public static function bytes($length)
{
if (!(ctype_digit(@(string) $length) && ($length = (int) $length) > 0)) {
throw new InvalidArgumentException('Random::bytes(): A positive integer value as parameter is expected.');
}
return secure_random_bytes($length);
}
function security_code()
{
// Import secure random bytes function
require_once './srand.php';
// Let's generate a totally random string using SHA-1
$sha1_hash = sha1(secure_random_bytes(100));
// Start the session so we can store what the security code actually is
session_start();
// We don't need a 32 character long string so we trim it down to 6
$security_code = substr($sha1_hash, 15, 6);
// Set the session to store the security code
$_SESSION['captcha'] = $security_code;
// Close the session
session_write_close();
return $security_code;
}
private function _generate_key()
{
do {
// Generate a random salt
// Modified by Ivan Tcholakov, 28-JUN-2015.
//$salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
$salt = secure_random_bytes(16);
//
$new_key = substr($salt, 0, config_item('rest_key_length'));
} while (self::_key_exists($new_key));
// Already in the DB? Fail. Try again
return $new_key;
}
function random_key($len, $readable = false, $hash = false)
{
if (!function_exists('secure_random_bytes')) {
include PUN_ROOT . 'include/srand.php';
}
$key = secure_random_bytes($len);
if ($hash) {
return substr(bin2hex($key), 0, $len);
} else {
if ($readable) {
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$result = '';
for ($i = 0; $i < $len; ++$i) {
$result .= substr($chars, ord($key[$i]) % strlen($chars), 1);
}
return $result;
}
}
return $key;
}
/**
*
* @param int $num_bytes [optional]
* @return string
*/
function generate_csrf_token($num_bytes = 16)
{
require_once 'lib/srand.php';
return bin2hex(secure_random_bytes($num_bytes));
}
function updateAccount($user_id, $oldPassword, $newPassword, $newPasswordConfirm, $newEmail)
{
$user_id = escape($user_id);
$oldPassword = escape($oldPassword);
$newPassword = escape($newPassword);
$newPasswordConfirm = escape($newPasswordConfirm);
$newEmail = escape($newEmail);
$result = verifyLogin($_SESSION['user_id'], $_POST['old_password']);
if ($result === TRUE) {
$set_string = "";
//decrypt the password if needed
require_once includePath() . "/crypto.php";
$newPassword = decryptPassword($newPassword);
$newPasswordConfirm = decryptPassword($newPasswordConfirm);
if (strlen($newPassword) > 0 || strlen($newPasswordConfirm) > 0) {
if (strlen($newPassword) >= 6) {
//enforce minimum password length of six
if ($newPassword == $newPasswordConfirm) {
$validPassword = validPassword($newPassword);
if ($validPassword == 0) {
$gen_salt = secure_random_bytes(20);
$db_salt = escape(bin2hex($gen_salt));
$set_string .= "password = '******', salt = '{$db_salt}', ";
} else {
return $validPassword;
}
} else {
return 11;
}
} else {
return 1;
}
}
if (strlen($newEmail) > 0) {
if (validEmail($newEmail)) {
$set_string .= "email = '" . escape($newEmail) . "', ";
} else {
return 10;
}
}
if (strlen($set_string) > 0) {
$set_string = substr($set_string, 0, strlen($set_string) - 2);
//get rid of trailing comma and space
mysql_query("UPDATE users SET " . $set_string . " WHERE id='{$user_id}'");
}
return 0;
} else {
return $result;
}
}
function secure_random()
{
return hexdec(bin2hex(secure_random_bytes(3)));
}
public static function getRandomInts($numInts)
{
$ints = array();
if ($numInts <= 0) {
return $ints;
}
// Modified by Deepak Patil <*****@*****.**>, 21-DEC-2014.
// The purpose of this change is making this method tollerant to different system configurations.
