Rev 1295 | Rev 1305 | ||
---|---|---|---|
Line 692... | Line 692... | ||
692 | return $mixed != 0; |
692 | return $mixed != 0; |
693 | } else { |
693 | } else { |
694 | return (bool)$mixed; // let PHP decide... |
694 | return (bool)$mixed; // let PHP decide... |
695 | } |
695 | } |
696 | } |
696 | } |
697 | 697 | ||
- | 698 | /** |
|
- | 699 | * @param string $data |
|
- | 700 | * @param string $key |
|
- | 701 | * @return string |
|
- | 702 | * @throws \Exception |
|
- | 703 | */ |
|
- | 704 | function encrypt_str(string $data, string $key): string { |
|
- | 705 | if (function_exists('openssl_encrypt')) { |
|
- | 706 | $iv = random_bytes(16); // AES block size in CBC mode |
|
- | 707 | // Encryption |
|
- | 708 | $ciphertext = openssl_encrypt( |
|
- | 709 | $data, |
|
- | 710 | 'AES-256-CBC', |
|
- | 711 | hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true), |
|
- | 712 | OPENSSL_RAW_DATA, |
|
- | 713 | $iv |
|
- | 714 | ); |
|
- | 715 | // Authentication |
|
- | 716 | $hmac = sha3_512_hmac($iv . $ciphertext, $key, true); |
|
- | 717 | return $hmac . $iv . $ciphertext; |
|
- | 718 | } else { |
|
- | 719 | // When OpenSSL is not available, then we just do a HMAC |
|
- | 720 | $hmac = sha3_512_hmac($data, $key, true); |
|
- | 721 | return $hmac . $data; |
|
- | 722 | } |
|
- | 723 | } |
|
- | 724 | ||
- | 725 | /** |
|
- | 726 | * @param string $data |
|
- | 727 | * @param string $key |
|
- | 728 | * @return string |
|
- | 729 | * @throws OIDplusException |
|
- | 730 | */ |
|
- | 731 | function decrypt_str(string $data, string $key): string { |
|
- | 732 | if (function_exists('openssl_decrypt')) { |
|
- | 733 | $hmac = mb_substr($data, 0, 64, '8bit'); |
|
- | 734 | $iv = mb_substr($data, 64, 16, '8bit'); |
|
- | 735 | $ciphertext = mb_substr($data, 80, null, '8bit'); |
|
- | 736 | // Authentication |
|
- | 737 | $hmacNew = sha3_512_hmac($iv . $ciphertext, $key, true); |
|
- | 738 | if (!hash_equals($hmac, $hmacNew)) { |
|
- | 739 | throw new OIDplusException(_L('Authentication failed')); |
|
- | 740 | } |
|
- | 741 | // Decryption |
|
- | 742 | $cleartext = openssl_decrypt( |
|
- | 743 | $ciphertext, |
|
- | 744 | 'AES-256-CBC', |
|
- | 745 | hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true), |
|
- | 746 | OPENSSL_RAW_DATA, |
|
- | 747 | $iv |
|
- | 748 | ); |
|
- | 749 | if ($cleartext === false) { |
|
- | 750 | throw new OIDplusException(_L('Decryption failed')); |
|
- | 751 | } |
|
- | 752 | return $cleartext; |
|
- | 753 | } else { |
|
- | 754 | // When OpenSSL is not available, then we just do a HMAC |
|
- | 755 | $hmac = mb_substr($data, 0, 64, '8bit'); |
|
- | 756 | $cleartext = mb_substr($data, 64, null, '8bit'); |
|
- | 757 | $hmacNew = sha3_512_hmac($cleartext, $key, true); |
|
- | 758 | if (!hash_equals($hmac, $hmacNew)) { |
|
- | 759 | throw new OIDplusException(_L('Authentication failed')); |
|
- | 760 | } |
|
- | 761 | return $cleartext; |
|
- | 762 | } |
|
- | 763 | } |
|
- | 764 | ||
698 | 765 |
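Review bot: The non-OpenSSL branch of `encrypt_str` returns `$hmac . $data`, so a function whose name promises encryption hands back cleartext with a MAC prepended whenever the extension is missing; failing closed there with `throw new OIDplusException(_L('OpenSSL is required for encryption'));` would be safer than a silent downgrade. Because `decrypt_str` picks its branch by `function_exists()` rather than by anything in the blob, and both branches MAC everything after the first 64 bytes with the same `$key`, the tag does not bind the format: a fallback blob passes authentication in the OpenSSL branch, and an encrypted blob is returned as "cleartext" (IV plus ciphertext) in the fallback branch. A format byte prepended to the blob and included in the MAC input would separate the two. In the OpenSSL branch the result of `openssl_encrypt()` is not checked, unlike in `decrypt_str`, so a `false` return yields a blob holding only HMAC and IV; add `if ($ciphertext === false) throw new OIDplusException(_L('Encryption failed'));`. `hash_pbkdf2()` is called with an empty salt and 10000 iterations, which gives little protection if `$key` is a low-entropy password, so it is worth confirming what callers pass.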