Decrypts a ciphertext to a string with a password, using a slow key
derivation function to make password cracking more expensive.
/** * @param $passwordHash * @param $token * @return array */ public static function tokenDecrypt($passwordHash, $token) { $decrypted = Crypto::decryptWithPassword($token, $passwordHash); return explode("|", $decrypted); }
} // Validation: check if this is a brute force attempt $past = strtotime("-5 min") * 1000; $events->search('value.action:failed AND @path.timestamp:[' . $past . ' TO ' . $now . ']'); $fail_total = $events->getTotalCount(); if ($fail_total >= 3) { $item->event('log')->post(['action' => 'disabled']); $errors = true; response(VALIDATION_TOO_MANY_ATTEMPTS, $errors); } // If all of the above validation checks pass, continue on if (!$errors) { $data_encrypted = hex2bin($item->secret); // Decrypt data, reference: https://github.com/defuse/php-encryption/ try { $data_decrypted = Crypto::decryptWithPassword($data_encrypted, $password); } catch (Ex\WrongKeyOrModifiedCiphertextException $ex) { $item->event('log')->post(['action' => 'failed']); response(DECRYPTION_PASSWORD_WRONG, true); } catch (Ex\EnvironmentIsBrokenException $ex) { response(ENCRYPTION_UNSAFE, true); } // Delete message if ($item->delete()) { $item->event('log')->post(['action' => 'deleted']); } else { response($item->getStatus(), true); } $data = unserialize($data_decrypted); // Send email to sender if (!empty($data["email_sender"])) {
/** * @expectedException \Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException */ public function testDecryptHexAsRaw() { $ciphertext = Crypto::encryptWithPassword('testdata', 'password', false); Crypto::decryptWithPassword($ciphertext, 'password', true); }
/** * @inheritDoc */ public function decodeToken($value) { return Crypto::decryptWithPassword($value, $this->key, true); }