Inheritance diagram for ilBcryptPasswordEncoder:

Collaboration diagram for ilBcryptPasswordEncoder:

Public Member Functions
	__construct (array $config=[])

	getDataDirectory ()

	setDataDirectory (string $data_directory)

	isBackwardCompatibilityEnabled ()

	setBackwardCompatibility (bool $backward_compatibility)
	Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+. More...

	isSecurityFlawIgnored ()

	setIsSecurityFlawIgnored (bool $is_security_flaw_ignored)

	getClientSalt ()

	setClientSalt (?string $client_salt)

	encodePassword (string $raw, string $salt)
	Encodes the raw password. More...

	isPasswordValid (string $encoded, string $raw, string $salt)
	Checks a raw password against an encoded password. More...

	getName ()
	Returns a unique name/id of the concrete password encoder. More...

	requiresSalt ()
	Returns whether the encoder requires a salt. More...

	requiresReencoding (string $encoded)
	Returns whether the encoded password needs to be re-encoded. More...

	getClientSaltLocation ()

Public Member Functions inherited from ilBcryptPhpPasswordEncoder
	__construct (array $config=[])

	benchmarkCost (float $time_target=0.05)

	getName ()
	Returns a unique name/id of the concrete password encoder. More...

	getCosts ()

	setCosts (string $costs)

	encodePassword (string $raw, string $salt)
	Encodes the raw password. More...

	isPasswordValid (string $encoded, string $raw, string $salt)
	Checks a raw password against an encoded password. More...

	requiresReencoding (string $encoded)
	Returns whether the encoded password needs to be re-encoded. More...

Public Member Functions inherited from ilBasePasswordEncoder
	isSupportedByRuntime ()
	Returns whether the encoder is supported by the runtime (PHP, HHVM, ...) More...

	requiresSalt ()
	Returns whether the encoder requires a salt. More...

	requiresReencoding (string $encoded)
	Returns whether the encoded password needs to be re-encoded. More...

	encodePassword (string $raw, string $salt)
	Encodes the raw password. More...

	isPasswordValid (string $encoded, string $raw, string $salt)
	Checks a raw password against an encoded password. More...

	getName ()
	Returns a unique name/id of the concrete password encoder. More...

	requiresSalt ()
	Returns whether the encoder requires a salt. More...

	requiresReencoding (string $encoded)
	Returns whether the encoded password needs to be re-encoded. More...

	isSupportedByRuntime ()
	Returns whether the encoder is supported by the runtime (PHP, HHVM, ...) More...

Data Fields
const	SALT_STORAGE_FILENAME = 'pwsalt.txt'

Protected Member Functions
	init ()

	isBcryptSupported ()

	encode (string $raw, string $userSecret)

	check (string $encoded, string $raw, string $salt)

	init ()

Protected Member Functions inherited from ilBasePasswordEncoder
	comparePasswords (string $knownString, string $userString)
	Compares two passwords. More...

	isPasswordTooLong (string $password)

Private Member Functions
	readClientSalt ()

	generateClientSalt ()

	storeClientSalt ()

Private Attributes
const	MIN_SALT_SIZE = 16

string	$client_salt = null

bool	$is_security_flaw_ignored = false

bool	$backward_compatibility = false

string	$data_directory = ''

Additional Inherited Members
Protected Attributes inherited from ilBcryptPhpPasswordEncoder
string	$costs = '08'

Detailed Description

Definition at line 27 of file class.ilBcryptPasswordEncoder.php.

Constructor & Destructor Documentation

◆ __construct()

ilBcryptPasswordEncoder::__construct ( array $config = [] )

Parameters

array<string,mixed> $config

Exceptions

ilPasswordException

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 44 of file class.ilBcryptPasswordEncoder.php.

    {
        foreach ($config as $key => $value) {
            $key = strtolower($key);
            if ($key === 'ignore_security_flaw') {
                $this->setIsSecurityFlawIgnored($value);
            } elseif ($key === 'data_directory') {
                $this->setDataDirectory($value);
            }
        }
 
        parent::__construct($config);
    }

References $config, ILIAS\LTI\ToolProvider\$key, ILIAS\GlobalScreen\Provider\__construct(), setDataDirectory(), and setIsSecurityFlawIgnored().

