/**
* Creates a salted hash from a string.
*
* @param string $str
* String to hash.
*
* @return string
* Returns hashed string, or false on error.
*/
public static function create($str)
{
switch (self::$_method) {
case self::BCRYPT:
$saltRnd = phpsecRand::str(22, self::$charsets['itoa64']);
$salt = sprintf('$2a$%s$%s', self::$_bcrypt_cost, $saltRnd);
$hash = crypt($str, $salt);
break;
case self::PBKDF2:
$salt = phpsecRand::bytes(64);
$hash = phpsecCrypt::pbkdf2($str, $salt, self::$_pbkdf2_c, self::$_pbkdf2_dkLen, self::$_pbkdf2_prf);
$hash = sprintf('$pbkdf2$c=%s&dk=%s&f=%s$%s$%s', self::$_pbkdf2_c, self::$_pbkdf2_dkLen, self::$_pbkdf2_prf, base64_encode($hash), base64_encode($salt));
break;
case self::SHA256:
case self::SHA512:
$saltRnd = phpsecRand::str(16, self::$charsets['itoa64']);
$salt = sprintf('%srounds=%s$%s', self::$_method, self::$_sha2_c, $saltRnd);
$hash = crypt($str, $salt);
break;
}
if (strlen($hash) > 13) {
return $hash;
}
return false;
}
/**
* Create a hashed version of a password, safe for storage in a database.
* This function return a json encoded array that can be stored directly
* into a database. The array has the following layout:
* array(
* 'hash' => The hash created from the password and a salt.
* 'salt' => The salt that was used along with the password to create the hash.
* 'algo' => The hashing algorithm used.
* )
*
* @param string $password
* The password to hash.
*
* @return string
* Returns a json encoded array containing the password hash, salt and
* some meta data.
*/
public static function hash($password)
{
$salt = phpsecRand::bytes(64);
switch (self::$_method) {
case self::phpsecPw_PBKDF2:
$hash = phpsecCrypt::pbkdf2($password, $salt, self::$_pbkdf2_c, self::$_pbkdf2_dkLen, self::$_pbkdf2_prf);
/* phpsecCrypt::pbkdf2() returns a binary string. So let's base64 encode it.*/
$hash = base64_encode($hash);
/* We append the iteration count, derived key length and PRF as we need this later. */
$algo = 'pbkdf2:' . self::$_pbkdf2_c . ':' . self::$_pbkdf2_dkLen . ':' . self::$_pbkdf2_prf;
break;
default:
$injected = self::inject($password, $salt);
$hash = hash(self::$_method, $injected);
$algo = self::$_method;
}
$return = array('hash' => $hash, 'salt' => base64_encode($salt), 'algo' => $algo);
return json_encode($return);
}
/**
* Encrypt data returning a JSON encoded array safe for storage in a database
* or file. The array has the following structure before it is encoded:
* array(
* 'cdata' => 'Encrypted data, Base 64 encoded',
* 'iv' => 'Base64 encoded IV',
* 'algo' => 'Algorythm used',
* 'mode' => 'Mode used',
* 'mac' => 'Message Authentication Code'
* )
*
* @param mixed $data
* Data to encrypt.
*
* @param string $key
* Key to encrypt data with.
*
* @return string
* Serialized array containing the encrypted data along with some meta data.
*/
public static function encrypt($data, $key)
{
$td = mcrypt_module_open(self::$_algo, '', self::$_mode, '');
/* Check key size. */
$keySize = strlen($key);
$keySizes = mcrypt_enc_get_supported_key_sizes($td);
if (count($keySizes) > 0) {
/* Encryption method requires a specific key size. */
if (!in_array($keySize, $keySizes)) {
phpsec::error('Key is out of range. Should be one of: ' . var_export($keySizes, 1));
return false;
}
} else {
/* No spsecific size is needed. */
if ($keySize == 0 || $keySize > mcrypt_enc_get_key_size($td)) {
phpsec::error('Key is out of range. Should be: 1 - ' . mcrypt_enc_get_key_size($td) . ' bytes.');
return false;
}
}
/* Create IV. */
$iv = phpsecRand::bytes(mcrypt_enc_get_iv_size($td));
/* Init mcrypt. */
mcrypt_generic_init($td, $key, $iv);
/* Prepeare the array with data. */
$serializedData = serialize($data);
/* Add padding if enabled. */
if (self::$_padding === true) {
$block = mcrypt_enc_get_block_size($td);
$serializedData = self::pad($block, $serializedData);
}
$encrypted['algo'] = self::$_algo;
/* Algorithm used to encrypt. */
$encrypted['mode'] = self::$_mode;
/* Algorithm mode. */
$encrypted['iv'] = base64_encode($iv);
/* Initialization vector, just a bunch of randomness. */
$encrypted['cdata'] = base64_encode(mcrypt_generic($td, $serializedData));
/* The encrypted data. */
$encrypted['mac'] = base64_encode(self::pbkdf2($encrypted['cdata'], $key, 1000, 32));
return json_encode($encrypted);
}
public function generate_unique_sequence($entropy = 100)
{
require_once 'lib/phpsec/phpsec/phpsec.rand.php';
return base64_encode(phpsecRand::bytes($entropy));
}
private function generate_provisional_password()
{
global $tikilib;
require_once 'lib/phpsec/phpsec/phpsec.rand.php';
$site_hash = $tikilib->get_site_hash();
$random_value = phpsecRand::bytes(40);
return base64_encode(sha1($random_value . $site_hash, true));
}
/**
* Set the cookie with the secret.
*
* @return true
*/
private static function setSecret()
{
self::$_secret = phpsecRand::bytes(32);
$cookieParam = session_get_cookie_params();
setcookie(self::$_keyCookie, base64_encode(self::$_secret), $cookieParam['lifetime'], $cookieParam['path'], $cookieParam['domain'], $cookieParam['secure'], $cookieParam['httponly']);
return true;
}
public function get_site_hash()
{
global $prefs;
if (! isset($prefs['internal_site_hash'])) {
require_once 'lib/phpsec/phpsec/phpsec.rand.php';
$hash = base64_encode(phpsecRand::bytes(100));
$this->set_preference('internal_site_hash', $hash);
}
return $prefs['internal_site_hash'];
}
