EE_Encryption - Code Metrics - Inspection of "Daily Inspection: Merge branch 'FET-10768-extract-..." - eventespresso/event-espresso-core - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Branch — FET-10766-extract-activation-d... (a86901)

unknown

created 2017-07-01 21:20 UTC

EE_Encryption C

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	668
Duplicated Lines	1.2 %

Coupling/Cohesion

Components	2
Dependencies	0

Importance

Changes

Metric	Value
dl	8
loc	668
rs	5.1505
c	0
b	0
f	0
wmc	79
lcom	2
cbo	0

21 Methods

Rating	Name	Duplication	Size	Complexity
B	__construct()	0	14	5
A	instance()	0	8	2
A	get_encryption_key()	0	18	3
A	encrypt()	0	13	3
A	decrypt()	0	14	3
A	base64_string_encode()	0	9	3
A	base64_string_decode()	0	9	3
A	base64_url_encode()	0	11	3
A	base64_url_decode()	0	11	3
B	openssl_encrypt()	0	34	5
B	openssl_decrypt()	0	30	5
A	getDigestHashValue()	0	7	2
B	getCipherMethod()	0	16	5
B	getAvailableCipherMethod()	0	31	4
A	getDigestMethod()	0	16	3
B	acme_encrypt()	4	25	5
C	acme_decrypt()	4	32	7
B	valid_base_64()	0	18	5
A	generate_random_string()	0	10	2
B	m_encrypt()	0	28	4
B	m_decrypt()	0	29	4

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like EE_Encryption often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use EE_Encryption, and based on these observations, apply Extract Interface, too.

<?php
defined('EVENT_ESPRESSO_VERSION') || exit('No direct script access allowed');



/**
 * EE_Encryption class
 * class for applying low-grade string encryption/decryption
 * really only good for hiding content from simple bots and script kiddies
 * but better for solving encoding issues with databases
 *
 * @package    Event Espresso
 * @subpackage includes/functions
 * @author     Brent Christensen
 */
class EE_Encryption
{

    /**
     * key used for saving the encryption key to the wp_options table
     */
    const ENCRYPTION_OPTION_KEY = 'ee_encryption_key';

    /**
     * the OPENSSL cipher method used
     */
    const OPENSSL_CIPHER_METHOD = 'AES-128-CBC';

    /**
     * WP "options_name" used to store a verified available cipher method
     */
    const OPENSSL_CIPHER_METHOD_OPTION_NAME = 'ee_openssl_cipher_method';

    /**
     * the OPENSSL digest method used
     */
    const OPENSSL_DIGEST_METHOD = 'sha512';

    /**
     * separates the encrypted text from the initialization vector
     */
    const OPENSSL_IV_DELIMITER = ':iv:';

    /**
     * appended to text encrypted using the acme encryption
     */
    const ACME_ENCRYPTION_FLAG = '::ae';



    /**
     * instance of the EE_Encryption object
     */
    protected static $_instance;

    /**
     * @var string $_encryption_key
     */
    protected $_encryption_key;

    /**
     * @var string $cipher_method
     */
    private $cipher_method = '';

    /**
     * @var array $cipher_methods
     */
    private $cipher_methods = array();

    /**
     * @var array $digest_methods
     */
    private $digest_methods = array();

    /**
     * @var boolean $_use_openssl_encrypt
     */
    protected $_use_openssl_encrypt = false;

    /**
     * @var boolean $_use_mcrypt
     */
    protected $_use_mcrypt = false;

    /**
     * @var boolean $_use_base64_encode
     */
    protected $_use_base64_encode = false;



    /**
     * protected constructor to prevent direct creation
     */
    protected function __construct()
    {
        if (! defined('ESPRESSO_ENCRYPT')) {
            define('ESPRESSO_ENCRYPT', true);
        }
        if (extension_loaded('openssl')) {
            $this->_use_openssl_encrypt = true;
        } else if (extension_loaded('mcrypt')) {
            $this->_use_mcrypt = true;
        }
        if (function_exists('base64_encode')) {
            $this->_use_base64_encode = true;
        }
    }



    /**
     * singleton method used to instantiate class object
     *
     * @return EE_Encryption
     */
    public static function instance()
    {
        // check if class object is instantiated
        if (! self::$_instance instanceof EE_Encryption) {
            self::$_instance = new self();
        }
        return self::$_instance;
    }



    /**
     * get encryption key
     *
     * @return string
     */
    public function get_encryption_key()
    {
        // if encryption key has not been set
        if (empty($this->_encryption_key)) {
            // retrieve encryption_key from db
            $this->_encryption_key = get_option(EE_Encryption::ENCRYPTION_OPTION_KEY, '');
            // WHAT?? No encryption_key in the db ??
            if ($this->_encryption_key === '') {
                // let's make one. And md5 it to make it just the right size for a key
                $new_key = md5($this->generate_random_string());
                // now save it to the db for later
                add_option(EE_Encryption::ENCRYPTION_OPTION_KEY, $new_key);
                // here's the key - FINALLY !
                $this->_encryption_key = $new_key;
            }
        }
        return $this->_encryption_key;
    }



