-
-
Notifications
You must be signed in to change notification settings - Fork 188
/
Pbkdf2HashingStrategy.php
96 lines (86 loc) · 3.76 KB
/
Pbkdf2HashingStrategy.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
<?php
declare(strict_types=1);
namespace Neos\Flow\Security\Cryptography;
/*
* This file is part of the Neos.Flow package.
*
* (c) Contributors of the Neos Project - www.neos.io
*
* This package is Open Source Software. For the full copyright and license
* information, please view the LICENSE file which was distributed with this
* source code.
*/
use Neos\Flow\Utility\Algorithms as UtilityAlgorithms;
/**
* A PBKDF2 based password hashing strategy
*
*/
class Pbkdf2HashingStrategy implements PasswordHashingStrategyInterface
{
/**
* Length of the dynamic random salt to generate in bytes
*/
protected int $dynamicSaltLength;
/**
* Hash iteration count, high counts (>10.000) make brute-force attacks unfeasible
*/
protected int $iterationCount;
/**
* Derived key length
*/
protected int $derivedKeyLength;
/**
* Hash algorithm to use, see hash_algos()
*/
protected string $algorithm;
/**
* Construct a PBKDF2 hashing strategy with the given parameters
*
* @param integer $dynamicSaltLength Length of the dynamic random salt to generate in bytes
* @param integer $iterationCount Hash iteration count, high counts (>10.000) make brute-force attacks unfeasible
* @param integer $derivedKeyLength Derived key length
* @param string $algorithm Hash algorithm to use, see hash_algos()
*/
public function __construct(int $dynamicSaltLength, int $iterationCount, int $derivedKeyLength, string $algorithm)
{
$this->dynamicSaltLength = $dynamicSaltLength;
$this->iterationCount = $iterationCount;
$this->derivedKeyLength = $derivedKeyLength;
$this->algorithm = $algorithm;
}
/**
* Hash a password for storage using PBKDF2 and the configured parameters.
* Will use a combination of a random dynamic salt and the given static salt.
*
* @param string $password Cleartext password that should be hashed
* @param string|null $staticSalt Static salt that will be appended to the random dynamic salt
* @return string A Base64 encoded string with the derived key (hashed password) and dynamic salt
*/
public function hashPassword($password, $staticSalt = null)
{
$dynamicSalt = UtilityAlgorithms::generateRandomBytes($this->dynamicSaltLength);
$result = hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $this->derivedKeyLength, true);
return base64_encode($dynamicSalt) . ',' . base64_encode($result);
}
/**
* Validate a password against a derived key (hashed password) and salt using PBKDF2.
* Iteration count and algorithm have to match the parameters when generating the derived key.
*
* @param string $password The cleartext password
* @param string $hashedPasswordAndSalt The derived key and salt in Base64 encoding as returned by hashPassword for verification
* @param string|null $staticSalt Static salt that will be appended to the dynamic salt
* @return bool true if the given password matches the hashed password
* @throws \InvalidArgumentException
*/
public function validatePassword($password, $hashedPasswordAndSalt, $staticSalt = null)
{
$parts = explode(',', $hashedPasswordAndSalt);
if (count($parts) !== 2) {
throw new \InvalidArgumentException('The derived key with salt must contain a salt, separated with a comma from the derived key', 1306172911);
}
$dynamicSalt = base64_decode($parts[0]);
$derivedKey = base64_decode($parts[1]);
$derivedKeyLength = strlen($derivedKey);
return $derivedKey === hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, true);
}
}