Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
90.32% |
56 / 62 |
|
40.00% |
2 / 5 |
CRAP | |
0.00% |
0 / 1 |
EncryptedPassword | |
91.80% |
56 / 61 |
|
40.00% |
2 / 5 |
17.16 | |
0.00% |
0 / 1 |
getDelimiter | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getDefaultParams | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
crypt | |
94.74% |
18 / 19 |
|
0.00% |
0 / 1 |
6.01 | |||
update | |
88.00% |
22 / 25 |
|
0.00% |
0 / 1 |
6.06 | |||
verify | |
91.67% |
11 / 12 |
|
0.00% |
0 / 1 |
3.01 |
1 | <?php |
2 | /** |
3 | * Implements the EncryptedPassword class for the MediaWiki software. |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation; either version 2 of the License, or |
8 | * (at your option) any later version. |
9 | * |
10 | * This program is distributed in the hope that it will be useful, |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | * GNU General Public License for more details. |
14 | * |
15 | * You should have received a copy of the GNU General Public License along |
16 | * with this program; if not, write to the Free Software Foundation, Inc., |
17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
18 | * http://www.gnu.org/copyleft/gpl.html |
19 | * |
20 | * @file |
21 | */ |
22 | |
23 | declare( strict_types = 1 ); |
24 | |
25 | namespace MediaWiki\Password; |
26 | |
27 | /** |
28 | * Helper class for passwords that use another password hash underneath it |
29 | * and encrypts that hash with a configured secret. |
30 | * |
31 | * @since 1.24 |
32 | */ |
33 | class EncryptedPassword extends ParameterizedPassword { |
34 | protected function getDelimiter(): string { |
35 | return ':'; |
36 | } |
37 | |
38 | protected function getDefaultParams(): array { |
39 | return [ |
40 | 'cipher' => $this->config['cipher'], |
41 | 'secret' => (string)( count( $this->config['secrets'] ) - 1 ) |
42 | ]; |
43 | } |
44 | |
45 | public function crypt( string $password ): void { |
46 | $secret = $this->config['secrets'][(int)$this->params['secret']]; |
47 | |
48 | // Clear error string |
49 | while ( openssl_error_string() !== false ); |
50 | |
51 | if ( $this->hash ) { |
52 | $decrypted = openssl_decrypt( |
53 | $this->hash, $this->params['cipher'], |
54 | $secret, 0, base64_decode( $this->args[0] ) ); |
55 | if ( $decrypted === false ) { |
56 | throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() ); |
57 | } |
58 | $underlyingPassword = $this->factory->newFromCiphertext( $decrypted ); |
59 | } else { |
60 | $underlyingPassword = $this->factory->newFromType( $this->config['underlying'] ); |
61 | } |
62 | |
63 | $underlyingPassword->crypt( $password ); |
64 | if ( count( $this->args ) ) { |
65 | $iv = base64_decode( $this->args[0] ); |
66 | } else { |
67 | $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) ); |
68 | } |
69 | |
70 | $this->hash = openssl_encrypt( |
71 | $underlyingPassword->toString(), $this->params['cipher'], $secret, 0, $iv ); |
72 | if ( $this->hash === false ) { |
73 | throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() ); |
74 | } |
75 | $this->args = [ base64_encode( $iv ) ]; |
76 | } |
77 | |
78 | /** |
79 | * Updates the underlying hash by encrypting it with the newest secret. |
80 | * |
81 | * @throws PasswordError If the configuration is not valid |
82 | * @return bool True if the password was updated |
83 | */ |
84 | public function update(): bool { |
85 | if ( count( $this->args ) != 1 || $this->params == $this->getDefaultParams() ) { |
86 | // Hash does not need updating |
87 | return false; |
88 | } |
89 | |
90 | // Clear error string |
91 | while ( openssl_error_string() !== false ); |
92 | |
93 | // Decrypt the underlying hash |
94 | $underlyingHash = openssl_decrypt( |
95 | $this->hash, |
96 | $this->params['cipher'], |
97 | $this->config['secrets'][(int)$this->params['secret']], |
98 | 0, |
99 | base64_decode( $this->args[0] ) |
100 | ); |
101 | if ( $underlyingHash === false ) { |
102 | throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() ); |
103 | } |
104 | |
105 | // Reset the params |
106 | $this->params = $this->getDefaultParams(); |
107 | |
108 | // Check the key size with the new params |
109 | $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) ); |
110 | $this->hash = openssl_encrypt( |
111 | $underlyingHash, |
112 | $this->params['cipher'], |
113 | $this->config['secrets'][(int)$this->params['secret']], |
114 | 0, |
115 | $iv |
116 | ); |
117 | if ( $this->hash === false ) { |
118 | throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() ); |
119 | } |
120 | |
121 | $this->args = [ base64_encode( $iv ) ]; |
122 | |
123 | return true; |
124 | } |
125 | |
126 | /** |
127 | * @inheritDoc |
128 | */ |
129 | public function verify( string $password ): bool { |
130 | // Clear error string |
131 | while ( openssl_error_string() !== false ); |
132 | |
133 | // Decrypt the underlying hash |
134 | $underlyingHash = openssl_decrypt( |
135 | $this->hash, |
136 | $this->params['cipher'], |
137 | $this->config['secrets'][(int)$this->params['secret']], |
138 | 0, |
139 | base64_decode( $this->args[0] ) |
140 | ); |
141 | if ( $underlyingHash === false ) { |
142 | throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() ); |
143 | } |
144 | |
145 | $storedPassword = $this->factory->newFromCiphertext( $underlyingHash ); |
146 | return $storedPassword->verify( $password ); |
147 | } |
148 | } |
149 | |
150 | /** @deprecated since 1.43 use MediaWiki\\Password\\EncryptedPassword */ |
151 | class_alias( EncryptedPassword::class, 'EncryptedPassword' ); |