Inheritance diagram for ilBcryptPasswordEncoder:

Collaboration diagram for ilBcryptPasswordEncoder:

Public Member Functions
	__construct (array $config=[])

	getDataDirectory ()

	setDataDirectory (string $data_directory)

	isBackwardCompatibilityEnabled ()

	setBackwardCompatibility (bool $backward_compatibility)
	Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+. More...

	isSecurityFlawIgnored ()

	setIsSecurityFlawIgnored (bool $is_security_flaw_ignored)

	getClientSalt ()

	setClientSalt (?string $client_salt)

	encodePassword (string $raw, string $salt)

	isPasswordValid (string $encoded, string $raw, string $salt)

	getName ()

	requiresSalt ()

	requiresReencoding (string $encoded)

	getClientSaltLocation ()

Public Member Functions inherited from ilBcryptPhpPasswordEncoder
	__construct (array $config=[])

	benchmarkCost (float $time_target=0.05)

	getName ()

	isSupportedByRuntime ()

	getCosts ()

	setCosts (string $costs)

	encodePassword (string $raw, string $salt)

	isPasswordValid (string $encoded, string $raw, string $salt)

	requiresReencoding (string $encoded)

Public Member Functions inherited from ilBasePasswordEncoder
	isSupportedByRuntime ()

	requiresSalt ()

	requiresReencoding (string $encoded)

Data Fields
const	MIN_SALT_SIZE = 16

const	SALT_STORAGE_FILENAME = 'pwsalt.txt'

Data Fields inherited from ilBasePasswordEncoder
const	MAX_PASSWORD_LENGTH = 4096

Protected Member Functions
	init ()

	isBcryptSupported ()

	encode (string $raw, string $userSecret)
	Generates a bcrypt encoded string. More...

	check (string $encoded, string $raw, string $salt)
	Verifies a bcrypt encoded string. More...

Protected Member Functions inherited from ilBcryptPhpPasswordEncoder
	init ()

Protected Member Functions inherited from ilBasePasswordEncoder
	comparePasswords (string $knownString, string $userString)
	Compares two passwords. More...

	isPasswordTooLong (string $password)
	Checks if the password is too long. More...

Private Member Functions
	readClientSalt ()

	generateClientSalt ()

	storeClientSalt ()

Private Attributes
	$client_salt = null

	$is_security_flaw_ignored = false

	$backward_compatibility = false

	$data_directory = ''

Additional Inherited Members
Protected Attributes inherited from ilBcryptPhpPasswordEncoder
	$costs = '08'

Detailed Description

Definition at line 12 of file class.ilBcryptPasswordEncoder.php.

Constructor & Destructor Documentation

◆ __construct()

ilBcryptPasswordEncoder::__construct ( array $config = [] )

Parameters

array $config

Exceptions

ilPasswordException

Definition at line 36 of file class.ilBcryptPasswordEncoder.php.

References $config, ILIAS\GlobalScreen\Provider\__construct(), setDataDirectory(), and setIsSecurityFlawIgnored().

     {
         if (!empty($config)) {
             foreach ($config as $key => $value) {
                 switch (strtolower($key)) {
                     case 'ignore_security_flaw':
                         $this->setIsSecurityFlawIgnored($value);
                         break;
 
                     case 'data_directory':
                         $this->setDataDirectory($value);
                         break;
                 }
             }
         }
 
         parent::__construct($config);
     }

Here is the call graph for this function:

Member Function Documentation

◆ check()

ilBcryptPasswordEncoder::check	(	string	$encoded,
		string	$raw,
		string	$salt
	)

protected

Verifies a bcrypt encoded string.

Parameters

string	$encoded
string	$raw
string	$salt

Returns: bool

Definition at line 245 of file class.ilBcryptPasswordEncoder.php.

References ilBasePasswordEncoder\comparePasswords(), and getClientSalt().

Referenced by isPasswordValid().

                                                                          : bool
     {
         $hashedPassword = hash_hmac(
             'whirlpool',
             str_pad($raw, strlen($raw) * 4, sha1($salt), STR_PAD_BOTH),
             $this->getClientSalt(),
             true
         );
 
         return $this->comparePasswords($encoded, crypt($hashedPassword, substr($encoded, 0, 30)));
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ encode()

ilBcryptPasswordEncoder::encode	(	string	$raw,
		string	$userSecret
	)

protected

Generates a bcrypt encoded string.

Parameters

string	$raw	The raw password
string	$userSecret	A randomly generated string (should be 16 ASCII chars)

Returns: string

Exceptions

ilPasswordException

Check for security flaw in the bcrypt implementation used by crypt()

See also: http://php.net/security/crypt_blowfish.php

Definition at line 197 of file class.ilBcryptPasswordEncoder.php.