    /**
     * encrypts data
     *
     * @param string $text_string - the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    public function encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        if ($this->_use_openssl_encrypt) {
            $encrypted_text = $this->openssl_encrypt($text_string);
        } else {
            $encrypted_text = $this->acme_encrypt($text_string);
        }
        return $encrypted_text;
    }



    /**
     * decrypts data
     *
     * @param string $encrypted_text - the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    public function decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // if PHP's mcrypt functions are installed then we'll use them
        if ($this->_use_openssl_encrypt) {
            $decrypted_text = $this->openssl_decrypt($encrypted_text);
        } else {
            $decrypted_text = $this->acme_decrypt($encrypted_text);
        }
        return $decrypted_text;
    }



    /**
     * encodes string with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $text_string the text to be encoded
     * @return string
     */
    public function base64_string_encode($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string) || ! $this->_use_base64_encode) {
            return $text_string;
        }
        // encode
        return base64_encode($text_string);
    }



    /**
     * decodes string that has been encoded with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $encoded_string the text to be decoded
     * @return string
     */
    public function base64_string_decode($encoded_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encoded_string) || ! $this->valid_base_64($encoded_string)) {
            return $encoded_string;
        }
        // decode
        return base64_decode($encoded_string);
    }



    /**
     * encodes  url string with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $text_string the text to be encoded
     * @return string
     */
    public function base64_url_encode($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string) || ! $this->_use_base64_encode) {
            return $text_string;
        }
        // encode
        $encoded_string = base64_encode($text_string);
        // remove chars to make encoding more URL friendly
        return strtr($encoded_string, '+/=', '-_,');
    }



    /**
     * decodes  url string that has been encoded with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $encoded_string the text to be decoded
     * @return string
     */
    public function base64_url_decode($encoded_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encoded_string) || ! $this->valid_base_64($encoded_string)) {
            return $encoded_string;
        }
        // replace previously removed characters
        $encoded_string = strtr($encoded_string, '-_,', '+/=');
        // decode
        return base64_decode($encoded_string);
    }



    /**
     * encrypts data using PHP's openssl functions
     *
     * @param string $text_string the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    protected function openssl_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        $this->cipher_method = $this->getCipherMethod();
        // get initialization vector size
        $iv_size = openssl_cipher_iv_length($this->cipher_method);
        // generate initialization vector.
        // The second parameter ("crypto_strong") is passed by reference,
        // and is used to determines if the algorithm used was "cryptographically strong"
        // openssl_random_pseudo_bytes() will toggle it to either true or false
        $iv = openssl_random_pseudo_bytes($iv_size, $is_strong);
        if ($iv === false || $is_strong === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate OpenSSL initialization vector.', 'event_espresso')
            );
        }
        // encrypt it
        $encrypted_text = openssl_encrypt(
            $text_string,
            $this->cipher_method,
            $this->getDigestHashValue(),
            0,
            $iv
        );
        // append the initialization vector
        $encrypted_text .= EE_Encryption::OPENSSL_IV_DELIMITER . $iv;
        // trim and maybe encode
        return $this->_use_base64_encode
            ? trim(base64_encode($encrypted_text))
            : trim($encrypted_text);
    }



    /**
     * Returns a cipher method that has been verified to work.
     * First checks if the cached cipher has been set already and if so, returns that.
     * Then tests the incoming default and returns that if it's good.
     * If not, then it retrieves the previously tested and saved cipher method.
     * But if that doesn't exist, then calls getAvailableCipherMethod()
     * to see what is available on the server, and returns the results.
     *
     * @param string $cipher_method
     * @return string
     * @throws RuntimeException
     */
    protected function getCipherMethod($cipher_method = EE_Encryption::OPENSSL_CIPHER_METHOD)
    {
        if($this->cipher_method !== ''){
            return $this->cipher_method;
        }
        // verify that the default cipher method can produce an initialization vector
        if (openssl_cipher_iv_length($cipher_method) === false) {
            // nope? okay let's get what we found in the past to work
            $cipher_method = get_option(EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME, '');
            // oops... haven't tested available cipher methods yet
            if($cipher_method === '' || openssl_cipher_iv_length($cipher_method) === false) {
                $cipher_method = $this->getAvailableCipherMethod($cipher_method);
            }
        }
        return $cipher_method;
    }



