diff options
Diffstat (limited to 'system/libraries/Encryption.php')
| -rw-r--r-- | system/libraries/Encryption.php | 177 |
1 files changed, 112 insertions, 65 deletions
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index 810b7bf4a..1a61967a7 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -105,7 +105,6 @@ class CI_Encryption { 'cfb8' => 'cfb8', 'ctr' => 'ctr', 'stream' => '', - 'gcm' => 'gcm', 'xts' => 'xts' ) ); @@ -124,6 +123,13 @@ class CI_Encryption { 'sha512' => 64 ); + /** + * mbstring.func_override flag + * + * @var bool + */ + protected static $func_override; + // -------------------------------------------------------------------- /** @@ -146,8 +152,10 @@ class CI_Encryption { return show_error('Encryption: Unable to find an available encryption driver.'); } + isset(self::$func_override) OR self::$func_override = (extension_loaded('mbstring') && ini_get('mbstring.func_override')); $this->initialize($params); - if ( ! isset($this->_key) && strlen($key = config_item('encryption_key')) > 0) + + if ( ! isset($this->_key) && self::strlen($key = config_item('encryption_key')) > 0) { $this->_key = $key; } @@ -310,6 +318,21 @@ class CI_Encryption { // -------------------------------------------------------------------- /** + * Create a random key + * + * @param int $length Output length + * @return string + */ + public function create_key($length) + { + return ($this->_driver === 'mcrypt') + ? mcrypt_create_iv($length, MCRYPT_DEV_URANDOM) + : openssl_random_pseudo_bytes($length); + } + + // -------------------------------------------------------------------- + + /** * Encrypt * * @param string $data Input data @@ -323,7 +346,7 @@ class CI_Encryption { return FALSE; } - isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, strlen($this->_key), 'encryption'); + isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, self::strlen($this->_key), 'encryption'); if (($data = $this->{'_'.$this->_driver.'_encrypt'}($data, $params)) === FALSE) { @@ -356,16 +379,14 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) - { - // The greater-than-1 comparison is mostly a work-around for a bug, - // where 1 is returned for ARCFour instead of 0. - $params['iv'] = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) - ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM) - : NULL; - } - if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0) + // The greater-than-1 comparison is mostly a work-around for a bug, + // where 1 is returned for ARCFour instead of 0. + $iv = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) + ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM) + : NULL; + + if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0) { if ($params['handle'] !== $this->_handle) { @@ -380,7 +401,7 @@ class CI_Encryption { if (in_array(strtolower(mcrypt_enc_get_modes_name($params['handle'])), array('cbc', 'ecb'), TRUE)) { $block_size = mcrypt_enc_get_block_size($params['handle']); - $pad = $block_size - (strlen($data) % $block_size); + $pad = $block_size - (self::strlen($data) % $block_size); $data .= str_repeat(chr($pad), $pad); } @@ -396,7 +417,7 @@ class CI_Encryption { // but OpenSSL isn't that dumb and we need to make the process // portable, so ... $data = (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') - ? $params['iv'].mcrypt_generic($params['handle'], $data) + ? $iv.mcrypt_generic($params['handle'], $data) : mcrypt_generic($params['handle'], $data); mcrypt_generic_deinit($params['handle']); @@ -423,19 +444,17 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) - { - $params['iv'] = ($iv_size = openssl_cipher_iv_length($params['handle'])) - ? openssl_random_pseudo_bytes($iv_size) - : NULL; - } + + $iv = ($iv_size = openssl_cipher_iv_length($params['handle'])) + ? openssl_random_pseudo_bytes($iv_size) + : NULL; $data = openssl_encrypt( $data, $params['handle'], $params['key'], 1, // DO NOT TOUCH! - $params['iv'] + $iv ); if ($data === FALSE) @@ -443,7 +462,7 @@ class CI_Encryption { return FALSE; } - return $params['iv'].$data; + return $iv.$data; } // -------------------------------------------------------------------- @@ -470,13 +489,13 @@ class CI_Encryption { ? $this->_digests[$params['hmac_digest']] * 2 : $this->_digests[$params['hmac_digest']]; - if (strlen($data) <= $digest_size) + if (self::strlen($data) <= $digest_size) { return FALSE; } - $hmac_input = substr($data, 0, $digest_size); - $data = substr($data, $digest_size); + $hmac_input = self::substr($data, 0, $digest_size); + $data = self::substr($data, $digest_size); isset($params['hmac_key']) OR $params['hmac_key'] = $this->hkdf($this->_key, 'sha512', NULL, NULL, 'authentication'); $hmac_check = hash_hmac($params['hmac_digest'], $data, $params['hmac_key'], ! $params['base64']); @@ -499,12 +518,7 @@ class CI_Encryption { $data = base64_decode($data); } - if (isset($params['iv']) && strncmp($params['iv'], $data, $iv_size = strlen($params['iv'])) === 0) - { - $data = substr($data, $iv_size); - } - - isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, strlen($this->_key), 'encryption'); + isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, self::strlen($this->_key), 'encryption'); return $this->{'_'.