2.3/ElggCrypto_8php_source.html

 <?php

 use \Elgg\Database\SiteSecret;

 class ElggCrypto {

     const CHARS_PASSWORD = 'bcdfghjklmnpqrstvwxyz2346789';

     const CHARS_HEX = '0123456789abcdef';

     private $site_secret;

     public function __construct(SiteSecret $site_secret = null) {
         $this->site_secret = $site_secret;
     }

     public function getRandomBytes($length) {
         if (is_callable('random_bytes')) {
             try {
                 return random_bytes($length);
             } catch (\Exception $e) {}
         }

         $SSLstr = '4'; // http://xkcd.com/221/

         if (function_exists('openssl_random_pseudo_bytes') && substr(PHP_OS, 0, 3) !== 'WIN') {
             $SSLstr = openssl_random_pseudo_bytes($length, $strong);
             if ($strong) {
                 return $SSLstr;
             }
         }

         if (function_exists('mcrypt_create_iv') && substr(PHP_OS, 0, 3) !== 'WIN') {
             $str = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
             if ($str !== false) {
                 return $str;
             }
         }

         $str = '';
         $bits_per_round = 2; // bits of entropy collected in each clock drift round
         $msec_per_round = 400; // expected running time of each round in microseconds
         $hash_len = 20; // SHA-1 Hash length
         $total = $length; // total bytes of entropy to collect

         $handle = @fopen('/dev/urandom', 'rb');
         if ($handle && function_exists('stream_set_read_buffer')) {
             @stream_set_read_buffer($handle, 0);
         }

         do {
             $bytes = ($total > $hash_len) ? $hash_len : $total;
             $total -= $bytes;

             //collect any entropy available from the PHP system and filesystem
             $entropy = rand() . uniqid(mt_rand(), true) . $SSLstr;
             $entropy .= implode('', @fstat(@fopen(__FILE__, 'r')));
             $entropy .= memory_get_usage() . getmypid();
             $entropy .= serialize($_ENV) . serialize($_SERVER);
             if (function_exists('posix_times')) {
                 $entropy .= serialize(posix_times());
             }
             if (function_exists('zend_thread_id')) {
                 $entropy .= zend_thread_id();
             }

             if ($handle) {
                 $entropy .= @fread($handle, $bytes);
             } else {
                 // In the future we should consider outright refusing to generate bytes without an
                 // official random source, as many consider hacks like this irresponsible.

                 // Measure the time that the operations will take on average
                 for ($i = 0; $i < 3; $i++) {
                     $c1 = microtime(true);
                     $var = sha1(mt_rand());
                     for ($j = 0; $j < 50; $j++) {
                         $var = sha1($var);
                     }
                     $c2 = microtime(true);
                     $entropy .= $c1 . $c2;
                 }

                 // Based on the above measurement determine the total rounds
                 // in order to bound the total running time.
                 if ($c2 - $c1 == 0) {
                     // This occurs on some Windows systems. On a late 2013 MacBook Pro, 2.6 GHz Intel Core i7
                     // this averaged 400, so we're just going with that. With all the other entropy gathered
                     // this should be sufficient.
                     $rounds = 400;
                 } else {
                     $rounds = (int) ($msec_per_round * 50 / (int) (($c2 - $c1) * 1000000));
                 }

                 // Take the additional measurements. On average we can expect
                 // at least $bits_per_round bits of entropy from each measurement.
                 $iter = $bytes * (int) (ceil(8 / $bits_per_round));

                 for ($i = 0; $i < $iter; $i++) {
                     $c1 = microtime();
                     $var = sha1(mt_rand());
                     for ($j = 0; $j < $rounds; $j++) {
                         $var = sha1($var);
                     }
                     $c2 = microtime();
                     $entropy .= $c1 . $c2;
                 }
             }

             // We assume sha1 is a deterministic extractor for the $entropy variable.
             $str .= sha1($entropy, true);

         } while ($length > strlen($str));

         if ($handle) {
             @fclose($handle);
         }

         return substr($str, 0, $length);
     }

     public function getHmac($data, $algo = 'sha256', $key = '') {
         if (!$key) {
             $key = $this->site_secret->get(true);
         }
         return new Elgg\Security\Hmac($key, [$this, 'areEqual'], $data, $algo);
     }

     public function getRandomString($length, $chars = null) {
         if ($length < 1) {
             throw new \InvalidArgumentException('Length should be >= 1');
         }

         if (empty($chars)) {
             $numBytes = ceil($length * 0.75);
             $bytes    = $this->getRandomBytes($numBytes);
             $string = substr(rtrim(base64_encode($bytes), '='), 0, $length);

             // Base64 URL
             return strtr($string, '+/', '-_');
         }

         if ($chars == self::CHARS_HEX) {
             // hex is easy
             $bytes = $this->getRandomBytes(ceil($length / 2));
             return substr(bin2hex($bytes), 0, $length);
         }

         $listLen = strlen($chars);

         if ($listLen == 1) {
             return str_repeat($chars, $length);
         }

         $bytes  = $this->getRandomBytes($length);
         $pos    = 0;
         $result = '';
         for ($i = 0; $i < $length; $i++) {
             $pos     = ($pos + ord($bytes[$i])) % $listLen;
             $result .= $chars[$pos];
         }

         return $result;
     }

     public function areEqual($str1, $str2) {
         $len1 = $this->strlen($str1);
         $len2 = $this->strlen($str2);
         if ($len1 !== $len2) {
             return false;
         }

         $status = 0;
         for ($i = 0; $i < $len1; $i++) {
             $status |= (ord($str1[$i]) ^ ord($str2[$i]));
         }

         return $status === 0;
     }

     protected function strlen($binary_string) {
         if (function_exists('mb_strlen')) {
             return mb_strlen($binary_string, '8bit');
         }
         return strlen($binary_string);
     }
 }
ElggCrypto\areEqual
areEqual($str1, $str2)
Are two strings equal (compared in constant time)?
Definition: ElggCrypto.php:278

Elgg\Database\SiteSecret
Definition: SiteSecret.php:22

$result
$result
Definition: set_maintenance_mode.php:11

ElggCrypto\CHARS_PASSWORD
const CHARS_PASSWORD
Character set for temp passwords (no risk of embedded profanity/glyphs that look similar) ...
Definition: ElggCrypto.php:18

ElggCrypto\getRandomBytes
getRandomBytes($length)
Generate a string of highly randomized bytes (over the full 8-bit range).
Definition: ElggCrypto.php:72

$e
$e
Definition: metadata.php:12

$data
$data
Definition: opendd.php:13

$length
$length
Definition: excerpt.php:14

ElggCrypto

$string
$string
Definition: set_priority.php:30

$key
$key
Definition: summary.php:34

Elgg\Security\Hmac
Component for creating HMAC tokens.
Definition: Hmac.php:7

ElggCrypto\__construct
__construct(SiteSecret $site_secret=null)
Constructor.
Definition: ElggCrypto.php:35

ElggCrypto\CHARS_HEX
const CHARS_HEX
Character set for hexadecimal.
Definition: ElggCrypto.php:23

ElggCrypto\getRandomString
getRandomString($length, $chars=null)
Generate a random string of specified length.
Definition: ElggCrypto.php:228

ElggCrypto\strlen
strlen($binary_string)
Count the number of bytes in a string.
Definition: ElggCrypto.php:311

ElggCrypto\getHmac
getHmac($data, $algo= 'sha256', $key= '')
Get an HMAC token builder/validator object.
Definition: ElggCrypto.php:202

Exception