diff --git a/composer.json b/composer.json index 6808c5c1..9f5872a8 100644 --- a/composer.json +++ b/composer.json @@ -4,7 +4,9 @@ "type": "project", "require": { "danog/phpstruct": "^1.1", - "phpseclib/phpseclib": "^2.0" + "phpseclib/phpseclib": "^2.0", + "paragonie/constant_time_encoding": "^2.0", + "paragonie/random_compat": "^2.0" }, "license": "MIT", "authors": [ diff --git a/composer.lock b/composer.lock index c492c0a2..937baab0 100644 --- a/composer.lock +++ b/composer.lock @@ -4,8 +4,8 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "f60c705a31a0dc3e563a1cb78ce2bef9", - "content-hash": "018ac32ece19a237770fd6102396f9b3", + "hash": "bf8a060cc0075e345a7c0e8cc3d99ad5", + "content-hash": "2f241cb7dbf8d3d67d17fbead159145b", "packages": [ { "name": "danog/phpstruct", @@ -55,6 +55,115 @@ ], "time": "2016-07-29 15:13:54" }, + { + "name": "paragonie/constant_time_encoding", + "version": "v2.0.3", + "source": { + "type": "git", + "url": "https://github.com/paragonie/constant_time_encoding.git", + "reference": "e085e08c939de49707dbf64315d178d90fbc708d" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/e085e08c939de49707dbf64315d178d90fbc708d", + "reference": "e085e08c939de49707dbf64315d178d90fbc708d", + "shasum": "" + }, + "require": { + "php": "^7" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "type": "library", + "autoload": { + "psr-4": { + "ParagonIE\\ConstantTime\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com", + "role": "Maintainer" + }, + { + "name": "Steve 'Sc00bz' Thomas", + "email": "steve@tobtu.com", + "homepage": "https://www.tobtu.com", + "role": "Original Developer" + } + ], + "description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)", + "keywords": [ + "base16", + "base32", + "base32_decode", + "base32_encode", + "base64", + "base64_decode", + "base64_encode", + "bin2hex", + "encoding", + "hex", + "hex2bin", + "rfc4648" + ], + "time": "2016-07-11 20:32:06" + }, + { + "name": "paragonie/random_compat", + "version": "v2.0.2", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/088c04e2f261c33bed6ca5245491cfca69195ccf", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "type": "library", + "autoload": { + "files": [ + "lib/random.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "pseudorandom", + "random" + ], + "time": "2016-04-03 06:00:07" + }, { "name": "phpseclib/phpseclib", "version": "2.0.2", diff --git a/prime.php b/prime.php index 1543e189..34b465f6 100644 --- a/prime.php +++ b/prime.php @@ -93,24 +93,25 @@ class PrimeModule while ($g->equals($one)) { $x = $y; $params = ["y" => $y, "two" => $two, "c" => $c, "one" => $one, "n" => $n]; - $r->foreach(function ($i, $params) { + $r->loopforeach(function ($i, $params) { $params["y"] = $params["y"]->powMod($params["two"], $params["n"])->add($params["c"])->powMod($params["one"], $params["n"]); }, $params); - each($params, EXTR_OVERWRITE); + each($params); $k = $zero; while ($k->compare($r) == -1 && $g->equals($one)) { $ys = $y; $params = ["x" => $x, "y" => $y, "two" => $two, "c" => $c, "one" => $one, "n" => $n, "q" => $q]; - $m->min($r->subtract($k))->foreach(function ($i, $params) { + $m->min($r->subtract($k))->loopforeach(function ($i, $params) { $params["y"] = $params["y"]->powMod($params["two"], $params["n"])->add($params["c"])->powMod($params["one"], $params["n"]); $params["q"] = $params["q"]->multiply($params["x"]->subtract($params["y"])->abs())->powMod($params["one"], $params["n"]); }, $params); - each($params, EXTR_OVERWRITE); + each($params); $g = $q->gcd($n); $k = $k->add($m); } $r = $r->multiply($two); } + die; if ($g->equals($n)) { while (true) { $ys = $ys->powMod($two, $n)->add($c)->powMod($one, $n); diff --git a/prime.py b/prime.py index 9de089e6..6b6af6f2 100644 --- a/prime.py +++ b/prime.py @@ -67,7 +67,6 @@ def pollard_brent(n): k = 0 while k < r and g==1: ys = y - print(min(m, r-k)) for i in range(min(m, r-k)): y = (pow(y, 2, n) + c) % n q = q * abs(x-y) % n diff --git a/vendor/composer/autoload_files.php b/vendor/composer/autoload_files.php index 9a9a17de..0f99dcf8 100644 --- a/vendor/composer/autoload_files.php +++ b/vendor/composer/autoload_files.php @@ -7,4 +7,5 @@ $baseDir = dirname($vendorDir); return array( 'decc78cc4436b1292c6c0d151b19445c' => $vendorDir . '/phpseclib/phpseclib/phpseclib/bootstrap.php', + '5255c38a0faeba867671b61dfda6d864' => $vendorDir . '/paragonie/random_compat/lib/random.php', ); diff --git a/vendor/composer/autoload_psr4.php b/vendor/composer/autoload_psr4.php index 38756ce7..0b6764b6 100644 --- a/vendor/composer/autoload_psr4.php +++ b/vendor/composer/autoload_psr4.php @@ -7,4 +7,5 @@ $baseDir = dirname($vendorDir); return array( 'phpseclib\\' => array($vendorDir . '/phpseclib/phpseclib/phpseclib'), + 'ParagonIE\\ConstantTime\\' => array($vendorDir . '/paragonie/constant_time_encoding/src'), ); diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php index 59b17d72..547c98a5 100644 --- a/vendor/composer/autoload_static.php +++ b/vendor/composer/autoload_static.php @@ -8,6 +8,7 @@ class ComposerStaticInitbd69ed7fd0aebb6b1ba64b36dad1b458 { public static $files = array ( 'decc78cc4436b1292c6c0d151b19445c' => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib/bootstrap.php', + '5255c38a0faeba867671b61dfda6d864' => __DIR__ . '/..' . '/paragonie/random_compat/lib/random.php', ); public static $prefixLengthsPsr4 = array ( @@ -15,6 +16,10 @@ class ComposerStaticInitbd69ed7fd0aebb6b1ba64b36dad1b458 array ( 'phpseclib\\' => 10, ), + 'P' => + array ( + 'ParagonIE\\ConstantTime\\' => 23, + ), ); public static $prefixDirsPsr4 = array ( @@ -22,6 +27,10 @@ class ComposerStaticInitbd69ed7fd0aebb6b1ba64b36dad1b458 array ( 0 => __DIR__ . '/..' . '/phpseclib/phpseclib/phpseclib', ), + 'ParagonIE\\ConstantTime\\' => + array ( + 0 => __DIR__ . '/..' . '/paragonie/constant_time_encoding/src', + ), ); public static $prefixesPsr0 = array ( diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index 8a7e19fc..4519b622 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json @@ -142,5 +142,118 @@ "struct", "unpack" ] + }, + { + "name": "paragonie/constant_time_encoding", + "version": "v2.0.3", + "version_normalized": "2.0.3.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/constant_time_encoding.git", + "reference": "e085e08c939de49707dbf64315d178d90fbc708d" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/e085e08c939de49707dbf64315d178d90fbc708d", + "reference": "e085e08c939de49707dbf64315d178d90fbc708d", + "shasum": "" + }, + "require": { + "php": "^7" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "time": "2016-07-11 20:32:06", + "type": "library", + "installation-source": "dist", + "autoload": { + "psr-4": { + "ParagonIE\\ConstantTime\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com", + "role": "Maintainer" + }, + { + "name": "Steve 'Sc00bz' Thomas", + "email": "steve@tobtu.com", + "homepage": "https://www.tobtu.com", + "role": "Original Developer" + } + ], + "description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)", + "keywords": [ + "base16", + "base32", + "base32_decode", + "base32_encode", + "base64", + "base64_decode", + "base64_encode", + "bin2hex", + "encoding", + "hex", + "hex2bin", + "rfc4648" + ] + }, + { + "name": "paragonie/random_compat", + "version": "v2.0.2", + "version_normalized": "2.0.2.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/088c04e2f261c33bed6ca5245491cfca69195ccf", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "time": "2016-04-03 06:00:07", + "type": "library", + "installation-source": "dist", + "autoload": { + "files": [ + "lib/random.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "pseudorandom", + "random" + ] } ] diff --git a/vendor/paragonie/constant_time_encoding/.gitignore b/vendor/paragonie/constant_time_encoding/.gitignore new file mode 100644 index 00000000..e0caea8f --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/.gitignore @@ -0,0 +1,2 @@ +.idea/ +vendor/ \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/.travis.yml b/vendor/paragonie/constant_time_encoding/.travis.yml new file mode 100644 index 00000000..a78dfe92 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/.travis.yml @@ -0,0 +1,15 @@ +language: php +sudo: false + +php: + - "7.0" + +matrix: + fast_finish: true + +install: + - composer self-update + - composer update + +script: + - vendor/bin/phpunit diff --git a/vendor/paragonie/constant_time_encoding/LICENSE.txt b/vendor/paragonie/constant_time_encoding/LICENSE.txt new file mode 100644 index 00000000..06302425 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/LICENSE.txt @@ -0,0 +1,48 @@ +The MIT License (MIT) + +Copyright (c) 2016 Paragon Initiative Enterprises + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +------------------------------------------------------------------------------ +This library was based on the work of Steve "Sc00bz" Thomas. +------------------------------------------------------------------------------ + +The MIT License (MIT) + +Copyright (c) 2014 Steve Thomas + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + diff --git a/vendor/paragonie/constant_time_encoding/README.md b/vendor/paragonie/constant_time_encoding/README.md new file mode 100644 index 00000000..8e6b835b --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/README.md @@ -0,0 +1,75 @@ +# Constant-Time Encoding + +[![Build Status](https://travis-ci.org/paragonie/constant_time_encoding.svg?branch=master)](https://travis-ci.org/paragonie/constant_time_encoding) + +Based on the [constant-time base64 implementation made by Steve "Sc00bz" Thomas](https://github.com/Sc00bz/ConstTimeEncoding), +this library aims to offer character encoding functions that do not leak +information about what you are encoding/decoding via processor cache +misses. Further reading on [cache-timing attacks](http://blog.ircmaxell.com/2014/11/its-all-about-time.html). + +Our fork offers the following enchancements: + +* `mbstring.func_overload` resistance +* Unit tests +* Composer- and Packagist-ready +* Base16 encoding +* Base32 encoding +* Uses `pack()` and `unpack()` instead of `chr()` and `ord()` + +## PHP Version Requirements + +Version 2 of this library should work on **PHP 7** or newer. For PHP 5 +support, see [the v1.x branch](https://github.com/paragonie/constant_time_encoding/tree/v1.x). + +If you are adding this as a dependency to a project intended to work on both PHP 5 and PHP 7, please set the required version to `^1|^2` instead of just `^1` or `^2`. + +## How to Install + +```sh +composer require paragonie/constant_time_encoding +``` + +## How to Use + +```php +use \ParagonIE\ConstantTime\Encoding; + +// possibly (if applicable): +// require 'vendor/autoload.php'; + +$data = random_bytes(32); +echo Encoding::base64Encode($data), "\n"; +echo Encoding::base32EncodeUpper($data), "\n"; +echo Encoding::base32Encode($data), "\n"; +echo Encoding::hexEncode($data), "\n"; +echo Encoding::hexEncodeUpper($data), "\n"; +``` + +Example output: + +``` +1VilPkeVqirlPifk5scbzcTTbMT2clp+Zkyv9VFFasE= +2VMKKPSHSWVCVZJ6E7SONRY3ZXCNG3GE6ZZFU7TGJSX7KUKFNLAQ==== +2vmkkpshswvcvzj6e7sonry3zxcng3ge6zzfu7tgjsx7kukfnlaq==== +d558a53e4795aa2ae53e27e4e6c71bcdc4d36cc4f6725a7e664caff551456ac1 +D558A53E4795AA2AE53E27E4E6C71BDCC4D36CC4F6725A7E664CAFF551456AC1 +``` + +If you only need a particular variant, you can just reference the +required class like so: + +```php +use \ParagonIE\ConstantTime\Base64; +use \ParagonIE\ConstantTime\Base32; + +$data = random_bytes(32); +echo Base64::encode($data), "\n"; +echo Base32::encode($data), "\n"; +``` + +Example output: + +``` +1VilPkeVqirlPifk5scbzcTTbMT2clp+Zkyv9VFFasE= +2vmkkpshswvcvzj6e7sonry3zxcng3ge6zzfu7tgjsx7kukfnlaq==== +``` diff --git a/vendor/paragonie/constant_time_encoding/composer.json b/vendor/paragonie/constant_time_encoding/composer.json new file mode 100644 index 00000000..46c354ed --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/composer.json @@ -0,0 +1,39 @@ +{ + "name": "paragonie/constant_time_encoding", + "description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)", + "keywords": [ + "base64", "encoding", "rfc4648", "base32", "base16", "hex", "bin2hex", "hex2bin", "base64_encode", "base64_decode", "base32_encode", "base32_decode" + ], + "license": "MIT", + "type": "library", + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com", + "role": "Maintainer" + }, + { + "name": "Steve 'Sc00bz' Thomas", + "email": "steve@tobtu.com", + "homepage": "https://www.tobtu.com", + "role": "Original Developer" + } + ], + "support": { + "issues": "https://github.com/paragonie/constant_time_encoding/issues", + "email": "info@paragonie.com", + "source": "https://github.com/paragonie/constant_time_encoding" + }, + "require": { + "php": "^7" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "autoload": { + "psr-4": { + "ParagonIE\\ConstantTime\\": "src/" + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/phpunit.xml.dist b/vendor/paragonie/constant_time_encoding/phpunit.xml.dist new file mode 100644 index 00000000..d6e196ab --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/phpunit.xml.dist @@ -0,0 +1,29 @@ + + + + + tests + + + + + ./tests + + + + + ./src + + + \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/src/Base32.php b/vendor/paragonie/constant_time_encoding/src/Base32.php new file mode 100644 index 00000000..a65c1c73 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base32.php @@ -0,0 +1,396 @@ + 96 && $src < 123) $ret += $src - 97 + 1; // -64 + $ret += (((0x60 - $src) & ($src - 0x7b)) >> 8) & ($src - 96); + + // if ($src > 0x31 && $src < 0x38) $ret += $src - 24 + 1; // -23 + $ret += (((0x31 - $src) & ($src - 0x38)) >> 8) & ($src - 23); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 5-bit integers + * into 8-bit integers. + * + * Uppercase variant. + * + * @param int $src + * @return int + */ + protected static function decode5BitsUpper(int $src): int + { + $ret = -1; + + // if ($src > 64 && $src < 91) $ret += $src - 65 + 1; // -64 + $ret += (((0x40 - $src) & ($src - 0x5b)) >> 8) & ($src - 64); + + // if ($src > 0x31 && $src < 0x38) $ret += $src - 24 + 1; // -23 + $ret += (((0x31 - $src) & ($src - 0x38)) >> 8) & ($src - 23); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 5-bit integers. + * + * @param $src + * @return string + */ + protected static function encode5Bits(int $src): string + { + $diff = 0x61; + + // if ($src > 25) $ret -= 72; + $diff -= ((25 - $src) >> 8) & 73; + + return \pack('C', $src + $diff); + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 5-bit integers. + * + * Uppercase variant. + * + * @param $src + * @return string + */ + protected static function encode5BitsUpper(int $src): string + { + $diff = 0x41; + + // if ($src > 25) $ret -= 40; + $diff -= ((25 - $src) >> 8) & 41; + + return \pack('C', $src + $diff); + } + + + /** + * Base32 decoding + * + * @param string $src + * @param bool $upper + * @param bool $strictPadding + * @return string + */ + protected static function doDecode(string $src, bool $upper = false, bool $strictPadding = false): string + { + // We do this to reduce code duplication: + $method = $upper + ? 'decode5BitsUpper' + : 'decode5Bits'; + + // Remove padding + $srcLen = Binary::safeStrlen($src); + if ($srcLen === 0) { + return ''; + } + if ($strictPadding) { + if (($srcLen & 7) === 0) { + for ($j = 0; $j < 7; ++$j) { + if ($src[$srcLen - 1] === '=') { + $srcLen--; + } else { + break; + } + } + } + if (($srcLen & 7) === 1) { + throw new \RangeException( + 'Incorrect padding' + ); + } + } else { + $src = \rtrim($src, '='); + $srcLen = Binary::safeStrlen($src); + } + + $err = 0; + $dest = ''; + // Main loop (no padding): + for ($i = 0; $i + 8 <= $srcLen; $i += 8) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, 8)); + $c0 = static::$method($chunk[1]); + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + $c3 = static::$method($chunk[4]); + $c4 = static::$method($chunk[5]); + $c5 = static::$method($chunk[6]); + $c6 = static::$method($chunk[7]); + $c7 = static::$method($chunk[8]); + + $dest .= \pack( + 'CCCCC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff, + (($c3 << 4) | ($c4 >> 1) ) & 0xff, + (($c4 << 7) | ($c5 << 2) | ($c6 >> 3)) & 0xff, + (($c6 << 5) | ($c7 ) ) & 0xff + ); + $err |= ($c0 | $c1 | $c2 | $c3 | $c4 | $c5 | $c6 | $c7) >> 8; + } + // The last chunk, which may have padding: + if ($i < $srcLen) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i)); + $c0 = static::$method($chunk[1]); + + if ($i + 6 < $srcLen) { + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + $c3 = static::$method($chunk[4]); + $c4 = static::$method($chunk[5]); + $c5 = static::$method($chunk[6]); + $c6 = static::$method($chunk[7]); + + $dest .= \pack( + 'CCCC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff, + (($c3 << 4) | ($c4 >> 1) ) & 0xff, + (($c4 << 7) | ($c5 << 2) | ($c6 >> 3)) & 0xff + ); + $err |= ($c0 | $c1 | $c2 | $c3 | $c4 | $c5 | $c6) >> 8; + } elseif ($i + 5 < $srcLen) { + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + $c3 = static::$method($chunk[4]); + $c4 = static::$method($chunk[5]); + $c5 = static::$method($chunk[6]); + + $dest .= \pack( + 'CCCC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff, + (($c3 << 4) | ($c4 >> 1) ) & 0xff, + (($c4 << 7) | ($c5 << 2) ) & 0xff + ); + $err |= ($c0 | $c1 | $c2 | $c3 | $c4 | $c5) >> 8; + } elseif ($i + 4 < $srcLen) { + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + $c3 = static::$method($chunk[4]); + $c4 = static::$method($chunk[5]); + + $dest .= \pack( + 'CCC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff, + (($c3 << 4) | ($c4 >> 1) ) & 0xff + ); + $err |= ($c0 | $c1 | $c2 | $c3 | $c4) >> 8; + } elseif ($i + 3 < $srcLen) { + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + $c3 = static::$method($chunk[4]); + + $dest .= \pack( + 'CC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff + ); + $err |= ($c0 | $c1 | $c2 | $c3) >> 8; + } elseif ($i + 2 < $srcLen) { + $c1 = static::$method($chunk[2]); + $c2 = static::$method($chunk[3]); + + $dest .= \pack( + 'CC', + (($c0 << 3) | ($c1 >> 2) ) & 0xff, + (($c1 << 6) | ($c2 << 1) ) & 0xff + ); + $err |= ($c0 | $c1 | $c2) >> 8; + } elseif ($i + 1 < $srcLen) { + $c1 = static::$method($chunk[2]); + + $dest .= \pack( + 'C', + (($c0 << 3) | ($c1 >> 2) ) & 0xff + ); + $err |= ($c0 | $c1) >> 8; + } else { + $dest .= \pack( + 'C', + (($c0 << 3) ) & 0xff + ); + $err |= ($c0) >> 8; + } + } + if ($err !== 0) { + throw new \RangeException( + 'Base32::doDecode() only expects characters in the correct base32 alphabet' + ); + } + return $dest; + } + + /** + * Base32 Decoding + * + * @param string $src + * @param bool $upper + * @return string + */ + protected static function doEncode(string $src, bool $upper = false): string + { + // We do this to reduce code duplication: + $method = $upper + ? 'encode5BitsUpper' + : 'encode5Bits'; + + $dest = ''; + $srcLen = Binary::safeStrlen($src); + + // Main loop (no padding): + for ($i = 0; $i + 5 <= $srcLen; $i += 5) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, 5)); + $b0 = $chunk[1]; + $b1 = $chunk[2]; + $b2 = $chunk[3]; + $b3 = $chunk[4]; + $b4 = $chunk[5]; + $dest .= + static::$method( ($b0 >> 3) & 31) . + static::$method((($b0 << 2) | ($b1 >> 6)) & 31) . + static::$method((($b1 >> 1) ) & 31) . + static::$method((($b1 << 4) | ($b2 >> 4)) & 31) . + static::$method((($b2 << 1) | ($b3 >> 7)) & 31) . + static::$method((($b3 >> 2) ) & 31) . + static::$method((($b3 << 3) | ($b4 >> 5)) & 31) . + static::$method( $b4 & 31); + } + // The last chunk, which may have padding: + if ($i < $srcLen) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i)); + $b0 = $chunk[1]; + if ($i + 3 < $srcLen) { + $b1 = $chunk[2]; + $b2 = $chunk[3]; + $b3 = $chunk[4]; + $dest .= + static::$method( ($b0 >> 3) & 31) . + static::$method((($b0 << 2) | ($b1 >> 6)) & 31) . + static::$method((($b1 >> 1) ) & 31) . + static::$method((($b1 << 4) | ($b2 >> 4)) & 31) . + static::$method((($b2 << 1) | ($b3 >> 7)) & 31) . + static::$method((($b3 >> 2) ) & 31) . + static::$method((($b3 << 3) ) & 31) . + '='; + } elseif ($i + 2 < $srcLen) { + $b1 = $chunk[2]; + $b2 = $chunk[3]; + $dest .= + static::$method( ($b0 >> 3) & 31) . + static::$method((($b0 << 2) | ($b1 >> 6)) & 31) . + static::$method((($b1 >> 1) ) & 31) . + static::$method((($b1 << 4) | ($b2 >> 4)) & 31) . + static::$method((($b2 << 1) ) & 31) . + '==='; + } elseif ($i + 1 < $srcLen) { + $b1 = $chunk[2]; + $dest .= + static::$method( ($b0 >> 3) & 31) . + static::$method((($b0 << 2) | ($b1 >> 6)) & 31) . + static::$method((($b1 >> 1) ) & 31) . + static::$method((($b1 << 4) ) & 31) . + '===='; + } else { + $dest .= + static::$method( ($b0 >> 3) & 31) . + static::$method( ($b0 << 2) & 31) . + '======'; + } + } + return $dest; + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/Base32Hex.php b/vendor/paragonie/constant_time_encoding/src/Base32Hex.php new file mode 100644 index 00000000..5aff0a6b --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base32Hex.php @@ -0,0 +1,111 @@ + 0x30 && $src < 0x3a) ret += $src - 0x2e + 1; // -47 + $ret += (((0x2f - $src) & ($src - 0x3a)) >> 8) & ($src - 47); + + // if ($src > 0x60 && $src < 0x77) ret += $src - 0x61 + 10 + 1; // -86 + $ret += (((0x60 - $src) & ($src - 0x77)) >> 8) & ($src - 86); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 5-bit integers + * into 8-bit integers. + * + * @param int $src + * @return int + */ + protected static function decode5BitsUpper(int $src): int + { + $ret = -1; + + // if ($src > 0x30 && $src < 0x3a) ret += $src - 0x2e + 1; // -47 + $ret += (((0x2f - $src) & ($src - 0x3a)) >> 8) & ($src - 47); + + // if ($src > 0x40 && $src < 0x57) ret += $src - 0x41 + 10 + 1; // -54 + $ret += (((0x40 - $src) & ($src - 0x57)) >> 8) & ($src - 54); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 5-bit integers. + * + * @param int $src + * @return string + */ + protected static function encode5Bits(int $src): string + { + $src += 0x30; + + // if ($src > 0x39) $src += 0x61 - 0x3a; // 39 + $src += ((0x39 - $src) >> 8) & 39; + + return \pack('C', $src); + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 5-bit integers. + * + * Uppercase variant. + * + * @param int $src + * @return string + */ + protected static function encode5BitsUpper(int $src): string + { + $src += 0x30; + + // if ($src > 0x39) $src += 0x41 - 0x3a; // 7 + $src += ((0x39 - $src) >> 8) & 7; + + return \pack('C', $src); + } +} \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/src/Base64.php b/vendor/paragonie/constant_time_encoding/src/Base64.php new file mode 100644 index 00000000..c29c080d --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base64.php @@ -0,0 +1,231 @@ +> 2 ) . + static::encode6Bits((($b0 << 4) | ($b1 >> 4)) & 63) . + static::encode6Bits((($b1 << 2) | ($b2 >> 6)) & 63) . + static::encode6Bits( $b2 & 63); + } + // The last chunk, which may have padding: + if ($i < $srcLen) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i)); + $b0 = $chunk[1]; + if ($i + 1 < $srcLen) { + $b1 = $chunk[2]; + $dest .