Here is the call graph for this function:

Member Function Documentation

◆ check()

ilBcryptPasswordEncoder::check	(	string	$encoded,
		string	$raw,
		string	$salt
	)

protected

Definition at line 189 of file class.ilBcryptPasswordEncoder.php.

                                                                        : bool
    {
        $hashedPassword = hash_hmac(
            'whirlpool',
            str_pad($raw, strlen($raw) * 4, sha1($salt), STR_PAD_BOTH),
            $this->getClientSalt(),
            true
        );
 
        return $this->comparePasswords($encoded, crypt($hashedPassword, substr($encoded, 0, 30)));
    }

References ilBasePasswordEncoder\comparePasswords(), and getClientSalt().

Referenced by isPasswordValid().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ encode()

ilBcryptPasswordEncoder::encode	(	string	$raw,
		string	$userSecret
	)

protected

Check for security flaw in the bcrypt implementation used by crypt()

See also: http://php.net/security/crypt_blowfish.php

Definition at line 148 of file class.ilBcryptPasswordEncoder.php.

                                                              : string
    {
        $clientSecret = $this->getClientSalt();
        $hashedPassword = hash_hmac(
            'whirlpool',
            str_pad($raw, strlen($raw) * 4, sha1($userSecret), STR_PAD_BOTH),
            $clientSecret,
            true
        );
        $salt = substr(
            str_shuffle(str_repeat('./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', 22)),
            0,
            22
        );
 
        if ($this->isBcryptSupported() && !$this->isBackwardCompatibilityEnabled()) {
            $prefix = '$2y$';
        } else {
            $prefix = '$2a$';
            // check if the password contains 8-bit character
            if (!$this->isSecurityFlawIgnored() && preg_match('#[\x80-\xFF]#', $raw)) {
                throw new ilPasswordException(
                    'The bcrypt implementation used by PHP can contain a security flaw ' .
                    'using passwords with 8-bit characters. ' .
                    'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters.'
                );
            }
        }
 
        $saltedPassword = crypt($hashedPassword, $prefix . $this->getCosts() . '$' . $salt);
        if (strlen($saltedPassword) <= 13) {
            throw new ilPasswordException('Error during the bcrypt generation');
        }
 
        return $saltedPassword;
    }

References getClientSalt(), ilBcryptPhpPasswordEncoder\getCosts(), isBackwardCompatibilityEnabled(), isBcryptSupported(), and isSecurityFlawIgnored().

Referenced by encodePassword().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ encodePassword()

ilBcryptPasswordEncoder::encodePassword	(	string	$raw,
		string	$salt
	)

Encodes the raw password.

Parameters

string	$raw	The password to encode
string	$salt	The salt

Returns: string The encoded password

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 111 of file class.ilBcryptPasswordEncoder.php.

                                                             : string
    {
        if (!$this->getClientSalt()) {
            throw new ilPasswordException('Missing client salt.');
        }
 
        if ($this->isPasswordTooLong($raw)) {
            throw new ilPasswordException('Invalid password.');
        }
 
        return $this->encode($raw, $salt);
    }

References encode(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testBackwardCompatibility(), ilBcryptPasswordEncoderTest\testExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabled(), ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfSaltIsMissingIsOnEncoding(), and ilBcryptPasswordEncoderTest\testNoExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ generateClientSalt()

ilBcryptPasswordEncoder::generateClientSalt ( )

private

Definition at line 219 of file class.ilBcryptPasswordEncoder.php.

                                         : void
    {
        $this->setClientSalt(
            substr(str_replace('+', '.', base64_encode(ilPasswordUtils::getBytes(self::MIN_SALT_SIZE))), 0, 22)
        );
    }

References ilPasswordUtils\getBytes(), and setClientSalt().

Referenced by readClientSalt().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getClientSalt()

ilBcryptPasswordEncoder::getClientSalt ( )

Definition at line 101 of file class.ilBcryptPasswordEncoder.php.

                                   : ?string
    {
        return $this->client_salt;
    }

References $client_salt.

Referenced by check(), encode(), encodePassword(), isPasswordValid(), storeClientSalt(), ilBcryptPasswordEncoderTest\testClientSaltIsGeneratedWhenNoClientSaltExistsYet(), and ilBcryptPasswordEncoderTest\testInstanceCanBeCreatedAndInitializedWithClientSalt().

