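/**
 * Validate a password against a derived key (hashed password) and salt using PBKDF2.
 * Iteration count and algorithm have to match the parameters when generating the derived key.
 *
 * The stored value has the form "<base64 dynamic salt>,<base64 derived key>". The length of
 * the key to derive is taken from the stored derived key; the iteration count and algorithm
 * come from this instance. The comparison of the stored and the freshly derived key does not
 * stop at the first differing byte, so the time it takes does not reveal how many leading
 * bytes matched.
 *
 * @param string $password The cleartext password
 * @param string $hashedPasswordAndSalt The derived key and salt in Base64 encoding as returned by hashPassword for verification
 * @param string $staticSalt Static salt that will be appended to the dynamic salt
 * @return boolean TRUE if the given password matches the hashed password
 * @throws \InvalidArgumentException if the stored value does not consist of exactly two comma-separated parts
 */
public function validatePassword($password, $hashedPasswordAndSalt, $staticSalt = NULL) {
    $parts = explode(',', $hashedPasswordAndSalt);
    if (count($parts) !== 2) {
        throw new \InvalidArgumentException('The derived key with salt must contain a salt, separated with a comma from the derived key', 1306172911);
    }
    $dynamicSalt = base64_decode($parts[0]);
    $derivedKey = base64_decode($parts[1]);
    $derivedKeyLength = strlen($derivedKey);

    // An empty (or undecodable) stored key would request a zero-length derivation. What
    // pbkdf2() returns in that case is not visible here, so refuse outright instead of
    // risking a match between two empty strings.
    if ($derivedKeyLength === 0) {
        return FALSE;
    }

    $candidateKey = \TYPO3\FLOW3\Security\Cryptography\Algorithms::pbkdf2($password, $dynamicSalt . $staticSalt, $this->iterationCount, $derivedKeyLength, $this->algorithm);

    // Same outcome as the former strict comparison for non-strings and length mismatches.
    // The length is not secret: it is dictated by the stored value.
    if (!is_string($candidateKey) || strlen($candidateKey) !== $derivedKeyLength) {
        return FALSE;
    }

    // Constant-time comparison: accumulate the XOR of every byte pair instead of using ===,
    // which may return as soon as the first differing byte is found.
    $difference = 0;
    for ($i = 0; $i < $derivedKeyLength; $i++) {
        $difference |= ord($derivedKey[$i]) ^ ord($candidateKey[$i]);
    }
    return $difference === 0;
}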
/**
 * Checks Algorithms::pbkdf2() with SHA-1 against the vectors supplied by the data provider.
 *
 * The expected output is given as a hex string. It is packed to binary and unpacked again so
 * that the expected and the actual value pass through the same unpack('H*', ...) call and are
 * compared in the same representation (the array that unpack() returns).
 *
 * @test
 * @dataProvider pbkdf2TestVectors
 */
public function pbkdf2TestVectorsAreCorrect($password, $salt, $iterationCount, $derivedKeyLength, $output) {
    $actualDerivedKey = \TYPO3\FLOW3\Security\Cryptography\Algorithms::pbkdf2(
        $password,
        $salt,
        $iterationCount,
        $derivedKeyLength,
        'sha1'
    );

    // Round-trip the expected hex string through pack()/unpack() to normalise it.
    $expectedHex = unpack('H*', pack('H*', $output));
    $actualHex = unpack('H*', $actualDerivedKey);

    $this->assertEquals($expectedHex, $actualHex);
}