= + static::encode6Bits( $b0 >> 2 ) . + static::encode6Bits((($b0 << 4) | ($b1 >> 4)) & 63) . + static::encode6Bits( ($b1 << 2) & 63) . '='; + } else { + $dest .= + static::encode6Bits( $b0 >> 2) . + static::encode6Bits(($b0 << 4) & 63) . '=='; + } + } + return $dest; + } + + /** + * decode from base64 into binary + * + * Base64 character set "./[A-Z][a-z][0-9]" + * + * @param string $src + * @param bool $strictPadding + * @return string|bool + * @throws \RangeException + */ + public static function decode(string $src, bool $strictPadding = false): string + { + // Remove padding + $srcLen = Binary::safeStrlen($src); + if ($srcLen === 0) { + return ''; + } + + if ($strictPadding) { + if (($srcLen & 3) === 0) { + if ($src[$srcLen - 1] === '=') { + $srcLen--; + if ($src[$srcLen - 1] === '=') { + $srcLen--; + } + } + } + if (($srcLen & 3) === 1) { + throw new \RangeException( + 'Incorrect padding' + ); + } + if ($src[$srcLen - 1] === '=') { + throw new \RangeException( + 'Incorrect padding' + ); + } + } else { + $src = \rtrim($src, '='); + $srcLen = Binary::safeStrlen($src); + } + + $err = 0; + $dest = ''; + // Main loop (no padding): + for ($i = 0; $i + 4 <= $srcLen; $i += 4) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, 4)); + $c0 = static::decode6Bits($chunk[1]); + $c1 = static::decode6Bits($chunk[2]); + $c2 = static::decode6Bits($chunk[3]); + $c3 = static::decode6Bits($chunk[4]); + + $dest .= \pack( + 'CCC', + ((($c0 << 2) | ($c1 >> 4)) & 0xff), + ((($c1 << 4) | ($c2 >> 2)) & 0xff), + ((($c2 << 6) | $c3 ) & 0xff) + ); + $err |= ($c0 | $c1 | $c2 | $c3) >> 8; + } + // The last chunk, which may have padding: + if ($i < $srcLen) { + $chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i)); + $c0 = static::decode6Bits($chunk[1]); + + if ($i + 2 < $srcLen) { + $c1 = static::decode6Bits($chunk[2]); + $c2 = static::decode6Bits($chunk[3]); + $dest .= \pack( + 'CC', + ((($c0 << 2) | ($c1 >> 4)) & 0xff), + ((($c1 << 4) | ($c2 >> 2)) & 0xff) + ); + $err |= ($c0 | $c1 | $c2) >> 8; + } elseif ($i + 1 < $srcLen) { + $c1 = static::decode6Bits($chunk[2]); + $dest .= \pack( + 'C', + ((($c0 << 2) | ($c1 >> 4)) & 0xff) + ); + $err |= ($c0 | $c1) >> 8; + } elseif ($i < $srcLen && $strictPadding) { + $err |= 1; + } + } + if ($err !== 0) { + throw new \RangeException( + 'Base64::decode() only expects characters in the correct base64 alphabet' + ); + } + return $dest; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 6-bit integers + * into 8-bit integers. + * + * Base64 character set: + * [A-Z] [a-z] [0-9] + / + * 0x41-0x5a, 0x61-0x7a, 0x30-0x39, 0x2b, 0x2f + * + * @param int $src + * @return int + */ + protected static function decode6Bits(int $src): int + { + $ret = -1; + + // if ($src > 0x40 && $src < 0x5b) $ret += $src - 0x41 + 1; // -64 + $ret += (((0x40 - $src) & ($src - 0x5b)) >> 8) & ($src - 64); + + // if ($src > 0x60 && $src < 0x7b) $ret += $src - 0x61 + 26 + 1; // -70 + $ret += (((0x60 - $src) & ($src - 0x7b)) >> 8) & ($src - 70); + + // if ($src > 0x2f && $src < 0x3a) $ret += $src - 0x30 + 52 + 1; // 5 + $ret += (((0x2f - $src) & ($src - 0x3a)) >> 8) & ($src + 5); + + // if ($src == 0x2b) $ret += 62 + 1; + $ret += (((0x2a - $src) & ($src - 0x2c)) >> 8) & 63; + + // if ($src == 0x2f) ret += 63 + 1; + $ret += (((0x2e - $src) & ($src - 0x30)) >> 8) & 64; + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 6-bit integers. + * + * @param int $src + * @return string + */ + protected static function encode6Bits(int $src): string + { + $diff = 0x41; + + // if ($src > 25) $diff += 0x61 - 0x41 - 26; // 6 + $diff += ((25 - $src) >> 8) & 6; + + // if ($src > 51) $diff += 0x30 - 0x61 - 26; // -75 + $diff -= ((51 - $src) >> 8) & 75; + + // if ($src > 61) $diff += 0x2b - 0x30 - 10; // -15 + $diff -= ((61 - $src) >> 8) & 15; + + // if ($src > 62) $diff += 0x2f - 0x2b - 1; // 3 + $diff += ((62 - $src) >> 8) & 3; + + return \pack('C', $src + $diff); + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/Base64DotSlash.php b/vendor/paragonie/constant_time_encoding/src/Base64DotSlash.php new file mode 100644 index 00000000..7f975139 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base64DotSlash.php @@ -0,0 +1,88 @@ + 0x2d && $src < 0x30) ret += $src - 0x2e + 1; // -45 + $ret += (((0x2d - $src) & ($src - 0x30)) >> 8) & ($src - 45); + + // if ($src > 0x40 && $src < 0x5b) ret += $src - 0x41 + 2 + 1; // -62 + $ret += (((0x40 - $src) & ($src - 0x5b)) >> 8) & ($src - 62); + + // if ($src > 0x60 && $src < 0x7b) ret += $src - 0x61 + 28 + 1; // -68 + $ret += (((0x60 - $src) & ($src - 0x7b)) >> 8) & ($src - 68); + + // if ($src > 0x2f && $src < 0x3a) ret += $src - 0x30 + 54 + 1; // 7 + $ret += (((0x2f - $src) & ($src - 0x3a)) >> 8) & ($src + 7); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 6-bit integers. + * + * @param int $src + * @return string + */ + protected static function encode6Bits(int $src): string + { + $src += 0x2e; + + // if ($src > 0x2f) $src += 0x41 - 0x30; // 17 + $src += ((0x2f - $src) >> 8) & 17; + + // if ($src > 0x5a) $src += 0x61 - 0x5b; // 6 + $src += ((0x5a - $src) >> 8) & 6; + + // if ($src > 0x7a) $src += 0x30 - 0x7b; // -75 + $src -= ((0x7a - $src) >> 8) & 75; + + return \pack('C', $src); + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/Base64DotSlashOrdered.php b/vendor/paragonie/constant_time_encoding/src/Base64DotSlashOrdered.php new file mode 100644 index 00000000..3fb4209e --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base64DotSlashOrdered.php @@ -0,0 +1,82 @@ + 0x2d && $src < 0x3a) ret += $src - 0x2e + 1; // -45 + $ret += (((0x2d - $src) & ($src - 0x3a)) >> 8) & ($src - 45); + + // if ($src > 0x40 && $src < 0x5b) ret += $src - 0x41 + 12 + 1; // -52 + $ret += (((0x40 - $src) & ($src - 0x5b)) >> 8) & ($src - 52); + + // if ($src > 0x60 && $src < 0x7b) ret += $src - 0x61 + 38 + 1; // -58 + $ret += (((0x60 - $src) & ($src - 0x7b)) >> 8) & ($src - 58); + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 6-bit integers. + * + * @param int $src + * @return string + */ + protected static function encode6Bits(int $src): string + { + $src += 0x2e; + + // if ($src > 0x39) $src += 0x41 - 0x3a; // 7 + $src += ((0x39 - $src) >> 8) & 7; + + // if ($src > 0x5a) $src += 0x61 - 0x5b; // 6 + $src += ((0x5a - $src) >> 8) & 6; + + return \pack('C', $src); + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/Base64UrlSafe.php b/vendor/paragonie/constant_time_encoding/src/Base64UrlSafe.php new file mode 100644 index 00000000..f250095d --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Base64UrlSafe.php @@ -0,0 +1,95 @@ + 0x40 && $src < 0x5b) $ret += $src - 0x41 + 1; // -64 + $ret += (((0x40 - $src) & ($src - 0x5b)) >> 8) & ($src - 64); + + // if ($src > 0x60 && $src < 0x7b) $ret += $src - 0x61 + 26 + 1; // -70 + $ret += (((0x60 - $src) & ($src - 0x7b)) >> 8) & ($src - 70); + + // if ($src > 0x2f && $src < 0x3a) $ret += $src - 0x30 + 52 + 1; // 5 + $ret += (((0x2f - $src) & ($src - 0x3a)) >> 8) & ($src + 5); + + // if ($src == 0x2c) $ret += 62 + 1; + $ret += (((0x2c - $src) & ($src - 0x2e)) >> 8) & 63; + + // if ($src == 0x5f) ret += 63 + 1; + $ret += (((0x5e - $src) & ($src - 0x60)) >> 8) & 64; + + return $ret; + } + + /** + * Uses bitwise operators instead of table-lookups to turn 8-bit integers + * into 6-bit integers. + * + * @param int $src + * @return string + */ + protected static function encode6Bits(int $src): string + { + $diff = 0x41; + + // if ($src > 25) $diff += 0x61 - 0x41 - 26; // 6 + $diff += ((25 - $src) >> 8) & 6; + + // if ($src > 51) $diff += 0x30 - 0x61 - 26; // -75 + $diff -= ((51 - $src) >> 8) & 75; + + // if ($src > 61) $diff += 0x2d - 0x30 - 10; // -13 + $diff -= ((61 - $src) >> 8) & 13; + + // if ($src > 62) $diff += 0x5f - 0x2b - 1; // 3 + $diff += ((62 - $src) >> 8) & 49; + + return \pack('C', $src + $diff); + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/Binary.php b/vendor/paragonie/constant_time_encoding/src/Binary.php new file mode 100644 index 00000000..1028e66e --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/Binary.php @@ -0,0 +1,98 @@ += 0) { + $length = self::safeStrlen($str) - $start; + } else { + $length = -$start; + } + } + // $length calculation above might result in a 0-length string + if ($length === 0) { + return ''; + } + return \mb_substr($str, $start, $length, '8bit'); + } + if ($length === 0) { + return ''; + } + // Unlike mb_substr(), substr() doesn't accept NULL for length + if ($length !== null) { + return \substr($str, $start, $length); + } else { + return \substr($str, $start); + } + } +} \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/src/EncoderInterface.php b/vendor/paragonie/constant_time_encoding/src/EncoderInterface.php new file mode 100644 index 00000000..ca699168 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/EncoderInterface.php @@ -0,0 +1,52 @@ +> 4; + $hex .= pack( + 'CC', + (87 + $b + ((($b - 10) >> 8) & ~38)), + (87 + $c + ((($c - 10) >> 8) & ~38)) + ); + } + return $hex; + } + + /** + * Convert a binary string into a hexadecimal string without cache-timing + * leaks, returning uppercase letters (as per RFC 4648) + * + * @param string $bin_string (raw binary) + * @return string + */ + public static function encodeUpper(string $bin_string): string + { + $hex = ''; + $len = Binary::safeStrlen($bin_string); + for ($i = 0; $i < $len; ++$i) { + $chunk = \unpack('C', Binary::safeSubstr($bin_string, $i, 2)); + $c = $chunk[1] & 0xf; + $b = $chunk[1] >> 4; + $hex .= pack( + 'CC', + (55 + $b + ((($b - 10) >> 8) & ~6)), + (55 + $c + ((($c - 10) >> 8) & ~6)) + ); + } + return $hex; + } + + /** + * Convert a hexadecimal string into a binary string without cache-timing + * leaks + * + * @param string $hex_string + * @param bool $strictPadding + * @return string (raw binary) + * @throws \RangeException + */ + public static function decode(string $hexString, bool $strictPadding = false): string + { + $hex_pos = 0; + $bin = ''; + $c_acc = 0; + $hex_len = Binary::safeStrlen($hexString); + $state = 0; + if (($hex_len & 1) !== 0) { + if ($strictPadding) { + throw new \RangeException( + 'Expected an even number of hexadecimal characters' + ); + } else { + $hexString = '0' . $hexString; + ++$hex_len; + } + } + + $chunk = \unpack('C*', $hexString); + while ($hex_pos < $hex_len) { + ++$hex_pos; + $c = $chunk[$hex_pos]; + $c_num = $c ^ 48; + $c_num0 = ($c_num - 10) >> 8; + $c_alpha = ($c & ~32) - 55; + $c_alpha0 = (($c_alpha - 10) ^ ($c_alpha - 16)) >> 8; + if (($c_num0 | $c_alpha0) === 0) { + throw new \RangeException( + 'hexEncode() only expects hexadecimal characters' + ); + } + $c_val = ($c_num0 & $c_num) | ($c_alpha & $c_alpha0); + if ($state === 0) { + $c_acc = $c_val * 16; + } else { + $bin .