Subversion Repositories oidplus

Compare Revisions

Regard whitespace Rev 1304 → Rev 1305

/trunk/includes/functions.inc.php
693,4 → 693,71
} else {
return (bool)$mixed; // let PHP decide...
}
}
 
/**
* @param string $data
* @param string $key
* @return string
* @throws \Exception
*/
function encrypt_str(string $data, string $key): string {
if (function_exists('openssl_encrypt')) {
$iv = random_bytes(16); // AES block size in CBC mode
// Encryption
$ciphertext = openssl_encrypt(
$data,
'AES-256-CBC',
hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true),
OPENSSL_RAW_DATA,
$iv
);
// Authentication
$hmac = sha3_512_hmac($iv . $ciphertext, $key, true);
return $hmac . $iv . $ciphertext;
} else {
// When OpenSSL is not available, then we just do a HMAC
$hmac = sha3_512_hmac($data, $key, true);
return $hmac . $data;
}
}
 
/**
* @param string $data
* @param string $key
* @return string
* @throws OIDplusException
*/
function decrypt_str(string $data, string $key): string {
if (function_exists('openssl_decrypt')) {
$hmac = mb_substr($data, 0, 64, '8bit');
$iv = mb_substr($data, 64, 16, '8bit');
$ciphertext = mb_substr($data, 80, null, '8bit');
// Authentication
$hmacNew = sha3_512_hmac($iv . $ciphertext, $key, true);
if (!hash_equals($hmac, $hmacNew)) {
throw new OIDplusException(_L('Authentication failed'));
}
// Decryption
$cleartext = openssl_decrypt(
$ciphertext,
'AES-256-CBC',
hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true),
OPENSSL_RAW_DATA,
$iv
);
if ($cleartext === false) {
throw new OIDplusException(_L('Decryption failed'));
}
return $cleartext;
} else {
// When OpenSSL is not available, then we just do a HMAC
$hmac = mb_substr($data, 0, 64, '8bit');
$cleartext = mb_substr($data, 64, null, '8bit');
$hmacNew = sha3_512_hmac($cleartext, $key, true);
if (!hash_equals($hmac, $hmacNew)) {
throw new OIDplusException(_L('Authentication failed'));
}
return $cleartext;
}
}