$this->_driver.'_decrypt'}($data, $params); } @@ -524,30 +538,28 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) + + // The greater-than-1 comparison is mostly a work-around for a bug, + // where 1 is returned for ARCFour instead of 0. + if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) { - // The greater-than-1 comparison is mostly a work-around for a bug, - // where 1 is returned for ARCFour instead of 0. - if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) + if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') { - if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') - { - $params['iv'] = substr($data, 0, $iv_size); - $data = substr($data, $iv_size); - } - else - { - // MCrypt is dumb and this is ignored, only size matters - $params['iv'] = str_repeat("\x0", $iv_size); - } + $iv = self::substr($data, 0, $iv_size); + $data = self::substr($data, $iv_size); } else { - $params['iv'] = NULL; + // MCrypt is dumb and this is ignored, only size matters + $iv = str_repeat("\x0", $iv_size); } } + else + { + $iv = NULL; + } - if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0) + if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0) { if ($params['handle'] !== $this->_handle) { @@ -561,7 +573,7 @@ class CI_Encryption { // Remove PKCS#7 padding, if necessary if (in_array(strtolower(mcrypt_enc_get_modes_name($params['handle'])), array('cbc', 'ecb'), TRUE)) { - $data = substr($data, 0, -ord($data[strlen($data)-1])); + $data = self::substr($data, 0, -ord($data[self::strlen($data)-1])); } mcrypt_generic_deinit($params['handle']); @@ -584,17 +596,14 @@ class CI_Encryption { */ protected function _openssl_decrypt($data, $params) { - if ( ! isset($params['iv'])) + if ($iv_size = openssl_cipher_iv_length($params['handle'])) { - if ($iv_size = openssl_cipher_iv_length($params['handle'])) - { - $params['iv'] = substr($data, 0, $iv_size); - $data = substr($data, $iv_size); - } - else - { - $params['iv'] = NULL; - } + $iv = self::substr($data, 0, $iv_size); + $data = self::substr($data, $iv_size); + } + else + { + $iv = NULL; } return empty($params['handle']) @@ -604,7 +613,7 @@ class CI_Encryption { $params['handle'], $params['key'], 1, // DO NOT TOUCH! - $params['iv'] + $iv ); } @@ -627,7 +636,7 @@ class CI_Encryption { 'mode' => $this->_mode, 'key' => NULL, 'base64' => TRUE, - 'hmac_digest' => ($this->_mode !== 'gcm' ? 'sha512' : NULL), + 'hmac_digest' => 'sha512', 'hmac_key' => NULL ) : FALSE; @@ -650,7 +659,7 @@ class CI_Encryption { } } - if ($params['mode'] === 'gcm' OR (isset($params['hmac']) && $params['hmac'] === FALSE)) + if (isset($params['hmac']) && $params['hmac'] === FALSE) { $params['hmac_digest'] = $params['hmac_key'] = NULL; } @@ -679,7 +688,6 @@ class CI_Encryption { 'cipher' => $params['cipher'], 'mode' => $params['mode'], 'key' => $params['key'], - 'iv' => isset($params['iv']) ? $params['iv'] : NULL, 'base64' => isset($params['raw_data']) ? ! $params['raw_data'] : FALSE, 'hmac_digest' => $params['hmac_digest'], 'hmac_key' => $params['hmac_key'] @@ -828,17 +836,17 @@ class CI_Encryption { return FALSE; } - strlen($salt) OR $salt = str_repeat("\0", $this->_digests[$digest]); + self::strlen($salt) OR $salt = str_repeat("\0", $this->_digests[$digest]); $prk = hash_hmac($digest, $key, $salt, TRUE); $key = ''; - for ($key_block = '', $block_index = 1; strlen($key) < $length; $block_index++) + for ($key_block = '', $block_index = 1; self::strlen($key) < $length; $block_index++) { $key_block = hash_hmac($digest, $key_block.$info.chr($block_index), $prk, TRUE); $key .= $key_block; } - return substr($key, 0, $length); + return self::substr($key, 0, $length); } // -------------------------------------------------------------------- @@ -864,6 +872,45 @@ class CI_Encryption { return NULL; } + // -------------------------------------------------------------------- + + /** + * Byte-safe strlen() + * + * @param string $str + * @return integer + */ + protected static function strlen($str) + { + return (self::$func_override) + ? mb_strlen($str, '8bit') + : strlen($str); + } + + // -------------------------------------------------------------------- + + /** + * Byte-safe substr() + * + * @param string $str + * @param int $start + * @param int $length + * @return string + */ + protected static function substr($str, $start, $length = NULL) + { + if (self::$func_override) + { + // mb_substr($str, $start, null, '8bit') returns an empty + // string on PHP 5.3 + isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); + return mb_substr($str, $start, $length, '8bit'); + } + + return isset($length) + ? substr($str, $start, $length) + : substr($str, $start); + } } /* End of file Encryption.php */ |