    /**
     * @param string $cipher_method
     * @return string
     * @throws \RuntimeException
     */
    protected function getAvailableCipherMethod($cipher_method)
    {
        // verify that the incoming cipher method can produce an initialization vector
        if (openssl_cipher_iv_length($cipher_method) === false) {
            // nope? then check the next cipher in the list of available cipher methods
            $cipher_method = next($this->cipher_methods);
            // what? there's no list? then generate that list and cache it,
            if (empty($this->cipher_methods)) {
                $this->cipher_methods = openssl_get_cipher_methods();
                // then grab the first item from the list
                $cipher_method = reset($this->cipher_methods);
            }
            if($cipher_method === false){
                throw new RuntimeException(
                    esc_html__(
                        'OpenSSL support appears to be enabled on the server, but no cipher methods are available. Please contact the server administrator.',
                        'event_espresso'
                    )
                );
            }
            // verify that the next cipher method works
            return $this->getAvailableCipherMethod($cipher_method);
        }
        // if we've gotten this far, then we found an available cipher method that works
        // so save that for next time
        update_option(
            EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME,
            $cipher_method
        );
        return $cipher_method;
    }



    /**
     * decrypts data that has been encrypted with PHP's openssl functions
     *
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function openssl_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        $encrypted_components = explode(
            EE_Encryption::OPENSSL_IV_DELIMITER,
            $encrypted_text,
            2
        );
        // check that iv exists, and if not, maybe text was encoded using mcrypt?
        if ($this->_use_mcrypt && ! isset($encrypted_components[1])) {
            return $this->m_decrypt($encrypted_text);

        }
        // decrypt it
        $decrypted_text = openssl_decrypt(
            $encrypted_components[0],
            $this->getCipherMethod(),
            $this->getDigestHashValue(),
            0,
            $encrypted_components[1]
        );
        $decrypted_text = trim($decrypted_text);
        return $decrypted_text;
    }



    /**
     * Computes the digest hash value using the specified digest method.
     * If that digest method fails to produce a valid hash value,
     * then we'll grab the next digest method and recursively try again until something works.
     *
     * @param string $digest_method
     * @return string
     * @throws RuntimeException
     */
    protected function getDigestHashValue($digest_method = EE_Encryption::OPENSSL_DIGEST_METHOD){
        $digest_hash_value = openssl_digest($this->get_encryption_key(), $digest_method);
        if ($digest_hash_value === false) {
            return $this->getDigestHashValue($this->getDigestMethod());
        }
        return $digest_hash_value;
    }



    /**
     * Returns the NEXT element in the $digest_methods array.
     * If the $digest_methods array is empty, then we populate it
     * with the available values returned from openssl_get_md_methods().
     *
     * @return string
     * @throws \RuntimeException
     */
    protected function getDigestMethod(){
        $digest_method = prev($this->digest_methods);
        if (empty($this->digest_methods)) {
            $this->digest_methods = openssl_get_md_methods();
            $digest_method = end($this->digest_methods);
        }
        if ($digest_method === false) {
            throw new RuntimeException(
                esc_html__(
                    'OpenSSL support appears to be enabled on the server, but no digest methods are available. Please contact the server administrator.',
                    'event_espresso'
                )
            );
        }
        return $digest_method;
    }


    /**
     * encrypts data for acme servers that didn't bother to install PHP mcrypt
     *
     * @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
     * @param string $text_string the text to be decrypted
     * @return string
     */
    protected function acme_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        $key_bits = str_split(
            str_pad(
                '',
                strlen($text_string),
                $this->get_encryption_key(),
                STR_PAD_RIGHT
            )
        );
        $string_bits = str_split($text_string);
        foreach ($string_bits as $k => $v) {
            $temp = ord($v) + ord($key_bits[$k]);
            $string_bits[$k] = chr($temp > 255 ? ($temp - 256) : $temp);
        }
        $encrypted_text = implode('', $string_bits);
        $encrypted_text .= EE_Encryption::ACME_ENCRYPTION_FLAG;
        return $this->_use_base64_encode
            ? base64_encode($encrypted_text)
            : $encrypted_text;
    }



    /**
     * decrypts data for acme servers that didn't bother to install PHP mcrypt
     *
     * @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function acme_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode the data ?
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        if (
            $this->_use_mcrypt
            && strpos($encrypted_text, EE_Encryption::ACME_ENCRYPTION_FLAG) === false
        ){
            return $this->m_decrypt($encrypted_text);

        }
        $encrypted_text = substr($encrypted_text, 0, -4);
        $key_bits = str_split(
            str_pad(
                '',
                strlen($encrypted_text),
                $this->get_encryption_key(),
                STR_PAD_RIGHT
            )
        );
        $string_bits = str_split($encrypted_text);
        foreach ($string_bits as $k => $v) {
            $temp = ord($v) - ord($key_bits[$k]);
            $string_bits[$k] = chr($temp < 0 ? ($temp + 256) : $temp);
        }
        return implode('', $string_bits);
    }



