REL1_32/php/OATHAuthUtils_8php_source.html

<?php


class OATHAuthUtils {


    public static function isEnabledFor( User $user ) {

        $oathUser = OATHAuthHooks::getOATHUserRepository()->findByUser( $user );

        return $oathUser && $oathUser->getKey();

    }


    public static function encryptSessionData( array $plaintextVars, $userId ) {

        $keyMaterial = self::getKeyMaterials();

        $keys = self::getUserKeys( $keyMaterial, $userId );

        return self::seal( json_encode( $plaintextVars ), $keys['encrypt'], $keys['hmac'] );

    }


    public static function decryptSessionData( $ciphertext, $userId ) {

        $keyMaterial = self::getKeyMaterials();

        $keys = self::getUserKeys( $keyMaterial, $userId );

        return json_decode( self::unseal( $ciphertext, $keys['encrypt'], $keys['hmac'] ), true );

    }


    private static function getKeyMaterials() {

        global $wgOATHAuthSecret, $wgSecretKey;

        return $wgOATHAuthSecret ?: $wgSecretKey;

    }


    private static function getUserKeys( $secret, $userid ) {

        $keymats = hash_pbkdf2( 'sha256', $secret, "oath-$userid", 10001, 64, true );

        return [

            'encrypt' => substr( $keymats, 0, 32 ),

            'hmac' => substr( $keymats, 32, 32 ),

        ];

    }


    private static function seal( $data, $encKey, $hmacKey ) {

        $iv = random_bytes( 16 );

        $ciphertext = openssl_encrypt(

            $data,

            'aes-256-ctr',

            $encKey,

            OPENSSL_RAW_DATA,

            $iv

        );

        $sealed = base64_encode( $iv ) . '.' . base64_encode( $ciphertext );

        $hmac = hash_hmac( 'sha256', $sealed, $hmacKey, true );

        return base64_encode( $hmac ) . '.' . $sealed;

    }


    private static function unseal( $encrypted, $encKey, $hmacKey ) {

        $pieces = explode( '.', $encrypted );

        if ( count( $pieces ) !== 3 ) {

            throw new InvalidArgumentException( 'Invalid sealed-secret format' );

        }


        list( $hmac, $iv, $ciphertext ) = $pieces;

        $integCalc = hash_hmac( 'sha256', $iv . '.' . $ciphertext, $hmacKey, true );

        if ( !hash_equals( $integCalc, base64_decode( $hmac ) ) ) {

            throw new Exception( 'Sealed secret has been tampered with, aborting.' );

        }


        return openssl_decrypt(

            base64_decode( $ciphertext ),

            'aes-256-ctr',

            $encKey,

            OPENSSL_RAW_DATA,

            base64_decode( $iv )

        );

    }


}


$wgSecretKey
$wgSecretKey
This should always be customised in LocalSettings.php.
Definition DefaultSettings.php:5986

OATHAuthHooks\getOATHUserRepository
static getOATHUserRepository()
Get the singleton OATH user repository.
Definition OATHAuthHooks.php:34

OATHAuthUtils
This program is free software; you can redistribute it and/or modify it under the terms of the GNU Ge...
Definition OATHAuthUtils.php:24

OATHAuthUtils\encryptSessionData
static encryptSessionData(array $plaintextVars, $userId)
Encrypt an aray of variables to put into the user's session.
Definition OATHAuthUtils.php:45

OATHAuthUtils\seal
static seal( $data, $encKey, $hmacKey)
Actually encrypt the data, using a new random IV, and prepend the hmac of the encrypted data + IV,...
Definition OATHAuthUtils.php:97

OATHAuthUtils\getUserKeys
static getUserKeys( $secret, $userid)
Generate encryption and hmac keys, unique to this user, based on a single wiki secret.
Definition OATHAuthUtils.php:81

OATHAuthUtils\getKeyMaterials
static getKeyMaterials()
Get the base secret for this wiki, used to derive all of the encryption keys.
Definition OATHAuthUtils.php:69

OATHAuthUtils\unseal
static unseal( $encrypted, $encKey, $hmacKey)
Decrypt data sealed using seal().
Definition OATHAuthUtils.php:120

OATHAuthUtils\decryptSessionData
static decryptSessionData( $ciphertext, $userId)
Decrypt an encrypted packet, generated with encryptSessionData.
Definition OATHAuthUtils.php:57

OATHAuthUtils\isEnabledFor
static isEnabledFor(User $user)
Check whether OATH two-factor authentication is enabled for a given user.
Definition OATHAuthUtils.php:31

User
The User object encapsulates all of the user-specific settings (user_id, name, rights,...
Definition User.php:47

list
deferred txt A few of the database updates required by various functions here can be deferred until after the result page is displayed to the user For updating the view updating the linked to tables after a etc PHP does not yet have any way to tell the server to actually return and disconnect while still running these but it might have such a feature in the future We handle these by creating a deferred update object and putting those objects on a global list
Definition deferred.txt:11

array
The wiki should then use memcached to cache various data To use multiple just add more items to the array To increase the weight of a make its entry a array("192.168.0.1:11211", 2))

$keys
$keys
Definition testCompression.php:67