ilBcryptPasswordEncoder Class Reference

Inheritance diagram for ilBcryptPasswordEncoder:

Collaboration diagram for ilBcryptPasswordEncoder:

Public Member Functions
	__construct (array $config=array())
	getDataDirectory ()
	setDataDirectory ($data_directory)
	isBackwardCompatibilityEnabled ()
	setBackwardCompatibility ($backward_compatibility)
	Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+. More...
	isSecurityFlawIgnored ()
	setIsSecurityFlawIgnored ($is_security_flaw_ignored)
	getClientSalt ()
	setClientSalt ($client_salt)
	encodePassword ($raw, $salt)
	{Encodes the raw password. Parameters string $raw The password to encode string $salt The salt Returns string The encoded password } More...
	isPasswordValid ($encoded, $raw, $salt)
	{Checks a raw password against an encoded password.The raw password has to be injected into the encoder instance before. Parameters string $encoded An encoded password string $raw A raw password string $salt The salt Returns Boolean true if the password is valid, false otherwise } More...
	getName ()
	{Returns a unique name/id of the concrete password encoder. Returns string } More...
	requiresSalt ()
	{Returns whether or not the encoder requires a salt. Returns boolean } More...
	requiresReencoding ($encoded)
	{Returns whether or not the a encoded password needs to be re-encoded. Parameters $encoded string Returns boolean } More...
	getClientSaltLocation ()
Public Member Functions inherited from ilBcryptPhpPasswordEncoder
	__construct (array $config=array())
	benchmarkCost ($time_target=0.05)
	getName ()
	isSupportedByRuntime ()
	{Returns whether or not the encoder is supported by the runtime (PHP, HHVM, ...) Returns boolean } More...
	getCosts ()
	setCosts ($costs)
	encodePassword ($raw, $salt)
	{Encodes the raw password. Parameters string $raw The password to encode string $salt The salt Returns string The encoded password } More...
	isPasswordValid ($encoded, $raw, $salt)
	{Checks a raw password against an encoded password.The raw password has to be injected into the encoder instance before. Parameters string $encoded An encoded password string $raw A raw password string $salt The salt Returns Boolean true if the password is valid, false otherwise } More...
	requiresReencoding ($encoded)
	{Returns whether or not the a encoded password needs to be re-encoded. Parameters $encoded string Returns boolean } More...
Public Member Functions inherited from ilBasePasswordEncoder
	isSupportedByRuntime ()
	{Returns whether or not the encoder is supported by the runtime (PHP, HHVM, ...) Returns boolean } More...
	requiresSalt ()
	{Returns whether or not the encoder requires a salt. Returns boolean } More...
	requiresReencoding ($encoded)
	{Returns whether or not the a encoded password needs to be re-encoded. Parameters $encoded string Returns boolean } More...

Data Fields
const	MIN_SALT_SIZE = 16
const	SALT_STORAGE_FILENAME = 'pwsalt.txt'
Data Fields inherited from ilBasePasswordEncoder
const	MAX_PASSWORD_LENGTH = 4096

Protected Member Functions
	init ()
	isBcryptSupported ()
	encode ($raw, $user_secret)
	Generates a bcrypt encoded string. More...
	check ($encoded, $raw, $salt)
	Verifies a bcrypt encoded string. More...
Protected Member Functions inherited from ilBcryptPhpPasswordEncoder
	init ()
Protected Member Functions inherited from ilBasePasswordEncoder
	comparePasswords ($known_string, $user_string)
	Compares two passwords. More...
	isPasswordTooLong ($password)
	Checks if the password is too long. More...

Private Member Functions
	readClientSalt ()
	generateClientSalt ()
	storeClientSalt ()

Private Attributes
	$client_salt = null
	$is_security_flaw_ignored = false
	$backward_compatibility = false
	$data_directory = ''

Additional Inherited Members
Protected Attributes inherited from ilBcryptPhpPasswordEncoder
	$costs = '08'

Detailed Description

Definition at line 11 of file class.ilBcryptPasswordEncoder.php.

Constructor & Destructor Documentation

__construct()

ilBcryptPasswordEncoder::__construct

(

array

$config = array()

)

Parameters

array

$config

Exceptions

ilPasswordException

Definition at line 47 of file class.ilBcryptPasswordEncoder.php.

References $config, $key, setDataDirectory(), and setIsSecurityFlawIgnored().

