includes/password/EncryptedPassword.php

   1 <?php
   2 /**
   3  * Implements the EncryptedPassword class for the MediaWiki software.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 /**
  24  * Helper class for passwords that use another password hash underneath it
  25  * and encrypts that hash with a configured secret.
  26  *
  27  * @since 1.24
  28  */
  29 class EncryptedPassword extends ParameterizedPassword {
  30         protected function getDelimiter() {
  31                 return ':';
  32         }
  33
  34         protected function getDefaultParams() {
  35                 return [
  36                         'cipher' => $this->config['cipher'],
  37                         'secret' => count( $this->config['secrets'] ) - 1
  38                 ];
  39         }
  40
  41         public function crypt( $password ) {
  42                 $secret = $this->config['secrets'][$this->params['secret']];
  43
  44                 // Clear error string
  45                 while ( openssl_error_string() !== false );
  46
  47                 if ( $this->hash ) {
  48                         $decrypted = openssl_decrypt(
  49                                         $this->hash, $this->params['cipher'],
  50                                         $secret, 0, base64_decode( $this->args[0] ) );
  51                         if ( $decrypted === false ) {
  52                                 throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() );
  53                         }
  54                         $underlyingPassword = $this->factory->newFromCiphertext( $decrypted );
  55                 } else {
  56                         $underlyingPassword = $this->factory->newFromType( $this->config['underlying'] );
  57                 }
  58
  59                 $underlyingPassword->crypt( $password );
  60                 if ( count( $this->args ) ) {
  61                         $iv = base64_decode( $this->args[0] );
  62                 } else {
  63                         $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) );
  64                 }
  65
  66                 $this->hash = openssl_encrypt(
  67                         $underlyingPassword->toString(), $this->params['cipher'], $secret, 0, $iv );
  68                 if ( $this->hash === false ) {
  69                         throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() );
  70                 }
  71                 $this->args = [ base64_encode( $iv ) ];
  72         }
  73
  74         /**
  75          * Updates the underlying hash by encrypting it with the newest secret.
  76          *
  77          * @throws MWException If the configuration is not valid
  78          * @return bool True if the password was updated
  79          */
  80         public function update() {
  81                 if ( count( $this->args ) != 1 || $this->params == $this->getDefaultParams() ) {
  82                         // Hash does not need updating
  83                         return false;
  84                 }
  85
  86                 // Clear error string
  87                 while ( openssl_error_string() !== false );
  88
  89                 // Decrypt the underlying hash
  90                 $underlyingHash = openssl_decrypt(
  91                         $this->hash,
  92                         $this->params['cipher'],
  93                         $this->config['secrets'][$this->params['secret']],
  94                         0,
  95                         base64_decode( $this->args[0] )
  96                 );
  97                 if ( $underlyingHash === false ) {
  98                         throw new PasswordError( 'Error decrypting password: ' . openssl_error_string() );
  99                 }
 100
 101                 // Reset the params
 102                 $this->params = $this->getDefaultParams();
 103
 104                 // Check the key size with the new params
 105                 $iv = random_bytes( openssl_cipher_iv_length( $this->params['cipher'] ) );
 106                 $this->hash = openssl_encrypt(
 107                                 $underlyingHash,
 108                                 $this->params['cipher'],
 109                                 $this->config['secrets'][$this->params['secret']],
 110                                 0,
 111                                 $iv
 112                         );
 113                 if ( $this->hash === false ) {
 114                         throw new PasswordError( 'Error encrypting password: ' . openssl_error_string() );
 115                 }
 116
 117                 $this->args = [ base64_encode( $iv ) ];
 118
 119                 return true;
 120         }
 121 }