    /**
     * @see http://stackoverflow.com/questions/2556345/detect-base64-encoding-in-php#30231906
     * @param $string
     * @return bool
     */
    protected function valid_base_64($string)
    {
        // ensure data is a string
        if (! is_string($string) || ! $this->_use_base64_encode) {
            return false;
        }
        $decoded = base64_decode($string, true);
        // Check if there is no invalid character in string
        if (! preg_match('/^[a-zA-Z0-9\/\r\n+]*={0,2}$/', $string)) {
            return false;
        }
        // Decode the string in strict mode and send the response
        if (! base64_decode($string, true)) {
            return false;
        }
        // Encode and compare it to original one
        return base64_encode($decoded) === $string;
    }



    /**
     * generate random string
     *
     * @see http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
     * @param int $length number of characters for random string
     * @return string
     */
    public function generate_random_string($length = 40)
    {
        $iterations = ceil($length / 40);
        $random_string = '';
        for ($i = 0; $i < $iterations; $i++) {
            $random_string .= sha1(microtime(true) . mt_rand(10000, 90000));
        }
        $random_string = substr($random_string, 0, $length);
        return $random_string;
    }



    /**
     * encrypts data using PHP's mcrypt functions
     *
     * @deprecated 4.9.39
     * @param string $text_string
     * @internal   param $string - the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    protected function m_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        // get the initialization vector size
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        // initialization vector
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        if ($iv === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
            );
        }
        // encrypt it
        $encrypted_text = mcrypt_encrypt(
            MCRYPT_RIJNDAEL_256,
            $this->get_encryption_key(),
            $text_string,
            MCRYPT_MODE_ECB,
            $iv
        );
        // trim and maybe encode
        return $this->_use_base64_encode
            ? trim(base64_encode($encrypted_text))
            : trim($encrypted_text);
    }



    /**
     * decrypts data that has been encrypted with PHP's mcrypt functions
     *
     * @deprecated 4.9.39
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function m_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        // get the initialization vector size
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        if ($iv === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
            );
        }
        // decrypt it
        $decrypted_text = mcrypt_decrypt(
            MCRYPT_RIJNDAEL_256,
            $this->get_encryption_key(),
            $encrypted_text,
            MCRYPT_MODE_ECB,
            $iv
        );
        $decrypted_text = trim($decrypted_text);
        return $decrypted_text;
    }

}
/* End of file EE_Encryption.class.php */
/* Location: /includes/core/EE_Encryption.core.php */