    {
        if (!empty($config)) {
            foreach ($config as $key => $value) {
                switch (strtolower($key)) {
                    case 'ignore_security_flaw':
                        $this->setIsSecurityFlawIgnored($value);
                        break;

                    case 'data_directory':
                        $this->setDataDirectory($value);
                        break;
                }
            }
        }

        parent::__construct($config);
    }

Here is the call graph for this function:

Member Function Documentation

check()

ilBcryptPasswordEncoder::check (   $encoded,   $raw,   $salt  )

protected

Verifies a bcrypt encoded string.

Parameters

string	$encoded
string	$raw
string	$salt

Returns

bool

Definition at line 253 of file class.ilBcryptPasswordEncoder.php.

References getClientSalt().

Referenced by isPasswordValid().

    {
        $hashed_password = hash_hmac('whirlpool', str_pad($raw, strlen($raw) * 4, sha1($salt), STR_PAD_BOTH), $this->getClientSalt(), true);
        return crypt($hashed_password, substr($encoded, 0, 30)) == $encoded;
    }

Here is the call graph for this function:

Here is the caller graph for this function:

encode()

ilBcryptPasswordEncoder::encode (   $raw,   $user_secret  )

protected

Generates a bcrypt encoded string.

Parameters

string	$raw	The raw password
string	$user_secret	A randomly generated string (should be 16 ASCII chars)

Returns

string

Exceptions

ilPasswordException

Check for security flaw in the bcrypt implementation used by crypt()

See also

http://php.net/security/crypt_blowfish.php

Definition at line 212 of file class.ilBcryptPasswordEncoder.php.

References getClientSalt(), ilBcryptPhpPasswordEncoder\getCosts(), isBackwardCompatibilityEnabled(), isBcryptSupported(), and isSecurityFlawIgnored().

Referenced by encodePassword().

    {
        $client_secret = $this->getClientSalt();
        $hashed_password = hash_hmac('whirlpool', str_pad($raw, strlen($raw) * 4, sha1($user_secret), STR_PAD_BOTH), $client_secret, true);
        $salt = substr(str_shuffle(str_repeat('./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 22)), 0, 22);

        if ($this->isBcryptSupported() && !$this->isBackwardCompatibilityEnabled()) {
            $prefix = '$2y$';
        } else {
            $prefix = '$2a$';
            // check if the password contains 8-bit character
            if (!$this->isSecurityFlawIgnored() && preg_match('/[\x80-\xFF]/', $raw)) {
                require_once 'Services/Password/exceptions/class.ilPasswordException.php';
                throw new ilPasswordException(
                    'The bcrypt implementation used by PHP can contain a security flaw ' .
                    'using passwords with 8-bit characters. ' .
                    'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters.'
                );
            }
        }

        $salted_password = crypt($hashed_password, $prefix . $this->getCosts() . '$' . $salt);
        if (strlen($salted_password) <= 13) {
            require_once 'Services/Password/exceptions/class.ilPasswordException.php';
            throw new ilPasswordException('Error during the bcrypt generation');
        }

        return $salted_password;
    }

Here is the call graph for this function:

Here is the caller graph for this function:

encodePassword()

ilBcryptPasswordEncoder::encodePassword	(		$raw,
			$salt
	)

{Encodes the raw password.

Parameters

string	$raw	The password to encode
string	$salt	The salt

Returns

string The encoded password

}

Exceptions

ilPasswordException

Implements ilPasswordEncoder.

Definition at line 151 of file class.ilBcryptPasswordEncoder.php.

References encode(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(), and ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified().

    {
        if (!$this->getClientSalt()) {
            require_once 'Services/Password/exceptions/class.ilPasswordException.php';
            throw new ilPasswordException('Missing client salt.');
        }

        if ($this->isPasswordTooLong($raw)) {
            require_once 'Services/Password/exceptions/class.ilPasswordException.php';
            throw new ilPasswordException('Invalid password.');
        }

        return $this->encode($raw, $salt);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

generateClientSalt()

ilBcryptPasswordEncoder::generateClientSalt ( )

private

Definition at line 286 of file class.ilBcryptPasswordEncoder.php.

References ilPasswordUtils\getBytes(), and setClientSalt().

Referenced by readClientSalt().

