EE_Encryption - Code Metrics - Inspection of "Daily Inspection: Merge branch 'master' into BUG-1..." - eventespresso/event-espresso-core - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Branch — BUG-10806-lower-encryption (5d0dd9)

unknown

created 2017-06-16 21:12 UTC

EE_Encryption C

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	675
Duplicated Lines	1.19 %

Coupling/Cohesion

Components	2
Dependencies	0

Importance

Changes

Metric	Value
dl	8
loc	675
rs	5.1224
c	0
b	0
f	0
wmc	78
lcom	2
cbo	0

21 Methods

Rating	Name	Duplication	Size	Complexity
B	__construct()	0	14	5
A	instance()	0	8	2
A	get_encryption_key()	0	18	3
A	encrypt()	0	13	3
A	decrypt()	0	14	3
A	base64_string_encode()	0	9	3
A	base64_string_decode()	0	9	3
A	base64_url_encode()	0	11	3
A	base64_url_decode()	0	11	3
B	openssl_encrypt()	0	34	5
A	getCipherMethod()	0	16	4
B	getAvailableCipherMethod()	0	32	4
B	openssl_decrypt()	0	30	5
A	getDigestHashValue()	0	7	2
A	getDigestMethod()	0	16	3
B	acme_encrypt()	4	25	5
C	acme_decrypt()	4	32	7
B	valid_base_64()	0	18	5
A	generate_random_string()	0	10	2
B	m_encrypt()	0	28	4
B	m_decrypt()	0	29	4

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like EE_Encryption often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use EE_Encryption, and based on these observations, apply Extract Interface, too.

<?php
defined('EVENT_ESPRESSO_VERSION') || exit('No direct script access allowed');



/**
 * EE_Encryption class
 * class for applying low-grade string encryption/decryption
 * really only good for hiding content from simple bots and script kiddies
 * but better for solving encoding issues with databases
 *
 * @package    Event Espresso
 * @subpackage includes/functions
 * @author     Brent Christensen
 */
class EE_Encryption
{

    /**
     * key used for saving the encryption key to the wp_options table
     */
    const ENCRYPTION_OPTION_KEY = 'ee_encryption_key';

    /**
     * the OPENSSL cipher method used
     */
    const OPENSSL_CIPHER_METHOD = 'AES-128-CBC';

    /**
     * the OPENSSL cipher method used
     */
    const OPENSSL_CIPHER_METHOD_OPTION_NAME = 'ee_openssl_cipher_method';

    /**
     * the OPENSSL digest method used
     */
    const OPENSSL_DIGEST_METHOD = 'sha512';

    /**
     * separates the encrypted text from the initialization vector
     */
    const OPENSSL_IV_DELIMITER = ':iv:';

    /**
     * appended to text encrypted using the acme encryption
     */
    const ACME_ENCRYPTION_FLAG = '::ae';



    /**
     * instance of the EE_Encryption object
     */
    protected static $_instance;

    /**
     * @var string $_encryption_key
     */
    protected $_encryption_key;

    /**
     * @var string $cipher_method
     */
    private $cipher_method = '';

    /**
     * @var array $cipher_methods
     */
    private $cipher_methods = array();

    /**
     * @var array $digest_methods
     */
    private $digest_methods = array();

    /**
     * @var boolean $_use_openssl_encrypt
     */
    protected $_use_openssl_encrypt = false;

    /**
     * @var boolean $_use_mcrypt
     */
    protected $_use_mcrypt = false;

    /**
     * @var boolean $_use_base64_encode
     */
    protected $_use_base64_encode = false;



    /**
     * protected constructor to prevent direct creation
     */
    protected function __construct()
    {
        if (! defined('ESPRESSO_ENCRYPT')) {
            define('ESPRESSO_ENCRYPT', true);
        }
        if (extension_loaded('openssl')) {
            $this->_use_openssl_encrypt = true;
        } else if (extension_loaded('mcrypt')) {
            $this->_use_mcrypt = true;
        }
        if (function_exists('base64_encode')) {
            $this->_use_base64_encode = true;
        }
    }



    /**
     * singleton method used to instantiate class object
     *
     * @return EE_Encryption
     */
    public static function instance()
    {
        // check if class object is instantiated
        if (! self::$_instance instanceof EE_Encryption) {
            self::$_instance = new self();
        }
        return self::$_instance;
    }



    /**
     * get encryption key
     *
     * @return string
     */
    public function get_encryption_key()
    {
        // if encryption key has not been set
        if (empty($this->_encryption_key)) {
            // retrieve encryption_key from db
            $this->_encryption_key = get_option(EE_Encryption::ENCRYPTION_OPTION_KEY, '');
            // WHAT?? No encryption_key in the db ??
            if ($this->_encryption_key === '') {
                // let's make one. And md5 it to make it just the right size for a key
                $new_key = md5($this->generate_random_string());
                // now save it to the db for later
                add_option(EE_Encryption::ENCRYPTION_OPTION_KEY, $new_key);
                // here's the key - FINALLY !
                $this->_encryption_key = $new_key;
            }
        }
        return $this->_encryption_key;
    }



