Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
91.84% |
45 / 49 |
|
50.00% |
2 / 4 |
CRAP | |
0.00% |
0 / 1 |
EncryptedPassword | |
91.84% |
45 / 49 |
|
50.00% |
2 / 4 |
14.11 | |
0.00% |
0 / 1 |
getDelimiter | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getDefaultParams | |
100.00% |
4 / 4 |
|
100.00% |
1 / 1 |
1 | |||
crypt | |
94.74% |
18 / 19 |
|
0.00% |
0 / 1 |
6.01 | |||
update | |
88.00% |
22 / 25 |
|
0.00% |
0 / 1 |
6.06 |
1 | <?php |
2 | /** |
3 | * Implements the EncryptedPassword class for the MediaWiki software. |
4 | * |
5 | * This program is free software; you can redistribute it and/or modify |
6 | * it under the terms of the GNU General Public License as published by |
7 | * the Free Software Foundation; either version 2 of the License, or |
8 | * (at your option) any later version. |
9 | * |
10 | * This program is distributed in the hope that it will be useful, |
11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
13 | * GNU General Public License for more details. |
14 | * |
15 | * You should have received a copy of the GNU General Public License along |
16 | * with this program; if not, write to the Free Software Foundation, Inc., |
17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
18 | * http://www.gnu.org/copyleft/gpl.html |
19 | * |
20 | * @file |
21 | */ |
22 | |
23 | declare( strict_types = 1 ); |
24 | |
25 | /** |
26 | * Helper class for passwords that use another password hash underneath it |
27 | * and encrypts that hash with a configured secret. |
28 | * |
29 | * @since 1.24 |
30 | */ |
31 | class EncryptedPassword extends ParameterizedPassword { |
32 | protected function getDelimiter(): string { |
33 | return ':'; |
34 | } |
35 | |
36 | protected function getDefaultParams(): array { |
37 | return [ |
38 | 'cipher' => $this->config['cipher'], |
39 | 'secret' => count( $this->config['secrets'] ) - 1 |
40 | ]; |
41 | } |
42 | |
43 | public function crypt( string $password ): void { |
44 | $secret = $this->config['secrets'][$this->params['secret']]; |
45 | |
46 | // Clear error string |
47 | while ( openssl_error_string() !== false ); |
48 | |
49 | if ( $this->hash ) { |
50 | $decrypted = openssl_decrypt( |
51 | $this->hash, $this->params['cipher'], |
52 | $secret, 0, base64_decode( $this->args[0] ) ); |
53 | if ( $decrypted === false ) { |
54 | throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() ); |
55 | } |
56 | $underlyingPassword = $this->factory->newFromCiphertext( $decrypted ); |
57 | } else { |
58 | $underlyingPassword = $this->factory->newFromType( $this->config['underlying'] ); |
59 | } |
60 | |
61 | $underlyingPassword->crypt( $password ); |
62 | if ( count( $this->args ) ) { |
63 | $iv = base64_decode( $this->args[0] ); |
64 | } else { |
65 | $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) ); |
66 | } |
67 | |
68 | $this->hash = openssl_encrypt( |
69 | $underlyingPassword->toString(), $this->params['cipher'], $secret, 0, $iv ); |
70 | if ( $this->hash === false ) { |
71 | throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() ); |
72 | } |
73 | $this->args = [ base64_encode( $iv ) ]; |
74 | } |
75 | |
76 | /** |
77 | * Updates the underlying hash by encrypting it with the newest secret. |
78 | * |
79 | * @throws PasswordError If the configuration is not valid |
80 | * @return bool True if the password was updated |
81 | */ |
82 | public function update(): bool { |
83 | if ( count( $this->args ) != 1 || $this->params == $this->getDefaultParams() ) { |
84 | // Hash does not need updating |
85 | return false; |
86 | } |
87 | |
88 | // Clear error string |
89 | while ( openssl_error_string() !== false ); |
90 | |
91 | // Decrypt the underlying hash |
92 | $underlyingHash = openssl_decrypt( |
93 | $this->hash, |
94 | $this->params['cipher'], |
95 | $this->config['secrets'][$this->params['secret']], |
96 | 0, |
97 | base64_decode( $this->args[0] ) |
98 | ); |
99 | if ( $underlyingHash === false ) { |
100 | throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() ); |
101 | } |
102 | |
103 | // Reset the params |
104 | $this->params = $this->getDefaultParams(); |
105 | |
106 | // Check the key size with the new params |
107 | $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) ); |
108 | $this->hash = openssl_encrypt( |
109 | $underlyingHash, |
110 | $this->params['cipher'], |
111 | $this->config['secrets'][$this->params['secret']], |
112 | 0, |
113 | $iv |
114 | ); |
115 | if ( $this->hash === false ) { |
116 | throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() ); |
117 | } |
118 | |
119 | $this->args = [ base64_encode( $iv ) ]; |
120 | |
121 | return true; |
122 | } |
123 | } |