    {
        require_once 'Services/Password/classes/class.ilPasswordUtils.php';
        $this->setClientSalt(
            substr(str_replace('+', '.', base64_encode(ilPasswordUtils::getBytes(self::MIN_SALT_SIZE))), 0, 22)
        );
    }

Here is the call graph for this function:

Here is the caller graph for this function:

getClientSalt()

ilBcryptPasswordEncoder::getClientSalt

(

)

Returns

string|null

Definition at line 134 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by check(), encode(), encodePassword(), isPasswordValid(), and storeClientSalt().

    {
        return $this->client_salt;
    }

Here is the caller graph for this function:

getClientSaltLocation()

ilBcryptPasswordEncoder::getClientSaltLocation

(

)

Returns

string

Definition at line 262 of file class.ilBcryptPasswordEncoder.php.

References getDataDirectory().

Referenced by readClientSalt(), and storeClientSalt().

    {
        return $this->getDataDirectory() . '/' . self::SALT_STORAGE_FILENAME;
    }

Here is the call graph for this function:

Here is the caller graph for this function:

getDataDirectory()

ilBcryptPasswordEncoder::getDataDirectory

(

)

Returns

string

Definition at line 85 of file class.ilBcryptPasswordEncoder.php.

References $data_directory.

Referenced by getClientSaltLocation().

    {
        return $this->data_directory;
    }

Here is the caller graph for this function:

getName()

ilBcryptPasswordEncoder::getName

(

)

{Returns a unique name/id of the concrete password encoder.

Returns

string

}

Implements ilPasswordEncoder.

Definition at line 182 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testNameShouldBeBcrypt().

    {
        return 'bcrypt';
    }

Here is the caller graph for this function:

init()

ilBcryptPasswordEncoder::init ( )

protected

Definition at line 69 of file class.ilBcryptPasswordEncoder.php.

References readClientSalt().

    {
        $this->readClientSalt();
    }

Here is the call graph for this function:

isBackwardCompatibilityEnabled()

ilBcryptPasswordEncoder::isBackwardCompatibilityEnabled

(

)

Returns

boolean

Definition at line 101 of file class.ilBcryptPasswordEncoder.php.

References $backward_compatibility.

Referenced by encode().

    {
        return (bool) $this->backward_compatibility;
    }

Here is the caller graph for this function:

isBcryptSupported()

ilBcryptPasswordEncoder::isBcryptSupported ( )

protected

Returns

bool

Definition at line 77 of file class.ilBcryptPasswordEncoder.php.

Referenced by encode().

    {
        return PHP_VERSION_ID >= 50307;
    }

Here is the caller graph for this function:

isPasswordValid()

ilBcryptPasswordEncoder::isPasswordValid	(		$encoded,
			$raw,
			$salt
	)

{Checks a raw password against an encoded password.The raw password has to be injected into the encoder instance before.

Parameters

string	$encoded	An encoded password
string	$raw	A raw password
string	$salt	The salt

Returns

Boolean true if the password is valid, false otherwise

}

Implements ilPasswordEncoder.

Definition at line 169 of file class.ilBcryptPasswordEncoder.php.

References check(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified(), and ilBcryptPasswordEncoderTest\testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength().

    {
        if (!$this->getClientSalt()) {
            require_once 'Services/Password/exceptions/class.ilPasswordException.php';
            throw new ilPasswordException('Missing client salt.');
        }

        return !$this->isPasswordTooLong($raw) && $this->check($encoded, $raw, $salt);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

isSecurityFlawIgnored()

ilBcryptPasswordEncoder::isSecurityFlawIgnored

(

)

Returns

boolean

Definition at line 118 of file class.ilBcryptPasswordEncoder.php.

References $is_security_flaw_ignored.

Referenced by encode().

    {
        return (bool) $this->is_security_flaw_ignored;
    }

Here is the caller graph for this function:

readClientSalt()

ilBcryptPasswordEncoder::readClientSalt ( )

private

Definition at line 270 of file class.ilBcryptPasswordEncoder.php.

References generateClientSalt(), getClientSaltLocation(), setClientSalt(), and storeClientSalt().

Referenced by init().

    {
        if (is_file($this->getClientSaltLocation()) && is_readable($this->getClientSaltLocation())) {
            $contents = file_get_contents($this->getClientSaltLocation());
            if (strlen(trim($contents))) {
                $this->setClientSalt($contents);
            }
        } else {
            $this->generateClientSalt();
            $this->storeClientSalt();
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

requiresReencoding()

ilBcryptPasswordEncoder::requiresReencoding

(

$encoded

)

{Returns whether or not the a encoded password needs to be re-encoded.