= \pack('C', $c_acc | $c_val); + } + $state ^= 1; + } + return $bin; + } +} diff --git a/vendor/paragonie/constant_time_encoding/src/RFC4648.php b/vendor/paragonie/constant_time_encoding/src/RFC4648.php new file mode 100644 index 00000000..63b2ee69 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/src/RFC4648.php @@ -0,0 +1,166 @@ + "Zm9v" + * + * @param string $str + * @return string + */ + public function base64Encode(string $str): string + { + return Base64::encode($str); + } + + /** + * RFC 4648 Base64 decoding + * + * "Zm9v" -> "foo" + * + * @param string $str + * @return string + */ + public function base64Decode(string $str): string + { + return Base64::decode($str, true); + } + + /** + * RFC 4648 Base64 (URL Safe) encoding + * + * "foo" -> "Zm9v" + * + * @param string $str + * @return string + */ + public function base64UrlSafeEncode(string $str): string + { + return Base64UrlSafe::encode($str); + } + + /** + * RFC 4648 Base64 (URL Safe) decoding + * + * "Zm9v" -> "foo" + * + * @param string $str + * @return string + */ + public function base64UrlSafeDecode(string $str): string + { + return Base64UrlSafe::decode($str, true); + } + + /** + * RFC 4648 Base32 encoding + * + * "foo" -> "MZXW6===" + * + * @param string $str + * @return string + */ + public function base32Encode(string $str): string + { + return Base32::encodeUpper($str); + } + + /** + * RFC 4648 Base32 encoding + * + * "MZXW6===" -> "foo" + * + * @param string $str + * @return string + */ + public function base32Decode(string $str): string + { + return Base32::decodeUpper($str, true); + } + + /** + * RFC 4648 Base32-Hex encoding + * + * "foo" -> "CPNMU===" + * + * @param string $str + * @return string + */ + public function base32HexEncode(string $str): string + { + return Base32::encodeUpper($str); + } + + /** + * RFC 4648 Base32-Hex decoding + * + * "CPNMU===" -> "foo" + * + * @param string $str + * @return string + */ + public function base32HexDecode(string $str): string + { + return Base32::decodeUpper($str, true); + } + + /** + * RFC 4648 Base16 decoding + * + * "foo" -> "666F6F" + * + * @param string $str + * @return string + */ + public function base16Encode(string $str): string + { + return Hex::encodeUpper($str); + } + + /** + * RFC 4648 Base16 decoding + * + * "666F6F" -> "foo" + * + * @param string $str + * @return string + */ + public function base16Decode(string $str): string + { + return Hex::decode($str, true); + } +} \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/tests/Base32HexTest.php b/vendor/paragonie/constant_time_encoding/tests/Base32HexTest.php new file mode 100644 index 00000000..68bf46ab --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base32HexTest.php @@ -0,0 +1,32 @@ +assertSame( + $random, + Base32Hex::decode($enc) + ); + + $enc = Base32Hex::encodeUpper($random); + $this->assertSame( + $random, + Base32Hex::decodeUpper($enc) + ); + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/Base32Test.php b/vendor/paragonie/constant_time_encoding/tests/Base32Test.php new file mode 100644 index 00000000..47dac373 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base32Test.php @@ -0,0 +1,32 @@ +assertSame( + $random, + Base32::decode($enc) + ); + + $enc = Base32::encodeUpper($random); + $this->assertSame( + $random, + Base32::decodeUpper($enc) + ); + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashOrderedTest.php b/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashOrderedTest.php new file mode 100644 index 00000000..cf6a0ef4 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashOrderedTest.php @@ -0,0 +1,24 @@ +assertSame( + $random, + Base64DotSlashOrdered::decode($enc) + ); + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashTest.php b/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashTest.php new file mode 100644 index 00000000..565f010d --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base64DotSlashTest.php @@ -0,0 +1,24 @@ +assertSame( + $random, + Base64DotSlash::decode($enc) + ); + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/Base64Test.php b/vendor/paragonie/constant_time_encoding/tests/Base64Test.php new file mode 100644 index 00000000..6ac3a66c --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base64Test.php @@ -0,0 +1,75 @@ +assertSame( + $random, + Base64::decode($enc) + ); + $this->assertSame( + \base64_encode($random), + $enc + ); + + $unpadded = \rtrim($enc, '='); + $this->assertSame( + $random, + Base64::decode($unpadded) + ); + } + } + $str = 'MIIFzzCCBLegAwIBAgIDAfdlMA0GCSqGSIb3DQEBBQUAMHMxCzAJBgNVBAYTAlBM' . + 'MSgwJgYDVQQKDB9LcmFqb3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMSQwIgYDVQQ' . + 'DDBtDT1BFIFNaQUZJUiAtIEt3YWxpZmlrb3dhbnkxFDASBgNVBAUTC05yIHdwaXN1Oi' . + 'A2MB4XDTExMTEwOTA2MDAwMFoXDTEzMTEwOTA2MDAwMFowgdkxCzAJBgNVBAYTAlBMM' . + 'RwwGgYDVQQKDBNVcnrEhWQgTWlhc3RhIEdkeW5pMRswGQYDVQQFExJQRVNFTDogNjEw' . + 'NjA2MDMxMTgxGTAXBgNVBAMMEEplcnp5IFByemV3b3Jza2kxTzBNBgNVBBAwRgwiQWw' . + 'uIE1hcnN6YcWCa2EgUGnFgnN1ZHNraWVnbyA1Mi81NAwNODEtMzgyIEdkeW5pYQwGUG' . + '9sc2thDAlwb21vcnNraWUxDjAMBgNVBCoMBUplcnp5MRMwEQYDVQQEDApQcnpld29yc' . + '2tpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCMm5vjGqHPthJCMqKpqssSISRo' . + 's0PYDTcEQzyyurfX67EJWKtZj6HNwuDMEGJ02iBNZfjUl7r8dIi28bSKhNlsfycXZKY' . + 'RcIjp0+r5RqtR2auo9GQ6veKb61DEAGIqaR+uLLcJVTHCu0w9oXLGbRlGth5eNoj03C' . + 'xXVAH2IfhbNwIDAQABo4IChzCCAoMwDAYDVR0TAQH/BAIwADCCAUgGA1UdIAEB/wSCA' . + 'TwwggE4MIIBNAYJKoRoAYb3IwEBMIIBJTCB3QYIKwYBBQUHAgIwgdAMgc1EZWtsYXJh' . + 'Y2phIHRhIGplc3Qgb8Wbd2lhZGN6ZW5pZW0gd3lkYXdjeSwgxbxlIHRlbiBjZXJ0eWZ' . + 'pa2F0IHpvc3RhxYIgd3lkYW55IGpha28gY2VydHlmaWthdCBrd2FsaWZpa293YW55IH' . + 'pnb2RuaWUgeiB3eW1hZ2FuaWFtaSB1c3Rhd3kgbyBwb2RwaXNpZSBlbGVrdHJvbmlje' . + 'm55bSBvcmF6IHRvd2FyenlzesSFY3ltaSBqZWogcm96cG9yesSFZHplbmlhbWkuMEMG' . + 'CCsGAQUFBwIBFjdodHRwOi8vd3d3Lmtpci5jb20ucGwvY2VydHlmaWthY2phX2tsdWN' . + '6eS9wb2xpdHlrYS5odG1sMAkGA1UdCQQCMAAwIQYDVR0RBBowGIEWai5wcnpld29yc2' . + 'tpQGdkeW5pYS5wbDAOBgNVHQ8BAf8EBAMCBkAwgZ4GA1UdIwSBljCBk4AU3TGldJXip' . + 'N4oGS3ZYmnBDMFs8gKhd6R1MHMxCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9LcmFqb3dh' . + 'IEl6YmEgUm96bGljemVuaW93YSBTLkEuMSQwIgYDVQQDDBtDT1BFIFNaQUZJUiAtIEt' . + '3YWxpZmlrb3dhbnkxFDASBgNVBAUTC05yIHdwaXN1OiA2ggJb9jBIBgNVHR8EQTA/MD' . + '2gO6A5hjdodHRwOi8vd3d3Lmtpci5jb20ucGwvY2VydHlmaWthY2phX2tsdWN6eS9DU' . + 'kxfT1pLMzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQBYPIqnAreyeql7/opJjcar/qWZ' . + 'y9ruhB2q0lZFsJOhwgMnbQXzp/4vv93YJqcHGAXdHP6EO8FQX47mjo2ZKQmi+cIHJHL' . + 'ONdX/3Im+M17V0iNAh7Z1lOSfTRT+iiwe/F8phcEaD5q2RmvYusR7zXZq/cLL0If0hX' . + 'oPZ/EHQxjN8pxzxiUx6bJAgturnIMEfRNesxwghdr1dkUjOhGLf3kHVzgM6j3VAM7oF' . + 'mMUb5y5s96Bzl10DodWitjOEH0vvnIcsppSxH1C1dCAi0o9f/1y2XuLNhBNHMAyTqpY' . + 'PX8Yvav1c+Z50OMaSXHAnTa20zv8UtiHbaAhwlifCelUMj93S'; + + try { + Base64::decode($str, true); + $this->fail('Strict padding not enforced'); + } catch (\Exception $ex) { + + $this->assertSame( + Base64::decode($str), + \base64_decode($str) + ); + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/Base64UrlSafeTest.php b/vendor/paragonie/constant_time_encoding/tests/Base64UrlSafeTest.php new file mode 100644 index 00000000..806dbaeb --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/Base64UrlSafeTest.php @@ -0,0 +1,29 @@ +assertSame( + $random, + Base64UrlSafe::decode($enc) + ); + $this->assertSame( + \strtr(\base64_encode($random), '+/', '-_'), + $enc + ); + + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/EncodingTest.php b/vendor/paragonie/constant_time_encoding/tests/EncodingTest.php new file mode 100644 index 00000000..0c3ebaf9 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/EncodingTest.php @@ -0,0 +1,307 @@ +assertSame( + Encoding::base32Encode("\x00"), + 'aa======' + ); + $this->assertSame( + Encoding::base32Encode("\x00\x00"), + 'aaaa====' + ); + $this->assertSame( + Encoding::base32Encode("\x00\x00\x00"), + 'aaaaa===' + ); + $this->assertSame( + Encoding::base32Encode("\x00\x00\x00\x00"), + 'aaaaaaa=' + ); + $this->assertSame( + Encoding::base32Encode("\x00\x00\x00\x00\x00"), + 'aaaaaaaa' + ); + $this->assertSame( + Encoding::base32Encode("\x00\x00\x0F\xFF\xFF"), + 'aaaa7777' + ); + $this->assertSame( + Encoding::base32Encode("\xFF\xFF\xF0\x00\x00"), + '7777aaaa' + ); + + $this->assertSame( + Encoding::base32Encode("\xce\x73\x9c\xe7\x39"), + 'zzzzzzzz' + ); + $this->assertSame( + Encoding::base32Encode("\xd6\xb5\xad\x6b\x5a"), + '22222222' + ); + $this->assertSame( + Base32::encodeUpper("\x00"), + 'AA======' + ); + $this->assertSame( + Base32::encodeUpper("\x00\x00"), + 'AAAA====' + ); + $this->assertSame( + Base32::encodeUpper("\x00\x00\x00"), + 'AAAAA===' + ); + $this->assertSame( + Base32::encodeUpper("\x00\x00\x00\x00"), + 'AAAAAAA=' + ); + $this->assertSame( + Base32::encodeUpper("\x00\x00\x00\x00\x00"), + 'AAAAAAAA' + ); + $this->assertSame( + Base32::encodeUpper("\x00\x00\x0F\xFF\xFF"), + 'AAAA7777' + ); + $this->assertSame( + Base32::encodeUpper("\xFF\xFF\xF0\x00\x00"), + '7777AAAA' + ); + + $this->assertSame( + Base32::encodeUpper("\xce\x73\x9c\xe7\x39"), + 'ZZZZZZZZ' + ); + $this->assertSame( + Base32::encodeUpper("\xd6\xb5\xad\x6b\x5a"), + '22222222' + ); + } + + public function testBase32Hex() + { + $this->assertSame( + Base32Hex::encode("\x00"), + '00======' + ); + $this->assertSame( + Base32Hex::encode("\x00\x00"), + '0000====' + ); + $this->assertSame( + Base32Hex::encode("\x00\x00\x00"), + '00000===' + ); + $this->assertSame( + Base32Hex::encode("\x00\x00\x00\x00"), + '0000000=' + ); + $this->assertSame( + Base32Hex::encode("\x00\x00\x00\x00\x00"), + '00000000' + ); + $this->assertSame( + Base32Hex::encode("\x00\x00\x0F\xFF\xFF"), + '0000vvvv' + ); + $this->assertSame( + Base32Hex::encode("\xFF\xFF\xF0\x00\x00"), + 'vvvv0000' + ); + + + } + + /** + * Based on test vectors from RFC 4648 + */ + public function testBase32Decode() + { + $this->assertSame( + "\x00\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaaaa======') + ); + $this->assertSame( + "\x00\x00\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaaaaaa====') + ); + $this->assertSame( + "\x00\x00\x00\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaaaaaaa===') + ); + $this->assertSame( + "\x00\x00\x00\x00\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaaaaaaaaa=') + ); + $this->assertSame( + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaaaaaaaaaa') + ); + $this->assertSame( + "\x00", + Encoding::base32Decode('aa======') + ); + $this->assertSame( + "\x00\x00", + Encoding::base32Decode('aaaa====') + ); + $this->assertSame( + "\x00\x00\x00", + Encoding::base32Decode('aaaaa===') + ); + $this->assertSame( + "\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaa=') + ); + $this->assertSame( + "\x00\x00\x00\x00\x00", + Encoding::base32Decode('aaaaaaaa') + ); + $this->assertSame( + "\x00\x00\x0F\xFF\xFF", + Encoding::base32Decode('aaaa7777') + ); + $this->assertSame( + "\xFF\xFF\xF0\x00\x00", + Encoding::base32Decode('7777aaaa') + ); + $this->assertSame( + "\xce\x73\x9c\xe7\x39", + Encoding::base32Decode('zzzzzzzz') + ); + $this->assertSame( + "\xd6\xb5\xad\x6b\x5a", + Encoding::base32Decode('22222222') + ); + $this->assertSame( + 