/sites/all/modules/service_container/lib/Drupal/Component/Utility/Crypt.php

https://gitlab.com/leoplanxxi/dr7-web-buap-2016 · PHP · 143 lines · 47 code · 14 blank · 82 comment · 8 complexity · 7058473fa968d4e289d79d660e00f510 MD5 · raw file 

    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * @file
    5. 

  5.  * Contains \Drupal\Component\Utility\Crypt.
    6. 

  6.  */
    7. 

  7. 

  8. namespace Drupal\Component\Utility;
    9. 

  9. 

  10. /**
    11. 

  11.  * Utility class for cryptographically-secure string handling routines.
    12. 

  12.  *
    13. 

  13.  * @ingroup utility
    14. 

  14.  */
    15. 

  15. class Crypt {
    16. 

  16. 

  17.   /**
    18. 

  18.    * Returns a string of highly randomized bytes (over the full 8-bit range).
    19. 

  19.    *
    20. 

  20.    * This function is better than simply calling mt_rand() or any other built-in
    21. 

  21.    * PHP function because it can return a long string of bytes (compared to < 4
    22. 

  22.    * bytes normally from mt_rand()) and uses the best available pseudo-random
    23. 

  23.    * source.
    24. 

  24.    *
    25. 

  25.    * @param int $count
    26. 

  26.    *   The number of characters (bytes) to return in the string.
    27. 

  27.    *
    28. 

  28.    * @return string
    29. 

  29.    *   A randomly generated string.
    30. 

  30.    */
    31. 

  31.   public static function randomBytes($count) {
    32. 

  32.     // $random_state does not use drupal_static as it stores random bytes.
    33. 

  33.     static $random_state, $bytes;
    34. 

  34. 

  35.     $missing_bytes = $count - strlen($bytes);
    36. 

  36. 

  37.     if ($missing_bytes > 0) {
    38. 

  38.       // openssl_random_pseudo_bytes() will find entropy in a system-dependent
    39. 

  39.       // way.
    40. 

  40.       if (function_exists('openssl_random_pseudo_bytes')) {
    41. 

  41.         $bytes .= openssl_random_pseudo_bytes($missing_bytes);
    42. 

  42.       }
    43. 

  43. 

  44.       // Else, read directly from /dev/urandom, which is available on many *nix
    45. 

  45.       // systems and is considered cryptographically secure.
    46. 

  46.       elseif ($fh = @fopen('/dev/urandom', 'rb')) {
    47. 

  47.         // PHP only performs buffered reads, so in reality it will always read
    48. 

  48.         // at least 4096 bytes. Thus, it costs nothing extra to read and store
    49. 

  49.         // that much so as to speed any additional invocations.
    50. 

  50.         $bytes .= fread($fh, max(4096, $missing_bytes));
    51. 

  51.         fclose($fh);
    52. 

  52.       }
    53. 

  53. 

  54.       // If we couldn't get enough entropy, this simple hash-based PRNG will
    55. 

  55.       // generate a good set of pseudo-random bytes on any system.
    56. 

  56.       // Note that it may be important that our $random_state is passed
    57. 

  57.       // through hash() prior to being rolled into $output, that the two hash()
    58. 

  58.       // invocations are different, and that the extra input into the first one -
    59. 

  59.       // the microtime() - is prepended rather than appended. This is to avoid
    60. 

  60.       // directly leaking $random_state via the $output stream, which could
    61. 

  61.       // allow for trivial prediction of further "random" numbers.
    62. 

  62.       if (strlen($bytes) < $count) {
    63. 

  63.         // Initialize on the first call. The contents of $_SERVER includes a mix
    64. 

  64.         // of user-specific and system information that varies a little with
    65. 

  65.         // each page.
    66. 

  66.         if (!isset($random_state)) {
    67. 

  67.           $random_state = print_r($_SERVER, TRUE);
    68. 

  68.           if (function_exists('getmypid')) {
    69. 

  69.             // Further initialize with the somewhat random PHP process ID.
    70. 

  70.             $random_state .= getmypid();
    71. 

  71.           }
    72. 

  72.           $bytes = '';
    73. 

  73.         }
    74. 

  74. 

  75.         do {
    76. 

  76.           $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
    77. 

  77.           $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
    78. 

  78.         } while (strlen($bytes) < $count);
    79. 

  79.       }
    80. 

  80.     }
    81. 

  81.     $output = substr($bytes, 0, $count);
    82. 

  82.     $bytes = substr($bytes, $count);
    83. 

  83.     return $output;
    84. 

  84.   }
    85. 

  85. 

  86.   /**
    87. 

  87.    * Calculates a base-64 encoded, URL-safe sha-256 hmac.
    88. 

  88.    *
    89. 

  89.    * @param mixed $data
    90. 

  90.    *   Scalar value to be validated with the hmac.
    91. 

  91.    * @param mixed $key
    92. 

  92.    *   A secret key, this can be any scalar value.
    93. 

  93.    *
    94. 

  94.    * @return string
    95. 

  95.    *   A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
    96. 

  96.    *   any = padding characters removed.
    97. 

  97.    */
    98. 

  98.   public static function hmacBase64($data, $key) {
    99. 

  99.     // $data and $key being strings here is necessary to avoid empty string
    100. 

  100.     // results of the hash function if they are not scalar values. As this
    101. 

  101.     // function is used in security-critical contexts like token validation it
    102. 

  102.     // is important that it never returns an empty string.
    103. 

  103.     if (!is_scalar($data) || !is_scalar($key)) {
    104. 

  104.       throw new \InvalidArgumentException('Both parameters passed to \Drupal\Component\Utility\Crypt::hmacBase64 must be scalar values.');
    105. 

  105.     }
    106. 

  106. 

  107.     $hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
    108. 

  108.     // Modify the hmac so it's safe to use in URLs.
    109. 

  109.     return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
    110. 

  110.   }
    111. 

  111. 

  112.   /**
    113. 

  113.    * Calculates a base-64 encoded, URL-safe sha-256 hash.
    114. 

  114.    *
    115. 

  115.    * @param string $data
    116. 

  116.    *   String to be hashed.
    117. 

  117.    *
    118. 

  118.    * @return string
    119. 

  119.    *   A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
    120. 

  120.    *   any = padding characters removed.
    121. 

  121.    */
    122. 

  122.   public static function hashBase64($data) {
    123. 

  123.     $hash = base64_encode(hash('sha256', $data, TRUE));
    124. 

  124.     // Modify the hash so it's safe to use in URLs.
    125. 

  125.     return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
    126. 

  126.   }
    127. 

  127. 

  128.   /**
    129. 

  129.    * Returns a URL-safe, base64 encoded string of highly randomized bytes.
    130. 

  130.    *
    131. 

  131.    * @param $byte_count
    132. 

  132.    *   The number of random bytes to fetch and base64 encode.
    133. 

  133.    *
    134. 

  134.    * @return string
    135. 

  135.    *   The base64 encoded result will have a length of up to 4 * $byte_count.
    136. 

  136.    *
    137. 

  137.    * @see \Drupal\Component\Utility\Crypt::randomBytes()
    138. 

  138.    */
    139. 

  139.   public static function randomBytesBase64($count = 32) {
    140. 

  140.     return strtr(base64_encode(static::randomBytes($count)), array('+' => '-', '/' => '_', '=' => ''));
    141. 

  141.   }
    142. 

  142. 

  143. }
    144.