1		<?php
2		defined('EVENT_ESPRESSO_VERSION') \|\| exit('No direct script access allowed');
3
4
5
6		/**
7		* EE_Encryption class
8		* class for applying low-grade string encryption/decryption
9		* really only good for hiding content from simple bots and script kiddies
10		* but better for solving encoding issues with databases
11		*
12		* @package Event Espresso
13		* @subpackage includes/functions
14		* @author Brent Christensen
15		*/
16		class EE_Encryption
17		{
18
19		/**
20		* key used for saving the encryption key to the wp_options table
21		*/
22		const ENCRYPTION_OPTION_KEY = 'ee_encryption_key';
23
24		/**
25		* the OPENSSL cipher method used
26		*/
27		const OPENSSL_CIPHER_METHOD = 'AES-128-CBC';
28
29		/**
30		* WP "options_name" used to store a verified available cipher method
31		*/
32		const OPENSSL_CIPHER_METHOD_OPTION_NAME = 'ee_openssl_cipher_method';
33
34		/**
35		* the OPENSSL digest method used
36		*/
37		const OPENSSL_DIGEST_METHOD = 'sha512';
38
39		/**
40		* separates the encrypted text from the initialization vector
41		*/
42		const OPENSSL_IV_DELIMITER = ':iv:';
43
44		/**
45		* appended to text encrypted using the acme encryption
46		*/
47		const ACME_ENCRYPTION_FLAG = '::ae';
48
49
50
51		/**
52		* instance of the EE_Encryption object
53		*/
54		protected static $_instance;
55
56		/**
57		* @var string $_encryption_key
58		*/
59		protected $_encryption_key;
60
61		/**
62		* @var string $cipher_method
63		*/
64		private $cipher_method = '';
65
66		/**
67		* @var array $cipher_methods
68		*/
69		private $cipher_methods = array();
70
71		/**
72		* @var array $digest_methods
73		*/
74		private $digest_methods = array();
75
76		/**
77		* @var boolean $_use_openssl_encrypt
78		*/
79		protected $_use_openssl_encrypt = false;
80
81		/**
82		* @var boolean $_use_mcrypt
83		*/
84		protected $_use_mcrypt = false;
85
86		/**
87		* @var boolean $_use_base64_encode
88		*/
89		protected $_use_base64_encode = false;
90
91
92
93		/**
94		* protected constructor to prevent direct creation
95		*/
96		protected function __construct()
97		{
98		if (! defined('ESPRESSO_ENCRYPT')) {
99		define('ESPRESSO_ENCRYPT', true);
100		}
101		if (extension_loaded('openssl')) {
102		$this->_use_openssl_encrypt = true;
103		} else if (extension_loaded('mcrypt')) {
104		$this->_use_mcrypt = true;
105		}
106		if (function_exists('base64_encode')) {
107		$this->_use_base64_encode = true;
108		}
109		}
110
111
112
113		/**
114		* singleton method used to instantiate class object
115		*
116		* @return EE_Encryption
117		*/
118		public static function instance()
119		{
120		// check if class object is instantiated
121		if (! self::$_instance instanceof EE_Encryption) {
122		self::$_instance = new self();
123		}
124		return self::$_instance;
125		}
126
127
128
129		/**
130		* get encryption key
131		*
132		* @return string
133		*/
134		public function get_encryption_key()
135		{
136		// if encryption key has not been set
137		if (empty($this->_encryption_key)) {
138		// retrieve encryption_key from db
139		$this->_encryption_key = get_option(EE_Encryption::ENCRYPTION_OPTION_KEY, '');
140		// WHAT?? No encryption_key in the db ??
141		if ($this->_encryption_key === '') {
142		// let's make one. And md5 it to make it just the right size for a key
143		$new_key = md5($this->generate_random_string());
144		// now save it to the db for later
145		add_option(EE_Encryption::ENCRYPTION_OPTION_KEY, $new_key);
146		// here's the key - FINALLY !
147		$this->_encryption_key = $new_key;
148		}
149		}
150		return $this->_encryption_key;
151		}
152
153
154
155		/**
156		* encrypts data
157		*
158		* @param string $text_string - the text to be encrypted
159		* @return string
160		* @throws RuntimeException
161		*/
162		public function encrypt($text_string = '')
163		{
164		// you give me nothing??? GET OUT !
165		if (empty($text_string)) {
166		return $text_string;
167		}
168		if ($this->_use_openssl_encrypt) {
169		$encrypted_text = $this->openssl_encrypt($text_string);
170		} else {
171		$encrypted_text = $this->acme_encrypt($text_string);
172		}
173		return $encrypted_text;
174		}
175
176
177
178		/**
179		* decrypts data
180		*
181		* @param string $encrypted_text - the text to be decrypted
182		* @return string
183		* @throws RuntimeException
184		*/
185		public function decrypt($encrypted_text = '')
186		{
187		// you give me nothing??? GET OUT !
188		if (empty($encrypted_text)) {
189		return $encrypted_text;
190		}
191		// if PHP's mcrypt functions are installed then we'll use them
192		if ($this->_use_openssl_encrypt) {
193		$decrypted_text = $this->openssl_decrypt($encrypted_text);
194		} else {
195		$decrypted_text = $this->acme_decrypt($encrypted_text);
196		}
197		return $decrypted_text;
198		}
199
200
201
202		/**
203		* encodes string with PHP's base64 encoding
204		*
205		* @see http://php.net/manual/en/function.base64-encode.php
206		* @param string $text_string the text to be encoded
207		* @return string
208		*/
209		public function base64_string_encode($text_string = '')
210		{
211		// you give me nothing??? GET OUT !