Here is the caller graph for this function:

◆ getClientSaltLocation()

ilBcryptPasswordEncoder::getClientSaltLocation ( )

Definition at line 201 of file class.ilBcryptPasswordEncoder.php.

                                           : string
    {
        return $this->getDataDirectory() . '/' . self::SALT_STORAGE_FILENAME;
    }

References getDataDirectory(), and SALT_STORAGE_FILENAME.

Referenced by readClientSalt(), and storeClientSalt().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getDataDirectory()

ilBcryptPasswordEncoder::getDataDirectory ( )

Definition at line 68 of file class.ilBcryptPasswordEncoder.php.

                                      : string
    {
        return $this->data_directory;
    }

References $data_directory.

Referenced by getClientSaltLocation().

Here is the caller graph for this function:

◆ getName()

ilBcryptPasswordEncoder::getName ( )

Returns a unique name/id of the concrete password encoder.

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 133 of file class.ilBcryptPasswordEncoder.php.

                             : string
    {
        return 'bcrypt';
    }

Referenced by ilBcryptPasswordEncoderTest\testNameShouldBeBcrypt().

Here is the caller graph for this function:

◆ init()

ilBcryptPasswordEncoder::init ( )

protected

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 58 of file class.ilBcryptPasswordEncoder.php.

                             : void
    {
        $this->readClientSalt();
    }

References readClientSalt().

Here is the call graph for this function:

◆ isBackwardCompatibilityEnabled()

ilBcryptPasswordEncoder::isBackwardCompatibilityEnabled ( )

Definition at line 78 of file class.ilBcryptPasswordEncoder.php.

                                                    : bool
    {
        return $this->backward_compatibility;
    }

References $backward_compatibility.

Referenced by encode(), and ilBcryptPasswordEncoderTest\testBackwardCompatibilityCanBeRetrievedWhenBackwardCompatibilityIsSet().

Here is the caller graph for this function:

◆ isBcryptSupported()

ilBcryptPasswordEncoder::isBcryptSupported ( )

protected

Definition at line 63 of file class.ilBcryptPasswordEncoder.php.

                                          : bool
    {
        return PHP_VERSION_ID >= 50307;
    }

Referenced by encode().

Here is the caller graph for this function:

◆ isPasswordValid()

ilBcryptPasswordEncoder::isPasswordValid	(	string	$encoded,
		string	$raw,
		string	$salt
	)

Checks a raw password against an encoded password.

The raw password has to be injected into the encoder instance before.

Parameters

string	$encoded	An encoded password
string	$raw	A raw password
string	$salt	The salt, may be empty

Returns: Boolean true if the password is valid, false otherwise

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 124 of file class.ilBcryptPasswordEncoder.php.

                                                                               : bool
    {
        if (!$this->getClientSalt()) {
            throw new ilPasswordException('Missing client salt.');
        }
 
        return !$this->isPasswordTooLong($raw) && $this->check($encoded, $raw, $salt);
    }

References check(), getClientSalt(), and ilBasePasswordEncoder\isPasswordTooLong().

Referenced by ilBcryptPasswordEncoderTest\testBackwardCompatibility(), and ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfSaltIsMissingIsOnVerification().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ isSecurityFlawIgnored()

ilBcryptPasswordEncoder::isSecurityFlawIgnored ( )

Definition at line 91 of file class.ilBcryptPasswordEncoder.php.

                                           : bool
    {
        return $this->is_security_flaw_ignored;
    }

References $is_security_flaw_ignored.

Referenced by encode().

Here is the caller graph for this function:

◆ readClientSalt()

ilBcryptPasswordEncoder::readClientSalt ( )

private

Definition at line 206 of file class.ilBcryptPasswordEncoder.php.

                                     : void
    {
        if (is_file($this->getClientSaltLocation()) && is_readable($this->getClientSaltLocation())) {
            $contents = file_get_contents($this->getClientSaltLocation());
            if ($contents !== false && trim($contents) !== '') {
                $this->setClientSalt($contents);
            }
        } else {
            $this->generateClientSalt();
            $this->storeClientSalt();
        }
    }

References generateClientSalt(), getClientSaltLocation(), setClientSalt(), and storeClientSalt().