    /**
     * encrypts data
     *
     * @param string $text_string - the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    public function encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        if ($this->_use_openssl_encrypt) {
            $encrypted_text = $this->openssl_encrypt($text_string);
        } else {
            $encrypted_text = $this->acme_encrypt($text_string);
        }
        return $encrypted_text;
    }



    /**
     * decrypts data
     *
     * @param string $encrypted_text - the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    public function decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // if PHP's mcrypt functions are installed then we'll use them
        if ($this->_use_openssl_encrypt) {
            $decrypted_text = $this->openssl_decrypt($encrypted_text);
        } else {
            $decrypted_text = $this->acme_decrypt($encrypted_text);
        }
        return $decrypted_text;
    }



    /**
     * encodes string with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $text_string the text to be encoded
     * @return string
     */
    public function base64_string_encode($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string) || ! $this->_use_base64_encode) {
            return $text_string;
        }
        // encode
        return base64_encode($text_string);
    }



    /**
     * decodes string that has been encoded with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $encoded_string the text to be decoded
     * @return string
     */
    public function base64_string_decode($encoded_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encoded_string) || ! $this->valid_base_64($encoded_string)) {
            return $encoded_string;
        }
        // decode
        return base64_decode($encoded_string);
    }



    /**
     * encodes  url string with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $text_string the text to be encoded
     * @return string
     */
    public function base64_url_encode($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string) || ! $this->_use_base64_encode) {
            return $text_string;
        }
        // encode
        $encoded_string = base64_encode($text_string);
        // remove chars to make encoding more URL friendly
        return strtr($encoded_string, '+/=', '-_,');
    }



    /**
     * decodes  url string that has been encoded with PHP's base64 encoding
     *
     * @see http://php.net/manual/en/function.base64-encode.php
     * @param string $encoded_string the text to be decoded
     * @return string
     */
    public function base64_url_decode($encoded_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encoded_string) || ! $this->valid_base_64($encoded_string)) {
            return $encoded_string;
        }
        // replace previously removed characters
        $encoded_string = strtr($encoded_string, '-_,', '+/=');
        // decode
        return base64_decode($encoded_string);
    }



    /**
     * encrypts data using PHP's openssl functions
     *
     * @param string $text_string the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    protected function openssl_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        $this->cipher_method = $this->getCipherMethod();
        // get initialization vector size
        $iv_size = openssl_cipher_iv_length($this->cipher_method);
        // generate initialization vector.
        // The second parameter ("crypto_strong") is passed by reference,
        // and is used to determines if the algorithm used was "cryptographically strong"
        // openssl_random_pseudo_bytes() will toggle it to either true or false
        $iv = openssl_random_pseudo_bytes($iv_size, $is_strong);
        if ($iv === false || $is_strong === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate OpenSSL initialization vector.', 'event_espresso')
            );
        }
        // encrypt it
        $encrypted_text = openssl_encrypt(
            $text_string,
            $this->cipher_method,
            $this->getDigestHashValue(),
            0,
            $iv
        );
        // append the initialization vector
        $encrypted_text .= EE_Encryption::OPENSSL_IV_DELIMITER . $iv;
        // trim and maybe encode
        return $this->_use_base64_encode
            ? trim(base64_encode($encrypted_text))
            : trim($encrypted_text);
    }



    /**
     * Returns a cipher method that has been verified to work.
     * First checks if the cached cipher has  been set already and if so, returns that.
     * Then tests the incoming default and returns that if it's good.
     * If not, then it retrieves the previously tested and saved cipher method.
     * But if that doesn't exist, then
     *
     * @param string $cipher_method
     * @return string
     * @throws RuntimeException
     */
    protected function getCipherMethod($cipher_method = EE_Encryption::OPENSSL_CIPHER_METHOD)
    {
        if($this->cipher_method !== ''){
            return $this->cipher_method;
        }
        // verify that the default cipher method can produce an initialization vector
        if (openssl_cipher_iv_length($cipher_method) === false) {
            // nope? okay let's get what we found in the past to work
            $cipher_method = get_option(EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME, '');
            // oops... haven't tested available cipher methods yet
            if($cipher_method === '') {
                $cipher_method = $this->getAvailableCipherMethod($cipher_method);
            }
        }
        return $cipher_method;
    }