References getClientSalt(), ilBcryptPhpPasswordEncoder\getCosts(), isBackwardCompatibilityEnabled(), isBcryptSupported(), and isSecurityFlawIgnored().

Referenced by encodePassword().

                                                                : string
     {
         $clientSecret = $this->getClientSalt();
         $hashedPassword = hash_hmac(
             'whirlpool',
             str_pad($raw, strlen($raw) * 4, sha1($userSecret), STR_PAD_BOTH),
             $clientSecret,
             true
         );
         $salt = substr(
             str_shuffle(str_repeat('./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 22)),
             0,
             22
         );
 
         if ($this->isBcryptSupported() && !$this->isBackwardCompatibilityEnabled()) {
             $prefix = '$2y$';
         } else {
             $prefix = '$2a$';
             // check if the password contains 8-bit character
             if (!$this->isSecurityFlawIgnored() && preg_match('/[\x80-\xFF]/', $raw)) {
                 throw new ilPasswordException(
                     'The bcrypt implementation used by PHP can contain a security flaw ' .
                     'using passwords with 8-bit characters. ' .
                     'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters.'
                 );
             }
         }
 
         $saltedPassword = crypt($hashedPassword, $prefix . $this->getCosts() . '$' . $salt);
         if (strlen($saltedPassword) <= 13) {
             throw new ilPasswordException('Error during the bcrypt generation');
         }
 
         return $saltedPassword;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ encodePassword()

ilBcryptPasswordEncoder::encodePassword	(	string	$raw,
		string	$salt
	)

Exceptions

ilPasswordException

Implements ilPasswordEncoder.

Definition at line 140 of file class.ilBcryptPasswordEncoder.php.

References encode(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(), and ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified().

                                                               : string
     {
         if (!$this->getClientSalt()) {
             throw new ilPasswordException('Missing client salt.');
         }
 
         if ($this->isPasswordTooLong($raw)) {
             throw new ilPasswordException('Invalid password.');
         }
 
         return $this->encode($raw, $salt);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ generateClientSalt()

ilBcryptPasswordEncoder::generateClientSalt ( )

private

Definition at line 284 of file class.ilBcryptPasswordEncoder.php.

References ilPasswordUtils\getBytes(), and setClientSalt().

Referenced by readClientSalt().

                                           : void
     {
         $this->setClientSalt(
             substr(str_replace('+', '.', base64_encode(ilPasswordUtils::getBytes(self::MIN_SALT_SIZE))), 0, 22)
         );
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getClientSalt()

ilBcryptPasswordEncoder::getClientSalt ( )

Returns: string|null

Definition at line 123 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by check(), encode(), encodePassword(), isPasswordValid(), and storeClientSalt().

                                     : ?string
     {
         return $this->client_salt;
     }

Here is the caller graph for this function:

◆ getClientSaltLocation()

ilBcryptPasswordEncoder::getClientSaltLocation ( )

Returns: string

Definition at line 260 of file class.ilBcryptPasswordEncoder.php.

References getDataDirectory().

Referenced by readClientSalt(), and storeClientSalt().

                                             : string
     {
         return $this->getDataDirectory() . '/' . self::SALT_STORAGE_FILENAME;
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getDataDirectory()

ilBcryptPasswordEncoder::getDataDirectory ( )

Returns: string

Definition at line 74 of file class.ilBcryptPasswordEncoder.php.

References $data_directory.

Referenced by getClientSaltLocation().

                                        : string
     {
         return $this->data_directory;
     }

Here is the caller graph for this function:

◆ getName()

ilBcryptPasswordEncoder::getName ( )

Implements ilPasswordEncoder.

Definition at line 169 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testNameShouldBeBcrypt().

                               : string
     {
         return 'bcrypt';
     }

Here is the caller graph for this function:

◆ init()

ilBcryptPasswordEncoder::init ( )

protected

Exceptions

ilPasswordException

Definition at line 58 of file class.ilBcryptPasswordEncoder.php.

References readClientSalt().

                               : void
     {
         $this->readClientSalt();
     }

Here is the call graph for this function:

◆ isBackwardCompatibilityEnabled()

ilBcryptPasswordEncoder::isBackwardCompatibilityEnabled ( )

Returns: boolean

Definition at line 90 of file class.ilBcryptPasswordEncoder.php.

References $backward_compatibility.

Referenced by encode().

                                                      : bool
     {
         return (bool) $this->backward_compatibility;
     }

Here is the caller graph for this function:

◆ isBcryptSupported()

ilBcryptPasswordEncoder::isBcryptSupported ( )

protected

Returns: bool

Definition at line 66 of file class.ilBcryptPasswordEncoder.php.

Referenced by encode().

