Commit c5a3cd51 by Alexander Makarov

Security component adjustments: fixed comment style, hkdf() and pbkdf2() are now…

Security component adjustments: fixed comment style, hkdf() and pbkdf2() are now protected, compareString() is now public
parent 2c5c2c10
...@@ -44,20 +44,30 @@ class Security extends Component ...@@ -44,20 +44,30 @@ class Security extends Component
*/ */
public $passwordHashStrategy = 'crypt'; public $passwordHashStrategy = 'crypt';
// AES has 128-bit block size and three key sizes: 128, 192 and 256 bits. /**
// mcrypt offers the Rijndael cipher with block sizes of 128, 192 and 256 * AES has 128-bit block size and three key sizes: 128, 192 and 256 bits.
// bits but only the 128-bit Rijndael is standardized in AES. * mcrypt offers the Rijndael cipher with block sizes of 128, 192 and 256
// So to use AES in mycrypt, specify `'rijndael-128'` cipher and mcrypt * bits but only the 128-bit Rijndael is standardized in AES.
// chooses the appropriate AES based on the length of the supplied key. * So to use AES in mycrypt, specify `'rijndael-128'` cipher and mcrypt
* chooses the appropriate AES based on the length of the supplied key.
*/
const MCRYPT_CIPHER = 'rijndael-128'; const MCRYPT_CIPHER = 'rijndael-128';
const MCRYPT_MODE = 'cbc'; const MCRYPT_MODE = 'cbc';
// Same size for encryption keys, auth keys and KDF salt /**
* Same size for encryption keys, auth keys and KDF salt
*/
const KEY_SIZE = 16; const KEY_SIZE = 16;
// Hash algorithm for key derivation. /**
* Hash algorithm for key derivation.
*/
const KDF_HASH = 'sha256'; const KDF_HASH = 'sha256';
// Hash algorithm for authentication. /**
* Hash algorithm for authentication.
*/
const MAC_HASH = 'sha256'; const MAC_HASH = 'sha256';
// HKDF info value for auth keys /**
* HKDF info value for auth keys
*/
const AUTH_KEY_INFO = 'AuthorizationKey'; const AUTH_KEY_INFO = 'AuthorizationKey';
private $_cryptModule; private $_cryptModule;
...@@ -282,7 +292,7 @@ class Security extends Component ...@@ -282,7 +292,7 @@ class Security extends Component
* @throws InvalidParamException * @throws InvalidParamException
* @return string the derived key * @return string the derived key
*/ */
public function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0) protected function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0)
{ {
$test = @hash_hmac($algo, '', '', true); $test = @hash_hmac($algo, '', '', true);
if (!$test) { if (!$test) {
...@@ -329,7 +339,7 @@ class Security extends Component ...@@ -329,7 +339,7 @@ class Security extends Component
* @throws InvalidParamException * @throws InvalidParamException
* @return string the derived key * @return string the derived key
*/ */
public function pbkdf2($algo, $password, $salt, $iterations, $length = 0) protected function pbkdf2($algo, $password, $salt, $iterations, $length = 0)
{ {
if (function_exists('hash_pbkdf2')) { if (function_exists('hash_pbkdf2')) {
$outputKey = hash_pbkdf2($algo, $password, $salt, $iterations, $length, true); $outputKey = hash_pbkdf2($algo, $password, $salt, $iterations, $length, true);
...@@ -599,7 +609,7 @@ class Security extends Component ...@@ -599,7 +609,7 @@ class Security extends Component
* @param string $actual string to compare. * @param string $actual string to compare.
* @return boolean whether strings are equal. * @return boolean whether strings are equal.
*/ */
protected function compareString($expected, $actual) public function compareString($expected, $actual)
{ {
// timing attack resistant approach: // timing attack resistant approach:
$length = StringHelper::byteLength($expected); $length = StringHelper::byteLength($expected);
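Review bot: With `compareString()` now public in the last hunk, its docblock should state the contract that callers outside the class rely on, namely which argument is the trusted value and what the comparison does not hide. The visible body takes its length from `$expected` (`StringHelper::byteLength($expected)`), so argument order presumably matters for the timing property; the rest of the body is outside the hunk, so confirm this there. Once confirmed, I would add a line such as `Pass the known-good value as $expected and the user-supplied value as $actual; the comparison hides where the strings differ, not how long they are.` It may also be worth delegating to the built-in where it exists, in the same way `pbkdf2()` checks `function_exists('hash_pbkdf2')`: `if (function_exists('hash_equals')) { return hash_equals($expected, $actual); }`, keeping in mind that `hash_equals()` expects both arguments to be strings.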
......
<?php
namespace yiiunit\framework\base;
use yii\base\Security;
/**
* ExposedSecurity exposes protected methods for direct testing
*/
class ExposedSecurity extends Security
{
/**
* @inheritdoc
*/
public function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0)
{
return parent::hkdf($algo, $inputKey, $salt, $info, $length);
}
/**
* @inheritdoc
*/
public function pbkdf2($algo, $password, $salt, $iterations, $length = 0)
{
return parent::pbkdf2($algo, $password, $salt, $iterations, $length);
}
}
\ No newline at end of file
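Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which PSR-2 asks for and which keeps later diffs of this file clean; add a line break after the closing `}`. The class docblock could also state that the subclass is meant for the test suite only, since it makes the key-derivation helpers public again, for example `ExposedSecurity exposes protected methods for direct testing; for use in tests only.`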
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
namespace yiiunit\framework\base; namespace yiiunit\framework\base;
use yiiunit\TestCase; use yiiunit\TestCase;
use yii\base\Security;
/** /**
* @group base * @group base
...@@ -16,14 +15,14 @@ use yii\base\Security; ...@@ -16,14 +15,14 @@ use yii\base\Security;
class SecurityTest extends TestCase class SecurityTest extends TestCase
{ {
/** /**
* @var Security * @var ExposedSecurity
*/ */
protected $security; protected $security;
protected function setUp() protected function setUp()
{ {
parent::setUp(); parent::setUp();
$this->security = new Security(); $this->security = new ExposedSecurity();
$this->security->derivationIterations = 1000; // speed up test running $this->security->derivationIterations = 1000; // speed up test running
} }
......