//$rawBinary = mcrypt_create_iv($numInts * PHP_INT_SIZE, MCRYPT_DEV_URANDOM);
$rawBinary = secure_random_bytes($numInts * PHP_INT_SIZE);
//
for ($i = 0; $i < $numInts; ++$i) {
$thisInt = 0;
for ($j = 0; $j < PHP_INT_SIZE; ++$j) {
$thisInt = $thisInt << 8 | ord($rawBinary[$i * PHP_INT_SIZE + $j]) & 0xff;
}
// Absolute value in two's compliment (with min int going to zero)
$thisInt = $thisInt & PHP_INT_MAX;
$ints[] = $thisInt;
}
return $ints;
}
function resetPassword($user_id, $password)
{
$user_id = escape($user_id);
$gen_salt = secure_random_bytes(20);
$db_salt = escape(bin2hex($gen_salt));
//decrypt the password if needed
require_once includePath() . "/crypto.php";
$password = decryptPassword($password);
$password = escape(chash2($password, $gen_salt));
mysql_query("UPDATE users SET password='******', salt = '{$db_salt}' WHERE id='{$user_id}'");
mysql_query("DELETE FROM reset WHERE user_id='{$user_id}'");
//make sure user doesn't reset again with same link
}
/**
* Drop in replacement for rand() or mt_rand().
*
* @param int $min [optional]
* @param int $max [optional]
* @return int
*/
function crypto_rand_secure($min = null, $max = null)
{
require_once 'lib/srand.php';
// default values for optional min/max
if ($min === null) {
$min = 0;
}
if ($max === null) {
$max = getrandmax();
} else {
$max += 1;
}
// for being inclusive
$range = $max - $min;
if ($range <= 0) {
return $min;
}
// not so random...
$log = log($range, 2);
$bytes = (int) ($log / 8) + 1;
// length in bytes
$bits = (int) $log + 1;
// length in bits
$filter = (int) (1 << $bits) - 1;
// set all lower bits to 1
do {
$rnd = hexdec(bin2hex(secure_random_bytes($bytes)));
$rnd = $rnd & $filter;
// discard irrelevant bits
} while ($rnd >= $range);
return $min + $rnd;
}
<?
include("../include/common.php");
include("../config.php");
include("../include/db_connect.php");
include("../include/session.php");
if($config['rsa_modulus'] != '' && $config['rsa_exponent'] != '' && $config['rsa_key'] != '') {
//generate a random salt for the password encryption; this is saved in session
// set the current time so that we don't permit old salts to be reused
// note: the random salt is encrypted in hexadecimal to prevent encoding issues; shouldn't be a problem though...
$crypt_key = bin2hex(secure_random_bytes(20));
if(!isset($_SESSION['crypt_key'])) {
$_SESSION['crypt_key'] = array();
}
$_SESSION['crypt_key'][] = array(time(), $crypt_key);
?>
function pcryptf() {
var rsa = new RSAKey();
rsa.setPublic("<?php
echo $config['rsa_modulus'];
?>
", "<?php
echo $config['rsa_exponent'];
?>
");
var salt = "<?php
echo $crypt_key;
?>
private function _generate_key()
{
do {
// Generate a random salt
// Modified by Deepak Patil <*****@*****.**>, 10-JUL-2015.
//$salt = $this->security->get_random_bytes(64);
//
//// If an error occurred, then fall back to the previous method
//if ($salt === FALSE)
//{
// $salt = hash('sha256', time() . mt_rand());
//}
$salt = secure_random_bytes(64);
//
$new_key = substr($salt, 0, config_item('rest_key_length'));
} while ($this->_key_exists($new_key));
return $new_key;
}
private function _generate_key()
{
do {
// Generate a random salt
// Modified by Ivan Tcholakov, 10-JUL-2015.
//$salt = $this->security->get_random_bytes(64);
//
//// If an error occurred, then fall back to the previous method
//if ($salt === FALSE)
//{
// $salt = hash('sha256', time() . mt_rand());
//}
$salt = secure_random_bytes(64);
//
$new_key = substr($salt, 0, config_item('rest_key_length'));
} while (self::_key_exists($new_key));
// Already in the DB? Fail. Try again
return $new_key;
}
private function _generate_key()
{
do {
// Generate a random salt
// Modified by Ivan Tcholakov, 13-SEP-2015.
//$salt = base_convert(bin2hex($this->security->get_random_bytes(64)), 16, 36);
$salt = base_convert(bin2hex(secure_random_bytes(64)), 16, 36);
//
// Removed by Ivan Tcholakov, 13-SEP-2015.
//// If an error occurred, then fall back to the previous method
//if ($salt === FALSE)
//{
// $salt = hash('sha256', time() . mt_rand());
//}
//
$new_key = substr($salt, 0, config_item('rest_key_length'));
} while ($this->_key_exists($new_key));
return $new_key;
}
