NEW Add password hasher for pbkdf2_sha512 (#11644)

Author: GuySartorelli

_config/encryptors.yml

@@ -11,5 +11,7 @@ name: coreencryptors
       'SilverStripe\Security\PasswordEncryptor_PHPHash': md5
     sha1_v2.4:
       'SilverStripe\Security\PasswordEncryptor_PHPHash': sha1
+    pbkdf2_sha512:
+      'SilverStripe\Security\PasswordEncryptorPBKDF2': sha512
     blowfish:
       'SilverStripe\Security\PasswordEncryptor_Blowfish':

src/Security/PasswordEncryptorPBKDF2.php

@@ -0,0 +1,65 @@
+<?php
+
+namespace SilverStripe\Security;
+
+use RuntimeException;
+
+/**
+ * Provides Password-Based Key Derivation Function hashing for passwords, using the provided algorithm (default
+ * is SHA512), which is NZISM compliant under version 3.2 section 17.2.
+ */
+class PasswordEncryptorPBKDF2 extends PasswordEncryptor
+{
+    private string $algorithm = 'sha512';
+
+    /**
+     * The number of internal iterations for hash_pbkdf2() to perform for the derivation. Please note that if you
+     * change this from the default value you will break existing hashes stored in the database, so these would
+     * need to be regenerated.
+     */
+    private int $iterations = 30000;
+
+    /**
+     * @throws RuntimeException If the provided algorithm is not available in the current environment
+     */
+    public function __construct(string $algorithm, ?int $iterations = null)
+    {
+        if (!in_array($algorithm, hash_hmac_algos())) {
+            throw new RuntimeException(
+                sprintf('Hash algorithm "%s" not found in hash_hmac_algos()', $algorithm)
+            );
+        }
+
+        $this->algorithm = $algorithm;
+
+        if ($iterations !== null) {
+            $this->iterations = $iterations;
+        }
+    }
+
+    /**
+     * Get the name of the algorithm that will be used to hash the password
+     */
+    public function getAlgorithm(): string
+    {
+        return $this->algorithm;
+    }
+
+    /**
+     * Get the number of iterations that will be used to hash the password
+     */
+    public function getIterations(): int
+    {
+        return $this->iterations;
+    }
+
+    public function encrypt($password, $salt = null, $member = null)
+    {
+        return hash_pbkdf2(
+            $this->getAlgorithm() ?? '',
+            (string) $password,
+            (string) $salt,
+            $this->getIterations() ?? 0
+        );
+    }
+}

tests/php/Security/PasswordEncryptorPBKDF2Test.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace SilverStripe\Security\Tests;
+
+use League\Flysystem\Exception;
+use SilverStripe\Dev\SapphireTest;
+use SilverStripe\Security\PasswordEncryptorPBKDF2;
+
+class PasswordEncryptorPBKDF2Test extends SapphireTest
+{
+    public function testGetIterations()
+    {
+        $encryptor = new PasswordEncryptorPBKDF2('sha512', 12345);
+        $this->assertSame(12345, $encryptor->getIterations());
+    }
+
+    public function testEncrypt()
+    {
+        $encryptor = new PasswordEncryptorPBKDF2('sha512', 10000);
+        $salt = 'predictablesaltforunittesting';
+        $result = $encryptor->encrypt('opensesame', $salt);
+        $this->assertSame(
+            '6bafcacb90',
+            substr($result ?? '', 0, 10),
+            'Hashed password with predictable salt did not match fixtured expectation'
+        );
+    }
+
+    public function testThrowsExceptionWhenInvalidAlgorithmIsProvided()
+    {
+        $this->expectException(\Exception::class);
+        $this->expectExceptionMessage('Hash algorithm "foobar" not found in hash_hmac_algos()');
+        new PasswordEncryptorPBKDF2('foobar');
+    }
+}