33 return $oathUser && $oathUser->getKey();
60 return json_decode( self::unseal( $ciphertext,
$keys[
'encrypt'],
$keys[
'hmac'] ),
true );
82 $keymats = hash_pbkdf2(
'sha256', $secret,
"oath-$userid", 10001, 64,
true );
84 'encrypt' => substr( $keymats, 0, 32 ),
85 'hmac' => substr( $keymats, 32, 32 ),
97 private static function seal( $data, $encKey, $hmacKey ) {
99 $ciphertext = openssl_encrypt(
106 $sealed = base64_encode( $iv ) .
'.' . base64_encode( $ciphertext );
107 $hmac = hash_hmac(
'sha256', $sealed, $hmacKey,
true );
108 return base64_encode( $hmac ) .
'.' . $sealed;
120 private static function unseal( $encrypted, $encKey, $hmacKey ) {
121 $pieces = explode(
'.', $encrypted );
122 if ( count( $pieces ) !== 3 ) {
123 throw new InvalidArgumentException(
'Invalid sealed-secret format' );
126 list( $hmac, $iv, $ciphertext ) = $pieces;
127 $integCalc = hash_hmac(
'sha256', $iv .
'.' . $ciphertext, $hmacKey,
true );
128 if ( !hash_equals( $integCalc, base64_decode( $hmac ) ) ) {
129 throw new Exception(
'Sealed secret has been tampered with, aborting.' );
132 return openssl_decrypt(
133 base64_decode( $ciphertext ),
$wgSecretKey
This should always be customised in LocalSettings.php.
static generate( $bytes, $forceStrong=false)
Generate a run of (ideally) cryptographically random data and return it in raw binary form.
static getOATHUserRepository()
Get the singleton OATH user repository.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Ge...
static encryptSessionData(array $plaintextVars, $userId)
Encrypt an aray of variables to put into the user's session.
static seal( $data, $encKey, $hmacKey)
Actually encrypt the data, using a new random IV, and prepend the hmac of the encrypted data + IV,...
static getUserKeys( $secret, $userid)
Generate encryption and hmac keys, unique to this user, based on a single wiki secret.
static getKeyMaterials()
Get the base secret for this wiki, used to derive all of the encryption keys.
static unseal( $encrypted, $encKey, $hmacKey)
Decrypt data sealed using seal().
static decryptSessionData( $ciphertext, $userId)
Decrypt an encrypted packet, generated with encryptSessionData.
static isEnabledFor(User $user)
Check whether OATH two-factor authentication is enabled for a given user.
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
deferred txt A few of the database updates required by various functions here can be deferred until after the result page is displayed to the user For updating the view updating the linked to tables after a etc PHP does not yet have any way to tell the server to actually return and disconnect while still running these but it might have such a feature in the future We handle these by creating a deferred update object and putting those objects on a global list