phpseclib 1.0.2

Roland Gruber 2016-05-10 18:14:55 +02:00
parent 88b7a32187
commit c4075de648
15 changed files with 20634 additions and 20515 deletions


@ -1,197 +1,197 @@
<?php <?php
/** /**
* Pure-PHP implementation of AES. * Pure-PHP implementation of AES.
* *
* Uses mcrypt, if available/possible, and an internal implementation, otherwise. * Uses mcrypt, if available/possible, and an internal implementation, otherwise.
* *
* PHP versions 4 and 5 * PHP versions 4 and 5
* *
* NOTE: Since AES.php is (for compatibility and phpseclib-historical reasons) virtually * NOTE: Since AES.php is (for compatibility and phpseclib-historical reasons) virtually
* just a wrapper to Rijndael.php you may consider using Rijndael.php instead of * just a wrapper to Rijndael.php you may consider using Rijndael.php instead of
* to save one include_once(). * to save one include_once().
* *
* If {@link self::setKeyLength() setKeyLength()} isn't called, it'll be calculated from * If {@link self::setKeyLength() setKeyLength()} isn't called, it'll be calculated from
* {@link self::setKey() setKey()}. ie. if the key is 128-bits, the key length will be 128-bits. If it's 136-bits * {@link self::setKey() setKey()}. ie. if the key is 128-bits, the key length will be 128-bits. If it's 136-bits
* it'll be null-padded to 192-bits and 192 bits will be the key length until {@link self::setKey() setKey()} * it'll be null-padded to 192-bits and 192 bits will be the key length until {@link self::setKey() setKey()}
* is called, again, at which point, it'll be recalculated. * is called, again, at which point, it'll be recalculated.
* *
* Since Crypt_AES extends Crypt_Rijndael, some functions are available to be called that, in the context of AES, don't * Since Crypt_AES extends Crypt_Rijndael, some functions are available to be called that, in the context of AES, don't
* make a whole lot of sense. {@link self::setBlockLength() setBlockLength()}, for instance. Calling that function, * make a whole lot of sense. {@link self::setBlockLength() setBlockLength()}, for instance. Calling that function,
* however possible, won't do anything (AES has a fixed block length whereas Rijndael has a variable one). * however possible, won't do anything (AES has a fixed block length whereas Rijndael has a variable one).
* *
* Here's a short example of how to use this library: * Here's a short example of how to use this library:
* <code> * <code>
* <?php * <?php
* include 'Crypt/AES.php'; * include 'Crypt/AES.php';
* *
* $aes = new Crypt_AES(); * $aes = new Crypt_AES();
* *
* $aes->setKey('abcdefghijklmnop'); * $aes->setKey('abcdefghijklmnop');
* *
* $size = 10 * 1024; * $size = 10 * 1024;
* $plaintext = ''; * $plaintext = '';
* for ($i = 0; $i < $size; $i++) { * for ($i = 0; $i < $size; $i++) {
* $plaintext.= 'a'; * $plaintext.= 'a';
* } * }
* *
* echo $aes->decrypt($aes->encrypt($plaintext)); * echo $aes->decrypt($aes->encrypt($plaintext));
* ?> * ?>
* </code> * </code>
* *
* LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal * of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights * in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is * copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions: * furnished to do so, subject to the following conditions:
* *
* The above copyright notice and this permission notice shall be included in * The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software. * all copies or substantial portions of the Software.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE. * THE SOFTWARE.
* *
* @category Crypt * @category Crypt
* @package Crypt_AES * @package Crypt_AES
* @author Jim Wigginton <terrafrost@php.net> * @author Jim Wigginton <terrafrost@php.net>
* @copyright 2008 Jim Wigginton * @copyright 2008 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License * @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net * @link http://phpseclib.sourceforge.net
*/ */
/** /**
* Include Crypt_Rijndael * Include Crypt_Rijndael
*/ */
if (!class_exists('Crypt_Rijndael')) { if (!class_exists('Crypt_Rijndael')) {
include_once 'Rijndael.php'; include_once 'Rijndael.php';
} }
/**#@+ /**#@+
* @access public * @access public
* @see self::encrypt() * @see self::encrypt()
* @see self::decrypt() * @see self::decrypt()
*/ */
/** /**
* Encrypt / decrypt using the Counter mode. * Encrypt / decrypt using the Counter mode.
* *
* Set to -1 since that's what Crypt/Random.php uses to index the CTR mode. * Set to -1 since that's what Crypt/Random.php uses to index the CTR mode.
* *
* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29 * @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29
*/ */
define('CRYPT_AES_MODE_CTR', CRYPT_MODE_CTR); define('CRYPT_AES_MODE_CTR', CRYPT_MODE_CTR);
/** /**
* Encrypt / decrypt using the Electronic Code Book mode. * Encrypt / decrypt using the Electronic Code Book mode.
* *
* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29 * @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29
*/ */
define('CRYPT_AES_MODE_ECB', CRYPT_MODE_ECB); define('CRYPT_AES_MODE_ECB', CRYPT_MODE_ECB);
/** /**
* Encrypt / decrypt using the Code Book Chaining mode. * Encrypt / decrypt using the Code Book Chaining mode.
* *
* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29 * @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29
*/ */
define('CRYPT_AES_MODE_CBC', CRYPT_MODE_CBC); define('CRYPT_AES_MODE_CBC', CRYPT_MODE_CBC);
/** /**
* Encrypt / decrypt using the Cipher Feedback mode. * Encrypt / decrypt using the Cipher Feedback mode.
* *
* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher_feedback_.28CFB.29 * @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher_feedback_.28CFB.29
*/ */
define('CRYPT_AES_MODE_CFB', CRYPT_MODE_CFB); define('CRYPT_AES_MODE_CFB', CRYPT_MODE_CFB);
/** /**
* Encrypt / decrypt using the Cipher Feedback mode. * Encrypt / decrypt using the Cipher Feedback mode.
* *
* @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29 * @link http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29
*/ */
define('CRYPT_AES_MODE_OFB', CRYPT_MODE_OFB); define('CRYPT_AES_MODE_OFB', CRYPT_MODE_OFB);
/**#@-*/ /**#@-*/
/** /**
* Pure-PHP implementation of AES. * Pure-PHP implementation of AES.
* *
* @package Crypt_AES * @package Crypt_AES
* @author Jim Wigginton <terrafrost@php.net> * @author Jim Wigginton <terrafrost@php.net>
* @access public * @access public
*/ */
class Crypt_AES extends Crypt_Rijndael class Crypt_AES extends Crypt_Rijndael
{ {
/** /**
* The namespace used by the cipher for its constants. * The namespace used by the cipher for its constants.
* *
* @see Crypt_Base::const_namespace * @see Crypt_Base::const_namespace
* @var string * @var string
* @access private * @access private
*/ */
var $const_namespace = 'AES'; var $const_namespace = 'AES';
/** /**
* Dummy function * Dummy function
* *
* Since Crypt_AES extends Crypt_Rijndael, this function is, technically, available, but it doesn't do anything. * Since Crypt_AES extends Crypt_Rijndael, this function is, technically, available, but it doesn't do anything.
* *
* @see Crypt_Rijndael::setBlockLength() * @see Crypt_Rijndael::setBlockLength()
* @access public * @access public
* @param int $length * @param int $length
*/ */
function setBlockLength($length) function setBlockLength($length)
{ {
return; return;
} }
/** /**
* Sets the key length * Sets the key length
* *
* Valid key lengths are 128, 192, and 256. If the length is less than 128, it will be rounded up to * Valid key lengths are 128, 192, and 256. If the length is less than 128, it will be rounded up to
* 128. If the length is greater than 128 and invalid, it will be rounded down to the closest valid amount. * 128. If the length is greater than 128 and invalid, it will be rounded down to the closest valid amount.
* *
* @see Crypt_Rijndael:setKeyLength() * @see Crypt_Rijndael:setKeyLength()
* @access public * @access public
* @param int $length * @param int $length
*/ */
function setKeyLength($length) function setKeyLength($length)
{ {
switch ($length) { switch ($length) {
case 160: case 160:
$length = 192; $length = 192;
break; break;
case 224: case 224:
$length = 256; $length = 256;
} }
parent::setKeyLength($length); parent::setKeyLength($length);
} }
/** /**
* Sets the key. * Sets the key.
* *
* Rijndael supports five different key lengths, AES only supports three. * Rijndael supports five different key lengths, AES only supports three.
* *
* @see Crypt_Rijndael:setKey() * @see Crypt_Rijndael:setKey()
* @see setKeyLength() * @see setKeyLength()
* @access public * @access public
* @param string $key * @param string $key
*/ */
function setKey($key) function setKey($key)
{ {
parent::setKey($key); parent::setKey($key);
if (!$this->explicit_key_length) { if (!$this->explicit_key_length) {
$length = strlen($key); $length = strlen($key);
switch (true) { switch (true) {
case $length <= 16: case $length <= 16:
$this->key_length = 16; $this->key_length = 16;
break; break;
case $length <= 24: case $length <= 24:
$this->key_length = 24; $this->key_length = 24;
break; break;
default: default:
$this->key_length = 32; $this->key_length = 32;
} }
$this->_setEngine(); $this->_setEngine();
} }
} }
} }


@ -746,10 +746,13 @@ class Crypt_Base
return !defined('OPENSSL_RAW_DATA') ? substr($result, 0, -$this->block_size) : $result; return !defined('OPENSSL_RAW_DATA') ? substr($result, 0, -$this->block_size) : $result;
case CRYPT_MODE_CBC: case CRYPT_MODE_CBC:
$result = openssl_encrypt($plaintext, $this->cipher_name_openssl, $this->key, $this->openssl_options, $this->encryptIV); $result = openssl_encrypt($plaintext, $this->cipher_name_openssl, $this->key, $this->openssl_options, $this->encryptIV);
if (!defined('OPENSSL_RAW_DATA')) {
$result = substr($result, 0, -$this->block_size);
}
if ($this->continuousBuffer) { if ($this->continuousBuffer) {
$this->encryptIV = substr($result, -$this->block_size); $this->encryptIV = substr($result, -$this->block_size);
} }
return !defined('OPENSSL_RAW_DATA') ? substr($result, 0, -$this->block_size) : $result; return $result;
case CRYPT_MODE_CTR: case CRYPT_MODE_CTR:
return $this->_openssl_ctr_process($plaintext, $this->encryptIV, $this->enbuffer); return $this->_openssl_ctr_process($plaintext, $this->encryptIV, $this->enbuffer);
case CRYPT_MODE_CFB: case CRYPT_MODE_CFB:
@ -1052,10 +1055,13 @@ class Crypt_Base
if (!defined('OPENSSL_RAW_DATA')) { if (!defined('OPENSSL_RAW_DATA')) {
$padding = str_repeat(chr($this->block_size), $this->block_size) ^ substr($ciphertext, -$this->block_size); $padding = str_repeat(chr($this->block_size), $this->block_size) ^ substr($ciphertext, -$this->block_size);
$ciphertext.= substr(openssl_encrypt($padding, $this->cipher_name_openssl_ecb, $this->key, true), 0, $this->block_size); $ciphertext.= substr(openssl_encrypt($padding, $this->cipher_name_openssl_ecb, $this->key, true), 0, $this->block_size);
$offset = 2 * $this->block_size;
} else {
$offset = $this->block_size;
} }
$plaintext = openssl_decrypt($ciphertext, $this->cipher_name_openssl, $this->key, $this->openssl_options, $this->decryptIV); $plaintext = openssl_decrypt($ciphertext, $this->cipher_name_openssl, $this->key, $this->openssl_options, $this->decryptIV);
if ($this->continuousBuffer) { if ($this->continuousBuffer) {
$this->decryptIV = substr($ciphertext, -$this->block_size); $this->decryptIV = substr($ciphertext, -$offset, $this->block_size);
} }
break; break;
case CRYPT_MODE_CTR: case CRYPT_MODE_CTR:
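Review bot: The `2 * $this->block_size` offset added in the CBC decrypt branch is unexplained, and it is only correct because the legacy path (no `OPENSSL_RAW_DATA`) has just appended a synthetic padding block to `$ciphertext`; a comment would keep the two from drifting apart. Something like `// a synthetic padding block was appended above, so the last real ciphertext block (the next IV) is the second-to-last one` above `$offset = 2 * $this->block_size;` would do. The encrypt hunk has the mirror case, where the trailing block is now stripped from `$result` before `encryptIV` is taken from it, and deserves a matching one-line comment. Neither hunk checks the return of `openssl_encrypt()` or `openssl_decrypt()` for `false` before calling `substr()` on it; whether a failure can reach these lines is not visible, because both enclosing functions start and end outside the hunks.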



@ -387,7 +387,7 @@ class Crypt_RC2 extends Crypt_Base
/** /**
* Sets the key length. * Sets the key length.
* *
* Valid key lengths are 1 to 1024. * Valid key lengths are 8 to 1024.
* Calling this function after setting the key has no effect until the next * Calling this function after setting the key has no effect until the next
* Crypt_RC2::setKey() call. * Crypt_RC2::setKey() call.
* *
@ -396,9 +396,16 @@ class Crypt_RC2 extends Crypt_Base
*/ */
function setKeyLength($length) function setKeyLength($length)
{ {
if ($length >= 1 && $length <= 1024) { if ($length < 8) {
$this->default_key_length = 8;
} elseif ($length > 1024) {
$this->default_key_length = 128;
} else {
$this->default_key_length = $length; $this->default_key_length = $length;
} }
$this->current_key_length = $this->default_key_length;
parent::setKeyLength($length);
} }
/** /**
@ -415,7 +422,7 @@ class Crypt_RC2 extends Crypt_Base
/** /**
* Sets the key. * Sets the key.
* *
* Keys can be of any length. RC2, itself, uses 1 to 1024 bit keys (eg. * Keys can be of any length. RC2, itself, uses 8 to 1024 bit keys (eg.
* strlen($key) <= 128), however, we only use the first 128 bytes if $key * strlen($key) <= 128), however, we only use the first 128 bytes if $key
* has more then 128 bytes in it, and set $key to a single null byte if * has more then 128 bytes in it, and set $key to a single null byte if
* it is empty. * it is empty.
@ -514,7 +521,7 @@ class Crypt_RC2 extends Crypt_Base
return $result; return $result;
} }
return parent::encrypt($ciphertext); return parent::decrypt($ciphertext);
} }
/** /**
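Review bot: In the new `setKeyLength()`, the upper clamp stores `128` while the lower clamp (`8`) and the pass-through branch (`$length`) are in bits, so a request above 1024 appears to end up with a 128-bit effective key length rather than 1024. If bits are intended throughout, as the updated docblock ("Valid key lengths are 8 to 1024") suggests, that branch should read `$this->default_key_length = 1024;`. `parent::setKeyLength($length)` also still receives the unclamped value; the parent is not visible here, so confirm it does not reintroduce the out-of-range length. The docblock should also say that out-of-range values are now clamped, since the old code ignored them and left the previous length in place.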


@ -1,352 +1,352 @@
<?php <?php
/** /**
* Pure-PHP implementation of RC4. * Pure-PHP implementation of RC4.
* *
* Uses mcrypt, if available, and an internal implementation, otherwise. * Uses mcrypt, if available, and an internal implementation, otherwise.
* *
* PHP versions 4 and 5 * PHP versions 4 and 5
* *
* Useful resources are as follows: * Useful resources are as follows:
* *
* - {@link http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt ARCFOUR Algorithm} * - {@link http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt ARCFOUR Algorithm}
* - {@link http://en.wikipedia.org/wiki/RC4 - Wikipedia: RC4} * - {@link http://en.wikipedia.org/wiki/RC4 - Wikipedia: RC4}
* *
* RC4 is also known as ARCFOUR or ARC4. The reason is elaborated upon at Wikipedia. This class is named RC4 and not * RC4 is also known as ARCFOUR or ARC4. The reason is elaborated upon at Wikipedia. This class is named RC4 and not
* ARCFOUR or ARC4 because RC4 is how it is referred to in the SSH1 specification. * ARCFOUR or ARC4 because RC4 is how it is referred to in the SSH1 specification.
* *
* Here's a short example of how to use this library: * Here's a short example of how to use this library:
* <code> * <code>
* <?php * <?php
* include 'Crypt/RC4.php'; * include 'Crypt/RC4.php';
* *
* $rc4 = new Crypt_RC4(); * $rc4 = new Crypt_RC4();
* *
* $rc4->setKey('abcdefgh'); * $rc4->setKey('abcdefgh');
* *
* $size = 10 * 1024; * $size = 10 * 1024;
* $plaintext = ''; * $plaintext = '';
* for ($i = 0; $i < $size; $i++) { * for ($i = 0; $i < $size; $i++) {
* $plaintext.= 'a'; * $plaintext.= 'a';
* } * }
* *
* echo $rc4->decrypt($rc4->encrypt($plaintext)); * echo $rc4->decrypt($rc4->encrypt($plaintext));
* ?> * ?>
* </code> * </code>
* *
* LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal * of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights * in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is * copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions: * furnished to do so, subject to the following conditions:
* *
* The above copyright notice and this permission notice shall be included in * The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software. * all copies or substantial portions of the Software.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE. * THE SOFTWARE.
* *
* @category Crypt * @category Crypt
* @package Crypt_RC4 * @package Crypt_RC4
* @author Jim Wigginton <terrafrost@php.net> * @author Jim Wigginton <terrafrost@php.net>
* @copyright 2007 Jim Wigginton * @copyright 2007 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License * @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net * @link http://phpseclib.sourceforge.net
*/ */
/** /**
* Include Crypt_Base * Include Crypt_Base
* *
* Base cipher class * Base cipher class
*/ */
if (!class_exists('Crypt_Base')) { if (!class_exists('Crypt_Base')) {
include_once 'Base.php'; include_once 'Base.php';
} }
/**#@+ /**#@+
* @access private * @access private
* @see self::_crypt() * @see self::_crypt()
*/ */
define('CRYPT_RC4_ENCRYPT', 0); define('CRYPT_RC4_ENCRYPT', 0);
define('CRYPT_RC4_DECRYPT', 1); define('CRYPT_RC4_DECRYPT', 1);
/**#@-*/ /**#@-*/
/** /**
* Pure-PHP implementation of RC4. * Pure-PHP implementation of RC4.
* *
* @package Crypt_RC4 * @package Crypt_RC4
* @author Jim Wigginton <terrafrost@php.net> * @author Jim Wigginton <terrafrost@php.net>
* @access public * @access public
*/ */
class Crypt_RC4 extends Crypt_Base class Crypt_RC4 extends Crypt_Base
{ {
/** /**
* Block Length of the cipher * Block Length of the cipher
* *
* RC4 is a stream cipher * RC4 is a stream cipher
* so we the block_size to 0 * so we the block_size to 0
* *
* @see Crypt_Base::block_size * @see Crypt_Base::block_size
* @var int * @var int
* @access private * @access private
*/ */
var $block_size = 0; var $block_size = 0;
/** /**
* Key Length (in bytes) * Key Length (in bytes)
* *
* @see Crypt_RC4::setKeyLength() * @see Crypt_RC4::setKeyLength()
* @var int * @var int
* @access private * @access private
*/ */
var $key_length = 128; // = 1024 bits var $key_length = 128; // = 1024 bits
/** /**
* The namespace used by the cipher for its constants. * The namespace used by the cipher for its constants.
* *
* @see Crypt_Base::const_namespace * @see Crypt_Base::const_namespace
* @var string * @var string
* @access private * @access private
*/ */
var $const_namespace = 'RC4'; var $const_namespace = 'RC4';
/** /**
* The mcrypt specific name of the cipher * The mcrypt specific name of the cipher
* *
* @see Crypt_Base::cipher_name_mcrypt * @see Crypt_Base::cipher_name_mcrypt
* @var string * @var string
* @access private * @access private
*/ */
var $cipher_name_mcrypt = 'arcfour'; var $cipher_name_mcrypt = 'arcfour';
/** /**
* Holds whether performance-optimized $inline_crypt() can/should be used. * Holds whether performance-optimized $inline_crypt() can/should be used.
* *
* @see Crypt_Base::inline_crypt * @see Crypt_Base::inline_crypt
* @var mixed * @var mixed
* @access private * @access private
*/ */
var $use_inline_crypt = false; // currently not available var $use_inline_crypt = false; // currently not available
/** /**
* The Key * The Key
* *
* @see self::setKey() * @see self::setKey()
* @var string * @var string
* @access private * @access private
*/ */
var $key = "\0"; var $key = "\0";
/** /**
* The Key Stream for decryption and encryption * The Key Stream for decryption and encryption
* *
* @see self::setKey() * @see self::setKey()
* @var array * @var array
* @access private * @access private
*/ */
var $stream; var $stream;
/** /**
* Default Constructor. * Default Constructor.
* *
* Determines whether or not the mcrypt extension should be used. * Determines whether or not the mcrypt extension should be used.
* *
* @see Crypt_Base::Crypt_Base() * @see Crypt_Base::Crypt_Base()
* @return Crypt_RC4 * @return Crypt_RC4
* @access public * @access public
*/ */
function Crypt_RC4() function Crypt_RC4()
{ {
parent::Crypt_Base(CRYPT_MODE_STREAM); parent::Crypt_Base(CRYPT_MODE_STREAM);
} }
/** /**
* Test for engine validity * Test for engine validity
* *
* This is mainly just a wrapper to set things up for Crypt_Base::isValidEngine() * This is mainly just a wrapper to set things up for Crypt_Base::isValidEngine()
* *
* @see Crypt_Base::Crypt_Base() * @see Crypt_Base::Crypt_Base()
* @param int $engine * @param int $engine
* @access public * @access public
* @return bool * @return bool
*/ */
function isValidEngine($engine) function isValidEngine($engine)
{ {
switch ($engine) { switch ($engine) {
case CRYPT_ENGINE_OPENSSL: case CRYPT_ENGINE_OPENSSL:
switch (strlen($this->key)) { switch (strlen($this->key)) {
case 5: case 5:
$this->cipher_name_openssl = 'rc4-40'; $this->cipher_name_openssl = 'rc4-40';
break; break;
case 8: case 8:
$this->cipher_name_openssl = 'rc4-64'; $this->cipher_name_openssl = 'rc4-64';
break; break;
case 16: case 16:
$this->cipher_name_openssl = 'rc4'; $this->cipher_name_openssl = 'rc4';
break; break;
default: default:
return false; return false;
} }
} }
return parent::isValidEngine($engine); return parent::isValidEngine($engine);
} }
/** /**
* Dummy function. * Dummy function.
* *
* Some protocols, such as WEP, prepend an "initialization vector" to the key, effectively creating a new key [1]. * Some protocols, such as WEP, prepend an "initialization vector" to the key, effectively creating a new key [1].
* If you need to use an initialization vector in this manner, feel free to prepend it to the key, yourself, before * If you need to use an initialization vector in this manner, feel free to prepend it to the key, yourself, before
* calling setKey(). * calling setKey().
* *
* [1] WEP's initialization vectors (IV's) are used in a somewhat insecure way. Since, in that protocol, * [1] WEP's initialization vectors (IV's) are used in a somewhat insecure way. Since, in that protocol,
* the IV's are relatively easy to predict, an attack described by * the IV's are relatively easy to predict, an attack described by
* {@link http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf Scott Fluhrer, Itsik Mantin, and Adi Shamir} * {@link http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf Scott Fluhrer, Itsik Mantin, and Adi Shamir}
* can be used to quickly guess at the rest of the key. The following links elaborate: * can be used to quickly guess at the rest of the key. The following links elaborate:
* *
* {@link http://www.rsa.com/rsalabs/node.asp?id=2009 http://www.rsa.com/rsalabs/node.asp?id=2009} * {@link http://www.rsa.com/rsalabs/node.asp?id=2009 http://www.rsa.com/rsalabs/node.asp?id=2009}
* {@link http://en.wikipedia.org/wiki/Related_key_attack http://en.wikipedia.org/wiki/Related_key_attack} * {@link http://en.wikipedia.org/wiki/Related_key_attack http://en.wikipedia.org/wiki/Related_key_attack}
* *
* @param string $iv * @param string $iv
* @see self::setKey() * @see self::setKey()
* @access public * @access public
*/ */
function setIV($iv) function setIV($iv)
{ {
} }
/** /**
* Sets the key length * Sets the key length
* *
* Keys can be between 1 and 256 bytes long. * Keys can be between 1 and 256 bytes long.
* *
* @access public * @access public
* @param int $length * @param int $length
*/ */
function setKeyLength($length) function setKeyLength($length)
{ {
if ($length < 8) { if ($length < 8) {
$this->key_length = 1; $this->key_length = 1;
} elseif ($length > 2048) { } elseif ($length > 2048) {
$this->key_length = 248; $this->key_length = 256;
} else { } else {
$this->key_length = $length >> 3; $this->key_length = $length >> 3;
} }
parent::setKeyLength($length); parent::setKeyLength($length);
} }
/** /**
* Encrypts a message. * Encrypts a message.
* *
* @see Crypt_Base::decrypt() * @see Crypt_Base::decrypt()
* @see self::_crypt() * @see self::_crypt()
* @access public * @access public
* @param string $plaintext * @param string $plaintext
* @return string $ciphertext * @return string $ciphertext
*/ */
function encrypt($plaintext) function encrypt($plaintext)
{ {
if ($this->engine != CRYPT_ENGINE_INTERNAL) { if ($this->engine != CRYPT_ENGINE_INTERNAL) {
return parent::encrypt($plaintext); return parent::encrypt($plaintext);
} }
return $this->_crypt($plaintext, CRYPT_RC4_ENCRYPT); return $this->_crypt($plaintext, CRYPT_RC4_ENCRYPT);
} }
/** /**
* Decrypts a message. * Decrypts a message.
* *
* $this->decrypt($this->encrypt($plaintext)) == $this->encrypt($this->encrypt($plaintext)). * $this->decrypt($this->encrypt($plaintext)) == $this->encrypt($this->encrypt($plaintext)).
* At least if the continuous buffer is disabled. * At least if the continuous buffer is disabled.
* *
* @see Crypt_Base::encrypt() * @see Crypt_Base::encrypt()
* @see self::_crypt() * @see self::_crypt()
* @access public * @access public
* @param string $ciphertext * @param string $ciphertext
* @return string $plaintext * @return string $plaintext
*/ */
function decrypt($ciphertext) function decrypt($ciphertext)
{ {
if ($this->engine != CRYPT_ENGINE_INTERNAL) { if ($this->engine != CRYPT_ENGINE_INTERNAL) {
return parent::decrypt($ciphertext); return parent::decrypt($ciphertext);
} }
return $this->_crypt($ciphertext, CRYPT_RC4_DECRYPT); return $this->_crypt($ciphertext, CRYPT_RC4_DECRYPT);
} }
/** /**
* Setup the key (expansion) * Setup the key (expansion)
* *
* @see Crypt_Base::_setupKey() * @see Crypt_Base::_setupKey()
* @access private * @access private
*/ */
function _setupKey() function _setupKey()
{ {
$key = $this->key; $key = $this->key;
$keyLength = strlen($key); $keyLength = strlen($key);
$keyStream = range(0, 255); $keyStream = range(0, 255);
$j = 0; $j = 0;
for ($i = 0; $i < 256; $i++) { for ($i = 0; $i < 256; $i++) {
$j = ($j + $keyStream[$i] + ord($key[$i % $keyLength])) & 255; $j = ($j + $keyStream[$i] + ord($key[$i % $keyLength])) & 255;
$temp = $keyStream[$i]; $temp = $keyStream[$i];
$keyStream[$i] = $keyStream[$j]; $keyStream[$i] = $keyStream[$j];
$keyStream[$j] = $temp; $keyStream[$j] = $temp;
} }
$this->stream = array(); $this->stream = array();
$this->stream[CRYPT_RC4_DECRYPT] = $this->stream[CRYPT_RC4_ENCRYPT] = array( $this->stream[CRYPT_RC4_DECRYPT] = $this->stream[CRYPT_RC4_ENCRYPT] = array(
0, // index $i 0, // index $i
0, // index $j 0, // index $j
$keyStream $keyStream
); );
} }
/** /**
* Encrypts or decrypts a message. * Encrypts or decrypts a message.
* *
* @see self::encrypt() * @see self::encrypt()
* @see self::decrypt() * @see self::decrypt()
* @access private * @access private
* @param string $text * @param string $text
* @param int $mode * @param int $mode
* @return string $text * @return string $text
*/ */
function _crypt($text, $mode) function _crypt($text, $mode)
{ {
if ($this->changed) { if ($this->changed) {
$this->_setup(); $this->_setup();
$this->changed = false; $this->changed = false;
} }
$stream = &$this->stream[$mode]; $stream = &$this->stream[$mode];
if ($this->continuousBuffer) { if ($this->continuousBuffer) {
$i = &$stream[0]; $i = &$stream[0];
$j = &$stream[1]; $j = &$stream[1];
$keyStream = &$stream[2]; $keyStream = &$stream[2];
} else { } else {
$i = $stream[0]; $i = $stream[0];
$j = $stream[1]; $j = $stream[1];
$keyStream = $stream[2]; $keyStream = $stream[2];
} }
$len = strlen($text); $len = strlen($text);
for ($k = 0; $k < $len; ++$k) { for ($k = 0; $k < $len; ++$k) {
$i = ($i + 1) & 255; $i = ($i + 1) & 255;
$ksi = $keyStream[$i]; $ksi = $keyStream[$i];
$j = ($j + $ksi) & 255; $j = ($j + $ksi) & 255;
$ksj = $keyStream[$j]; $ksj = $keyStream[$j];
$keyStream[$i] = $ksj; $keyStream[$i] = $ksj;
$keyStream[$j] = $ksi; $keyStream[$j] = $ksi;
$text[$k] = $text[$k] ^ chr($keyStream[($ksj + $ksi) & 255]); $text[$k] = $text[$k] ^ chr($keyStream[($ksj + $ksi) & 255]);
} }
return $text; return $text;
} }
} }
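Review bot: The docblock on `setKeyLength()` gives the range in bytes ("Keys can be between 1 and 256 bytes long") while the code treats `$length` as bits (`$length >> 3`, with clamps at 8 and 2048), and the corrected upper clamp of `256` only reads as right once that is known. I would state the unit in the docblock, e.g. `Valid key lengths are 8 to 2048 bits (1 to 256 bytes); $length is in bits and out-of-range values are clamped.` Lengths that are not a multiple of 8 are silently rounded down by the shift, which is worth a line there too. The remaining lines of this file section show identical old and new text, so the difference there is presumably whitespace or line endings.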



@ -1,299 +1,334 @@
<?php <?php
/** /**
* Random Number Generator * Random Number Generator
* *
* The idea behind this function is that it can be easily replaced with your own crypt_random_string() * The idea behind this function is that it can be easily replaced with your own crypt_random_string()
* function. eg. maybe you have a better source of entropy for creating the initial states or whatever. * function. eg. maybe you have a better source of entropy for creating the initial states or whatever.
* *
* PHP versions 4 and 5 * PHP versions 4 and 5
* *
* Here's a short example of how to use this library: * Here's a short example of how to use this library:
* <code> * <code>
* <?php * <?php
* include 'Crypt/Random.php'; * include 'Crypt/Random.php';
* *
* echo bin2hex(crypt_random_string(8)); * echo bin2hex(crypt_random_string(8));
* ?> * ?>
* </code> * </code>
* *
* LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy * LICENSE: Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal * of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights * in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is * copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions: * furnished to do so, subject to the following conditions:
* *
* The above copyright notice and this permission notice shall be included in * The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software. * all copies or substantial portions of the Software.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE. * THE SOFTWARE.
* *
* @category Crypt * @category Crypt
* @package Crypt_Random * @package Crypt_Random
* @author Jim Wigginton <terrafrost@php.net> * @author Jim Wigginton <terrafrost@php.net>
* @copyright 2007 Jim Wigginton * @copyright 2007 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License * @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net * @link http://phpseclib.sourceforge.net
*/ */
// laravel is a PHP framework that utilizes phpseclib. laravel workbenches may, independently, // laravel is a PHP framework that utilizes phpseclib. laravel workbenches may, independently,
// have phpseclib as a requirement as well. if you're developing such a program you may encounter // have phpseclib as a requirement as well. if you're developing such a program you may encounter
// a "Cannot redeclare crypt_random_string()" error. // a "Cannot redeclare crypt_random_string()" error.
if (!function_exists('crypt_random_string')) { if (!function_exists('crypt_random_string')) {
/** /**
* "Is Windows" test * "Is Windows" test
* *
* @access private * @access private
*/ */
define('CRYPT_RANDOM_IS_WINDOWS', strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'); define('CRYPT_RANDOM_IS_WINDOWS', strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
/** /**
* Generate a random string. * Generate a random string.
* *
* Although microoptimizations are generally discouraged as they impair readability this function is ripe with * Although microoptimizations are generally discouraged as they impair readability this function is ripe with
* microoptimizations because this function has the potential of being called a huge number of times. * microoptimizations because this function has the potential of being called a huge number of times.
* eg. for RSA key generation. * eg. for RSA key generation.
* *
* @param int $length * @param int $length
* @return string * @return string
* @access public * @access public
*/ */
function crypt_random_string($length) function crypt_random_string($length)
{ {
if (CRYPT_RANDOM_IS_WINDOWS) { if (CRYPT_RANDOM_IS_WINDOWS) {
// method 1. prior to PHP 5.3, mcrypt_create_iv() would call rand() on windows // method 1. prior to PHP 5.3, mcrypt_create_iv() would call rand() on windows
if (extension_loaded('mcrypt') && version_compare(PHP_VERSION, '5.3.0', '>=')) { if (extension_loaded('mcrypt') && version_compare(PHP_VERSION, '5.3.0', '>=')) {
return mcrypt_create_iv($length); return mcrypt_create_iv($length);
} }
// method 2. openssl_random_pseudo_bytes was introduced in PHP 5.3.0 but prior to PHP 5.3.4 there was, // method 2. openssl_random_pseudo_bytes was introduced in PHP 5.3.0 but prior to PHP 5.3.4 there was,
// to quote <http://php.net/ChangeLog-5.php#5.3.4>, "possible blocking behavior". as of 5.3.4 // to quote <http://php.net/ChangeLog-5.php#5.3.4>, "possible blocking behavior". as of 5.3.4
// openssl_random_pseudo_bytes and mcrypt_create_iv do the exact same thing on Windows. ie. they both // openssl_random_pseudo_bytes and mcrypt_create_iv do the exact same thing on Windows. ie. they both
// call php_win32_get_random_bytes(): // call php_win32_get_random_bytes():
// //
// https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/openssl/openssl.c#L5008 // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/openssl/openssl.c#L5008
// https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1392 // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1392
// //
// php_win32_get_random_bytes() is defined thusly: // php_win32_get_random_bytes() is defined thusly:
// //
// https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/win32/winutil.c#L80 // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/win32/winutil.c#L80
// //
// we're calling it, all the same, in the off chance that the mcrypt extension is not available // we're calling it, all the same, in the off chance that the mcrypt extension is not available
if (extension_loaded('openssl') && version_compare(PHP_VERSION, '5.3.4', '>=')) { if (extension_loaded('openssl') && version_compare(PHP_VERSION, '5.3.4', '>=')) {
return openssl_random_pseudo_bytes($length); return openssl_random_pseudo_bytes($length);
} }
} else { } else {
// method 1. the fastest // method 1. the fastest
if (extension_loaded('openssl') && version_compare(PHP_VERSION, '5.3.0', '>=')) { if (extension_loaded('openssl') && version_compare(PHP_VERSION, '5.3.0', '>=')) {
return openssl_random_pseudo_bytes($length); return openssl_random_pseudo_bytes($length);
} }
// method 2 // method 2
static $fp = true; static $fp = true;
if ($fp === true) { if ($fp === true) {
// warning's will be output unles the error suppression operator is used. errors such as // warning's will be output unles the error suppression operator is used. errors such as
// "open_basedir restriction in effect", "Permission denied", "No such file or directory", etc. // "open_basedir restriction in effect", "Permission denied", "No such file or directory", etc.
$fp = @fopen('/dev/urandom', 'rb'); $fp = @fopen('/dev/urandom', 'rb');
} }
if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource() if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource()
return fread($fp, $length); return fread($fp, $length);
} }
// method 3. pretty much does the same thing as method 2 per the following url: // method 3. pretty much does the same thing as method 2 per the following url:
// https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391 // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391
// surprisingly slower than method 2. maybe that's because mcrypt_create_iv does a bunch of error checking that we're // surprisingly slower than method 2. maybe that's because mcrypt_create_iv does a bunch of error checking that we're
// not doing. regardless, this'll only be called if this PHP script couldn't open /dev/urandom due to open_basedir // not doing. regardless, this'll only be called if this PHP script couldn't open /dev/urandom due to open_basedir
// restrictions or some such // restrictions or some such
if (extension_loaded('mcrypt')) { if (extension_loaded('mcrypt')) {
return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM); return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
} }
} }
// at this point we have no choice but to use a pure-PHP CSPRNG // at this point we have no choice but to use a pure-PHP CSPRNG
// cascade entropy across multiple PHP instances by fixing the session and collecting all // cascade entropy across multiple PHP instances by fixing the session and collecting all
// environmental variables, including the previous session data and the current session // environmental variables, including the previous session data and the current session
// data. // data.
// //
// mt_rand seeds itself by looking at the PID and the time, both of which are (relatively) // mt_rand seeds itself by looking at the PID and the time, both of which are (relatively)
// easy to guess at. linux uses mouse clicks, keyboard timings, etc, as entropy sources, but // easy to guess at. linux uses mouse clicks, keyboard timings, etc, as entropy sources, but
// PHP isn't low level to be able to use those as sources and on a web server there's not likely // PHP isn't low level to be able to use those as sources and on a web server there's not likely
// going to be a ton of keyboard or mouse action. web servers do have one thing that we can use // going to be a ton of keyboard or mouse action. web servers do have one thing that we can use
// however, a ton of people visiting the website. obviously you don't want to base your seeding // however, a ton of people visiting the website. obviously you don't want to base your seeding
// soley on parameters a potential attacker sends but (1) not everything in $_SERVER is controlled // soley on parameters a potential attacker sends but (1) not everything in $_SERVER is controlled
// by the user and (2) this isn't just looking at the data sent by the current user - it's based // by the user and (2) this isn't just looking at the data sent by the current user - it's based
// on the data sent by all users. one user requests the page and a hash of their info is saved. // on the data sent by all users. one user requests the page and a hash of their info is saved.
// another user visits the page and the serialization of their data is utilized along with the // another user visits the page and the serialization of their data is utilized along with the
// server envirnment stuff and a hash of the previous http request data (which itself utilizes // server envirnment stuff and a hash of the previous http request data (which itself utilizes
// a hash of the session data before that). certainly an attacker should be assumed to have // a hash of the session data before that). certainly an attacker should be assumed to have
// full control over his own http requests. he, however, is not going to have control over // full control over his own http requests. he, however, is not going to have control over
// everyone's http requests. // everyone's http requests.
static $crypto = false, $v; static $crypto = false, $v;
if ($crypto === false) { if ($crypto === false) {
// save old session data // save old session data
$old_session_id = session_id(); $old_session_id = session_id();
$old_use_cookies = ini_get('session.use_cookies'); $old_use_cookies = ini_get('session.use_cookies');
$old_session_cache_limiter = session_cache_limiter(); $old_session_cache_limiter = session_cache_limiter();
$_OLD_SESSION = isset($_SESSION) ? $_SESSION : false; $_OLD_SESSION = isset($_SESSION) ? $_SESSION : false;
if ($old_session_id != '') { if ($old_session_id != '') {
session_write_close(); session_write_close();
} }
session_id(1); session_id(1);
ini_set('session.use_cookies', 0); ini_set('session.use_cookies', 0);
session_cache_limiter(''); session_cache_limiter('');
session_start(); session_start();
$v = $seed = $_SESSION['seed'] = pack('H*', sha1( $v = $seed = $_SESSION['seed'] = pack('H*', sha1(
serialize($_SERVER) . (isset($_SERVER) ? phpseclib_safe_serialize($_SERVER) : '') .
serialize($_POST) . (isset($_POST) ? phpseclib_safe_serialize($_POST) : '') .
serialize($_GET) . (isset($_GET) ? phpseclib_safe_serialize($_GET) : '') .
serialize($_COOKIE) . (isset($_COOKIE) ? phpseclib_safe_serialize($_COOKIE) : '') .
serialize($GLOBALS) . phpseclib_safe_serialize($GLOBALS) .
serialize($_SESSION) . phpseclib_safe_serialize($_SESSION) .
serialize($_OLD_SESSION) phpseclib_safe_serialize($_OLD_SESSION)
)); ));
if (!isset($_SESSION['count'])) { if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0; $_SESSION['count'] = 0;
} }
$_SESSION['count']++; $_SESSION['count']++;
session_write_close(); session_write_close();
// restore old session data // restore old session data
if ($old_session_id != '') { if ($old_session_id != '') {
session_id($old_session_id); session_id($old_session_id);
session_start(); session_start();
ini_set('session.use_cookies', $old_use_cookies); ini_set('session.use_cookies', $old_use_cookies);
session_cache_limiter($old_session_cache_limiter); session_cache_limiter($old_session_cache_limiter);
} else { } else {
if ($_OLD_SESSION !== false) { if ($_OLD_SESSION !== false) {
$_SESSION = $_OLD_SESSION; $_SESSION = $_OLD_SESSION;
unset($_OLD_SESSION); unset($_OLD_SESSION);
} else { } else {
unset($_SESSION); unset($_SESSION);
} }
} }
// in SSH2 a shared secret and an exchange hash are generated through the key exchange process. // in SSH2 a shared secret and an exchange hash are generated through the key exchange process.
// the IV client to server is the hash of that "nonce" with the letter A and for the encryption key it's the letter C. // the IV client to server is the hash of that "nonce" with the letter A and for the encryption key it's the letter C.
// if the hash doesn't produce enough a key or an IV that's long enough concat successive hashes of the // if the hash doesn't produce enough a key or an IV that's long enough concat successive hashes of the
// original hash and the current hash. we'll be emulating that. for more info see the following URL: // original hash and the current hash. we'll be emulating that. for more info see the following URL:
// //
// http://tools.ietf.org/html/rfc4253#section-7.2 // http://tools.ietf.org/html/rfc4253#section-7.2
// //
// see the is_string($crypto) part for an example of how to expand the keys // see the is_string($crypto) part for an example of how to expand the keys
$key = pack('H*', sha1($seed . 'A')); $key = pack('H*', sha1($seed . 'A'));
$iv = pack('H*', sha1($seed . 'C')); $iv = pack('H*', sha1($seed . 'C'));
// ciphers are used as per the nist.gov link below. also, see this link: // ciphers are used as per the nist.gov link below. also, see this link:
// //
// http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator#Designs_based_on_cryptographic_primitives // http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator#Designs_based_on_cryptographic_primitives
switch (true) { switch (true) {
case phpseclib_resolve_include_path('Crypt/AES.php'): case phpseclib_resolve_include_path('Crypt/AES.php'):
if (!class_exists('Crypt_AES')) { if (!class_exists('Crypt_AES')) {
include_once 'AES.php'; include_once 'AES.php';
} }
$crypto = new Crypt_AES(CRYPT_AES_MODE_CTR); $crypto = new Crypt_AES(CRYPT_AES_MODE_CTR);
break; break;
case phpseclib_resolve_include_path('Crypt/Twofish.php'): case phpseclib_resolve_include_path('Crypt/Twofish.php'):
if (!class_exists('Crypt_Twofish')) { if (!class_exists('Crypt_Twofish')) {
include_once 'Twofish.php'; include_once 'Twofish.php';
} }
$crypto = new Crypt_Twofish(CRYPT_TWOFISH_MODE_CTR); $crypto = new Crypt_Twofish(CRYPT_TWOFISH_MODE_CTR);
break; break;
case phpseclib_resolve_include_path('Crypt/Blowfish.php'): case phpseclib_resolve_include_path('Crypt/Blowfish.php'):
if (!class_exists('Crypt_Blowfish')) { if (!class_exists('Crypt_Blowfish')) {
include_once 'Blowfish.php'; include_once 'Blowfish.php';
} }
$crypto = new Crypt_Blowfish(CRYPT_BLOWFISH_MODE_CTR); $crypto = new Crypt_Blowfish(CRYPT_BLOWFISH_MODE_CTR);
break; break;
case phpseclib_resolve_include_path('Crypt/TripleDES.php'): case phpseclib_resolve_include_path('Crypt/TripleDES.php'):
if (!class_exists('Crypt_TripleDES')) { if (!class_exists('Crypt_TripleDES')) {
include_once 'TripleDES.php'; include_once 'TripleDES.php';
} }
$crypto = new Crypt_TripleDES(CRYPT_DES_MODE_CTR); $crypto = new Crypt_TripleDES(CRYPT_DES_MODE_CTR);
break; break;
case phpseclib_resolve_include_path('Crypt/DES.php'): case phpseclib_resolve_include_path('Crypt/DES.php'):
if (!class_exists('Crypt_DES')) { if (!class_exists('Crypt_DES')) {
include_once 'DES.php'; include_once 'DES.php';
} }
$crypto = new Crypt_DES(CRYPT_DES_MODE_CTR); $crypto = new Crypt_DES(CRYPT_DES_MODE_CTR);
break; break;
case phpseclib_resolve_include_path('Crypt/RC4.php'): case phpseclib_resolve_include_path('Crypt/RC4.php'):
if (!class_exists('Crypt_RC4')) { if (!class_exists('Crypt_RC4')) {
include_once 'RC4.php'; include_once 'RC4.php';
} }
$crypto = new Crypt_RC4(); $crypto = new Crypt_RC4();
break; break;
default: default:
user_error('crypt_random_string requires at least one symmetric cipher be loaded'); user_error('crypt_random_string requires at least one symmetric cipher be loaded');
return false; return false;
} }
$crypto->setKey($key); $crypto->setKey($key);
$crypto->setIV($iv); $crypto->setIV($iv);
$crypto->enableContinuousBuffer(); $crypto->enableContinuousBuffer();
} }
//return $crypto->encrypt(str_repeat("\0", $length)); //return $crypto->encrypt(str_repeat("\0", $length));
// the following is based off of ANSI X9.31: // the following is based off of ANSI X9.31:
// //
// http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf // http://csrc.nist.gov/groups/STM/cavp/documents/rng/931rngext.pdf
// //
// OpenSSL uses that same standard for it's random numbers: // OpenSSL uses that same standard for it's random numbers:
// //
// http://www.opensource.apple.com/source/OpenSSL/OpenSSL-38/openssl/fips-1.0/rand/fips_rand.c // http://www.opensource.apple.com/source/OpenSSL/OpenSSL-38/openssl/fips-1.0/rand/fips_rand.c
// (do a search for "ANS X9.31 A.2.4") // (do a search for "ANS X9.31 A.2.4")
$result = ''; $result = '';
while (strlen($result) < $length) { while (strlen($result) < $length) {
$i = $crypto->encrypt(microtime()); // strlen(microtime()) == 21 $i = $crypto->encrypt(microtime()); // strlen(microtime()) == 21
$r = $crypto->encrypt($i ^ $v); // strlen($v) == 20 $r = $crypto->encrypt($i ^ $v); // strlen($v) == 20
$v = $crypto->encrypt($r ^ $i); // strlen($r) == 20 $v = $crypto->encrypt($r ^ $i); // strlen($r) == 20
$result.= $r; $result.= $r;
} }
return substr($result, 0, $length); return substr($result, 0, $length);
} }
} }
if (!function_exists('phpseclib_resolve_include_path')) { if (!function_exists('phpseclib_safe_serialize')) {
/** /**
* Resolve filename against the include path. * Safely serialize variables
* *
* Wrapper around stream_resolve_include_path() (which was introduced in * If a class has a private __sleep() method it'll give a fatal error on PHP 5.2 and earlier.
* PHP 5.3.2) with fallback implementation for earlier PHP versions. * PHP 5.3 will emit a warning.
* *
* @param string $filename * @param mixed $arr
* @return string|false * @access public
* @access public */
*/ function phpseclib_safe_serialize(&$arr)
function phpseclib_resolve_include_path($filename) {
{ if (is_object($arr)) {
if (function_exists('stream_resolve_include_path')) { return '';
return stream_resolve_include_path($filename); }
} if (!is_array($arr)) {
return serialize($arr);
// handle non-relative paths }
if (file_exists($filename)) { // prevent circular array recursion
return realpath($filename); if (isset($arr['__phpseclib_marker'])) {
} return '';
}
$paths = PATH_SEPARATOR == ':' ? $safearr = array();
preg_split('#(?<!phar):#', get_include_path()) : $arr['__phpseclib_marker'] = true;
explode(PATH_SEPARATOR, get_include_path()); foreach (array_keys($arr) as $key) {
foreach ($paths as $prefix) { // do not recurse on the '__phpseclib_marker' key itself, for smaller memory usage
// path's specified in include_path don't always end in / if ($key !== '__phpseclib_marker') {
$ds = substr($prefix, -1) == DIRECTORY_SEPARATOR ? '' : DIRECTORY_SEPARATOR; $safearr[$key] = phpseclib_safe_serialize($arr[$key]);
$file = $prefix . $ds . $filename; }
if (file_exists($file)) { }
return realpath($file); unset($arr['__phpseclib_marker']);
} return serialize($safearr);
} }
}
return false;
} if (!function_exists('phpseclib_resolve_include_path')) {
} /**
* Resolve filename against the include path.
*
* Wrapper around stream_resolve_include_path() (which was introduced in
* PHP 5.3.2) with fallback implementation for earlier PHP versions.
*
* @param string $filename
* @return string|false
* @access public
*/
function phpseclib_resolve_include_path($filename)
{
if (function_exists('stream_resolve_include_path')) {
return stream_resolve_include_path($filename);
}
// handle non-relative paths
if (file_exists($filename)) {
return realpath($filename);
}
$paths = PATH_SEPARATOR == ':' ?
preg_split('#(?<!phar):#', get_include_path()) :
explode(PATH_SEPARATOR, get_include_path());
foreach ($paths as $prefix) {
// path's specified in include_path don't always end in /
$ds = substr($prefix, -1) == DIRECTORY_SEPARATOR ? '' : DIRECTORY_SEPARATOR;
$file = $prefix . $ds . $filename;
if (file_exists($file)) {
return realpath($file);
}
}
return false;
}
}
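Review bot: The recursion guard in `phpseclib_safe_serialize()`, `isset($arr['__phpseclib_marker'])`, cannot distinguish an array that is currently being walked from one that simply arrived holding that key, so such an array (request superglobals can carry arbitrary keys) is serialized as `''` and adds nothing to the SHA-1 seed of the pure-PHP fallback. Objects are reduced to `''` in the same way, which avoids the private `__sleep()` error but also means less input to the seed. The function takes `$arr` by reference and temporarily writes the marker into `$GLOBALS` and `$_SESSION` before unsetting it; the docblock mentions neither this nor a `@return string`. I would add both to the docblock, for example `* Arrays already containing '__phpseclib_marker', and all objects, serialize to ''; $arr is modified during the call and restored on return.`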


@ -320,9 +320,10 @@ class System_SSH_Agent
for ($i = 0; $i < $keyCount; $i++) { for ($i = 0; $i < $keyCount; $i++) {
$length = current(unpack('N', fread($this->fsock, 4))); $length = current(unpack('N', fread($this->fsock, 4)));
$key_blob = fread($this->fsock, $length); $key_blob = fread($this->fsock, $length);
$key_str = 'ssh-rsa ' . base64_encode($key_blob);
$length = current(unpack('N', fread($this->fsock, 4))); $length = current(unpack('N', fread($this->fsock, 4)));
if ($length) { if ($length) {
$key_comment = fread($this->fsock, $length); $key_str.= ' ' . fread($this->fsock, $length);
} }
$length = current(unpack('N', substr($key_blob, 0, 4))); $length = current(unpack('N', substr($key_blob, 0, 4)));
$key_type = substr($key_blob, 4, $length); $key_type = substr($key_blob, 4, $length);
@ -332,7 +333,7 @@ class System_SSH_Agent
include_once 'Crypt/RSA.php'; include_once 'Crypt/RSA.php';
} }
$key = new Crypt_RSA(); $key = new Crypt_RSA();
$key->loadKey('ssh-rsa ' . base64_encode($key_blob) . ' ' . $key_comment); $key->loadKey($key_str);
break; break;
case 'ssh-dss': case 'ssh-dss':
// not currently supported // not currently supported
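Review bot: The new `$key_str.= ' ' . fread($this->fsock, $length);` appends whatever the socket read returned, and neither this read nor the `$key_blob` read above it checks that `$length` bytes actually arrived; `fread()` on a socket stream can return fewer bytes than requested, or `false`. A truncated blob would then be base64-encoded into `$key_str` and handed to `loadKey()`. A length check after each read would catch it, e.g. `if (strlen($key_blob) != $length) { /* malformed agent reply, stop parsing */ }`; how this method reports failure is outside the hunk. Separately, `$key_str` hard-codes `'ssh-rsa '` before `$key_type` is parsed from the blob, which is only correct because the string is used in what appears to be the RSA branch. The loop body starts and ends outside these hunks.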