From a415c29efee45520ae252d2aa28f1083a521cd7b Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Wed, 17 Apr 2024 09:56:49 +0200
Subject: Adding upstream version 6.4.3+dfsg1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 wp-includes/class-wp-recovery-mode-key-service.php | 192 +++++++++++++++++++++
 1 file changed, 192 insertions(+)
 create mode 100644 wp-includes/class-wp-recovery-mode-key-service.php

(limited to 'wp-includes/class-wp-recovery-mode-key-service.php')

diff --git a/wp-includes/class-wp-recovery-mode-key-service.php b/wp-includes/class-wp-recovery-mode-key-service.php
new file mode 100644
index 0000000..73713ca
--- /dev/null
+++ b/wp-includes/class-wp-recovery-mode-key-service.php
@@ -0,0 +1,192 @@
+<?php
+/**
+ * Error Protection API: WP_Recovery_Mode_Key_Service class
+ *
+ * @package WordPress
+ * @since 5.2.0
+ */
+
+/**
+ * Core class used to generate and validate keys used to enter Recovery Mode.
+ *
+ * @since 5.2.0
+ */
+#[AllowDynamicProperties]
+final class WP_Recovery_Mode_Key_Service {
+
+	/**
+	 * The option name used to store the keys.
+	 *
+	 * @since 5.2.0
+	 * @var string
+	 */
+	private $option_name = 'recovery_keys';
+
+	/**
+	 * Creates a recovery mode token.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @return string A random string to identify its associated key in storage.
+	 */
+	public function generate_recovery_mode_token() {
+		return wp_generate_password( 22, false );
+	}
+
+	/**
+	 * Creates a recovery mode key.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @global PasswordHash $wp_hasher
+	 *
+	 * @param string $token A token generated by {@see generate_recovery_mode_token()}.
+	 * @return string Recovery mode key.
+	 */
+	public function generate_and_store_recovery_mode_key( $token ) {
+
+		global $wp_hasher;
+
+		$key = wp_generate_password( 22, false );
+
+		if ( empty( $wp_hasher ) ) {
+			require_once ABSPATH . WPINC . '/class-phpass.php';
+			$wp_hasher = new PasswordHash( 8, true );
+		}
+
+		$hashed = $wp_hasher->HashPassword( $key );
+
+		$records = $this->get_keys();
+
+		$records[ $token ] = array(
+			'hashed_key' => $hashed,
+			'created_at' => time(),
+		);
+
+		$this->update_keys( $records );
+
+		/**
+		 * Fires when a recovery mode key is generated.
+		 *
+		 * @since 5.2.0
+		 *
+		 * @param string $token The recovery data token.
+		 * @param string $key   The recovery mode key.
+		 */
+		do_action( 'generate_recovery_mode_key', $token, $key );
+
+		return $key;
+	}
+
+	/**
+	 * Verifies if the recovery mode key is correct.
+	 *
+	 * Recovery mode keys can only be used once; the key will be consumed in the process.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @global PasswordHash $wp_hasher
+	 *
+	 * @param string $token The token used when generating the given key.
+	 * @param string $key   The unhashed key.
+	 * @param int    $ttl   Time in seconds for the key to be valid for.
+	 * @return true|WP_Error True on success, error object on failure.
+	 */
+	public function validate_recovery_mode_key( $token, $key, $ttl ) {
+		global $wp_hasher;
+
+		$records = $this->get_keys();
+
+		if ( ! isset( $records[ $token ] ) ) {
+			return new WP_Error( 'token_not_found', __( 'Recovery Mode not initialized.' ) );
+		}
+
+		$record = $records[ $token ];
+
+		$this->remove_key( $token );
+
+		if ( ! is_array( $record ) || ! isset( $record['hashed_key'], $record['created_at'] ) ) {
+			return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
+		}
+
+		if ( empty( $wp_hasher ) ) {
+			require_once ABSPATH . WPINC . '/class-phpass.php';
+			$wp_hasher = new PasswordHash( 8, true );
+		}
+
+		if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
+			return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
+		}
+
+		if ( time() > $record['created_at'] + $ttl ) {
+			return new WP_Error( 'key_expired', __( 'Recovery key expired.' ) );
+		}
+
+		return true;
+	}
+
+	/**
+	 * Removes expired recovery mode keys.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @param int $ttl Time in seconds for the keys to be valid for.
+	 */
+	public function clean_expired_keys( $ttl ) {
+
+		$records = $this->get_keys();
+
+		foreach ( $records as $key => $record ) {
+			if ( ! isset( $record['created_at'] ) || time() > $record['created_at'] + $ttl ) {
+				unset( $records[ $key ] );
+			}
+		}
+
+		$this->update_keys( $records );
+	}
+
+	/**
+	 * Removes a used recovery key.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @param string $token The token used when generating a recovery mode key.
+	 */
+	private function remove_key( $token ) {
+
+		$records = $this->get_keys();
+
+		if ( ! isset( $records[ $token ] ) ) {
+			return;
+		}
+
+		unset( $records[ $token ] );
+
+		$this->update_keys( $records );
+	}
+
+	/**
+	 * Gets the recovery key records.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @return array Associative array of $token => $data pairs, where $data has keys 'hashed_key'
+	 *               and 'created_at'.
+	 */
+	private function get_keys() {
+		return (array) get_option( $this->option_name, array() );
+	}
+
+	/**
+	 * Updates the recovery key records.
+	 *
+	 * @since 5.2.0
+	 *
+	 * @param array $keys Associative array of $token => $data pairs, where $data has keys 'hashed_key'
+	 *                    and 'created_at'.
+	 * @return bool True on success, false on failure.
+	 */
+	private function update_keys( array $keys ) {
+		return update_option( $this->option_name, $keys );
+	}
+}
-- 
cgit v1.2.3