Referenced by init().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ requiresReencoding()

ilBcryptPasswordEncoder::requiresReencoding ( string $encoded )

Returns whether the encoded password needs to be re-encoded.

Reimplemented from ilBcryptPhpPasswordEncoder.

Definition at line 143 of file class.ilBcryptPasswordEncoder.php.

                                                       : bool
    {
        return false;
    }

Referenced by ilBcryptPasswordEncoderTest\testEncoderDoesNotSupportReencoding().

Here is the caller graph for this function:

◆ requiresSalt()

ilBcryptPasswordEncoder::requiresSalt ( )

Returns whether the encoder requires a salt.

Reimplemented from ilBasePasswordEncoder.

Definition at line 138 of file class.ilBcryptPasswordEncoder.php.

                                  : bool
    {
        return true;
    }

Referenced by ilBcryptPasswordEncoderTest\testEncoderReliesOnSalts().

Here is the caller graph for this function:

◆ setBackwardCompatibility()

ilBcryptPasswordEncoder::setBackwardCompatibility ( bool $backward_compatibility )

Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+.

Definition at line 86 of file class.ilBcryptPasswordEncoder.php.

                                                                          : void
    {
        $this->backward_compatibility = $backward_compatibility;
    }

References $backward_compatibility.

Referenced by ilBcryptPasswordEncoderTest\testBackwardCompatibility(), ilBcryptPasswordEncoderTest\testBackwardCompatibilityCanBeRetrievedWhenBackwardCompatibilityIsSet(), ilBcryptPasswordEncoderTest\testExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabled(), and ilBcryptPasswordEncoderTest\testNoExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw().

Here is the caller graph for this function:

◆ setClientSalt()

ilBcryptPasswordEncoder::setClientSalt ( ?string $client_salt )

Definition at line 106 of file class.ilBcryptPasswordEncoder.php.

                                                       : void
    {
        $this->client_salt = $client_salt;
    }

References $client_salt.

Referenced by generateClientSalt(), readClientSalt(), ilBcryptPasswordEncoderTest\testBackwardCompatibility(), ilBcryptPasswordEncoderTest\testExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabled(), ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfSaltIsMissingIsOnEncoding(), ilBcryptPasswordEncoderTest\testExceptionIsRaisedIfSaltIsMissingIsOnVerification(), and ilBcryptPasswordEncoderTest\testNoExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw().

Here is the caller graph for this function:

◆ setDataDirectory()

ilBcryptPasswordEncoder::setDataDirectory ( string $data_directory )

Definition at line 73 of file class.ilBcryptPasswordEncoder.php.

                                                            : void
    {
        $this->data_directory = $data_directory;
    }

References $data_directory.

Referenced by __construct().

Here is the caller graph for this function:

◆ setIsSecurityFlawIgnored()

ilBcryptPasswordEncoder::setIsSecurityFlawIgnored ( bool $is_security_flaw_ignored )

Definition at line 96 of file class.ilBcryptPasswordEncoder.php.

                                                                            : void
    {
        $this->is_security_flaw_ignored = $is_security_flaw_ignored;
    }

References $is_security_flaw_ignored.

Referenced by __construct(), and ilBcryptPasswordEncoderTest\testNoExceptionIfPasswordsContainA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw().

Here is the caller graph for this function:

◆ storeClientSalt()

ilBcryptPasswordEncoder::storeClientSalt ( )

private

Definition at line 226 of file class.ilBcryptPasswordEncoder.php.

                                      : void
    {
        $location = $this->getClientSaltLocation();
 
        set_error_handler(static function (int $severity, string $message, string $file, int $line): void {
            throw new ErrorException($message, $severity, $severity, $file, $line);
        });
 
        try {
            $result = file_put_contents($location, $this->getClientSalt());
            if (!$result) {
                throw new ilPasswordException(sprintf(
                    'Could not store the client salt in: %s. Please contact an administrator.',
                    $location
                ));
            }
        } catch (Exception $e) {
            throw new ilPasswordException(sprintf(
                'Could not store the client salt in: %s. Please contact an administrator.',
                $location
            ));
        } finally {
            restore_error_handler();
        }
    }