                                            : bool
     {
         return PHP_VERSION_ID >= 50307;
     }

Here is the caller graph for this function:

◆ isPasswordValid()

ilBcryptPasswordEncoder::isPasswordValid	(	string	$encoded,
		string	$raw,
		string	$salt
	)

Exceptions

ilPasswordException

Implements ilPasswordEncoder.

Definition at line 157 of file class.ilBcryptPasswordEncoder.php.

References check(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testPasswordShouldBeCorrectlyEncodedAndVerified(), and ilBcryptPasswordEncoderTest\testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength().

                                                                                 : bool
     {
         if (!$this->getClientSalt()) {
             throw new ilPasswordException('Missing client salt.');
         }
 
         return !$this->isPasswordTooLong($raw) && $this->check($encoded, $raw, $salt);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ isSecurityFlawIgnored()

ilBcryptPasswordEncoder::isSecurityFlawIgnored ( )

Returns: boolean

Definition at line 107 of file class.ilBcryptPasswordEncoder.php.

References $is_security_flaw_ignored.

Referenced by encode().

                                             : bool
     {
         return (bool) $this->is_security_flaw_ignored;
     }

Here is the caller graph for this function:

◆ readClientSalt()

ilBcryptPasswordEncoder::readClientSalt ( )

private

Exceptions

ilPasswordException

Definition at line 268 of file class.ilBcryptPasswordEncoder.php.

References generateClientSalt(), getClientSaltLocation(), setClientSalt(), and storeClientSalt().

Referenced by init().

                                       : void
     {
         if (is_file($this->getClientSaltLocation()) && is_readable($this->getClientSaltLocation())) {
             $contents = file_get_contents($this->getClientSaltLocation());
             if (strlen(trim($contents))) {
                 $this->setClientSalt($contents);
             }
         } else {
             $this->generateClientSalt();
             $this->storeClientSalt();
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ requiresReencoding()

ilBcryptPasswordEncoder::requiresReencoding ( string $encoded )

Implements ilPasswordEncoder.

Definition at line 185 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testEncoderDoesNotSupportReencoding().

                                                         : bool
     {
         return false;
     }

Here is the caller graph for this function:

◆ requiresSalt()

ilBcryptPasswordEncoder::requiresSalt ( )

Implements ilPasswordEncoder.

Definition at line 177 of file class.ilBcryptPasswordEncoder.php.

Referenced by ilBcryptPasswordEncoderTest\testEncoderReliesOnSalts().

                                    : bool
     {
         return true;
     }

Here is the caller graph for this function:

◆ setBackwardCompatibility()

ilBcryptPasswordEncoder::setBackwardCompatibility ( bool $backward_compatibility )

Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+.

Parameters

boolean $backward_compatibility

Definition at line 99 of file class.ilBcryptPasswordEncoder.php.

                                                                            : void
     {
         $this->backward_compatibility = (bool) $backward_compatibility;
     }

◆ setClientSalt()

ilBcryptPasswordEncoder::setClientSalt ( ?string $client_salt )

Parameters

string | null $client_salt

Definition at line 131 of file class.ilBcryptPasswordEncoder.php.

References $client_salt.

Referenced by generateClientSalt(), and readClientSalt().

     {
         $this->client_salt = $client_salt;
     }

Here is the caller graph for this function:

◆ setDataDirectory()

ilBcryptPasswordEncoder::setDataDirectory ( string $data_directory )

Parameters

string $data_directory

Definition at line 82 of file class.ilBcryptPasswordEncoder.php.

References $data_directory.

Referenced by __construct().

                                                              : void
     {
         $this->data_directory = $data_directory;
     }

Here is the caller graph for this function:

◆ setIsSecurityFlawIgnored()

ilBcryptPasswordEncoder::setIsSecurityFlawIgnored ( bool $is_security_flaw_ignored )

Parameters

boolean $is_security_flaw_ignored

Definition at line 115 of file class.ilBcryptPasswordEncoder.php.

Referenced by __construct().

                                                                              : void
     {
         $this->is_security_flaw_ignored = (bool) $is_security_flaw_ignored;
     }

Here is the caller graph for this function:

◆ storeClientSalt()

ilBcryptPasswordEncoder::storeClientSalt ( )

private

Exceptions

ilPasswordException

Definition at line 294 of file class.ilBcryptPasswordEncoder.php.

References $result, getClientSalt(), and getClientSaltLocation().

Referenced by readClientSalt().

                                        : void
     {
         $result = @file_put_contents($this->getClientSaltLocation(), $this->getClientSalt());
         if (!$result) {
             throw new ilPasswordException(sprintf(
                 "Could not store the client salt in: %s. Please contact an administrator.",
                 $this->getClientSaltLocation()
             ));
         }
     }