUNT;
    }

    public function setMinHashCount($minHashCount = null)
    {
        self::$minHashCount = !is_null($minHashCount) && is_int($minHashCount) ? $minHashCount : self::MIN_HASH_COUNT;
    }

    public function base64Encode($input, $count)
    {
        $input = substr($input, 0, $count);
        return rtrim(str_replace('+', '.', base64_encode($input)), " =\r\n\t\0\x0B");
    }

    public function base64Decode($value)
    {
        return base64_decode(str_replace('.', '+', $value));
    }
}