'foobar', + Encoding::base32Decode('mzxw6ytboi======') + ); + + $rand = random_bytes(9); + $enc = Encoding::base32Encode($rand); + + $this->assertSame( + Encoding::base32Encode($rand), + Encoding::base32Encode(Encoding::base32Decode($enc)) + ); + $this->assertSame( + $rand, + Encoding::base32Decode($enc) + ); + } + + /** + * @covers Encoding::hexDecode() + * @covers Encoding::hexEncode() + * @covers Encoding::base32Decode() + * @covers Encoding::base32Encode() + * @covers Encoding::base64Decode() + * @covers Encoding::base64Encode() + * @covers Encoding::base64DotSlashDecode() + * @covers Encoding::base64DotSlashEncode() + * @covers Encoding::base64DotSlashOrderedDecode() + * @covers Encoding::base64DotSlashOrderedEncode() + */ + public function testBasicEncoding() + { + // Re-run the test at least 3 times for each length + for ($j = 0; $j < 3; ++$j) { + for ($i = 1; $i < 84; ++$i) { + $rand = random_bytes($i); + $enc = Encoding::hexEncode($rand); + $this->assertSame( + \bin2hex($rand), + $enc, + "Hex Encoding - Length: " . $i + ); + $this->assertSame( + $rand, + Encoding::hexDecode($enc), + "Hex Encoding - Length: " . $i + ); + + // Uppercase variant: + $enc = Hex::encodeUpper($rand); + $this->assertSame( + \strtoupper(\bin2hex($rand)), + $enc, + "Hex Encoding - Length: " . $i + ); + $this->assertSame( + $rand, + Hex::decode($enc), + "HexUpper Encoding - Length: " . $i + ); + + $enc = Encoding::base32Encode($rand); + $this->assertSame( + $rand, + Encoding::base32Decode($enc), + "Base32 Encoding - Length: " . $i + ); + + $enc = Encoding::base32EncodeUpper($rand); + $this->assertSame( + $rand, + Encoding::base32DecodeUpper($enc), + "Base32Upper Encoding - Length: " . $i + ); + + $enc = Encoding::base32HexEncode($rand); + $this->assertSame( + bin2hex($rand), + bin2hex(Encoding::base32HexDecode($enc)), + "Base32Hex Encoding - Length: " . $i + ); + + $enc = Encoding::base32HexEncodeUpper($rand); + $this->assertSame( + bin2hex($rand), + bin2hex(Encoding::base32HexDecodeUpper($enc)), + "Base32HexUpper Encoding - Length: " . $i + ); + + $enc = Encoding::base64Encode($rand); + $this->assertSame( + $rand, + Encoding::base64Decode($enc), + "Base64 Encoding - Length: " . $i + ); + + $enc = Encoding::base64EncodeDotSlash($rand); + $this->assertSame( + $rand, + Encoding::base64DecodeDotSlash($enc), + "Base64 DotSlash Encoding - Length: " . $i + ); + $enc = Encoding::base64EncodeDotSlashOrdered($rand); + $this->assertSame( + $rand, + Encoding::base64DecodeDotSlashOrdered($enc), + "Base64 Ordered DotSlash Encoding - Length: " . $i + ); + + $enc = Base64UrlSafe::encode($rand); + $this->assertSame( + \strtr(\base64_encode($rand), '+/', '-_'), + $enc + ); + $this->assertSame( + $rand, + Base64UrlSafe::decode($enc) + ); + } + } + } +} \ No newline at end of file diff --git a/vendor/paragonie/constant_time_encoding/tests/HexTest.php b/vendor/paragonie/constant_time_encoding/tests/HexTest.php new file mode 100644 index 00000000..18fafdb2 --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/HexTest.php @@ -0,0 +1,39 @@ +assertSame( + $random, + Hex::decode($enc) + ); + $this->assertSame( + \bin2hex($random), + $enc + ); + + $enc = Hex::encodeUpper($random); + $this->assertSame( + $random, + Hex::decode($enc) + ); + $this->assertSame( + \strtoupper(\bin2hex($random)), + $enc + ); + } + } + } +} diff --git a/vendor/paragonie/constant_time_encoding/tests/RFC4648Test.php b/vendor/paragonie/constant_time_encoding/tests/RFC4648Test.php new file mode 100644 index 00000000..8dfbb12a --- /dev/null +++ b/vendor/paragonie/constant_time_encoding/tests/RFC4648Test.php @@ -0,0 +1,84 @@ +assertSame(Base64::encode(''), ''); + $this->assertSame(Base64::encode('f'), 'Zg=='); + $this->assertSame(Base64::encode('fo'), 'Zm8='); + $this->assertSame(Base64::encode('foo'), 'Zm9v'); + $this->assertSame(Base64::encode('foob'), 'Zm9vYg=='); + $this->assertSame(Base64::encode('fooba'), 'Zm9vYmE='); + $this->assertSame(Base64::encode('foobar'), 'Zm9vYmFy'); + } + + public function testVectorBase32() + { + $this->assertSame(Base32::encode(''), ''); + $this->assertSame(Base32::encode('f'), 'my======'); + $this->assertSame(Base32::encode('fo'), 'mzxq===='); + $this->assertSame(Base32::encode('foo'), 'mzxw6==='); + $this->assertSame(Base32::encode('foob'), 'mzxw6yq='); + $this->assertSame(Base32::encode('fooba'), 'mzxw6ytb'); + $this->assertSame(Base32::encode('foobar'), 'mzxw6ytboi======'); + + $this->assertSame(Base32::encodeUpper(''), ''); + $this->assertSame(Base32::encodeUpper('f'), 'MY======'); + $this->assertSame(Base32::encodeUpper('fo'), 'MZXQ===='); + $this->assertSame(Base32::encodeUpper('foo'), 'MZXW6==='); + $this->assertSame(Base32::encodeUpper('foob'), 'MZXW6YQ='); + $this->assertSame(Base32::encodeUpper('fooba'), 'MZXW6YTB'); + $this->assertSame(Base32::encodeUpper('foobar'), 'MZXW6YTBOI======'); + } + + public function testVectorBase32Hex() + { + $this->assertSame(Base32Hex::encode(''), ''); + $this->assertSame(Base32Hex::encode('f'), 'co======'); + $this->assertSame(Base32Hex::encode('fo'), 'cpng===='); + $this->assertSame(Base32Hex::encode('foo'), 'cpnmu==='); + $this->assertSame(Base32Hex::encode('foob'), 'cpnmuog='); + $this->assertSame(Base32Hex::encode('fooba'), 'cpnmuoj1'); + $this->assertSame(Base32Hex::encode('foobar'), 'cpnmuoj1e8======'); + + $this->assertSame(Base32Hex::encodeUpper(''), ''); + $this->assertSame(Base32Hex::encodeUpper('f'), 'CO======'); + $this->assertSame(Base32Hex::encodeUpper('fo'), 'CPNG===='); + $this->assertSame(Base32Hex::encodeUpper('foo'), 'CPNMU==='); + $this->assertSame(Base32Hex::encodeUpper('foob'), 'CPNMUOG='); + $this->assertSame(Base32Hex::encodeUpper('fooba'), 'CPNMUOJ1'); + $this->assertSame(Base32Hex::encodeUpper('foobar'), 'CPNMUOJ1E8======'); + } + + public function testVectorBase16() + { + $this->assertSame(Hex::encode(''), ''); + $this->assertSame(Hex::encode('f'), '66'); + $this->assertSame(Hex::encode('fo'), '666f'); + $this->assertSame(Hex::encode('foo'), '666f6f'); + $this->assertSame(Hex::encode('foob'), '666f6f62'); + $this->assertSame(Hex::encode('fooba'), '666f6f6261'); + $this->assertSame(Hex::encode('foobar'), '666f6f626172'); + + $this->assertSame(Hex::encodeUpper(''), ''); + $this->assertSame(Hex::encodeUpper('f'), '66'); + $this->assertSame(Hex::encodeUpper('fo'), '666F'); + $this->assertSame(Hex::encodeUpper('foo'), '666F6F'); + $this->assertSame(Hex::encodeUpper('foob'), '666F6F62'); + $this->assertSame(Hex::encodeUpper('fooba'), '666F6F6261'); + $this->assertSame(Hex::encodeUpper('foobar'), '666F6F626172'); + } +} diff --git a/vendor/paragonie/random_compat/CHANGELOG.md b/vendor/paragonie/random_compat/CHANGELOG.md new file mode 100644 index 00000000..247deace --- /dev/null +++ b/vendor/paragonie/random_compat/CHANGELOG.md @@ -0,0 +1,260 @@ +### Version 2.0.2 - 2016-04-03 + +Added a consistency check (discovered by Taylor Hornby in his +[PHP encryption library](https://github.com/defuse/php-encryption)). It +wasn't likely causing any trouble for us. + +### Version 2.0.1 - 2016-03-18 + +Update comment in random.php + +### Version 2.0.0 - 2016-03-18 + +Due to downstream errors, the OpenSSL removal now belongs in version +2.0.0. + +### Version 1.3.1 - 2016-03-18 + +* Add more possible values to `open_baseir` check. + +### Version 1.3.0 - 2016-03-17 + +* Removed `openssl_random_pseudo_bytes()` entirely. If you are using + random_compat in PHP on a Unix-like OS but cannot access + `/dev/urandom`, version 1.3+ will throw an `Exception`. If you want to + trust OpenSSL, feel free to write your own fallback code. e.g. + + ```php + try { + $bytes = random_bytes(32); + } catch (Exception $ex) { + $strong = false; + $bytes = openssl_random_pseudo_bytes(32, $strong); + if (!$strong) { + throw $ex; + } + } + ``` + +### Version 1.2.2 - 2016-03-11 + +* To prevent applications from hanging, if `/dev/urandom` is not + accessible to PHP, skip mcrypt (which just fails before giving OpenSSL + a chance and was morally equivalent to not offering OpenSSL at all). + +### Version 1.2.1 - 2016-02-29 + +* PHP 5.6.10 - 5.6.12 will hang when mcrypt is used on Unix-based operating + systems ([PHP bug 69833](https://bugs.php.net/bug.php?id=69833)). If you are + running one of these versions, please upgrade (or make sure `/dev/urandom` is + readable) otherwise you're relying on OpenSSL. + +### Version 1.2.0 - 2016-02-05 + +* Whitespace and other cosmetic changes +* Added a changelog. +* We now ship with a command line utility to build a PHP Archive from the + command line. + + Every time we publish a new release, we will also upload a .phar + to Github. Our public key is signed by our GPG key. + +### Version 1.1.6 - 2016-01-29 + +* Eliminate `open_basedir` warnings by detecting this configuration setting. + (Thanks [@oucil](https://github.com/oucil) for reporting this.) +* Added install instructions to the README. +* Documentation cleanup (there is, in fact, no `MCRYPT_CREATE_IV` constant, I + meant to write `MCRYPT_DEV_URANDOM`) + +### Version 1.1.5 - 2016-01-06 + +Prevent fatal errors on platforms with older versions of libsodium. + +### Version 1.1.4 - 2015-12-10 + +Thanks [@narfbg](https://github.com/narfbg) for [critiquing the previous patch](https://github.com/paragonie/random_compat/issues/79#issuecomment-163590589) +and suggesting a fix. + +### Version 1.1.3 - 2015-12-09 + +The test for COM in disabled_classes is now case-insensitive. + +### Version 1.1.2 - 2015-12-09 + +Don't instantiate COM if it's a disabled class. Removes the E_WARNING on Windows. + +### Version 1.1.1 - 2015-11-30 + +Fix a performance issue with `/dev/urandom` buffering. + +### Version 1.1.0 - 2015-11-09 + +Fix performance issues with ancient versions of PHP on Windows, but dropped +support for PHP < 5.4.1 without mcrypt on Windows 7+ in the process. Since this + is a BC break, semver dictates a minor version bump. + +### Version 1.0.10 - 2015-10-23 + +* Avoid a performance killer with OpenSSL on Windows PHP 5.3.0 - 5.3.3 that was + affecting [WordPress users](https://core.trac.wordpress.org/ticket/34409). +* Use `$var = null` instead of `unset($var)` to avoid triggering the garbage + collector and slowing things down. + +### Version 1.0.9 - 2015-10-20 + +There is an outstanding issue `mcrypt_create_iv()` and PHP 7's `random_bytes()` +on Windows reported by [@nicolas-grekas](https://github.com/nicolas-grekas) caused by `proc_open()` and environment +variable handling (discovered by Appveyor when developing Symfony). + +Since the break is consistent, it's not our responsibility to fix it, but we +should fail the same way PHP 7 will (i.e. throw an `Exception` rather than raise +an error and then throw an `Exception`). + +### Version 1.0.8 - 2015-10-18 + +* Fix usability issues with Windows (`new COM('CAPICOM.Utilities.1')` is not + always available). +* You can now test all the possible drivers by running `phpunit.sh each` in the + `tests` directory. + +### Version 1.0.7 - 2015-10-16 + +Several large integer handling bugfixes were contributed by [@oittaa](https://github.com/oittaa). + +### Version 1.0.6 - 2015-10-15 + +Don't let the version number fool you, this