    /**
     * @param string $cipher_method
     * @return string
     * @throws \RuntimeException
     */
    protected function getAvailableCipherMethod($cipher_method)
    {
        // verify that the incoming cipher method can produce an initialization vector
        if (openssl_cipher_iv_length($cipher_method) === false) {
            // nope? okay then get then check the list of available cipher methods
            // what? there's no list? then generate that list and cache it,
            // then rewind the list to the first item, which should match the default
            if (empty($this->cipher_methods)) {
                $this->cipher_methods = openssl_get_cipher_methods();
                reset($this->cipher_methods);
            }
            // advance to the next cipher in the list
            $cipher_method = next($this->cipher_methods);
            if($cipher_method === false){
                throw new RuntimeException(
                    esc_html__(
                        'OpenSSL support appears to be enabled on the server, but no cipher methods are available. Please contact the server administrator.',
                        'event_espresso'
                    )
                );
            }
            // verify that the next cipher method works
            return $this->getAvailableCipherMethod($cipher_method);
        }
        // if we've gotten this far, then we found an available cipher method that works
        // so save that for next time
        update_option(
            EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME,
            $cipher_method
        );
        return $cipher_method;
    }



    /**
     * decrypts data that has been encrypted with PHP's openssl functions
     *
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function openssl_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        $encrypted_components = explode(
            EE_Encryption::OPENSSL_IV_DELIMITER,
            $encrypted_text,
            2
        );
        // check that iv exists, and if not, maybe text was encoded using mcrypt?
        if ($this->_use_mcrypt && ! isset($encrypted_components[1])) {
            return $this->m_decrypt($encrypted_text);

        }
        // decrypt it
        $decrypted_text = openssl_decrypt(
            $encrypted_components[0],
            $this->getCipherMethod(),
            $this->getDigestHashValue(),
            0,
            $encrypted_components[1]
        );
        $decrypted_text = trim($decrypted_text);
        return $decrypted_text;
    }



    /**
     * Computes the digest hash value using the specified digest method.
     * If that digest method fails to produce a valid hash value,
     * then we'll grab the next digest method and recursively try again until something works.
     *
     * @param string $digest_method
     * @return string
     * @throws RuntimeException
     */
    protected function getDigestHashValue($digest_method = EE_Encryption::OPENSSL_DIGEST_METHOD){
        $digest_hash_value = openssl_digest($this->get_encryption_key(), $digest_method);
        if ($digest_hash_value === false) {
            return $this->getDigestHashValue($this->getDigestMethod());
        }
        return $digest_hash_value;
    }



    /**
     * Returns the NEXT element in the $digest_methods array.
     * If the $digest_methods array is empty, then we populate it
     * with the available values returned from openssl_get_md_methods().
     * But first we will advance to the last element, so that when prev() is called,
     * we'll get what was originally the second to last element.
     * Why?
     * Because the last elements returned by openssl_get_md_methods()
     * are typically the newer SHA methods like SHA512, and we want to try them first.
     * We've already tried SHA512 as the default set by the OPENSSL_DIGEST_METHOD constant,
     * but that will get skipped as soon as prev() is called.
     *
     * @return string
     * @throws \RuntimeException
     */
    protected function getDigestMethod(){
        if (empty($this->digest_methods)) {
            $this->digest_methods = openssl_get_md_methods();
            end($this->digest_methods);
        }
        $digest_method = prev($this->digest_methods);
        if ($digest_method === false) {
            throw new RuntimeException(
                esc_html__(
                    'OpenSSL support appears to be enabled on the server, but no digest methods are available. Please contact the server administrator.',
                    'event_espresso'
                )
            );
        }
        return $digest_method;
    }


    /**
     * encrypts data for acme servers that didn't bother to install PHP mcrypt
     *
     * @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
     * @param string $text_string the text to be decrypted
     * @return string
     */
    protected function acme_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        $key_bits = str_split(
            str_pad(
                '',
                strlen($text_string),
                $this->get_encryption_key(),
                STR_PAD_RIGHT
            )
        );
        $string_bits = str_split($text_string);
        foreach ($string_bits as $k => $v) {
            $temp = ord($v) + ord($key_bits[$k]);
            $string_bits[$k] = chr($temp > 255 ? ($temp - 256) : $temp);
        }
        $encrypted_text = implode('', $string_bits);
        $encrypted_text .= EE_Encryption::ACME_ENCRYPTION_FLAG;
        return $this->_use_base64_encode
            ? base64_encode($encrypted_text)
            : $encrypted_text;
    }



    /**
     * decrypts data for acme servers that didn't bother to install PHP mcrypt
     *
     * @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function acme_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode the data ?
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        if (
            $this->_use_mcrypt
            && strpos($encrypted_text, EE_Encryption::ACME_ENCRYPTION_FLAG) === false
        ){
            return $this->m_decrypt($encrypted_text);

        }
        $encrypted_text = substr($encrypted_text, 0, -4);
        $key_bits = str_split(
            str_pad(
                '',
                strlen($encrypted_text),
                $this->get_encryption_key(),
                STR_PAD_RIGHT
            )
        );
        $string_bits = str_split($encrypted_text);
        foreach ($string_bits as $k => $v) {
            $temp = ord($v) - ord($key_bits[$k]);
            $string_bits[$k] = chr($temp < 0 ? ($temp + 256) : $temp);
        }
        return implode('', $string_bits);
    }



    /**
     * @see http://stackoverflow.com/questions/2556345/detect-base64-encoding-in-php#30231906
     * @param $string
     * @return bool
     */
    protected function valid_base_64($string)
    {
        // ensure data is a string
        if (! is_string($string) || ! $this->_use_base64_encode) {
            return false;
        }
        $decoded = base64_decode($string, true);
        // Check if there is no invalid character in string
        if (! preg_match('/^[a-zA-Z0-9\/\r\n+]*={0,2}$/', $string)) {
            return false;
        }
        // Decode the string in strict mode and send the response
        if (! base64_decode($string, true)) {
            return false;
        }
        // Encode and compare it to original one
        return base64_encode($decoded) === $string;
    }



    /**
     * generate random string
     *
     * @see http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
     * @param int $length number of characters for random string
     * @return string
     */
    public function generate_random_string($length = 40)
    {
        $iterations = ceil($length / 40);
        $random_string = '';
        for ($i = 0; $i < $iterations; $i++) {
            $random_string .= sha1(microtime(true) . mt_rand(10000, 90000));
        }
        $random_string = substr($random_string, 0, $length);
        return $random_string;
    }



    /**
     * encrypts data using PHP's mcrypt functions
     *
     * @deprecated 4.9.39
     * @param string $text_string
     * @internal   param $string - the text to be encrypted
     * @return string
     * @throws RuntimeException
     */
    protected function m_encrypt($text_string = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($text_string)) {
            return $text_string;
        }
        // get the initialization vector size
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        // initialization vector
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        if ($iv === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
            );
        }
        // encrypt it
        $encrypted_text = mcrypt_encrypt(
            MCRYPT_RIJNDAEL_256,
            $this->get_encryption_key(),
            $text_string,
            MCRYPT_MODE_ECB,
            $iv
        );
        // trim and maybe encode
        return $this->_use_base64_encode
            ? trim(base64_encode($encrypted_text))
            : trim($encrypted_text);
    }



    /**
     * decrypts data that has been encrypted with PHP's mcrypt functions
     *
     * @deprecated 4.9.39
     * @param string $encrypted_text the text to be decrypted
     * @return string
     * @throws RuntimeException
     */
    protected function m_decrypt($encrypted_text = '')
    {
        // you give me nothing??? GET OUT !
        if (empty($encrypted_text)) {
            return $encrypted_text;
        }
        // decode
        $encrypted_text = $this->valid_base_64($encrypted_text)
            ? base64_decode($encrypted_text)
            : $encrypted_text;
        // get the initialization vector size
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        if ($iv === false) {
            throw new RuntimeException(
                esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
            );
        }
        // decrypt it
        $decrypted_text = mcrypt_decrypt(
            MCRYPT_RIJNDAEL_256,
            $this->get_encryption_key(),
            $encrypted_text,
            MCRYPT_MODE_ECB,
            $iv
        );
        $decrypted_text = trim($decrypted_text);
        return $decrypted_text;
    }

}
/* End of file EE_Encryption.class.php */
/* Location: /includes/core/EE_Encryption.core.php */


1		<?php
2		defined('EVENT_ESPRESSO_VERSION') \|\| exit('No direct script access allowed');
3
4
5
6		/**
7		* EE_Encryption class
8		* class for applying low-grade string encryption/decryption
9		* really only good for hiding content from simple bots and script kiddies
10		* but better for solving encoding issues with databases
11		*
12		* @package Event Espresso
13		* @subpackage includes/functions
14		* @author Brent Christensen
15		*/
16		class EE_Encryption
17		{
18
19		/**
20		* key used for saving the encryption key to the wp_options table
21		*/
22		const ENCRYPTION_OPTION_KEY = 'ee_encryption_key';
23
24		/**
25		* the OPENSSL cipher method used
26		*/
27		const OPENSSL_CIPHER_METHOD = 'AES-128-CBC';
28
29		/**
30		* the OPENSSL cipher method used
31		*/
32		const OPENSSL_CIPHER_METHOD_OPTION_NAME = 'ee_openssl_cipher_method';
33
34		/**
35		* the OPENSSL digest method used
36		*/
37		const OPENSSL_DIGEST_METHOD = 'sha512';
38
39		/**
40		* separates the encrypted text from the initialization vector
41		*/
42		const OPENSSL_IV_DELIMITER = ':iv:';
43
44		/**
45		* appended to text encrypted using the acme encryption
46		*/
47		const ACME_ENCRYPTION_FLAG = '::ae';
48
49
50
51		/**
52		* instance of the EE_Encryption object
53		*/
54		protected static $_instance;
55
56		/**
57		* @var string $_encryption_key
58		*/
59		protected $_encryption_key;
60
61		/**
62		* @var string $cipher_method
63		*/
64		private $cipher_method = '';
65
66		/**
67		* @var array $cipher_methods
68		*/
69		private $cipher_methods = array();
70
71		/**
72		* @var array $digest_methods
73		*/
74		private $digest_methods = array();
75
76		/**
77		* @var boolean $_use_openssl_encrypt
78		*/
79		protected $_use_openssl_encrypt = false;
80
81		/**
82		* @var boolean $_use_mcrypt
83		*/
84		protected $_use_mcrypt = false;
85
86		/**
87		* @var boolean $_use_base64_encode
88		*/
89		protected $_use_base64_encode = false;
90
91
92
93		/**
94		* protected constructor to prevent direct creation
95		*/
96		protected function __construct()
97		{
98		if (! defined('ESPRESSO_ENCRYPT')) {
99		define('ESPRESSO_ENCRYPT', true);
100		}
101		if (extension_loaded('openssl')) {
102		$this->_use_openssl_encrypt = true;
103		} else if (extension_loaded('mcrypt')) {
104		$this->_use_mcrypt = true;
105		}
106		if (function_exists('base64_encode')) {
107		$this->_use_base64_encode = true;
108		}
109		}
110
111
112
113		/**
114		* singleton method used to instantiate class object
115		*
116		* @return EE_Encryption
117		*/
118		public static function instance()
119		{
120		// check if class object is instantiated
121		if (! self::$_instance instanceof EE_Encryption) {
122		self::$_instance = new self();
123		}
124		return self::$_instance;
125		}
126
127
128
129		/**
130		* get encryption key
131		*
132		* @return string
133		*/
134		public function get_encryption_key()
135		{
136		// if encryption key has not been set
137		if (empty($this->_encryption_key)) {
138		// retrieve encryption_key from db
139		$this->_encryption_key = get_option(EE_Encryption::ENCRYPTION_OPTION_KEY, '');
140		// WHAT?? No encryption_key in the db ??
141		if ($this->_encryption_key === '') {
142		// let's make one. And md5 it to make it just the right size for a key
143		$new_key = md5($this->generate_random_string());
144		// now save it to the db for later
145		add_option(EE_Encryption::ENCRYPTION_OPTION_KEY, $new_key);
146		// here's the key - FINALLY !
147		$this->_encryption_key = $new_key;
148		}
149		}
150		return $this->_encryption_key;
151		}
152
153
154
155		/**
156		* encrypts data
157		*
158		* @param string $text_string - the text to be encrypted
159		* @return string
160		* @throws RuntimeException
161		*/
162		public function encrypt($text_string = '')
163		{
164		// you give me nothing??? GET OUT !
165		if (empty($text_string)) {
166		return $text_string;
167		}
168		if ($this->_use_openssl_encrypt) {
169		$encrypted_text = $this->openssl_encrypt($text_string);
170		} else {
171		$encrypted_text = $this->acme_encrypt($text_string);
172		}
173		return $encrypted_text;
174		}
175
176
177
178		/**
179		* decrypts data
180		*
181		* @param string $encrypted_text - the text to be decrypted
182		* @return string
183		* @throws RuntimeException
184		*/
185		public function decrypt($encrypted_text = '')
186		{
187		// you give me nothing??? GET OUT !
188		if (empty($encrypted_text)) {
189		return $encrypted_text;
190		}
191		// if PHP's mcrypt functions are installed then we'll use them
192		if ($this->_use_openssl_encrypt) {
193		$decrypted_text = $this->openssl_decrypt($encrypted_text);
194		} else {
195		$decrypted_text = $this->acme_decrypt($encrypted_text);
196		}
197		return $decrypted_text;
198		}
199
200
201
202		/**
203		* encodes string with PHP's base64 encoding
204		*
205		* @see http://php.net/manual/en/function.base64-encode.php
206		* @param string $text_string the text to be encoded
207		* @return string
208		*/
209		public function base64_string_encode($text_string = '')
210		{
211		// you give me nothing??? GET OUT !
212		if (empty($text_string) \|\| ! $this->_use_base64_encode) {
213		return $text_string;
214		}
215		// encode
216		return base64_encode($text_string);
217		}
218
219
220
221		/**
222		* decodes string that has been encoded with PHP's base64 encoding
223		*
224		* @see http://php.net/manual/en/function.base64-encode.php
225		* @param string $encoded_string the text to be decoded
226		* @return string
227		*/
228		public function base64_string_decode($encoded_string = '')
229		{
230		// you give me nothing??? GET OUT !
231		if (empty($encoded_string) \|\| ! $this->valid_base_64($encoded_string)) {
232		return $encoded_string;
233		}
234		// decode
235		return base64_decode($encoded_string);
236		}
237
238
239
240		/**
241		* encodes url string with PHP's base64 encoding
242		*
243		* @see http://php.net/manual/en/function.base64-encode.php
244		* @param string $text_string the text to be encoded
245		* @return string
246		*/
247		public function base64_url_encode($text_string = '')
248		{
249		// you give me nothing??? GET OUT !
250		if (empty($text_string) \|\| ! $this->_use_base64_encode) {
251		return $text_string;
252		}
253		// encode
254		$encoded_string = base64_encode($text_string);
255		// remove chars to make encoding more URL friendly
256		return strtr($encoded_string, '+/=', '-_,');
257		}
258
259
260
261		/**
262		* decodes url string that has been encoded with PHP's base64 encoding
263		*
264		* @see http://php.net/manual/en/function.base64-encode.php
265		* @param string $encoded_string the text to be decoded
266		* @return string
267		*/
268		public function base64_url_decode($encoded_string = '')
269		{
270		// you give me nothing??? GET OUT !
271		if (empty($encoded_string) \|\| ! $this->valid_base_64($encoded_string)) {
272		return $encoded_string;
273		}
274		// replace previously removed characters
275		$encoded_string = strtr($encoded_string, '-_,', '+/=');
276		// decode
277		return base64_decode($encoded_string);
278		}
279
280
281
282		/**
283		* encrypts data using PHP's openssl functions
284		*
285		* @param string $text_string the text to be encrypted
286		* @return string
287		* @throws RuntimeException
288		*/
289		protected function openssl_encrypt($text_string = '')
290		{
291		// you give me nothing??? GET OUT !
292		if (empty($text_string)) {
293		return $text_string;
294		}
295		$this->cipher_method = $this->getCipherMethod();
296		// get initialization vector size
297		$iv_size = openssl_cipher_iv_length($this->cipher_method);
298		// generate initialization vector.
299		// The second parameter ("crypto_strong") is passed by reference,
300		// and is used to determines if the algorithm used was "cryptographically strong"
301		// openssl_random_pseudo_bytes() will toggle it to either true or false
302		$iv = openssl_random_pseudo_bytes($iv_size, $is_strong);
303		if ($iv === false \|\| $is_strong === false) {
304		throw new RuntimeException(
305		esc_html__('Failed to generate OpenSSL initialization vector.', 'event_espresso')
306		);
307		}
308		// encrypt it
309		$encrypted_text = openssl_encrypt(
310		$text_string,
311		$this->cipher_method,
312		$this->getDigestHashValue(),
313		0,
314		$iv
315		);
316		// append the initialization vector
317		$encrypted_text .= EE_Encryption::OPENSSL_IV_DELIMITER . $iv;
318		// trim and maybe encode
319		return $this->_use_base64_encode
320		? trim(base64_encode($encrypted_text))
321		: trim($encrypted_text);
322		}
323
324
325
326		/**
327		* Returns a cipher method that has been verified to work.
328		* First checks if the cached cipher has been set already and if so, returns that.
329		* Then tests the incoming default and returns that if it's good.
330		* If not, then it retrieves the previously tested and saved cipher method.
331		* But if that doesn't exist, then
332		*
333		* @param string $cipher_method
334		* @return string
335		* @throws RuntimeException
336		*/
337		protected function getCipherMethod($cipher_method = EE_Encryption::OPENSSL_CIPHER_METHOD)
338		{
339		if($this->cipher_method !== ''){
340		return $this->cipher_method;
341		}
342		// verify that the default cipher method can produce an initialization vector
343		if (openssl_cipher_iv_length($cipher_method) === false) {
344		// nope? okay let's get what we found in the past to work
345		$cipher_method = get_option(EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME, '');
346		// oops... haven't tested available cipher methods yet
347		if($cipher_method === '') {
348		$cipher_method = $this->getAvailableCipherMethod($cipher_method);
349		}
350		}
351		return $cipher_method;
352		}
353
354
355
356		/**
357		* @param string $cipher_method
358		* @return string
359		* @throws \RuntimeException
360		*/
361		protected function getAvailableCipherMethod($cipher_method)
362		{
363		// verify that the incoming cipher method can produce an initialization vector
364		if (openssl_cipher_iv_length($cipher_method) === false) {
365		// nope? okay then get then check the list of available cipher methods
366		// what? there's no list? then generate that list and cache it,
367		// then rewind the list to the first item, which should match the default
368		if (empty($this->cipher_methods)) {
369		$this->cipher_methods = openssl_get_cipher_methods();
370		reset($this->cipher_methods);
371		}
372		// advance to the next cipher in the list
373		$cipher_method = next($this->cipher_methods);
374		if($cipher_method === false){
375		throw new RuntimeException(
376		esc_html__(
377		'OpenSSL support appears to be enabled on the server, but no cipher methods are available. Please contact the server administrator.',
378		'event_espresso'
379		)
380		);
381		}
382		// verify that the next cipher method works
383		return $this->getAvailableCipherMethod($cipher_method);
384		}
385		// if we've gotten this far, then we found an available cipher method that works
386		// so save that for next time
387		update_option(
388		EE_Encryption::OPENSSL_CIPHER_METHOD_OPTION_NAME,
389		$cipher_method
390		);
391		return $cipher_method;
392		}
393
394
395
396		/**
397		* decrypts data that has been encrypted with PHP's openssl functions
398		*
399		* @param string $encrypted_text the text to be decrypted
400		* @return string
401		* @throws RuntimeException
402		*/
403		protected function openssl_decrypt($encrypted_text = '')
404		{
405		// you give me nothing??? GET OUT !
406		if (empty($encrypted_text)) {
407		return $encrypted_text;
408		}
409		// decode
410		$encrypted_text = $this->valid_base_64($encrypted_text)
411		? base64_decode($encrypted_text)
412		: $encrypted_text;
413		$encrypted_components = explode(
414		EE_Encryption::OPENSSL_IV_DELIMITER,
415		$encrypted_text,
416		2
417		);
418		// check that iv exists, and if not, maybe text was encoded using mcrypt?
419		if ($this->_use_mcrypt && ! isset($encrypted_components[1])) {
420		return $this->m_decrypt($encrypted_text);
		0 ignored issues – show Deprecated Code introduced 2017-05-10 22:30 UTC by Report Bug Copy Issue Report The method `EE_Encryption::m_decrypt()` has been deprecated with message: 4.9.39 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
421		}
422		// decrypt it
423		$decrypted_text = openssl_decrypt(
424		$encrypted_components[0],
425		$this->getCipherMethod(),
426		$this->getDigestHashValue(),
427		0,
428		$encrypted_components[1]
429		);
430		$decrypted_text = trim($decrypted_text);
431		return $decrypted_text;
432		}
433
434
435
436		/**
437		* Computes the digest hash value using the specified digest method.
438		* If that digest method fails to produce a valid hash value,
439		* then we'll grab the next digest method and recursively try again until something works.
440		*
441		* @param string $digest_method
442		* @return string
443		* @throws RuntimeException
444		*/
445		protected function getDigestHashValue($digest_method = EE_Encryption::OPENSSL_DIGEST_METHOD){
446		$digest_hash_value = openssl_digest($this->get_encryption_key(), $digest_method);
447		if ($digest_hash_value === false) {
448		return $this->getDigestHashValue($this->getDigestMethod());
449		}
450		return $digest_hash_value;
451		}
452
453
454
455		/**
456		* Returns the NEXT element in the $digest_methods array.
457		* If the $digest_methods array is empty, then we populate it
458		* with the available values returned from openssl_get_md_methods().
459		* But first we will advance to the last element, so that when prev() is called,
460		* we'll get what was originally the second to last element.
461		* Why?
462		* Because the last elements returned by openssl_get_md_methods()
463		* are typically the newer SHA methods like SHA512, and we want to try them first.
464		* We've already tried SHA512 as the default set by the OPENSSL_DIGEST_METHOD constant,
465		* but that will get skipped as soon as prev() is called.
466		*
467		* @return string
468		* @throws \RuntimeException
469		*/
470		protected function getDigestMethod(){
471		if (empty($this->digest_methods)) {
472		$this->digest_methods = openssl_get_md_methods();
473		end($this->digest_methods);
474		}
475		$digest_method = prev($this->digest_methods);
476		if ($digest_method === false) {
477		throw new RuntimeException(
478		esc_html__(
479		'OpenSSL support appears to be enabled on the server, but no digest methods are available. Please contact the server administrator.',
480		'event_espresso'
481		)
482		);
483		}
484		return $digest_method;
485		}
486
487
488		/**
489		* encrypts data for acme servers that didn't bother to install PHP mcrypt
490		*
491		* @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
492		* @param string $text_string the text to be decrypted
493		* @return string
494		*/
495		protected function acme_encrypt($text_string = '')
496		{
497		// you give me nothing??? GET OUT !
498		if (empty($text_string)) {
499		return $text_string;
500		}
501		$key_bits = str_split(
502		str_pad(
503		'',
504		strlen($text_string),
505		$this->get_encryption_key(),
506		STR_PAD_RIGHT
507		)
508		);
509		$string_bits = str_split($text_string);
510	View Code Duplication	foreach ($string_bits as $k => $v) {
511		$temp = ord($v) + ord($key_bits[$k]);
512		$string_bits[$k] = chr($temp > 255 ? ($temp - 256) : $temp);
513		}
514		$encrypted_text = implode('', $string_bits);
515		$encrypted_text .= EE_Encryption::ACME_ENCRYPTION_FLAG;
516		return $this->_use_base64_encode
517		? base64_encode($encrypted_text)
518		: $encrypted_text;
519		}
520
521
522
523		/**
524		* decrypts data for acme servers that didn't bother to install PHP mcrypt
525		*
526		* @see http://stackoverflow.com/questions/800922/how-to-encrypt-string-without-mcrypt-library-in-php
527		* @param string $encrypted_text the text to be decrypted
528		* @return string
529		* @throws RuntimeException
530		*/
531		protected function acme_decrypt($encrypted_text = '')
532		{
533		// you give me nothing??? GET OUT !
534		if (empty($encrypted_text)) {
535		return $encrypted_text;
536		}
537		// decode the data ?
538		$encrypted_text = $this->valid_base_64($encrypted_text)
539		? base64_decode($encrypted_text)
540		: $encrypted_text;
541		if (
542		$this->_use_mcrypt
543		&& strpos($encrypted_text, EE_Encryption::ACME_ENCRYPTION_FLAG) === false
544		){
545		return $this->m_decrypt($encrypted_text);
		0 ignored issues – show Deprecated Code introduced 2017-05-23 23:14 UTC by Report Bug Copy Issue Report The method `EE_Encryption::m_decrypt()` has been deprecated with message: 4.9.39 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
546		}
547		$encrypted_text = substr($encrypted_text, 0, -4);
548		$key_bits = str_split(
549		str_pad(
550		'',
551		strlen($encrypted_text),
552		$this->get_encryption_key(),
553		STR_PAD_RIGHT
554		)
555		);
556		$string_bits = str_split($encrypted_text);
557	View Code Duplication	foreach ($string_bits as $k => $v) {
558		$temp = ord($v) - ord($key_bits[$k]);
559		$string_bits[$k] = chr($temp < 0 ? ($temp + 256) : $temp);
560		}
561		return implode('', $string_bits);
562		}
563
564
565
566		/**
567		* @see http://stackoverflow.com/questions/2556345/detect-base64-encoding-in-php#30231906
568		* @param $string
569		* @return bool
570		*/
571		protected function valid_base_64($string)
572		{
573		// ensure data is a string
574		if (! is_string($string) \|\| ! $this->_use_base64_encode) {
575		return false;
576		}
577		$decoded = base64_decode($string, true);
578		// Check if there is no invalid character in string
579		if (! preg_match('/^[a-zA-Z0-9\/\r\n+]*={0,2}$/', $string)) {
580		return false;
581		}
582		// Decode the string in strict mode and send the response
583		if (! base64_decode($string, true)) {
584		return false;
585		}
586		// Encode and compare it to original one
587		return base64_encode($decoded) === $string;
588		}
589
590
591
592		/**
593		* generate random string
594		*
595		* @see http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
596		* @param int $length number of characters for random string
597		* @return string
598		*/
599		public function generate_random_string($length = 40)
600		{
601		$iterations = ceil($length / 40);
602		$random_string = '';
603		for ($i = 0; $i < $iterations; $i++) {
604		$random_string .= sha1(microtime(true) . mt_rand(10000, 90000));
605		}
606		$random_string = substr($random_string, 0, $length);
607		return $random_string;
608		}
609
610
611
612		/**
613		* encrypts data using PHP's mcrypt functions
614		*
615		* @deprecated 4.9.39
616		* @param string $text_string
617		* @internal param $string - the text to be encrypted
618		* @return string
619		* @throws RuntimeException
620		*/
621		protected function m_encrypt($text_string = '')
622		{
623		// you give me nothing??? GET OUT !
624		if (empty($text_string)) {
625		return $text_string;
626		}
627		// get the initialization vector size
628		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
629		// initialization vector
630		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
631		if ($iv === false) {
632		throw new RuntimeException(
633		esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
634		);
635		}
636		// encrypt it
637		$encrypted_text = mcrypt_encrypt(
638		MCRYPT_RIJNDAEL_256,
639		$this->get_encryption_key(),
640		$text_string,
641		MCRYPT_MODE_ECB,
642		$iv
643		);
644		// trim and maybe encode
645		return $this->_use_base64_encode
646		? trim(base64_encode($encrypted_text))
647		: trim($encrypted_text);
648		}
649
650
651
652		/**
653		* decrypts data that has been encrypted with PHP's mcrypt functions
654		*
655		* @deprecated 4.9.39
656		* @param string $encrypted_text the text to be decrypted
657		* @return string
658		* @throws RuntimeException
659		*/
660		protected function m_decrypt($encrypted_text = '')
661		{
662		// you give me nothing??? GET OUT !
663		if (empty($encrypted_text)) {
664		return $encrypted_text;
665		}
666		// decode
667		$encrypted_text = $this->valid_base_64($encrypted_text)
668		? base64_decode($encrypted_text)
669		: $encrypted_text;
670		// get the initialization vector size
671		$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
672		$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
673		if ($iv === false) {
674		throw new RuntimeException(
675		esc_html__('Failed to generate mcrypt initialization vector.', 'event_espresso')
676		);
677		}
678		// decrypt it
679		$decrypted_text = mcrypt_decrypt(
680		MCRYPT_RIJNDAEL_256,
681		$this->get_encryption_key(),
682		$encrypted_text,
683		MCRYPT_MODE_ECB,
684		$iv
685		);
686		$decrypted_text = trim($decrypted_text);
687		return $decrypted_text;
688		}
689
690		}
691		/* End of file EE_Encryption.class.php */
692		/* Location: /includes/core/EE_Encryption.core.php */
693

eventespresso / event-espresso-core