1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
namespace SilverStripe\HybridSessions\Crypto; |
4
|
|
|
|
5
|
|
|
/** |
6
|
|
|
* Some cryptography used for Session cookie encryption. Requires the mcrypt extension. |
7
|
|
|
* |
8
|
|
|
* @deprecated 2.2.0 The PHP mcrypt library is deprecated. Please use OpenSSLCrypto instead. |
9
|
|
|
* |
10
|
|
|
* WARNING: Please beware that McryptCrypto does not preserve zero bytes at the end of encrypted messages. |
11
|
|
|
* Thus, a message such as "data\x00" will become "data" after encrypt-decrypt. |
12
|
|
|
* As such, it is not binary safe. |
13
|
|
|
* It is guaranteed for UTF-8 encoded text not to have zero bytes. However, other encodings may contain those. |
14
|
|
|
* For example, be careful with UTF-16LE, since characters less than U+0100 are very common. |
15
|
|
|
*/ |
16
|
|
|
class McryptCrypto implements CryptoHandler |
17
|
|
|
{ |
18
|
|
|
protected $key; |
19
|
|
|
|
20
|
|
|
protected $ivSize; |
21
|
|
|
|
22
|
|
|
protected $keySize; |
23
|
|
|
|
24
|
|
|
protected $salt; |
25
|
|
|
|
26
|
|
|
protected $saltedKey; |
27
|
|
|
|
28
|
|
|
/** |
29
|
|
|
* @return string |
30
|
|
|
*/ |
31
|
|
|
public function getKey() |
32
|
|
|
{ |
33
|
|
|
return $this->key; |
34
|
|
|
} |
35
|
|
|
|
36
|
|
|
/** |
37
|
|
|
* @return string |
38
|
|
|
*/ |
39
|
|
|
public function getSalt() |
40
|
|
|
{ |
41
|
|
|
return $this->salt; |
42
|
|
|
} |
43
|
|
|
|
44
|
|
|
/** |
45
|
|
|
* @param $key a per-site secret string which is used as the base encryption key. |
46
|
|
|
* @param $salt a per-session random string which is used as a salt to generate a per-session key |
47
|
|
|
* |
48
|
|
|
* The base encryption key needs to stay secret. If an attacker ever gets it, they can read their session, |
49
|
|
|
* and even modify & re-sign it. |
50
|
|
|
* |
51
|
|
|
* The salt is a random per-session string that is used with the base encryption key to create a per-session key. |
52
|
|
|
* This (amongst other things) makes sure an attacker can't use a known-plaintext attack to guess the key. |
53
|
|
|
* |
54
|
|
|
* Normally we could create a salt on encryption, send it to the client as part of the session (it doesn't |
55
|
|
|
* need to remain secret), then use the returned salt to decrypt. But we already have the Session ID which makes |
56
|
|
|
* a great salt, so no need to generate & handle another one. |
57
|
|
|
*/ |
58
|
|
|
public function __construct($key, $salt) |
59
|
|
|
{ |
60
|
|
|
$this->ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); |
61
|
|
|
$this->keySize = mcrypt_get_key_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC); |
62
|
|
|
|
63
|
|
|
$this->key = $key; |
64
|
|
|
$this->salt = $salt; |
65
|
|
|
$this->saltedKey = hash_pbkdf2('sha256', $this->key, $this->salt, 1000, $this->keySize, true); |
66
|
|
|
} |
67
|
|
|
|
68
|
|
|
/** |
69
|
|
|
* Encrypt and then sign some cleartext |
70
|
|
|
* |
71
|
|
|
* @param $cleartext - The cleartext to encrypt and sign |
72
|
|
|
* @return string - The encrypted-and-signed message as base64 ASCII. |
73
|
|
|
*/ |
74
|
|
|
public function encrypt($cleartext) |
75
|
|
|
{ |
76
|
|
|
$iv = mcrypt_create_iv($this->ivSize, MCRYPT_DEV_URANDOM); |
77
|
|
|
|
78
|
|
|
$enc = mcrypt_encrypt( |
79
|
|
|
MCRYPT_RIJNDAEL_256, |
80
|
|
|
$this->saltedKey, |
81
|
|
|
$cleartext, |
82
|
|
|
MCRYPT_MODE_CBC, |
83
|
|
|
$iv |
84
|
|
|
); |
85
|
|
|
|
86
|
|
|
$hash = hash_hmac('sha256', $enc, $this->saltedKey); |
87
|
|
|
|
88
|
|
|
return base64_encode($iv . $hash . $enc); |
89
|
|
|
} |
90
|
|
|
|
91
|
|
|
/** |
92
|
|
|
* Check the signature on an encrypted-and-signed message, and if valid |
93
|
|
|
* decrypt the content |
94
|
|
|
* |
95
|
|
|
* @param $data - The encrypted-and-signed message as base64 ASCII |
96
|
|
|
* |
97
|
|
|
* @return bool|string - The decrypted cleartext or false if signature failed |
98
|
|
|
*/ |
99
|
|
|
public function decrypt($data) |
100
|
|
|
{ |
101
|
|
|
$data = base64_decode($data); |
102
|
|
|
|
103
|
|
|
$iv = substr($data, 0, $this->ivSize); |
104
|
|
|
$hash = substr($data, $this->ivSize, 64); |
105
|
|
|
$enc = substr($data, $this->ivSize + 64); |
106
|
|
|
|
107
|
|
|
$cleartext = rtrim(mcrypt_decrypt( |
108
|
|
|
MCRYPT_RIJNDAEL_256, |
109
|
|
|
$this->saltedKey, |
110
|
|
|
$enc, |
111
|
|
|
MCRYPT_MODE_CBC, |
112
|
|
|
$iv |
113
|
|
|
), "\x00"); |
114
|
|
|
|
115
|
|
|
// Needs to be after decrypt so it always runs, to avoid timing attack |
116
|
|
|
$gen_hash = hash_hmac('sha256', $enc, $this->saltedKey); |
117
|
|
|
|
118
|
|
|
if ($gen_hash == $hash) { |
119
|
|
|
return $cleartext; |
120
|
|
|
} |
121
|
|
|
return false; |
|
|
|
|
122
|
|
|
} |
123
|
|
|
} |
124
|
|
|
|
If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design.
Let’s take a look at an example:
Our function
my_function
expects aPost
object, and outputs the author of the post. The base classPost
returns a simple string and outputting a simple string will work just fine. However, the child classBlogPost
which is a sub-type ofPost
instead decided to return anobject
, and is therefore violating the SOLID principles. If aBlogPost
were passed tomy_function
, PHP would not complain, but ultimately fail when executing thestrtoupper
call in its body.