MediaWiki  1.33.0
Static Public Member Functions | Static Private Member Functions | List of all members
OATHAuthUtils Class Reference

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. More...

Static Public Member Functions

static decryptSessionData ( $ciphertext, $userId)
 Decrypt an encrypted packet, generated with encryptSessionData. More...
 
static encryptSessionData (array $plaintextVars, $userId)
 Encrypt an aray of variables to put into the user's session. More...
 
static isEnabledFor (User $user)
 Check whether OATH two-factor authentication is enabled for a given user. More...
 

Static Private Member Functions

static getKeyMaterials ()
 Get the base secret for this wiki, used to derive all of the encryption keys. More...
 
static getUserKeys ( $secret, $userid)
 Generate encryption and hmac keys, unique to this user, based on a single wiki secret. More...
 
static seal ( $data, $encKey, $hmacKey)
 Actually encrypt the data, using a new random IV, and prepend the hmac of the encrypted data + IV, using a separate hmac key. More...
 
static unseal ( $encrypted, $encKey, $hmacKey)
 Decrypt data sealed using seal(). More...
 

Detailed Description

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. http://www.gnu.org/copyleft/gpl.html Utility class for various OATH functions

Definition at line 24 of file OATHAuthUtils.php.

Member Function Documentation

◆ decryptSessionData()

static OATHAuthUtils::decryptSessionData (   $ciphertext,
  $userId 
)
static

Decrypt an encrypted packet, generated with encryptSessionData.

Parameters
string$ciphertextEncrypted data packet
string | int$userId
Returns
array of strings

Definition at line 57 of file OATHAuthUtils.php.

References $keys, getKeyMaterials(), and getUserKeys().

◆ encryptSessionData()

static OATHAuthUtils::encryptSessionData ( array  $plaintextVars,
  $userId 
)
static

Encrypt an aray of variables to put into the user's session.

We use this when storing the user's password in their session. We can use json as the serialization format because $plaintextVars is an array of strings.

Parameters
array$plaintextVarsarray of user input strings
int$userIdpassed to key derivation functions so each user uses distinct encryption and hmac keys
Returns
string encrypted data packet

Definition at line 45 of file OATHAuthUtils.php.

References $keys, getKeyMaterials(), getUserKeys(), and seal().

◆ getKeyMaterials()

static OATHAuthUtils::getKeyMaterials ( )
staticprivate

Get the base secret for this wiki, used to derive all of the encryption keys.

When $wgOATHAuthSecret is rotated, users who are part way through the two-step login will get an exception, and have to re-start the login.

Returns
string

Definition at line 69 of file OATHAuthUtils.php.

References $wgSecretKey.

Referenced by decryptSessionData(), and encryptSessionData().

◆ getUserKeys()

static OATHAuthUtils::getUserKeys (   $secret,
  $userid 
)
staticprivate

Generate encryption and hmac keys, unique to this user, based on a single wiki secret.

Use a moderate pbkdf2 work factor in case we ever leak keys.

Parameters
string$secret
string | int$userid
Returns
array including key for encryption and integrity checking

Definition at line 81 of file OATHAuthUtils.php.

Referenced by decryptSessionData(), and encryptSessionData().

◆ isEnabledFor()

static OATHAuthUtils::isEnabledFor ( User  $user)
static

Check whether OATH two-factor authentication is enabled for a given user.

This is a stable method that does not change and can be used in other extensions.

Parameters
User$user
Returns
bool

Definition at line 31 of file OATHAuthUtils.php.

References $user, and OATHAuthHooks\getOATHUserRepository().

◆ seal()

static OATHAuthUtils::seal (   $data,
  $encKey,
  $hmacKey 
)
staticprivate

Actually encrypt the data, using a new random IV, and prepend the hmac of the encrypted data + IV, using a separate hmac key.

Parameters
string$data
string$encKey
string$hmacKey
Returns
string $hmac.$iv.$ciphertext, each component b64 encoded

Definition at line 97 of file OATHAuthUtils.php.

References $data.

Referenced by encryptSessionData().

◆ unseal()

static OATHAuthUtils::unseal (   $encrypted,
  $encKey,
  $hmacKey 
)
staticprivate

Decrypt data sealed using seal().

First checks the hmac to prevent various attacks.

Parameters
string$encrypted
string$encKey
string$hmacKey
Returns
string plaintext
Exceptions
Exception

Definition at line 120 of file OATHAuthUtils.php.

References captcha-old\count, and list.

The documentation for this class was generated from the following file: