Home Explore Help
Sign In
epsylon
/
Elgg-Lorea-Hydra
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0
Branch: master
Branches Tags
Elgg-Lorea-H...
/
engine
/
classes
/
Elgg
/
Database
/
SiteSecret.php

SiteSecret.php 2.6 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103 
  1. <?php
    2. 

  2. namespace Elgg\Database;
    3. 

  3. 

  4. /**
    5. 

  5.  * Manages a site-specific secret key, encoded as a 32 byte string "secret"
    6. 

  6.  *
    7. 

  7.  * The key can have two formats:
    8. 

  8.  *   - Since 1.8.17 all keys generated are Base64URL-encoded with the 1st character set to "z" so that
    9. 

  9.  *     the format can be recognized. With one character lost, this makes the keys effectively 186 bits.
    10. 

  10.  *   - Before 1.8.17 keys were hex-encoded (128 bits) but created from insufficiently random sources.
    11. 

  11.  *
    12. 

  12.  * The hex keys were created with rand() as the only decent source of entropy (the site's creation time
    13. 

  13.  * is not too difficult to find). As such, systems with a low getrandmax() value created particularly
    14. 

  14.  * weak keys. You can check key string using getStrength().
    15. 

  15.  *
    16. 

  16.  * @access private
    17. 

  17.  *
    18. 

  18.  * @package    Elgg.Core
    19. 

  19.  * @subpackage Database
    20. 

  20.  * @since      1.10.0
    21. 

  21.  */
    22. 

  22. class SiteSecret {
    23. 

  23. 

  24. 	/**
    25. 

  25. 	 * Initialise the site secret (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
    26. 

  26. 	 *
    27. 

  27. 	 * Used during installation and saves as a datalist.
    28. 

  28. 	 *
    29. 

  29. 	 * Note: Old secrets were hex encoded.
    30. 

  30. 	 *
    31. 

  31. 	 * @return mixed The site secret hash or false
    32. 

  32. 	 * @access private
    33. 

  33. 	 */
    34. 

  34. 	function init() {
    35. 

  35. 		$secret = 'z' . _elgg_services()->crypto->getRandomString(31);
    36. 

  36. 

  37. 		if (_elgg_services()->datalist->set('__site_secret__', $secret)) {
    38. 

  38. 			return $secret;
    39. 

  39. 		}
    40. 

  40. 

  41. 		return false;
    42. 

  42. 	}
    43. 

  43. 

  44. 	/**
    45. 

  45. 	 * Returns the site secret.
    46. 

  46. 	 *
    47. 

  47. 	 * Used to generate difficult to guess hashes for sessions and action tokens.
    48. 

  48. 	 *
    49. 

  49. 	 * @param bool $raw If true, a binary key will be returned
    50. 

  50. 	 *
    51. 

  51. 	 * @return string Site secret.
    52. 

  52. 	 * @access private
    53. 

  53. 	 */
    54. 

  54. 	function get($raw = false) {
    55. 

  55. 		$secret = _elgg_services()->datalist->get('__site_secret__');
    56. 

  56. 		if (!$secret) {
    57. 

  57. 			$secret = init_site_secret();
    58. 

  58. 		}
    59. 

  59. 

  60. 		if ($raw) {
    61. 

  61. 			// try to return binary key
    62. 

  62. 			if ($secret[0] === 'z') {
    63. 

  63. 				// new keys are "z" + base64URL
    64. 

  64. 				$base64 = strtr(substr($secret, 1), '-_', '+/');
    65. 

  65. 				$key = base64_decode($base64);
    66. 

  66. 				if ($key !== false) {
    67. 

  67. 					// on failure, at least return string key :/
    68. 

  68. 					return $key;
    69. 

  69. 				}
    70. 

  70. 			} else {
    71. 

  71. 				// old keys are hex
    72. 

  72. 				return hex2bin($secret);
    73. 

  73. 			}
    74. 

  74. 		}
    75. 

  75. 

  76. 		return $secret;
    77. 

  77. 	}
    78. 

  78. 

  79. 	/**
    80. 

  80. 	 * Get the strength of the site secret
    81. 

  81. 	 *
    82. 

  82. 	 * If "weak" or "moderate" is returned, this assumes we're running on the same system that created
    83. 

  83. 	 * the key.
    84. 

  84. 	 *
    85. 

  85. 	 * @return string "strong", "moderate", or "weak"
    86. 

  86. 	 * @access private
    87. 

  87. 	 */
    88. 

  88. 	function getStrength() {
    89. 

  89. 		$secret = get_site_secret();
    90. 

  90. 		if ($secret[0] !== 'z') {
    91. 

  91. 			$rand_max = getrandmax();
    92. 

  92. 			if ($rand_max < pow(2, 16)) {
    93. 

  93. 				return 'weak';
    94. 

  94. 			}
    95. 

  95. 			if ($rand_max < pow(2, 32)) {
    96. 

  96. 				return 'moderate';
    97. 

  97. 			}
    98. 

  98. 		}
    99. 

  99. 		return 'strong';
    100. 

  100. 	}
    101. 

  101. 

  102. }
    103. 

  103.