Inheritance diagram for ilBcryptPasswordEncoder:

Collaboration diagram for ilBcryptPasswordEncoder:

Public Member Functions

__construct (array $config=array())

isBackwardCompatibilityEnabled ()

setBackwardCompatibility ($backward_compatibility)

Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+.

isSecurityFlawIgnored ()

setIsSecurityFlawIgnored ($is_security_flaw_ignored)

getClientSalt ()

setClientSalt ($client_salt)

getCosts ()

setCosts ($costs)

encodePassword ($raw, $salt)

{Encodes the raw password.

Parameters

string	$raw	The password to encode
string	$salt	The salt

Returns: string The encoded password

}

isPasswordValid ($encoded, $raw, $salt)

{Checks a raw password against an encoded password.The raw password has to be injected into the encoder instance before.

Parameters

string	$encoded	An encoded password
string	$raw	A raw password
string	$salt	The salt

Returns: Boolean true if the password is valid, false otherwise

}

getName ()

{Returns a unique name/id of the concrete password encoder.

Returns: string

}

requiresSalt ()

{Returns whether or not the encoder requires a salt.

Returns: boolean

}

getClientSaltLocation ()

onSelection ()

{A client should call this method when the specific encoder is selected.}

saveForm (ilPropertyFormGUI $form)

{

Parameters

ilPropertyFormGUI $form

Returns: mixed

}

Public Member Functions inherited from ilPasswordEncoderConfigurationFormAware

buildForm (ilPropertyFormGUI $form)

Called when an encoder should build individual form parts for the user interface.

validateForm (ilPropertyFormGUI $form)

Called if an encoder should validate a request concerning business rules.

Data Fields
const	MIN_SALT_SIZE = 16
const	SALT_STORAGE_FILENAME = 'pwsalt.txt'
Data Fields inherited from ilBasePasswordEncoder
const	MAX_PASSWORD_LENGTH = 4096

Protected Member Functions
	init ()
	isBcryptSupported ()
	encode ($raw, $salt)
	Generates a bcrypt encoded string.
	check ($encoded, $raw, $salt)
	Verifies a bcrypt encoded string.
Protected Member Functions inherited from ilBasePasswordEncoder
	comparePasswords ($known_string, $user_string)
	Compares two passwords.
	isPasswordTooLong ($password)
	Checks if the password is too long.

Protected Attributes
	$client_salt = null
	$costs = '08'
	$is_security_flaw_ignored = false
	$backward_compatibility = false

Private Member Functions
	generateClientSalt ()
	readClientSalt ()
	storeClientSalt ()

Detailed Description

Definition at line 12 of file class.ilBcryptPasswordEncoder.php.

Constructor & Destructor Documentation

ilBcryptPasswordEncoder::__construct ( array $config = array() )

Parameters

array $config

Exceptions

ilPasswordException

Definition at line 48 of file class.ilBcryptPasswordEncoder.php.

References init(), setCosts(), and setIsSecurityFlawIgnored().

        {
                if(!empty($config))
                {
                        foreach($config as $key => $value)
                        {
                                switch(strtolower($key))
                                {
                                        case 'cost':
                                                $this->setCosts($value);
                                                break;
                                        case 'ignore_security_flaw':
                                                $this->setIsSecurityFlawIgnored($value);
                                                break;
                                }
                        }
                }
                
                $this->init();
        }

Here is the call graph for this function:

Member Function Documentation

ilBcryptPasswordEncoder::check	(	$encoded,
		$raw,
		$salt
	)

protected

Verifies a bcrypt encoded string.

Parameters

string	$encoded
string	$raw
string	$salt

Returns: bool

Definition at line 263 of file class.ilBcryptPasswordEncoder.php.

References getClientSalt().

Referenced by isPasswordValid().

        {
                $hashed_password  = hash_hmac('whirlpool', str_pad($raw, strlen($raw) * 4, sha1($salt), STR_PAD_BOTH), $this->getClientSalt(), true);
                return crypt($hashed_password, substr($encoded, 0, 30)) == $encoded;
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::encode	(	$raw,
		$salt
	)

protected

Generates a bcrypt encoded string.

Parameters

string	$raw
string	$salt

Returns: string

Exceptions

ilPasswordException

Check for security flaw in the bcrypt implementation used by crypt()

See Also: http://php.net/security/crypt_blowfish.php

Definition at line 219 of file class.ilBcryptPasswordEncoder.php.

References getClientSalt(), getCosts(), isBackwardCompatibilityEnabled(), isBcryptSupported(), and isSecurityFlawIgnored().

Referenced by encodePassword().

        {
                $hashed_password = hash_hmac('whirlpool', str_pad($raw, strlen($raw) * 4, sha1($salt), STR_PAD_BOTH), $this->getClientSalt(), true);
                $salt            = substr(str_shuffle(str_repeat('./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 22)), 0, 22);
                if($this->isBcryptSupported() && !$this->isBackwardCompatibilityEnabled())
                {
                        $prefix = '$2y$';
                }
                else
                {
                        $prefix = '$2a$';
                        // check if the password contains 8-bit character
                        if(!$this->isSecurityFlawIgnored() && preg_match('/[\x80-\xFF]/', $raw))
                        {
                                require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                                throw new ilPasswordException(
                                        'The bcrypt implementation used by PHP can contain a security flaw ' .
                                        'using passwords with 8-bit characters. ' .
                                        'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters.'
                                );
                        }
                }
                $encrypted_password = crypt($hashed_password, $prefix . $this->getCosts() . '$' . $salt);
                if(strlen($encrypted_password) <= 13)
                {
                        require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                        throw new ilPasswordException('Error during the bcrypt generation');
                }
                return $encrypted_password;
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::encodePassword	(	$raw,
		$salt
	)

{Encodes the raw password.

Parameters

string	$raw	The password to encode
string	$salt	The salt

Returns: string The encoded password

}

Exceptions

ilPasswordException

Implements ilPasswordEncoder.

Definition at line 165 of file class.ilBcryptPasswordEncoder.php.

References encode(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(), and ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified().

        {
                if(!$this->getClientSalt())
                {
                        require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                        throw new ilPasswordException('Missing client salt.');
                }
                if($this->isPasswordTooLong($raw))
                {
                        require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                        throw new ilPasswordException('Invalid password.');
                }
                
                return $this->encode($raw, $salt);
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::generateClientSalt ( )

private

Definition at line 280 of file class.ilBcryptPasswordEncoder.php.

References ilPasswordUtils\getBytes(), and setClientSalt().

Referenced by onSelection().

        {
                require_once 'Services/Password/classes/class.ilPasswordUtils.php';
                $this->setClientSalt(
                        substr(str_replace('+', '.', base64_encode(ilPasswordUtils::getBytes(self::MIN_SALT_SIZE))), 0, 22)
                );
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::getClientSalt ( )

Returns: string|null

Definition at line 122 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by check(), encode(), encodePassword(), isPasswordValid(), onSelection(), and storeClientSalt().

        {
                return $this->client_salt;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::getClientSaltLocation ( )

Returns: string

Definition at line 272 of file class.ilBcryptPasswordEncoder.php.

References ilUtil\getDataDir(), and SALT_STORAGE_FILENAME.

Referenced by readClientSalt(), and storeClientSalt().

        {
                return ilUtil::getDataDir() . '/' . self::SALT_STORAGE_FILENAME;
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::getCosts ( )

Returns: string

Definition at line 138 of file class.ilBcryptPasswordEncoder.php.

References $costs.

Referenced by encode(), and ilBcryptPasswordEncoderTest\testCostsCanBeRetrievedWhenCostsAreSet().

        {
                return $this->costs;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::getName ( )

{Returns a unique name/id of the concrete password encoder.

Returns: string

}

Implements ilPasswordEncoder.

Definition at line 199 of file class.ilBcryptPasswordEncoder.php.

        {
                return 'bcrypt';
        }

ilBcryptPasswordEncoder::init ( )

protected

Definition at line 73 of file class.ilBcryptPasswordEncoder.php.

References readClientSalt().

Referenced by __construct().

        {
                $this->readClientSalt();
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::isBackwardCompatibilityEnabled ( )

Returns: boolean

Definition at line 89 of file class.ilBcryptPasswordEncoder.php.

References $backward_compatibility.

Referenced by encode().

        {
                return (bool)$this->backward_compatibility;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::isBcryptSupported ( )

protected

Returns: bool

Definition at line 81 of file class.ilBcryptPasswordEncoder.php.

Referenced by encode().

        {
                return PHP_VERSION_ID >= 50307;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::isPasswordValid	(	$encoded,
		$raw,
		$salt
	)

{Checks a raw password against an encoded password.The raw password has to be injected into the encoder instance before.

Parameters

string	$encoded	An encoded password
string	$raw	A raw password
string	$salt	The salt

Returns: Boolean true if the password is valid, false otherwise

}

Implements ilPasswordEncoder.

Definition at line 185 of file class.ilBcryptPasswordEncoder.php.

References check(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified(), and ilBcryptPasswordEncoderTest\testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength().

        {
                if(!$this->getClientSalt())
                {
                        require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                        throw new ilPasswordException('Missing client salt.');
                }
                return !$this->isPasswordTooLong($raw)  && $this->check($encoded, $raw, $salt);
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::isSecurityFlawIgnored ( )

Returns: boolean

Definition at line 106 of file class.ilBcryptPasswordEncoder.php.

References $is_security_flaw_ignored.

Referenced by encode().

        {
                return (bool)$this->is_security_flaw_ignored;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::onSelection ( )

{A client should call this method when the specific encoder is selected.}

Exceptions

ilPasswordException

Implements ilPasswordEncoderConfigurationFormAware.

Definition at line 319 of file class.ilBcryptPasswordEncoder.php.

References generateClientSalt(), getClientSalt(), setClientSalt(), and storeClientSalt().

        {
                if(!$this->getClientSalt())
                {
                        try
                        {
                                $this->generateClientSalt();
                                $this->storeClientSalt();
                        }
                        catch(ilPasswordException $e)
                        {
                                $this->setClientSalt(null);
                                throw $e;
                        }
                }
        }

Here is the call graph for this function:

ilBcryptPasswordEncoder::readClientSalt ( )

private

Definition at line 291 of file class.ilBcryptPasswordEncoder.php.

References getClientSaltLocation(), and setClientSalt().

Referenced by init().

        {
                if(is_file($this->getClientSaltLocation()) && is_readable($this->getClientSaltLocation()))
                {
                        $contents = file_get_contents($this->getClientSaltLocation());
                        if(strlen(trim($contents)))
                        {
                                $this->setClientSalt($contents);
                        }
                }
        }

Here is the call graph for this function:

Here is the caller graph for this function:

ilBcryptPasswordEncoder::requiresSalt ( )

{Returns whether or not the encoder requires a salt.

Returns: boolean

}

Implements ilPasswordEncoder.

Definition at line 207 of file class.ilBcryptPasswordEncoder.php.

        {
                return true;
        }

ilBcryptPasswordEncoder::saveForm ( ilPropertyFormGUI $form )

{

Parameters

ilPropertyFormGUI $form

Returns: mixed

}

Implements ilPasswordEncoderConfigurationFormAware.

Definition at line 358 of file class.ilBcryptPasswordEncoder.php.

{

}

ilBcryptPasswordEncoder::setBackwardCompatibility ( $backward_compatibility )

Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+.

Parameters

boolean $backward_compatibility

Definition at line 98 of file class.ilBcryptPasswordEncoder.php.

References $backward_compatibility.

        {
                $this->backward_compatibility = (bool)$backward_compatibility;
        }

ilBcryptPasswordEncoder::setClientSalt ( $client_salt )

Parameters

string | null $client_salt

Definition at line 130 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by generateClientSalt(), onSelection(), and readClientSalt().

        {
                $this->client_salt = $client_salt;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::setCosts ( $costs )

Parameters

string $costs

Exceptions

ilPasswordException

Definition at line 147 of file class.ilBcryptPasswordEncoder.php.

References $costs.

Referenced by __construct(), ilBcryptPasswordEncoderTest\testCostsCanBeRetrievedWhenCostsAreSet(), ilBcryptPasswordEncoderTest\testCostsCanBeSetInRange(), ilBcryptPasswordEncoderTest\testCostsCannotBeSetAboveRange(), ilBcryptPasswordEncoderTest\testCostsCannotBeSetBelowRange(), ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(), ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified(), and ilBcryptPasswordEncoderTest\testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength().

        {
                if(!empty($costs))
                {
                        $costs = (int)$costs;
                        if($costs < 4 || $costs > 31)
                        {
                                require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                                throw new ilPasswordException('The costs parameter of bcrypt must be in range 04-31');
                        }
                        $this->costs = sprintf('%1$02d', $costs);
                }
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::setIsSecurityFlawIgnored ( $is_security_flaw_ignored )

Parameters

boolean $is_security_flaw_ignored

Definition at line 114 of file class.ilBcryptPasswordEncoder.php.

References $is_security_flaw_ignored.

Referenced by __construct().

        {
                $this->is_security_flaw_ignored = (bool)$is_security_flaw_ignored;
        }

Here is the caller graph for this function:

ilBcryptPasswordEncoder::storeClientSalt ( )

private

Exceptions

ilPasswordException

Definition at line 306 of file class.ilBcryptPasswordEncoder.php.

References $result, getClientSalt(), and getClientSaltLocation().

Referenced by onSelection().

        {
                $result = @file_put_contents($this->getClientSaltLocation(), $this->getClientSalt());
                if(!$result)
                {
                        throw new ilPasswordException("Could not store the client salt. Please contact an administrator.");
                }
        }