Merge pull request #2917 from reflexxion/task/2916-pbkdf2

neos · Oct 8, 2022 · 894898c · 894898c
2 parents 72ec464 + 51c6e65
commit 894898c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 25 deletions.
diff --git a/Neos.Flow/Classes/Security/Cryptography/Algorithms.php b/Neos.Flow/Classes/Security/Cryptography/Algorithms.php
@@ -16,18 +16,13 @@
  *
  * Right now this class provides a PHP based PBKDF2 implementation.
  *
+ * @deprecated since 8.2, use PHPs `hash_pbkdf2`
  */
 class Algorithms
 {
     /**
      * Compute a derived key from a password based on PBKDF2
      *
-     * See PKCS #5 v2.0 http://tools.ietf.org/html/rfc2898 for implementation details.
-     * The implementation is tested with test vectors from http://tools.ietf.org/html/rfc6070 .
-     *
-     * If https://wiki.php.net/rfc/hash_pbkdf2 is ever part of PHP we should check for the
-     * existence of hash_pbkdf2() and use it if available.
-     *
      * @param string $password Input string / password
      * @param string $salt The salt
      * @param integer $iterationCount Hash iteration count
@@ -37,21 +32,6 @@ class Algorithms
      */
     public static function pbkdf2($password, $salt, $iterationCount, $derivedKeyLength, $algorithm = 'sha256')
     {
-        $hashLength = strlen(hash($algorithm, '', true));
-        $keyBlocksToCompute = ceil($derivedKeyLength / $hashLength);
-        $derivedKey = '';
-
-        for ($block = 1; $block <= $keyBlocksToCompute; $block++) {
-            $iteratedBlock = hash_hmac($algorithm, $salt . pack('N', $block), $password, true);
-
-            for ($iteration = 1, $iteratedHash = $iteratedBlock; $iteration < $iterationCount; $iteration++) {
-                $iteratedHash = hash_hmac($algorithm, $iteratedHash, $password, true);
-                $iteratedBlock ^= $iteratedHash;
-            }
-
-            $derivedKey .= $iteratedBlock;
-        }
-
-        return substr($derivedKey, 0, $derivedKeyLength);
+        return hash_pbkdf2($algorithm, $password, $salt, $iterationCount, $derivedKeyLength, true);
     }
 }
diff --git a/Neos.Flow/Classes/Security/Cryptography/Pbkdf2HashingStrategy.php b/Neos.Flow/Classes/Security/Cryptography/Pbkdf2HashingStrategy.php
@@ -12,7 +12,6 @@
  */
 
 use Neos\Flow\Utility\Algorithms as UtilityAlgorithms;
-use Neos\Flow\Security\Cryptography\Algorithms as CryptographyAlgorithms;
 
 /**
  * A PBKDF2 based password hashing strategy
@@ -71,7 +70,7 @@ public function __construct($dynamicSaltLength, $iterationCount, $derivedKeyLeng
     public function hashPassword($password, $staticSalt = null)
     {
         $dynamicSalt = UtilityAlgorithms::generateRandomBytes($this->dynamicSaltLength);
-        $result = CryptographyAlgorithms::pbkdf2($password, $dynamicSalt . $staticSalt, $this->iterationCount, $this->derivedKeyLength, $this->algorithm);
+        $result = hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $this->derivedKeyLength, true);
         return base64_encode($dynamicSalt) . ',' . base64_encode($result);
     }
 
@@ -94,6 +93,6 @@ public function validatePassword($password, $hashedPasswordAndSalt, $staticSalt
         $dynamicSalt = base64_decode($parts[0]);
         $derivedKey = base64_decode($parts[1]);
         $derivedKeyLength = strlen($derivedKey);
-        return $derivedKey === CryptographyAlgorithms::pbkdf2($password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, $this->algorithm);
+        return $derivedKey === hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, true);
     }
 }