Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
| Total | |
77.78% |
7 / 9 |
|
50.00% |
1 / 2 |
CRAP | |
0.00% |
0 / 1 |
| Pbkdf2PasswordUsingOpenSSL | |
87.50% |
7 / 8 |
|
50.00% |
1 / 2 |
5.05 | |
0.00% |
0 / 1 |
| getDigestAlgo | |
100.00% |
3 / 3 |
|
100.00% |
1 / 1 |
2 | |||
| pbkdf2 | |
80.00% |
4 / 5 |
|
0.00% |
0 / 1 |
3.07 | |||
| 1 | <?php |
| 2 | /** |
| 3 | * Implements the Pbkdf2PasswordUsingOpenSSL class for the MediaWiki software. |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License as published by |
| 7 | * the Free Software Foundation; either version 2 of the License, or |
| 8 | * (at your option) any later version. |
| 9 | * |
| 10 | * This program is distributed in the hope that it will be useful, |
| 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 13 | * GNU General Public License for more details. |
| 14 | * |
| 15 | * You should have received a copy of the GNU General Public License along |
| 16 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 18 | * http://www.gnu.org/copyleft/gpl.html |
| 19 | * |
| 20 | * @file |
| 21 | */ |
| 22 | |
| 23 | declare( strict_types = 1 ); |
| 24 | |
| 25 | namespace MediaWiki\Password; |
| 26 | |
| 27 | /** |
| 28 | * A PBKDF2-hashed password, using OpenSSL |
| 29 | * |
| 30 | * @since 1.40 |
| 31 | */ |
| 32 | class Pbkdf2PasswordUsingOpenSSL extends AbstractPbkdf2Password { |
| 33 | /** |
| 34 | * @var array<string, string> |
| 35 | */ |
| 36 | private static $digestAlgos; |
| 37 | |
| 38 | /** |
| 39 | * List of hash algorithms we support and OpenSSL's names for them. |
| 40 | * |
| 41 | * We include only the algorithms that make sense to support, rather than |
| 42 | * all potentially available algorithms. In particular, we do not include: |
| 43 | * |
| 44 | * - Broken algorithms, such as "md5" and "sha1" |
| 45 | * - Algorithms no longer available by default, such as "whirlpool" |
| 46 | * - Algorithms that perform especially poorly on server CPUs relative |
| 47 | * to other available hardware (as of 2022, this includes "sha3-512"; |
| 48 | * see <https://keccak.team/2017/is_sha3_slow.html>) |
| 49 | * - Variants for which there is no reason for use, such as "sha384" |
| 50 | * (a truncated "sha512" that starts with a different initial state) |
| 51 | * |
| 52 | * The array keys should match the algorithm names known to hash_pbkdf2(). |
| 53 | */ |
| 54 | private const DIGEST_ALGOS = [ |
| 55 | 'sha256' => 'sha256', |
| 56 | 'sha512' => 'sha512', |
| 57 | ]; |
| 58 | |
| 59 | protected function getDigestAlgo( string $algo ): ?string { |
| 60 | if ( !isset( self::$digestAlgos ) ) { |
| 61 | self::$digestAlgos = array_intersect( self::DIGEST_ALGOS, openssl_get_md_methods() ); |
| 62 | } |
| 63 | return self::$digestAlgos[$algo] ?? null; |
| 64 | } |
| 65 | |
| 66 | protected function pbkdf2( |
| 67 | string $digestAlgo, |
| 68 | string $password, |
| 69 | string $salt, |
| 70 | int $rounds, |
| 71 | int $length |
| 72 | ): string { |
| 73 | // Clear error string |
| 74 | while ( openssl_error_string() !== false ); |
| 75 | $hash = openssl_pbkdf2( $password, $salt, $length, $rounds, $digestAlgo ); |
| 76 | if ( !is_string( $hash ) ) { |
| 77 | throw new PasswordError( 'Error when hashing password: ' . openssl_error_string() ); |
| 78 | } |
| 79 | return $hash; |
| 80 | } |
| 81 | } |
| 82 | |
| 83 | /** @deprecated since 1.43 use MediaWiki\\Password\\Pbkdf2PasswordUsingOpenSSL */ |
| 84 | class_alias( Pbkdf2PasswordUsingOpenSSL::class, 'Pbkdf2PasswordUsingOpenSSL' ); |