1 | <?php |
||
13 | class ElggCrypto { |
||
14 | |||
15 | /** |
||
16 | * Character set for temp passwords (no risk of embedded profanity/glyphs that look similar) |
||
17 | */ |
||
18 | const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789'; |
||
19 | |||
20 | /** |
||
21 | * Character set for hexadecimal |
||
22 | */ |
||
23 | const CHARS_HEX = '0123456789abcdef'; |
||
24 | |||
25 | /** |
||
26 | * @var SiteSecret |
||
27 | */ |
||
28 | private $site_secret; |
||
29 | |||
30 | /** |
||
31 | * Constructor |
||
32 | * |
||
33 | * @param SiteSecret $site_secret Secret service |
||
34 | */ |
||
35 | 122 | public function __construct(SiteSecret $site_secret = null) { |
|
38 | |||
39 | /** |
||
40 | * Generate a string of highly randomized bytes (over the full 8-bit range). |
||
41 | * |
||
42 | * @param int $length Number of bytes needed |
||
43 | * @return string Random bytes |
||
44 | * |
||
45 | * @author George Argyros <[email protected]> |
||
46 | * @copyright 2012, George Argyros. All rights reserved. |
||
47 | * @license Modified BSD |
||
48 | * @link https://github.com/GeorgeArgyros/Secure-random-bytes-in-PHP/blob/master/srand.php Original |
||
49 | * |
||
50 | * Redistribution and use in source and binary forms, with or without |
||
51 | * modification, are permitted provided that the following conditions are met: |
||
52 | * * Redistributions of source code must retain the above copyright |
||
53 | * notice, this list of conditions and the following disclaimer. |
||
54 | * * Redistributions in binary form must reproduce the above copyright |
||
55 | * notice, this list of conditions and the following disclaimer in the |
||
56 | * documentation and/or other materials provided with the distribution. |
||
57 | * * Neither the name of the <organization> nor the |
||
58 | * names of its contributors may be used to endorse or promote products |
||
59 | * derived from this software without specific prior written permission. |
||
60 | * |
||
61 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND |
||
62 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
||
63 | * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
||
64 | * DISCLAIMED. IN NO EVENT SHALL GEORGE ARGYROS BE LIABLE FOR ANY |
||
65 | * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES |
||
66 | * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
||
67 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND |
||
68 | * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
||
69 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
||
70 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
||
71 | */ |
||
72 | 337 | public function getRandomBytes($length) { |
|
192 | |||
193 | /** |
||
194 | * Get an HMAC token builder/validator object |
||
195 | * |
||
196 | * @param mixed $data HMAC data or serializable data |
||
197 | * @param string $algo Hash algorithm |
||
198 | * @param string $key Optional key (default uses site secret) |
||
199 | * |
||
200 | * @return \Elgg\Security\Hmac |
||
201 | */ |
||
202 | 59 | public function getHmac($data, $algo = 'sha256', $key = '') { |
|
208 | |||
209 | /** |
||
210 | * Generate a random string of specified length. |
||
211 | * |
||
212 | * Uses supplied character list for generating the new string. |
||
213 | * If no character list provided - uses Base64 URL character set. |
||
214 | * |
||
215 | * @param int $length Desired length of the string |
||
216 | * @param string|null $chars Characters to be chosen from randomly. If not given, the Base64 URL |
||
217 | * charset will be used. |
||
218 | * |
||
219 | * @return string The random string |
||
220 | * |
||
221 | * @throws InvalidArgumentException |
||
222 | * |
||
223 | * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com) |
||
224 | * @license http://framework.zend.com/license/new-bsd New BSD License |
||
225 | * |
||
226 | * @see https://github.com/zendframework/zf2/blob/master/library/Zend/Math/Rand.php#L179 |
||
227 | */ |
||
228 | 341 | public function getRandomString($length, $chars = null) { |
|
264 | |||
265 | /** |
||
266 | * Are two strings equal (compared in constant time)? |
||
267 | * |
||
268 | * @param string $str1 First string to compare |
||
269 | * @param string $str2 Second string to compare |
||
270 | * |
||
271 | * @return bool |
||
272 | * |
||
273 | * Based on password_verify in PasswordCompat |
||
274 | * @author Anthony Ferrara <[email protected]> |
||
275 | * @license http://www.opensource.org/licenses/mit-license.html MIT License |
||
276 | * @copyright 2012 The Authors |
||
277 | */ |
||
278 | 50 | public function areEqual($str1, $str2) { |
|
292 | |||
293 | /** |
||
294 | * Count the number of bytes in a string |
||
295 | * |
||
296 | * We cannot simply use strlen() for this, because it might be overwritten by the mbstring extension. |
||
297 | * In this case, strlen() will count the number of *characters* based on the internal encoding. A |
||
298 | * sequence of bytes might be regarded as a single multibyte character. |
||
299 | * |
||
300 | * Use elgg_strlen() to count UTF-characters instead of bytes. |
||
301 | * |
||
302 | * @param string $binary_string The input string |
||
303 | * |
||
304 | * @return int The number of bytes |
||
305 | * |
||
306 | * From PasswordCompat\binary\_strlen |
||
307 | * @author Anthony Ferrara <[email protected]> |
||
308 | * @license http://www.opensource.org/licenses/mit-license.html MIT License |
||
309 | * @copyright 2012 The Authors |
||
310 | */ |
||
311 | 50 | protected function strlen($binary_string) { |
|
317 | } |
||
318 |
Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: