2.3/ElggCrypto_8php_source.html

 <?php


 use \Elgg\Database\SiteSecret;


 class ElggCrypto {


     const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';


     const CHARS_HEX = '0123456789abcdef';


     private $site_secret;


     public function __construct(SiteSecret $site_secret = null) {

         $this->site_secret = $site_secret;

     }


     public function getRandomBytes($length) {

         if (is_callable('random_bytes')) {

             try {

                 return random_bytes($length);

             } catch (\Exception $e) {}

         }


         $SSLstr = '4'; // http://xkcd.com/221/


         if (function_exists('openssl_random_pseudo_bytes') && substr(PHP_OS, 0, 3) !== 'WIN') {

             $SSLstr = openssl_random_pseudo_bytes($length, $strong);

             if ($strong) {

                 return $SSLstr;

             }

         }


         if (function_exists('mcrypt_create_iv') && substr(PHP_OS, 0, 3) !== 'WIN') {

             $str = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);

             if ($str !== false) {

                 return $str;

             }

         }


         $str = '';

         $bits_per_round = 2; // bits of entropy collected in each clock drift round

         $msec_per_round = 400; // expected running time of each round in microseconds

         $hash_len = 20; // SHA-1 Hash length

         $total = $length; // total bytes of entropy to collect


         $handle = @fopen('/dev/urandom', 'rb');

         if ($handle && function_exists('stream_set_read_buffer')) {

             @stream_set_read_buffer($handle, 0);

         }


         do {

             $bytes = ($total > $hash_len) ? $hash_len : $total;

             $total -= $bytes;


             //collect any entropy available from the PHP system and filesystem

             $entropy = rand() . uniqid(mt_rand(), true) . $SSLstr;

             $entropy .= implode('', @fstat(@fopen(__FILE__, 'r')));

             $entropy .= memory_get_usage() . getmypid();

             $entropy .= serialize($_ENV) . serialize($_SERVER);

             if (function_exists('posix_times')) {

                 $entropy .= serialize(posix_times());

             }

             if (function_exists('zend_thread_id')) {

                 $entropy .= zend_thread_id();

             }


             if ($handle) {

                 $entropy .= @fread($handle, $bytes);

             } else {

                 // In the future we should consider outright refusing to generate bytes without an

                 // official random source, as many consider hacks like this irresponsible.


                 // Measure the time that the operations will take on average

                 for ($i = 0; $i < 3; $i++) {

                     $c1 = microtime(true);

                     $var = sha1(mt_rand());

                     for ($j = 0; $j < 50; $j++) {

                         $var = sha1($var);

                     }

                     $c2 = microtime(true);

                     $entropy .= $c1 . $c2;

                 }


                 // Based on the above measurement determine the total rounds

                 // in order to bound the total running time.

                 if ($c2 - $c1 == 0) {

                     // This occurs on some Windows systems. On a late 2013 MacBook Pro, 2.6 GHz Intel Core i7

                     // this averaged 400, so we're just going with that. With all the other entropy gathered

                     // this should be sufficient.

                     $rounds = 400;

                 } else {

                     $rounds = (int) ($msec_per_round * 50 / (int) (($c2 - $c1) * 1000000));

                 }


                 // Take the additional measurements. On average we can expect

                 // at least $bits_per_round bits of entropy from each measurement.

                 $iter = $bytes * (int) (ceil(8 / $bits_per_round));


                 for ($i = 0; $i < $iter; $i++) {

                     $c1 = microtime();

                     $var = sha1(mt_rand());

                     for ($j = 0; $j < $rounds; $j++) {

                         $var = sha1($var);

                     }

                     $c2 = microtime();

                     $entropy .= $c1 . $c2;

                 }

             }


             // We assume sha1 is a deterministic extractor for the $entropy variable.

             $str .= sha1($entropy, true);


         } while ($length > strlen($str));


         if ($handle) {

             @fclose($handle);

         }


         return substr($str, 0, $length);

     }


     public function getHmac($data, $algo = 'sha256', $key = '') {

         if (!$key) {

             $key = $this->site_secret->get(true);

         }

         return new Elgg\Security\Hmac($key, [$this, 'areEqual'], $data, $algo);

     }


     public function getRandomString($length, $chars = null) {

         if ($length < 1) {

             throw new \InvalidArgumentException('Length should be >= 1');

         }


         if (empty($chars)) {

             $numBytes = ceil($length * 0.75);

             $bytes    = $this->getRandomBytes($numBytes);

             $string = substr(rtrim(base64_encode($bytes), '='), 0, $length);


             // Base64 URL

             return strtr($string, '+/', '-_');

         }


         if ($chars == self::CHARS_HEX) {

             // hex is easy

             $bytes = $this->getRandomBytes(ceil($length / 2));

             return substr(bin2hex($bytes), 0, $length);

         }


         $listLen = strlen($chars);


         if ($listLen == 1) {

             return str_repeat($chars, $length);

         }


         $bytes  = $this->getRandomBytes($length);

         $pos    = 0;

         $result = '';

         for ($i = 0; $i < $length; $i++) {

             $pos     = ($pos + ord($bytes[$i])) % $listLen;

             $result .= $chars[$pos];

         }


         return $result;

     }


     public function areEqual($str1, $str2) {

         $len1 = $this->strlen($str1);

         $len2 = $this->strlen($str2);

         if ($len1 !== $len2) {

             return false;

         }


         $status = 0;

         for ($i = 0; $i < $len1; $i++) {

             $status |= (ord($str1[$i]) ^ ord($str2[$i]));

         }


         return $status === 0;

     }


     protected function strlen($binary_string) {

         if (function_exists('mb_strlen')) {

             return mb_strlen($binary_string, '8bit');

         }

         return strlen($binary_string);

     }

 }

$result
$result
Definition: set_maintenance_mode.php:11

ElggCrypto
Definition: ElggCrypto.php:13

ElggCrypto\areEqual
areEqual($str1, $str2)
Are two strings equal (compared in constant time)?
Definition: ElggCrypto.php:278

ElggCrypto\getHmac
getHmac($data, $algo='sha256', $key='')
Get an HMAC token builder/validator object.
Definition: ElggCrypto.php:202

ElggCrypto\getRandomBytes
getRandomBytes($length)
Generate a string of highly randomized bytes (over the full 8-bit range).
Definition: ElggCrypto.php:72

ElggCrypto\CHARS_HEX
const CHARS_HEX
Character set for hexadecimal.
Definition: ElggCrypto.php:23

ElggCrypto\CHARS_PASSWORD
const CHARS_PASSWORD
Character set for temp passwords (no risk of embedded profanity/glyphs that look similar)
Definition: ElggCrypto.php:18

ElggCrypto\__construct
__construct(SiteSecret $site_secret=null)
Constructor.
Definition: ElggCrypto.php:35

ElggCrypto\strlen
strlen($binary_string)
Count the number of bytes in a string.
Definition: ElggCrypto.php:311

ElggCrypto\getRandomString
getRandomString($length, $chars=null)
Generate a random string of specified length.
Definition: ElggCrypto.php:228

Elgg\Database\SiteSecret
Definition: SiteSecret.php:22

Elgg\Security\Hmac
Component for creating HMAC tokens.
Definition: Hmac.php:7

$data
$data
Definition: opendd.php:13

$length
$length
Definition: excerpt.php:14

$key
$key
Definition: summary.php:34

$string
$string
Definition: set_priority.php:30

$e
$e
Definition: metadata.php:12