212		if (empty($text_string) \|\| ! $this->_use_base64_encode) {
213		return $text_string;
214		}
215		// encode
216		return base64_encode($text_string);
217		}
218
219
220
221		/**
222		* decodes string that has been encoded with PHP's base64 encoding
223		*
224		* @see http://php.net/manual/en/function.base64-encode.php
225		* @param string $encoded_string the text to be decoded
226		* @return string
227		*/
228		public function base64_string_decode($encoded_string = '')
229		{
230		// you give me nothing??? GET OUT !
231		if (empty($encoded_string) \|\| ! $this->valid_base_64($encoded_string)) {
232		return $encoded_string;
233		}
234		// decode
235		return base64_decode($encoded_string);
236		}
237
238
239
240		/**
241		* encodes url string with PHP's base64 encoding
242		*
243		* @see http://php.net/manual/en/function.base64-encode.php
244		* @param string $text_string the text to be encoded
245		* @return string
246		*/
247		public function base64_url_encode($text_string = '')
248		{
249		// you give me nothing??? GET OUT !
250		if (empty($text_string) \|\| ! $this->_use_base64_encode) {
251		return $text_string;
252		}
253		// encode
254		$encoded_string = base64_encode($text_string);
255		// remove chars to make encoding more URL friendly
256		return strtr($encoded_string, '+/=', '-_,');
257		}
258
259
260
261		/**
262		* decodes url string that has been encoded with PHP's base64 encoding
263		*
264		* @see http://php.net/manual/en/function.base64-encode.php
265		* @param string $encoded_string the text to be decoded
266		* @return string
267		*/
268		public function base64_url_decode($encoded_string = '')
269		{
270		// you give me nothing??? GET OUT !
271		if (empty($encoded_string) \|\| ! $this->valid_base_64($encoded_string)) {
272		return $encoded_string;
273		}
274		// replace previously removed characters
275		$encoded_string = strtr($encoded_string, '-_,', '+/=');
276		// decode
277		return base64_decode($encoded_string);
278		}
279
280
281
282		/**
283		* encrypts data using PHP's openssl functions
284		*
285		* @param string $text_string the text to be encrypted
286		* @return string
287		* @throws RuntimeException
288		*/
289		protected function openssl_encrypt($text_string = '')
290		{
291		// you give me nothing??? GET OUT !
292		if (empty($text_string)) {
293		return $text_string;
294		}
295		$this->cipher_method = $this->getCipherMethod();
296		// get initialization vector size
297		$iv_size = openssl_cipher_iv_length($this->cipher_method);
298		// generate initialization vector.
299		// The second parameter ("crypto_strong") is passed by reference,
300		// and is used to determines if the algorithm used was "cryptographically strong"
301		// openssl_random_pseudo_bytes() will toggle it to either true or false
302		$iv = openssl_random_pseudo_bytes($iv_size, $is_strong);
303		if ($iv === false \|\| $is_strong === false) {
304		throw new RuntimeException(
305		esc_html__('Failed to generate OpenSSL initialization vector.', 'event_espresso')
306		);
307		}
308		// encrypt it
309		$encrypted_text = openssl_encrypt(
310		$text_string,
311		$this->cipher_method,
312		$this->getDigestHashValue(),
313		0,
314		$iv
315		);
316		// append the initialization vector
317		$encrypted_text .= EE_Encryption::OPENSSL_IV_DELIMITER . $iv;
318		// trim and maybe encode
319		return $this->_use_base64_encode
320		? trim(base64_encode($encrypted_text))
321		: trim($encrypted_text);
322		}
323
324
325
326		/**
327		* Returns a cipher method that has been verified to work.
328		* First checks if the cached cipher has been set already and if so, returns that.
329		* Then tests the incoming default and returns that if it's good.
330		* If not, then it retrieves the previously tested and saved cipher method.
331		* But if that doesn't exist, then calls getAvailableCipherMethod()
332		* to see what is available on the server, and returns the results.
333		*
334		* @param string $cipher_method
335		* @return string
336		* @throws RuntimeException
337		*/
338		protected function getCipherMethod($cipher_method = EE_Encryption::OPENSSL_CIPHER_METHOD)
339		{
340		if($this->cipher_method !== ''){
341		return $this->cipher_method;
342		}
343		// verify that the default cipher method can produce an initialization vector
344		if (openssl_cipher_iv_length($cipher_method) === false) {
345		// nope? okay let's get what we found in the past to work
346		$cipher_method = get_option(EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME, '');
347		// oops... haven't tested available cipher methods yet
348		if($cipher_method === '' \|\| openssl_cipher_iv_length($cipher_method) === false) {
349		$cipher_method = $this->getAvailableCipherMethod($cipher_method);
350		}
351		}
352		return $cipher_method;
353		}
354
355
356
357		/**
358		* @param string $cipher_method
359		* @return string
360		* @throws \RuntimeException
361		*/
362		protected function getAvailableCipherMethod($cipher_method)
363		{
364		// verify that the incoming cipher method can produce an initialization vector
365		if (openssl_cipher_iv_length($cipher_method) === false) {
366		// nope? then check the next cipher in the list of available cipher methods
367		$cipher_method = next($this->cipher_methods);
368		// what? there's no list? then generate that list and cache it,
369		if (empty($this->cipher_methods)) {
370		$this->cipher_methods = openssl_get_cipher_methods();
371		// then grab the first item from the list
372		$cipher_method = reset($this->cipher_methods);
373		}
374		if($cipher_method === false){
375		throw new RuntimeException(
376		esc_html__(
377		'OpenSSL support appears to be enabled on the server, but no cipher methods are available. Please contact the server administrator.',
378		'event_espresso'
379		)
380		);
381		}
382		// verify that the next cipher method works
383		return $this->getAvailableCipherMethod($cipher_method);
384		}
385		// if we've gotten this far, then we found an available cipher method that works
386		// so save that for next time
387		update_option(
388		EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME,
389		$cipher_method
390		);
391		return $cipher_method;
392		}
393
394
395
396		/**
397		* decrypts data that has been encrypted with PHP's openssl functions
398		*
399		* @param string $encrypted_text the text to be decrypted
400		* @return string
401		* @throws RuntimeException
402		*/
403		protected function openssl_decrypt($encrypted_text = '')
404		{
405		// you give me nothing??? GET OUT !
406		if (empty($encrypted_text)) {
407		return $encrypted_text;
408		}
409		// decode
410		$encrypted_text = $this->valid_base_64($encrypted_text)
411		? base64_decode($encrypted_text)
412		: $encrypted_text;
413		$encrypted_components = explode(
414		EE_Encryption::OPENSSL_IV_DELIMITER,
415		$encrypted_text,
416		2
417		);
418		// check that iv exists, and if not, maybe text was encoded using mcrypt?
419		if ($this->_use_mcrypt && ! isset($encrypted_components[1])) {
420		return $this->m_decrypt($encrypted_text);
		0 ignored issues – show Deprecated Code introduced 2017-05-10 22:30 UTC by Report Bug Copy Issue Report The method `EE_Encryption::m_decrypt()` has been deprecated with message: 4.9.39 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
421		}
422		// decrypt it
423		$decrypted_text = openssl_decrypt(
424		$encrypted_components[0],
425		$this->getCipherMethod(),
426		$this->getDigestHashValue(),
427		0,
428		$encrypted_components[1]
429		);
430		$decrypted_text = trim($decrypted_text);
431		return $decrypted_text;
432		}
433
434
435
436		/**
437		* Computes the digest hash value using the specified digest method.
438		* If that digest method fails to produce a valid hash value,
439		* then we'll grab the next digest method and recursively try again until something works.
440		*
441		* @param string $digest_method
442		* @return string
443		* @throws RuntimeException
444		*/
445		protected function getDigestHashValue($digest_method = EE_Encryption::OPENSSL_DIGEST_METHOD){
446		$digest_hash_value = openssl_digest($this->get_encryption_key(), $digest_method);
447		if ($digest_hash_value === false) {
448		return $this->getDigestHashValue($this->getDigestMethod());
449		}
450		return $digest_hash_value;
451		}
452
453
454
455		/**
456		* Returns the NEXT element in the $digest_methods array.
457		* If the $digest_methods array is empty, then we populate it
458		* with the available values returned from openssl_get_md_methods().
459		*
460		* @return string
461		* @throws \RuntimeException
462		*/
463		protected function getDigestMethod(){
464		$digest_method = prev($this->digest_methods);
465		if (empty($this->digest_methods)) {
466		$this->digest_methods = openssl_get_md_methods();
467		$digest_method = end($this->digest_methods);
468		}
469		if ($digest_method === false) {
470		throw new RuntimeException(
471		esc_html__(
472		'OpenSSL support appears to be enabled on the server, but no digest methods are available. Please contact the server administrator.',
473		'event_espresso'
474		)
475		);
476		}
477		return $digest_method;
478		}
479
480
481		/**
482		* encrypts data for acme servers that didn't bother to install PHP mcrypt
483		*
484		* @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
485		* @param string $text_string the text to be decrypted
486		* @return string
487		*/
488		protected function acme_encrypt($text_string = '')
489		{
490		// you give me nothing??? GET OUT !
491		if (empty($text_string)) {
492		return $text_string;
493		}
494		$key_bits = str_split(
495		str_pad(
496		'',
497		strlen($text_string),
498		$this->get_encryption_key(),
499		STR_PAD_RIGHT
500		)
501		);
502		$string_bits = str_split($text_string);
503	View Code Duplication	foreach ($string_bits as $k => $v) {
504		$temp = ord($v) + ord($key_bits[$k]);
505		$string_bits[$k] = chr($temp > 255 ? ($temp - 256) : $temp);
506		}
507		$encrypted_text = implode('', $string_bits);
508		$encrypted_text .= EE_Encryption::ACME_ENCRYPTION_FLAG;
509		return $this->_use_base64_encode
510		? base64_encode($encrypted_text)
511		: $encrypted_text;
512		}
513
514
515
516		/**
517		* decrypts data for acme servers that didn't bother to install PHP mcrypt