was a pretty significant change. + +1. Added support for ext-libsodium, if it exists on the system. This is morally + equivalent to adding `getrandom(2)` support without having to expose the + syscall interface in PHP-land. +2. Relaxed open_basedir restrictions. In previous versions, if open_basedir was + set, PHP wouldn't even try to read from `/dev/urandom`. Now it will still do + so if you can. +3. Fixed integer casting inconsistencies between random_compat and PHP 7. +4. Handle edge cases where an integer overflow turns one of the parameters into + a float. + +One change that we discussed was making `random_bytes()` and `random_int()` +strict typed; meaning you could *only* pass integers to either function. While +most veteran programmers are probably only doing this already (we strongly +encourage it), it wouldn't be consistent with how these functions behave in PHP +7. Please use these functions responsibly. + +We've had even more of the PHP community involved in this release; the +contributors list has been updated. If I forgot anybody, I promise you it's not +because your contributions (either code or ideas) aren't valued, it's because +I'm a bit overloaded with information at the moment. Please let me know +immediately and I will correct my oversight. + +Thanks everyone for helping make random_compat better. + +### Version 1.0.5 - 2015-10-08 + +Got rid of the methods in the `Throwable` interface, which was causing problems +on PHP 5.2. While we would normally not care about 5.2 (since [5.4 and earlier are EOL'd](https://secure.php.net/supported-versions.php)), +we do want to encourage widespread adoption (e.g. [Wordpress](https://core.trac.wordpress.org/ticket/28633)). + +### Version 1.0.4 - 2015-10-02 + +Removed redundant `if()` checks, since `lib/random.php` is the entrypoint people +should use. + +### Version 1.0.3 - 2015-10-02 + +This release contains bug fixes contributed by the community. + +* Avoid a PHP Notice when PHP is running without the mbstring extension +* Use a compatible version of PHPUnit for testing on older versions of PHP + +Although none of these bugs were outright security-affecting, updating ASAP is +still strongly encouraged. + +### Version 1.0.2 - 2015-09-23 + +Less strict input validation on `random_int()` parameters. PHP 7's `random_int()` +accepts strings and floats that look like numbers, so we should too. + +Thanks [@dd32](https://github.com/@dd32) for correcting this oversight. + +### Version 1.0.1 - 2015-09-10 + +Instead of throwing an Exception immediately on insecure platforms, only do so +when `random_bytes()` is invoked. + +### Version 1.0.0 - 2015-09-07 + +Our API is now stable and forward-compatible with the CSPRNG features in PHP 7 +(as of 7.0.0 RC3). + +A lot of great people have contributed their time and expertise to make this +compatibility library possible. That this library has reached a stable release +is more a reflection on the community than it is on PIE. + +We are confident that random_compat will serve as the simplest and most secure +CSPRNG interface available for PHP5 projects. + +### Version 0.9.7 (pre-release) - 2015-09-01 + +An attempt to achieve compatibility with Error/TypeError in the RFC. + +This should be identical to 1.0.0 sans any last-minute changes or performance enhancements. + +### Version 0.9.6 (pre-release) - 2015-08-06 + +* Split the implementations into their own file (for ease of auditing) +* Corrected the file type check after `/dev/urandom` has been opened (thanks + [@narfbg](https://github.com/narfbg) and [@jedisct1](https://github.com/jedisct1)) + +### Version 0.9.5 (pre-release) - 2015-07-31 + +* Validate that `/dev/urandom` is a character device + * Reported by [@lokdnet](https://twitter.com/lokdnet) + * Investigated by [@narfbg](https://github.com/narfbg) and [frymaster](http://stackoverflow.com/users/1226810/frymaster) on [StackOverflow](http://stackoverflow.com/q/31631066/2224584) +* Remove support for `/dev/arandom` which is an old OpenBSD feature, thanks [@jedisct1](https://github.com/jedisct1) +* Prevent race conditions on the `filetype()` check, thanks [@jedisct1](https://github.com/jedisct1) +* Buffer file reads to 8 bytes (performance optimization; PHP defaults to 8192 bytes) + +### Version 0.9.4 (pre-release) - 2015-07-27 + +* Add logic to verify that `/dev/arandom` and `/dev/urandom` are actually devices. +* Some clean-up in the comments + +### Version 0.9.3 (pre-release) - 2015-07-22 + +Unless the Exceptions change to PHP 7 fails, this should be the last pre-release +version. If need be, we'll make one more pre-release version with compatible +behavior. + +Changes since 0.9.2: + +* Prioritize `/dev/arandom` and `/dev/urandom` over mcrypt. +[@oittaa](https://github.com/oittaa) removed the -1 and +1 juggling on `$range` calculations for `random_int()` +* Whitespace and comment clean-up, plus better variable names +* Actually put a description in the composer.json file... + +### Version 0.9.2 (pre-release) - 2015-07-16 + +* Consolidated `$range > PHP_INT_MAX` logic with `$range <= PHP_INT_MAX` (thanks + [@oittaa](https://github.com/oittaa) and [@CodesInChaos](https://github.com/CodesInChaos)) +* `tests/phpunit.sh` now also runs the tests with `mbstring.func_overload` and + `open_basedir` +* Style consistency, whitespace cleanup, more meaningful variable names + +### Version 0.9.1 (pre-release) - 2015-07-09 + +* Return random values on integer ranges > `PHP_INT_MAX` (thanks [@CodesInChaos](https://github.com/CodesInChaos)) +* Determined CSPRNG preference: + 1. `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM` + 2. `/dev/arandom` + 3. `/dev/urandom` + 4. `openssl_random_pseudo_bytes()` +* Optimized backend selection (thanks [@lt](https://github.com/lt)) +* Fix #3 (thanks [@scottchiefbaker](https://github.com/scottchiefbaker)) + +### Version 0.9.0 (pre-release) - 2015-07-07 + +This should be a sane polyfill for PHP 7's `random_bytes()` and `random_int()`. +We hesitate to call it production ready until it has received sufficient third +party review. \ No newline at end of file diff --git a/vendor/paragonie/random_compat/ERRATA.md b/vendor/paragonie/random_compat/ERRATA.md new file mode 100644 index 00000000..0561630d --- /dev/null +++ b/vendor/paragonie/random_compat/ERRATA.md @@ -0,0 +1,34 @@ +## Errata (Design Decisions) + +### Reasoning Behind the Order of Preferred Random Data Sources + +The order is: + + 1. `libsodium if available` + 2. `fread() /dev/urandom if available` + 3. `mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)` + 4. `COM('CAPICOM.Utilities.1')->GetRandom()` + +If libsodium is available, we get random data from it. This is the preferred +method on all OSes, but libsodium is not very widely installed, so other +fallbacks are available. + +Next, we read `/dev/urandom` (if it exists). This is the preferred file to read +for random data for cryptographic purposes for BSD and Linux. + +Despite [strongly urging people not to use mcrypt in their projects](https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong), +because libmcrypt is abandonware and the API puts too much responsibility on the +implementor, we prioritize `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM` above +the remaining implementations. + +The reason is simple: `mcrypt_create_iv()` is part of PHP's `ext/mcrypt` code, +and is not part `libmcrypt`. It actually does the right thing: + + * On Unix-based operating systems, it reads from `/dev/urandom`, which unlike `/dev/random` + is the sane and correct thing to do. + * On Windows, it reads from `CryptGenRandom`, which is an exclusively Windows + way to get random bytes. + +If we're on Windows and don't have access to `mcrypt`, we use `CAPICOM.Utilities.1`. + +As of random_compat 1.3, we no longer fall through to OpenSSL. diff --git a/vendor/paragonie/random_compat/LICENSE b/vendor/paragonie/random_compat/LICENSE new file mode 100644 index 00000000..45c7017d --- /dev/null +++ b/vendor/paragonie/random_compat/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2015 Paragon Initiative Enterprises + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + diff --git a/vendor/paragonie/random_compat/README.md b/vendor/paragonie/random_compat/README.md new file mode 100644 index 00000000..80560862 --- /dev/null +++ b/vendor/paragonie/random_compat/README.md @@ -0,0 +1,176 @@ +# random_compat + +[![Build Status](https://travis-ci.org/paragonie/random_compat.svg?branch=master)](https://travis-ci.org/paragonie/random_compat) +[![Scrutinizer](https://scrutinizer-ci.com/g/paragonie/random_compat/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/paragonie/random_compat) + +PHP 5.x polyfill for `random_bytes()` and `random_int()` created and maintained +by [Paragon Initiative Enterprises](https://paragonie.com). + +Although this library *should* function in earlier versions of PHP, we will only +consider issues relevant to [supported PHP versions](https://secure.php.net/supported-versions.php). +**If you are using an unsupported version of PHP, please upgrade as soon as possible.** + +## Important + +Although this library has been examined by some security experts in the PHP +community, there will always be a chance that we overlooked something. Please +ask your favorite trusted hackers to hammer it for implementation errors and +bugs before even thinking about deploying it in production. + +**Do not use the master branch, use a [stable release](https://github.com/paragonie/random_compat/releases/latest).** + +For the background of this library, please refer to our blog post on +[Generating Random Integers and Strings in PHP](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php). + +### Usability Notice + +If PHP cannot safely generate random data, this library will throw an `Exception`. +It will never fall back to insecure random data. If this keeps happening, upgrade +to a newer version of PHP immediately. + +## Installing + +**With [Composer](https://getcomposer.org):** + + composer require paragonie/random_compat + +**Signed PHP Archive:** + +As of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable +release on Github. + +1. Download [the `.phar`, `.phar.pubkey`, and `.phar.pubkey.asc`](https://github.com/paragonie/random_compat/releases/latest) files. +2. (**Recommended** but not required) Verify the PGP signature of `.phar.pubkey` + (contained within the `.asc` file) using the [PGP public key for Paragon Initiative Enterprises](https://paragonie.com/static/gpg-public-key.txt). +3. Extract both `.phar` and `.phar.pubkey` files to the same directory. +4. `require_once "/path/to/random_compat.phar";` +5. When a new version is released, you only need to replace the `.phar` file; + the `.pubkey` will not change (unless our signing key is ever compromised). + +**Manual Installation:** + +1. Download [a stable release](https://github.com/paragonie/random_compat/releases/latest). +2. Extract the files into your project. +3. `require_once "/path/to/random_compat/lib/random.php";` + +## Usage + +This library exposes the [CSPRNG functions added in PHP 7](https://secure.php.net/manual/en/ref.csprng.php) +for use in PHP 5 projects. Their behavior should be