Merge pull request neos#2917 from reflexxion/task/2916-pbkdf2
kdambekalns authored Oct 8, 2022
2 parents 72ec464 + 51c6e65 commit 894898c
Showing 2 changed files with 4 additions and 25 deletions.
24 changes: 2 additions & 22 deletions Neos.Flow/Classes/Security/Cryptography/Algorithms.php
Expand Up @@ -16,18 +16,13 @@
*
* Right now this class provides a PHP based PBKDF2 implementation.
*
* @deprecated since 8.2, use PHPs `hash_pbkdf2`
*/
class Algorithms
{
/**
* Compute a derived key from a password based on PBKDF2
*
* See PKCS #5 v2.0 http://tools.ietf.org/html/rfc2898 for implementation details.
* The implementation is tested with test vectors from http://tools.ietf.org/html/rfc6070 .
*
* If https://wiki.php.net/rfc/hash_pbkdf2 is ever part of PHP we should check for the
* existence of hash_pbkdf2() and use it if available.
*
* @param string $password Input string / password
* @param string $salt The salt
* @param integer $iterationCount Hash iteration count
Expand All @@ -37,21 +32,6 @@ class Algorithms
*/
public static function pbkdf2($password, $salt, $iterationCount, $derivedKeyLength, $algorithm = 'sha256')
{
$hashLength = strlen(hash($algorithm, '', true));
$keyBlocksToCompute = ceil($derivedKeyLength / $hashLength);
$derivedKey = '';

for ($block = 1; $block <= $keyBlocksToCompute; $block++) {
$iteratedBlock = hash_hmac($algorithm, $salt . pack('N', $block), $password, true);

for ($iteration = 1, $iteratedHash = $iteratedBlock; $iteration < $iterationCount; $iteration++) {
$iteratedHash = hash_hmac($algorithm, $iteratedHash, $password, true);
$iteratedBlock ^= $iteratedHash;
}

$derivedKey .= $iteratedBlock;
}

return substr($derivedKey, 0, $derivedKeyLength);
return hash_pbkdf2($algorithm, $password, $salt, $iterationCount, $derivedKeyLength, true);
}
}
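Review bot: The docblock of `pbkdf2()` does not mention that delegating to `hash_pbkdf2` changes two edge cases compared with the removed loop. With `$derivedKeyLength` of 0 the old code produced an empty key, whereas `hash_pbkdf2` treats 0 as "return the entire output of the algorithm"; with `$iterationCount` of 0 or less the old loop silently performed a single round, whereas `hash_pbkdf2` rejects the value (a ValueError on PHP 8). Both outcomes are stricter, but callers of this deprecated wrapper should be told, for example with a docblock line such as `* Note: $iterationCount must be greater than 0; a $derivedKeyLength of 0 yields the full hash output (hash_pbkdf2 semantics).` The docblock begins outside the visible hunk, so its remaining text was not reviewed.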
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@
*/

use Neos\Flow\Utility\Algorithms as UtilityAlgorithms;
use Neos\Flow\Security\Cryptography\Algorithms as CryptographyAlgorithms;

/**
* A PBKDF2 based password hashing strategy
Expand Down Expand Up @@ -71,7 +70,7 @@ public function __construct($dynamicSaltLength, $iterationCount, $derivedKeyLeng
public function hashPassword($password, $staticSalt = null)
{
$dynamicSalt = UtilityAlgorithms::generateRandomBytes($this->dynamicSaltLength);
$result = CryptographyAlgorithms::pbkdf2($password, $dynamicSalt . $staticSalt, $this->iterationCount, $this->derivedKeyLength, $this->algorithm);
$result = hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $this->derivedKeyLength, true);
return base64_encode($dynamicSalt) . ',' . base64_encode($result);
}

Expand All @@ -94,6 +93,6 @@ public function validatePassword($password, $hashedPasswordAndSalt, $staticSalt
$dynamicSalt = base64_decode($parts[0]);
$derivedKey = base64_decode($parts[1]);
$derivedKeyLength = strlen($derivedKey);
return $derivedKey === CryptographyAlgorithms::pbkdf2($password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, $this->algorithm);
return $derivedKey === hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, true);
}
}
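Review bot: `validatePassword` still compares the stored key with the recomputed one using `===`, which is not a constant-time comparison; since the line is being rewritten anyway, it could become `return hash_equals($derivedKey, hash_pbkdf2($this->algorithm, $password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, true));`. The output length is taken from the stored value (`strlen($derivedKey)`), so a record whose second part decodes to an empty string now makes `hash_pbkdf2` return a full-length digest and the check fails, which is the safer outcome. An explicit guard such as `if ($derivedKeyLength === 0) { return false; }` before the comparison would make that intent visible instead of leaving it to the length-0 semantics of `hash_pbkdf2`. The function starts outside the hunk, so the parsing and validation of `$parts` was not reviewed.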