518		*
519		* @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
520		* @param string $encrypted_text the text to be decrypted
521		* @return string
522		* @throws RuntimeException
523		*/
524		protected function acme_decrypt($encrypted_text = '')
525		{
526		// you give me nothing??? GET OUT !
527		if (empty($encrypted_text)) {
528		return $encrypted_text;
529		}
530		// decode the data ?
531		$encrypted_text = $this->valid_base_64($encrypted_text)
532		? base64_decode($encrypted_text)
533		: $encrypted_text;
534		if (
535		$this->_use_mcrypt
536		&& strpos($encrypted_text, EE_Encryption::ACME_ENCRYPTION_FLAG) === false
537		){
538		return $this->m_decrypt($encrypted_text);
		0 ignored issues – show Deprecated Code introduced 2017-05-23 23:14 UTC by Report Bug Copy Issue Report The method `EE_Encryption::m_decrypt()` has been deprecated with message: 4.9.39 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
539		}
540		$encrypted_text = substr($encrypted_text, 0, -4);
541		$key_bits = str_split(
542		str_pad(
543		'',
544		strlen($encrypted_text),
545		$this->get_encryption_key(),
546		STR_PAD_RIGHT
547		)
548		);
549		$string_bits = str_split($encrypted_text);
550	View Code Duplication	foreach ($string_bits as $k => $v) {
551		$temp = ord($v) - ord($key_bits[$k]);
552		$string_bits[$k] = chr($temp < 0 ? ($temp + 256) : $temp);
553		}
554		return implode('', $string_bits);
555		}
556
557
558
559		/**
560		* @see http://stackoverflow.com/questions/2556345/detect-base64-encoding-in-php#30231906
561		* @param $string
562		* @return bool
563		*/
564		protected function valid_base_64($string)
565		{
566		// ensure data is a string
567		if (! is_string($string) \|\| ! $this->_use_base64_encode) {
568		return false;
569		}
570		$decoded = base64_decode($string, true);
571		// Check if there is no invalid character in string
572		if (! preg_match('/^[a-zA-Z0-9\/\r\n+]*={0,2}$/', $string)) {
573		return false;
574		}
575		// Decode the string in strict mode and send the response
576		if (! base64_decode($string, true)) {
577		return false;
578		}
579		// Encode and compare it to original one
580		return base64_encode($decoded) === $string;
581		}
582
583
584
585		/**
586		* generate random string
587		*
588		* @see http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
589		* @param int $length number of characters for random string
590		* @return string
591		*/
592		public function generate_random_string($length = 40)
593		{
594		$iterations = ceil($length / 40);
595		$random_string = '';
596		for ($i = 0; $i < $iterations; $i++) {
597		$random_string .= sha1(microtime(true) . mt_rand(10000, 90000));
598		}
599		$random_string = substr($random_string, 0, $length);
600		return $random_string;
601		}
602
603
604
605		/**
606		* encrypts data using PHP's mcrypt functions
607		*
608		* @deprecated 4.9.39
609		* @param string $text_string
610		* @internal param $string - the text to be encrypted
611		* @return string
612		* @throws RuntimeException
613		*/
614		protected function m_encrypt($text_string = '')
615		{
616		// you give me nothing??? GET OUT !
617		if (empty($text_string)) {
618		return $text_string;
619		}
620		// get the initialization vector size
621		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
622		// initialization vector
623		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
624		if ($iv === false) {
625		throw new RuntimeException(
626		esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
627		);
628		}
629		// encrypt it
630		$encrypted_text = mcrypt_encrypt(
631		MCRYPT_RIJNDAEL_256,
632		$this->get_encryption_key(),
633		$text_string,
634		MCRYPT_MODE_ECB,
635		$iv
636		);
637		// trim and maybe encode
638		return $this->_use_base64_encode
639		? trim(base64_encode($encrypted_text))
640		: trim($encrypted_text);
641		}
642
643
644
645		/**
646		* decrypts data that has been encrypted with PHP's mcrypt functions
647		*
648		* @deprecated 4.9.39
649		* @param string $encrypted_text the text to be decrypted
650		* @return string
651		* @throws RuntimeException
652		*/
653		protected function m_decrypt($encrypted_text = '')
654		{
655		// you give me nothing??? GET OUT !
656		if (empty($encrypted_text)) {
657		return $encrypted_text;
658		}
659		// decode
660		$encrypted_text = $this->valid_base_64($encrypted_text)
661		? base64_decode($encrypted_text)
662		: $encrypted_text;
663		// get the initialization vector size
664		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
665		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
666		if ($iv === false) {
667		throw new RuntimeException(
668		esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
669		);
670		}
671		// decrypt it
672		$decrypted_text = mcrypt_decrypt(
673		MCRYPT_RIJNDAEL_256,
674		$this->get_encryption_key(),
675		$encrypted_text,
676		MCRYPT_MODE_ECB,
677		$iv
678		);
679		$decrypted_text = trim($decrypted_text);
680		return $decrypted_text;
681		}
682
683		}
684		/* End of file EE_Encryption.class.php */
685		/* Location: /includes/core/EE_Encryption.core.php */
686

eventespresso / event-espresso-core