identical. + +### Generate a string of random bytes + +```php +try { + $string = random_bytes(32); +} catch (TypeError $e) { + // Well, it's an integer, so this IS unexpected. + die("An unexpected error has occurred"); +} catch (Error $e) { + // This is also unexpected because 32 is a reasonable integer. + die("An unexpected error has occurred"); +} catch (Exception $e) { + // If you get this message, the CSPRNG failed hard. + die("Could not generate a random string. Is our OS secure?"); +} + +var_dump(bin2hex($string)); +// string(64) "5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f" +``` + +### Generate a random integer between two given integers (inclusive) + +```php +try { + $int = random_int(0,255); + +} catch (TypeError $e) { + // Well, it's an integer, so this IS unexpected. + die("An unexpected error has occurred"); +} catch (Error $e) { + // This is also unexpected because 0 and 255 are both reasonable integers. + die("An unexpected error has occurred"); +} catch (Exception $e) { + // If you get this message, the CSPRNG failed hard. + die("Could not generate a random string. Is our OS secure?"); +} + +var_dump($int); +// int(47) +``` + +### Exception handling + +When handling exceptions and errors you must account for differences between +PHP 5 and PHP7. + +The differences: + +* Catching `Error` works, so long as it is caught before `Exception`. +* Catching `Exception` has different behavior, without previously catching `Error`. +* There is *no* portable way to catch all errors/exceptions. + +#### Our recommendation + +**Always** catch `Error` before `Exception`. + +#### Example + +```php +try { + return random_int(1, $userInput); +} catch (TypeError $e) { + // This is okay, so long as `Error` is caught before `Exception`. + throw new Exception('Please enter a number!'); +} catch (Error $e) { + // This is required, if you do not need to do anything just rethrow. + throw $e; +} catch (Exception $e) { + // This is optional and maybe omitted if you do not want to handle errors + // during generation. + throw new InternalServerErrorException( + 'Oops, our server is bust and cannot generate any random data.', + 500, + $e + ); +} +``` + +## Contributors + +This project would not be anywhere near as excellent as it is today if it +weren't for the contributions of the following individuals: + +* [@AndrewCarterUK (Andrew Carter)](https://github.com/AndrewCarterUK) +* [@asgrim (James Titcumb)](https://github.com/asgrim) +* [@bcremer (Benjamin Cremer)](https://github.com/bcremer) +* [@CodesInChaos (Christian Winnerlein)](https://github.com/CodesInChaos) +* [@chriscct7 (Chris Christoff)](https://github.com/chriscct7) +* [@cs278 (Chris Smith)](https://github.com/cs278) +* [@cweagans (Cameron Eagans)](https://github.com/cweagans) +* [@dd32 (Dion Hulse)](https://github.com/dd32) +* [@geggleto (Glenn Eggleton)](https://github.com/geggleto) +* [@ircmaxell (Anthony Ferrara)](https://github.com/ircmaxell) +* [@jedisct1 (Frank Denis)](https://github.com/jedisct1) +* [@juliangut (Julián Gutiérrez)](https://github.com/juliangut) +* [@kelunik (Niklas Keller)](https://github.com/kelunik) +* [@lt (Leigh)](https://github.com/lt) +* [@MasonM (Mason Malone)](https://github.com/MasonM) +* [@mmeyer2k (Michael M)](https://github.com/mmeyer2k) +* [@narfbg (Andrey Andreev)](https://github.com/narfbg) +* [@nicolas-grekas (Nicolas Grekas)](https://github.com/nicolas-grekas) +* [@oittaa](https://github.com/oittaa) +* [@oucil (Kevin Farley)](https://github.com/oucil) +* [@redragonx (Stephen Chavez)](https://github.com/redragonx) +* [@rchouinard (Ryan Chouinard)](https://github.com/rchouinard) +* [@SammyK (Sammy Kaye Powers)](https://github.com/SammyK) +* [@scottchiefbaker (Scott Baker)](https://github.com/scottchiefbaker) +* [@skyosev (Stoyan Kyosev)](https://github.com/skyosev) +* [@stof (Christophe Coevoet)](https://github.com/stof) +* [@teohhanhui (Teoh Han Hui)](https://github.com/teohhanhui) +* [@tom-- (Tom Worster)](https://github.com/tom--) +* [@tsyr2ko](https://github.com/tsyr2ko) +* [@trowski (Aaron Piotrowski)](https://github.com/trowski) +* [@twistor (Chris Lepannen)](https://github.com/twistor) +* [@voku (Lars Moelleken)](https://github.com/voku) +* [@xabbuh (Christian Flothmann)](https://github.com/xabbuh) diff --git a/vendor/paragonie/random_compat/SECURITY.md b/vendor/paragonie/random_compat/SECURITY.md new file mode 100644 index 00000000..8f731b38 --- /dev/null +++ b/vendor/paragonie/random_compat/SECURITY.md @@ -0,0 +1,108 @@ +# An Invitation to Security Researchers + +Every company says they take security "very seriously." Rather than bore anyone +with banal boilerplate, here are some quick answers followed by detailed +elaboration. If you have any questions about our policies, please email them to +`scott@paragonie.com`. + +## Quick Answers + +* There is no compulsion to disclose vulnerabilities privately, but we + appreciate a head's up. +* `security@paragonie.com` will get your reports to the right person. Our GPG + fingerprint, should you decide to encrypt your report, is + `7F52 D5C6 1D12 55C7 3136 2E82 6B97 A1C2 8264 04DA`. + +* **YES**, we will reward security researchers who disclose vulnerabilities in + our software. +* In most cases, **No Proof-of-Concept Required.** + +## How to Report a Security Bug to Paragon Initiative Enterprises + +### There is no compulsion to disclose privately. + +We believe vulnerability disclosure style is a personal choice and enjoy working +with a diverse community. We understand and appreciate the importance of Full +Disclosure in the history and practice of security research. + +We would *like* to know about high-severity bugs before they become public +knowledge, so we can fix them in a timely manner, but **we do not believe in +threatening researchers or trying to enforce vulnerability embargoes**. + +Ultimately, if you discover a security-affecting vulnerability, what you do with +it is your choice. We would like to work with people, and to celebrate and +reward their skill, experience, and dedication. We appreciate being informed of +our mistakes so we can learn from them and build a better product. Our goal is +to empower the community. + +### Where to Send Security Vulnerabilities + +Our security email address is `security@paragonie.com`. Also feel free to open a +new issue on Github if you want to disclose publicly. + +``` +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG + +mQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5 +qBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA +ivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0 +z1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk +6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn +syrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1 +cml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI +AgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/ +WLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD +Vj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC +9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d +cp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05 +WrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5 +AQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU +335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE +0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z +vy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm +hjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy +gF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb +DAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv +rKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH +6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx +qSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje +oLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q +ha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1 +=xJPW +-----END PGP PUBLIC KEY BLOCK----- +``` + +### We Will Reward Security Researchers + +**This process has not been formalized; nor have dollar amounts been +discussed.** + +However, if you report a valid security-affecting bug, we will compensate you +for the time spent finding the vulnerability and reward you for being a good +neighbor. + +#### What does a "valid" bug mean? + +There are two sides to this: + +1. Some have spammed projects with invalid bug reports hoping to collect + bounties for pressing a button and running an automated analysis tool. This + is not cool. +2. There is a potential for the developers of a project to declare all security + bug reports as invalid to save money. + +Our team members have an established history of reporting vulnerabilities to +large open source projects. **We aren't in the business of ripping people off.** +When in doubt, our policy is to err on the side of generosity. + +### No Proof-of-Concept Required + +We might ask for one if we feel we do not understand some of the details +pertaining to a specific vulnerability. We certainly appreciate them if you +include them in your report, but we believe **the burden lies with the developer +to prove their software *is* secure** rather than with the researcher to prove +that it isn't. + +In our experience, most bugs are simpler to fix than they are to exploit. + diff --git a/vendor/paragonie/random_compat/build-phar.sh b/vendor/paragonie/random_compat/build-phar.sh new file mode 100755 index 00000000..b4a5ba31 --- /dev/null +++ b/vendor/paragonie/random_compat/build-phar.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +basedir=$( dirname $( readlink -f ${BASH_SOURCE[0]} ) ) + +php -dphar.readonly=0 "$basedir/other/build_phar.php" $* \ No newline at end of file diff --git a/vendor/paragonie/random_compat/composer.json b/vendor/paragonie/random_compat/composer.json new file mode 100644 index 00000000..d363f4c8 --- /dev/null +++ b/vendor/paragonie/random_compat/composer.json @@ -0,0 +1,35 @@ +{ + "name": "paragonie/random_compat", + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "random", + "pseudorandom" + ], + "license": "MIT", + "type": "library", + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "support": { + "issues": "https://github.com/paragonie/random_compat/issues", + "email": "info@paragonie.com", + "source": "https://github.com/paragonie/random_compat" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "autoload": { + "files": ["lib/random.php"] + } +} diff --git a/vendor/paragonie/random_compat/lib/byte_safe_strings.php b/vendor/paragonie/random_compat/lib/byte_safe_strings.php new file mode 100644 index 00000000..dec5d306 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/byte_safe_strings.php @@ -0,0 +1,181 @@ + RandomCompat_strlen($binary_string)) { + return false; + } + + return mb_substr($binary_string, $start, $length, '8bit'); + } + + } else { + + /** + * substr() implementation that isn't brittle to mbstring.func_overload + * + * This version just uses the default substr() + * + * @param string $binary_string + * @param int $start + * @param int $length (optional) + * + * @throws TypeError + * + * @return string + */ + function RandomCompat_substr($binary_string, $start, $length = null) + { + if (!is_string($binary_string)) { + throw new TypeError( + 'RandomCompat_substr(): First argument should be a string' + ); + } + + if (!is_int($start)) { + throw new TypeError( + 'RandomCompat_substr(): Second argument should be an integer' + ); + } + + if ($length !