Parameters

$encoded

string

Returns

boolean

}

Implements ilPasswordEncoder.

Definition at line 200 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testEncoderDoesNotSupportReencoding().

    {
        return false;
    }

Here is the caller graph for this function:

requiresSalt()

ilBcryptPasswordEncoder::requiresSalt

(

)

{Returns whether or not the encoder requires a salt.

Returns

boolean

}

Implements ilPasswordEncoder.

Definition at line 190 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testEncoderReliesOnSalts().

    {
        return true;
    }

Here is the caller graph for this function:

setBackwardCompatibility()

ilBcryptPasswordEncoder::setBackwardCompatibility

(

$backward_compatibility

)

Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+.

Parameters

boolean

$backward_compatibility

Definition at line 110 of file class.ilBcryptPasswordEncoder.php.

References $backward_compatibility.

    {
        $this->backward_compatibility = (bool) $backward_compatibility;
    }

setClientSalt()

ilBcryptPasswordEncoder::setClientSalt

(

$client_salt

)

Parameters

string | null

$client_salt

Definition at line 142 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by generateClientSalt(), and readClientSalt().

    {
        $this->client_salt = $client_salt;
    }

Here is the caller graph for this function:

setDataDirectory()

ilBcryptPasswordEncoder::setDataDirectory

(

$data_directory

)

Parameters

string

$data_directory

Definition at line 93 of file class.ilBcryptPasswordEncoder.php.

References $data_directory.

Referenced by __construct().

    {
        $this->data_directory = $data_directory;
    }

Here is the caller graph for this function:

setIsSecurityFlawIgnored()

ilBcryptPasswordEncoder::setIsSecurityFlawIgnored

(

$is_security_flaw_ignored

)

Parameters

boolean

$is_security_flaw_ignored

Definition at line 126 of file class.ilBcryptPasswordEncoder.php.

References $is_security_flaw_ignored.

Referenced by __construct().

    {
        $this->is_security_flaw_ignored = (bool) $is_security_flaw_ignored;
    }

Here is the caller graph for this function:

storeClientSalt()

ilBcryptPasswordEncoder::storeClientSalt ( )

private

Exceptions

ilPasswordException

Definition at line 297 of file class.ilBcryptPasswordEncoder.php.

References $result, getClientSalt(), and getClientSaltLocation().

Referenced by readClientSalt().

    {
        $result = @file_put_contents($this->getClientSaltLocation(), $this->getClientSalt());
        if (!$result) {
            require_once 'Services/Password/exceptions/class.ilPasswordException.php';
            throw new ilPasswordException(sprintf("Could not store the client salt in: %s. Please contact an administrator.", $this->getClientSaltLocation()));
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

$backward_compatibility

ilBcryptPasswordEncoder::$backward_compatibility = false

private

Definition at line 36 of file class.ilBcryptPasswordEncoder.php.

Referenced by isBackwardCompatibilityEnabled(), and setBackwardCompatibility().

$client_salt

ilBcryptPasswordEncoder::$client_salt = null

private

Definition at line 26 of file class.ilBcryptPasswordEncoder.php.

Referenced by getClientSalt(), and setClientSalt().

$data_directory

ilBcryptPasswordEncoder::$data_directory = ''

private

Definition at line 41 of file class.ilBcryptPasswordEncoder.php.

Referenced by getDataDirectory(), and setDataDirectory().

$is_security_flaw_ignored

ilBcryptPasswordEncoder::$is_security_flaw_ignored = false

private

Definition at line 31 of file class.ilBcryptPasswordEncoder.php.

Referenced by isSecurityFlawIgnored(), and setIsSecurityFlawIgnored().

MIN_SALT_SIZE

const ilBcryptPasswordEncoder::MIN_SALT_SIZE = 16

Definition at line 16 of file class.ilBcryptPasswordEncoder.php.

SALT_STORAGE_FILENAME

const ilBcryptPasswordEncoder::SALT_STORAGE_FILENAME = 'pwsalt.txt'

Definition at line 21 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testInstanceCanBeCreatedAndInitializedWithClientSalt().

---

The documentation for this class was generated from the following file:

• Services/Password/classes/encoders/class.ilBcryptPasswordEncoder.php