MediaWiki REL1_31
OATHAuthUtils.php
Go to the documentation of this file.
1<?php
31 public static function isEnabledFor( User $user ) {
32 $oathUser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );
33 return $oathUser && $oathUser->getKey();
34 }
35
45 public static function encryptSessionData( array $plaintextVars, $userId ) {
46 $keyMaterial = self::getKeyMaterials();
47 $keys = self::getUserKeys( $keyMaterial, $userId );
48 return self::seal( json_encode( $plaintextVars ), $keys['encrypt'], $keys['hmac'] );
49 }
50
57 public static function decryptSessionData( $ciphertext, $userId ) {
58 $keyMaterial = self::getKeyMaterials();
59 $keys = self::getUserKeys( $keyMaterial, $userId );
60 return json_decode( self::unseal( $ciphertext, $keys['encrypt'], $keys['hmac'] ), true );
61 }
62
69 private static function getKeyMaterials() {
70 global $wgOATHAuthSecret, $wgSecretKey;
71 return $wgOATHAuthSecret ?: $wgSecretKey;
72 }
73
81 private static function getUserKeys( $secret, $userid ) {
82 $keymats = hash_pbkdf2( 'sha256', $secret, "oath-$userid", 10001, 64, true );
83 return [
84 'encrypt' => substr( $keymats, 0, 32 ),
85 'hmac' => substr( $keymats, 32, 32 ),
86 ];
87 }
88
97 private static function seal( $data, $encKey, $hmacKey ) {
98 $iv = MWCryptRand::generate( 16, true );
99 $ciphertext = openssl_encrypt(
100 $data,
101 'aes-256-ctr',
102 $encKey,
103 OPENSSL_RAW_DATA,
104 $iv
105 );
106 $sealed = base64_encode( $iv ) . '.' . base64_encode( $ciphertext );
107 $hmac = hash_hmac( 'sha256', $sealed, $hmacKey, true );
108 return base64_encode( $hmac ) . '.' . $sealed;
109 }
110
120 private static function unseal( $encrypted, $encKey, $hmacKey ) {
121 $pieces = explode( '.', $encrypted );
122 if ( count( $pieces ) !== 3 ) {
123 throw new InvalidArgumentException( 'Invalid sealed-secret format' );
124 }
125
126 list( $hmac, $iv, $ciphertext ) = $pieces;
127 $integCalc = hash_hmac( 'sha256', $iv . '.' . $ciphertext, $hmacKey, true );
128 if ( !hash_equals( $integCalc, base64_decode( $hmac ) ) ) {
129 throw new Exception( 'Sealed secret has been tampered with, aborting.' );
130 }
131
132 return openssl_decrypt(
133 base64_decode( $ciphertext ),
134 'aes-256-ctr',
135 $encKey,
136 OPENSSL_RAW_DATA,
137 base64_decode( $iv )
138 );
139 }
140
141}
$wgSecretKey
This should always be customised in LocalSettings.php.
static generate( $bytes, $forceStrong=false)
Generate a run of (ideally) cryptographically random data and return it in raw binary form.
static getOATHUserRepository()
Get the singleton OATH user repository.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Ge...
static encryptSessionData(array $plaintextVars, $userId)
Encrypt an aray of variables to put into the user's session.
static seal( $data, $encKey, $hmacKey)
Actually encrypt the data, using a new random IV, and prepend the hmac of the encrypted data + IV,...
static getUserKeys( $secret, $userid)
Generate encryption and hmac keys, unique to this user, based on a single wiki secret.
static getKeyMaterials()
Get the base secret for this wiki, used to derive all of the encryption keys.
static unseal( $encrypted, $encKey, $hmacKey)
Decrypt data sealed using seal().
static decryptSessionData( $ciphertext, $userId)
Decrypt an encrypted packet, generated with encryptSessionData.
static isEnabledFor(User $user)
Check whether OATH two-factor authentication is enabled for a given user.
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:53
deferred txt A few of the database updates required by various functions here can be deferred until after the result page is displayed to the user For updating the view updating the linked to tables after a etc PHP does not yet have any way to tell the server to actually return and disconnect while still running these but it might have such a feature in the future We handle these by creating a deferred update object and putting those objects on a global list
Definition deferred.txt:11