1 | <?php |
||
2 | |||
3 | /** |
||
4 | * Cryptographic services |
||
5 | * |
||
6 | * @access private |
||
7 | */ |
||
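class ElggCrypto {

	/**
	 * Character set for temp passwords (no risk of embedded profanity/glyphs that look similar)
	 *
	 * 28 characters; note that 256 is not a multiple of 28, which is why getRandomString()
	 * must not map raw bytes onto this alphabet with a modulo.
	 */
	const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';

	/**
	 * Character set for hexadecimal (lower case)
	 */
	const CHARS_HEX = '0123456789abcdef';

	/**
	 * Generate a random string of specified length.
	 *
	 * Uses supplied character list for generating the new string.
	 * If no character list provided - uses Base64 URL character set.
	 *
	 * All three code paths draw from the CSPRNG (random_bytes()/random_int()); the
	 * custom-alphabet path selects every position with random_int(), so each
	 * character of $chars is equally likely regardless of the alphabet size.
	 *
	 * @param int         $length Desired length of the string (cast to int; must be >= 1)
	 * @param string|null $chars  Characters to be chosen from randomly. If null or '',
	 *                            the Base64 URL charset will be used. A single-character
	 *                            list (including '0') is simply repeated.
	 *
	 * @return string The random string, exactly $length bytes long
	 *
	 * @throws InvalidArgumentException If $length is less than 1
	 * @throws Exception                If no secure source of randomness is available
	 *
	 * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
	 * @license http://framework.zend.com/license/new-bsd New BSD License
	 *
	 * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179
	 */
	public function getRandomString($length, $chars = null) {
		// Normalise once: a float or numeric-string length would otherwise be rounded
		// differently by random_bytes(), substr() and the loop below.
		$length = (int) $length;
		if ($length < 1) {
			throw new \InvalidArgumentException('Length should be >= 1');
		}

		// Strict emptiness test: empty() would also treat the one-character list '0'
		// as "no list given" and silently return a Base64 string instead.
		$chars = ($chars === null) ? '' : (string) $chars;

		if ($chars === '') {
			// Each Base64 character carries 6 bits, so ceil(0.75 * $length) bytes
			// (>= 6 * $length bits) always yield at least $length fully random
			// characters ahead of the '=' padding.
			$numBytes = (int) ceil($length * 0.75);
			$bytes = random_bytes($numBytes);
			$string = substr(rtrim(base64_encode($bytes), '='), 0, $length);

			// Base64 URL alphabet (RFC 4648 section 5)
			return strtr($string, '+/', '-_');
		}

		if ($chars === self::CHARS_HEX) {
			// Two hex digits per byte; bin2hex() is uniform over the 16-symbol alphabet.
			$bytes = random_bytes((int) ceil($length / 2));
			return substr(bin2hex($bytes), 0, $length);
		}

		$listLen = strlen($chars);

		if ($listLen === 1) {
			return str_repeat($chars, $length);
		}

		// random_int() returns a uniformly distributed index in [0, $listLen - 1].
		// The previous ($pos + byte) % $listLen scheme was biased towards the first
		// (256 mod $listLen) symbols whenever 256 is not a multiple of $listLen,
		// e.g. for the 28-character CHARS_PASSWORD alphabet.
		$result = '';
		for ($i = 0; $i < $length; $i++) {
			$result .= $chars[random_int(0, $listLen - 1)];
		}

		return $result;
	}

	/**
	 * Are two strings equal (compared in constant time)?
	 *
	 * Delegates to hash_equals(), the engine's timing-safe comparison. As with the
	 * original hand-rolled loop, strings of different length return false without a
	 * byte-wise comparison, so the length of $str1 is the only thing timing can reveal.
	 *
	 * @param string $str1 First string to compare (the known/expected value)
	 * @param string $str2 Second string to compare (the user-supplied value)
	 *
	 * @return bool
	 *
	 * Originally based on password_verify in PasswordCompat
	 * @author Anthony Ferrara <[email protected]>
	 * @license http://www.opensource.org/licenses/mit-license.html MIT License
	 * @copyright 2012 The Authors
	 */
	public function areEqual($str1, $str2) {
		// Casting keeps the historical tolerance for scalar (non-string) arguments;
		// hash_equals() itself only accepts strings.
		return hash_equals((string) $str1, (string) $str2);
	}

	/**
	 * Count the number of bytes in a string
	 *
	 * We cannot simply use strlen() for this, because it might be overwritten by the mbstring extension.
	 * In this case, strlen() will count the number of *characters* based on the internal encoding. A
	 * sequence of bytes might be regarded as a single multibyte character.
	 *
	 * Use elgg_strlen() to count UTF-characters instead of bytes.
	 *
	 * Retained for subclasses; areEqual() no longer needs it because hash_equals()
	 * compares raw bytes itself.
	 *
	 * @param string $binary_string The input string
	 *
	 * @return int The number of bytes
	 *
	 * From PasswordCompat\binary\_strlen
	 * @author Anthony Ferrara <[email protected]>
	 * @license http://www.opensource.org/licenses/mit-license.html MIT License
	 * @copyright 2012 The Authors
	 */
	protected function strlen($binary_string) {
		if (function_exists('mb_strlen')) {
			// '8bit' forces a byte count even when mbstring overloads strlen()
			return mb_strlen($binary_string, '8bit');
		}
		return strlen($binary_string);
	}
}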
||
129 |