Rev 1295 | Rev 1359 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed
| Rev 1295 | Rev 1305 | ||
|---|---|---|---|
| Line 692... | Line 692... | ||
| 692 | return $mixed != 0; |
692 | return $mixed != 0; |
| 693 | } else { |
693 | } else { |
| 694 | return (bool)$mixed; // let PHP decide... |
694 | return (bool)$mixed; // let PHP decide... |
| 695 | } |
695 | } |
| 696 | } |
696 | } |
| 697 | 697 | ||
| - | 698 | /** |
|
| - | 699 | * @param string $data |
|
| - | 700 | * @param string $key |
|
| - | 701 | * @return string |
|
| - | 702 | * @throws \Exception |
|
| - | 703 | */ |
|
| - | 704 | function encrypt_str(string $data, string $key): string { |
|
| - | 705 | if (function_exists('openssl_encrypt')) { |
|
| - | 706 | $iv = random_bytes(16); // AES block size in CBC mode |
|
| - | 707 | // Encryption |
|
| - | 708 | $ciphertext = openssl_encrypt( |
|
| - | 709 | $data, |
|
| - | 710 | 'AES-256-CBC', |
|
| - | 711 | hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true), |
|
| - | 712 | OPENSSL_RAW_DATA, |
|
| - | 713 | $iv |
|
| - | 714 | ); |
|
| - | 715 | // Authentication |
|
| - | 716 | $hmac = sha3_512_hmac($iv . $ciphertext, $key, true); |
|
| - | 717 | return $hmac . $iv . $ciphertext; |
|
| - | 718 | } else { |
|
| - | 719 | // When OpenSSL is not available, then we just do a HMAC |
|
| - | 720 | $hmac = sha3_512_hmac($data, $key, true); |
|
| - | 721 | return $hmac . $data; |
|
| - | 722 | } |
|
| - | 723 | } |
|
| - | 724 | ||
| - | 725 | /** |
|
| - | 726 | * @param string $data |
|
| - | 727 | * @param string $key |
|
| - | 728 | * @return string |
|
| - | 729 | * @throws OIDplusException |
|
| - | 730 | */ |
|
| - | 731 | function decrypt_str(string $data, string $key): string { |
|
| - | 732 | if (function_exists('openssl_decrypt')) { |
|
| - | 733 | $hmac = mb_substr($data, 0, 64, '8bit'); |
|
| - | 734 | $iv = mb_substr($data, 64, 16, '8bit'); |
|
| - | 735 | $ciphertext = mb_substr($data, 80, null, '8bit'); |
|
| - | 736 | // Authentication |
|
| - | 737 | $hmacNew = sha3_512_hmac($iv . $ciphertext, $key, true); |
|
| - | 738 | if (!hash_equals($hmac, $hmacNew)) { |
|
| - | 739 | throw new OIDplusException(_L('Authentication failed')); |
|
| - | 740 | } |
|
| - | 741 | // Decryption |
|
| - | 742 | $cleartext = openssl_decrypt( |
|
| - | 743 | $ciphertext, |
|
| - | 744 | 'AES-256-CBC', |
|
| - | 745 | hash_pbkdf2('sha512', $key, '', 10000, 32/*256bit*/, true), |
|
| - | 746 | OPENSSL_RAW_DATA, |
|
| - | 747 | $iv |
|
| - | 748 | ); |
|
| - | 749 | if ($cleartext === false) { |
|
| - | 750 | throw new OIDplusException(_L('Decryption failed')); |
|
| - | 751 | } |
|
| - | 752 | return $cleartext; |
|
| - | 753 | } else { |
|
| - | 754 | // When OpenSSL is not available, then we just do a HMAC |
|
| - | 755 | $hmac = mb_substr($data, 0, 64, '8bit'); |
|
| - | 756 | $cleartext = mb_substr($data, 64, null, '8bit'); |
|
| - | 757 | $hmacNew = sha3_512_hmac($cleartext, $key, true); |
|
| - | 758 | if (!hash_equals($hmac, $hmacNew)) { |
|
| - | 759 | throw new OIDplusException(_L('Authentication failed')); |
|
| - | 760 | } |
|
| - | 761 | return $cleartext; |
|
| - | 762 | } |
|
| - | 763 | } |
|
| - | 764 | ||
| 698 | 765 | ||