Changeset 756 for branches/1.1dev/lib/Utilities.inc.php
- Timestamp:
- Nov 16, 2021 8:30:58 AM (2 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/1.1dev/lib/Utilities.inc.php
r754 r756 739 739 function hash64($string, $length=18) 740 740 { 741 $app =& App::getInstance(); 742 743 return mb_substr(preg_replace('/[^\w]/' . $app->getParam('preg_u'), '', base64_encode(hash('sha512', $string, true))), 0, $length); 741 return mb_substr(preg_replace('/[^\w]/', '', base64_encode(hash('sha512', $string, true))), 0, $length); 744 742 } 745 743 746 744 /** 747 745 * Signs a value using md5 and a simple text key. In order for this 748 * function to be useful (i.e. secure) the keymust be kept secret, which746 * function to be useful (i.e. secure) the salt must be kept secret, which 749 747 * means keeping it as safe as database credentials. Putting it into an 750 748 * environment variable set in httpd.conf is a good place. 751 749 * 752 750 * @access public 753 *754 751 * @param string $val The string to sign. 755 * @param string $ key(Optional) A text key to use for computing the signature.756 * 752 * @param string $salt (Optional) A text key to use for computing the signature. 753 * @param string $length (Optional) The length of the added signature. Longer signatures are safer. Must match the length passed to verifySignature() for the signatures to match. 757 754 * @return string The original value with a signature appended. 758 755 */ 759 function addSignature($val, $ key=null)760 { 761 global $CFG;762 763 if ('' == $val) {764 logMsg(sprintf('Adding signature to empty string.', null), LOG_NOTICE, __FILE__, __LINE__);765 } 766 767 if (!isset($key)) {768 $ key= $CFG->signing_key;769 } 770 771 return $val . '-' . substr(md5($val . $key), 0, 18);756 function addSignature($val, $salt=null, $length=18) 757 { 758 if ('' == trim($val)) { 759 logMsg(sprintf('Cannot add signature to an empty string.', null), LOG_INFO, __FILE__, __LINE__); 760 return ''; 761 } 762 763 if (!isset($salt)) { 764 global $CFG; 765 $salt = $CFG->signing_key; 766 } 767 768 return $val . '-' . mb_substr(preg_replace('/[^\w]/', '', base64_encode(hash('sha512', $val . $salt, true))), 0, $length); 772 769 } 773 770 … … 776 773 * 777 774 * @access public 778 *779 775 * @param string $signed_val The string to sign. 780 *781 776 * @return string The original value with a signature removed. 782 777 */ 783 778 function removeSignature($signed_val) 784 779 { 785 return substr($signed_val, 0, strrpos($signed_val, '-')); 786 } 787 788 /** 789 * Verifies a signature appened to a value by addSignature(). 780 if (empty($signed_val) || mb_strpos($signed_val, '-') === false) { 781 return ''; 782 } 783 return mb_substr($signed_val, 0, mb_strrpos($signed_val, '-')); 784 } 785 786 /** 787 * Verifies a signature appended to a value by addSignature(). 790 788 * 791 789 * @access public 792 *793 790 * @param string $signed_val A value with appended signature. 794 * @param string $ key(Optional) A text key to use for computing the signature.795 * 791 * @param string $salt (Optional) A text key to use for computing the signature. 792 * @param string $length (Optional) The length of the added signature. 796 793 * @return bool True if the signature matches the var. 797 794 */ 798 function verifySignature($signed_val, $ key=null)795 function verifySignature($signed_val, $salt=null, $length=18) 799 796 { 800 797 // Strip the value from the signed value. 801 $val = substr($signed_val, 0, strrpos($signed_val, '-'));798 $val = removeSignature($signed_val); 802 799 // If the signed value matches the original signed value we consider the value safe. 803 if ( $signed_val == addSignature($val, $key)) {800 if ('' != $signed_val && $signed_val == addSignature($val, $salt, $length)) { 804 801 // Signature verified. 805 802 return true; 806 803 } else { 804 logMsg(sprintf('Failed signature (%s should be %s)', $signed_val, addSignature($val, $salt, $length)), LOG_DEBUG, __FILE__, __LINE__); 807 805 return false; 808 806 }
Note: See TracChangeset
for help on using the changeset viewer.