== null) { + if (!is_int($length)) { + throw new TypeError( + 'RandomCompat_substr(): Third argument should be an integer, or omitted' + ); + } + + return substr($binary_string, $start, $length); + } + + return substr($binary_string, $start); + } + } +} diff --git a/vendor/paragonie/random_compat/lib/cast_to_int.php b/vendor/paragonie/random_compat/lib/cast_to_int.php new file mode 100644 index 00000000..f441c5d9 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/cast_to_int.php @@ -0,0 +1,71 @@ + operators might accidentally let a float + * through. + * + * @param int|float $number The number we want to convert to an int + * @param boolean $fail_open Set to true to not throw an exception + * + * @return int (or float if $fail_open) + * + * @throws TypeError + */ + function RandomCompat_intval($number, $fail_open = false) + { + if (is_numeric($number)) { + $number += 0; + } + + if ( + is_float($number) + && + $number > ~PHP_INT_MAX + && + $number < PHP_INT_MAX + ) { + $number = (int) $number; + } + + if (is_int($number) || $fail_open) { + return $number; + } + + throw new TypeError( + 'Expected an integer.' + ); + } +} diff --git a/vendor/paragonie/random_compat/lib/error_polyfill.php b/vendor/paragonie/random_compat/lib/error_polyfill.php new file mode 100644 index 00000000..57cfefdc --- /dev/null +++ b/vendor/paragonie/random_compat/lib/error_polyfill.php @@ -0,0 +1,42 @@ +GetRandom() + * 5. openssl_random_pseudo_bytes() (absolute last resort) + * + * See ERRATA.md for our reasoning behind this particular order + */ + if (extension_loaded('libsodium')) { + // See random_bytes_libsodium.php + if (PHP_VERSION_ID >= 50300 && function_exists('\\Sodium\\randombytes_buf')) { + require_once $RandomCompatDIR.'/random_bytes_libsodium.php'; + } elseif (method_exists('Sodium', 'randombytes_buf')) { + require_once $RandomCompatDIR.'/random_bytes_libsodium_legacy.php'; + } + } + + /** + * Reading directly from /dev/urandom: + */ + if (DIRECTORY_SEPARATOR === '/') { + // DIRECTORY_SEPARATOR === '/' on Unix-like OSes -- this is a fast + // way to exclude Windows. + $RandomCompatUrandom = true; + $RandomCompat_basedir = ini_get('open_basedir'); + + if (!empty($RandomCompat_basedir)) { + $RandomCompat_open_basedir = explode( + PATH_SEPARATOR, + strtolower($RandomCompat_basedir) + ); + $RandomCompatUrandom = (array() !== array_intersect( + array('/dev', '/dev/', '/dev/urandom'), + $RandomCompat_open_basedir + )); + $RandomCompat_open_basedir = null; + } + + if ( + !function_exists('random_bytes') + && + $RandomCompatUrandom + && + @is_readable('/dev/urandom') + ) { + // Error suppression on is_readable() in case of an open_basedir + // or safe_mode failure. All we care about is whether or not we + // can read it at this point. If the PHP environment is going to + // panic over trying to see if the file can be read in the first + // place, that is not helpful to us here. + + // See random_bytes_dev_urandom.php + require_once $RandomCompatDIR.'/random_bytes_dev_urandom.php'; + } + // Unset variables after use + $RandomCompat_basedir = null; + } else { + $RandomCompatUrandom = false; + } + + /** + * mcrypt_create_iv() + */ + if ( + !function_exists('random_bytes') + && + PHP_VERSION_ID >= 50307 + && + extension_loaded('mcrypt') + && + (DIRECTORY_SEPARATOR !== '/' || $RandomCompatUrandom) + ) { + // Prevent this code from hanging indefinitely on non-Windows; + // see https://bugs.php.net/bug.php?id=69833 + if ( + DIRECTORY_SEPARATOR !== '/' || + (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613) + ) { + // See random_bytes_mcrypt.php + require_once $RandomCompatDIR.'/random_bytes_mcrypt.php'; + } + } + $RandomCompatUrandom = null; + + if ( + !function_exists('random_bytes') + && + extension_loaded('com_dotnet') + && + class_exists('COM') + ) { + $RandomCompat_disabled_classes = preg_split( + '#\s*,\s*#', + strtolower(ini_get('disable_classes')) + ); + + if (!in_array('com', $RandomCompat_disabled_classes)) { + try { + $RandomCompatCOMtest = new COM('CAPICOM.Utilities.1'); + if (method_exists($RandomCompatCOMtest, 'GetRandom')) { + // See random_bytes_com_dotnet.php + require_once $RandomCompatDIR.'/random_bytes_com_dotnet.php'; + } + } catch (com_exception $e) { + // Don't try to use it. + } + } + $RandomCompat_disabled_classes = null; + $RandomCompatCOMtest = null; + } + + /** + * throw new Exception + */ + if (!function_exists('random_bytes')) { + /** + * We don't have any more options, so let's throw an exception right now + * and hope the developer won't let it fail silently. + */ + function random_bytes($length) + { + throw new Exception( + 'There is no suitable CSPRNG installed on your system' + ); + } + } + } + + if (!function_exists('random_int')) { + require_once $RandomCompatDIR.'/random_int.php'; + } + + $RandomCompatDIR = null; +} diff --git a/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php b/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php new file mode 100644 index 00000000..34228254 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php @@ -0,0 +1,81 @@ +GetRandom($bytes, 0)); + if (RandomCompat_strlen($buf) >= $bytes) { + /** + * Return our random entropy buffer here: + */ + return RandomCompat_substr($buf, 0, $bytes); + } + ++$execCount; + } while ($execCount < $bytes); + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php b/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php new file mode 100644 index 00000000..db93b075 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php @@ -0,0 +1,148 @@ + 0); + + /** + * Is our result valid? + */ + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + /** + * Return our random entropy buffer here: + */ + return $buf; + } + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Error reading from source device' + ); +} diff --git a/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php b/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php new file mode 100644 index 00000000..f802d4e1 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php @@ -0,0 +1,86 @@ + 2147483647) { + $buf = ''; + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= \Sodium\randombytes_buf($n); + } + } else { + $buf = \Sodium\randombytes_buf($bytes); + } + + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php b/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php new file mode 100644 index 00000000..44fddbf6 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php @@ -0,0 +1,86 @@ + 2147483647) { + $buf = ''; + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= Sodium::randombytes_buf($n); + } + } else { + $buf = Sodium::randombytes_buf($bytes); + } + + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php b/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php new file mode 100644 index 00000000..7ac9d910 --- /dev/null +++ b/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php @@ -0,0 +1,76 @@ + operators might accidentally let a float + * through. + */ + + try { + $min = RandomCompat_intval($min); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $min must be an integer' + ); + } + + try { + $max = RandomCompat_intval($max); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $max must be an integer' + ); + } + + /** + * Now that we've verified our weak typing system has given us an integer, + * let's validate the logic then we can move forward with generating random + * integers along a given range. + */ + if ($min > $max) { + throw new Error( + 'Minimum value must be less than or equal to the maximum value' + ); + } + + if ($max === $min) { + return $min; + } + + /** + * Initialize variables to 0 + * + * We want to store: + * $bytes => the number of random bytes we need + * $mask => an integer bitmask (for use with the &) operator + * so we can minimize the number of discards + */ + $attempts = $bits = $bytes = $mask = $valueShift = 0; + + /** + * At this point, $range is a positive number greater than 0. It might + * overflow, however, if $max - $min > PHP_INT_MAX. PHP will cast it to + * a float and we will lose some precision. + */ + $range = $max - $min; + + /** + * Test for integer overflow: + */ + if (!is_int($range)) { + + /** + * Still safely calculate wider ranges. + * Provided by @CodesInChaos, @oittaa + * + * @ref https://gist.github.com/CodesInChaos/03f9ea0b58e8b2b8d435 + * + * We use ~0 as a mask in this case because it generates all 1s + * + * @ref https://eval.in/400356 (32-bit) + * @ref http://3v4l.org/XX9r5 (64-bit) + */ + $bytes = PHP_INT_SIZE; + $mask = ~0; + + } else { + + /** + * $bits is effectively ceil(log($range, 2)) without dealing with + * type juggling + */ + while ($range > 0) { + if ($bits % 8 === 0) { + ++$bytes; + } + ++$bits; + $range >>= 1; + $mask = $mask << 1 | 1; + } + $valueShift = $min; + } + + /** + * Now that we have our parameters set up, let's begin generating + * random integers until one falls between $min and $max + */ + do { + /** + * The rejection probability is at most 0.5, so this corresponds + * to a failure probability of 2^-128 for a working RNG + */ + if ($attempts > 128) { + throw new Exception( + 'random_int: RNG is broken - too many rejections' + ); + } + + /** + * Let's grab the necessary number of random bytes + */ + $randomByteString = random_bytes($bytes); + if ($randomByteString === false) { + throw new Exception( + 'Random number generator failure' + ); + } + + /** + * Let's turn $randomByteString into an integer + * + * This uses bitwise operators (<< and |) to build an integer + * out of the values extracted from ord() + * + * Example: [9F] | [6D] | [32] | [0C] => + * 159 + 27904 + 3276800 + 201326592 => + * 204631455 + */ + $val = 0; + for ($i = 0; $i < $bytes; ++$i) { + $val |= ord($randomByteString[$i]) << ($i * 8); + } + + /** + * Apply mask + */ + $val &= $mask; + $val += $valueShift; + + ++$attempts; + /** + * If $val overflows to a floating point number, + * ... or is larger than $max, + * ... or smaller than $min, + * then try again. + */ + } while (!is_int($val) || $val > $max || $val < $min); + + return (int) $val; +} diff --git a/vendor/paragonie/random_compat/other/build_phar.php b/vendor/paragonie/random_compat/other/build_phar.php new file mode 100644 index 00000000..70ef4b2e --- /dev/null +++ b/vendor/paragonie/random_compat/other/build_phar.php @@ -0,0 +1,57 @@ +buildFromDirectory(dirname(__DIR__).'/lib'); +rename( + dirname(__DIR__).'/lib/index.php', + dirname(__DIR__).'/lib/random.php' +); + +/** + * If we pass an (optional) path to a private key as a second argument, we will + * sign the Phar with OpenSSL. + * + * If you leave this out, it will produce an unsigned .phar! + */ +if ($argc > 1) { + if (!@is_readable($argv[1])) { + echo 'Could not read the private key file:', $argv[1], "\n"; + exit(255); + } + $pkeyFile = file_get_contents($argv[1]); + + $private = openssl_get_privatekey($pkeyFile); + if ($private !== false) { + $pkey = ''; + openssl_pkey_export($private, $pkey); + $phar->setSignatureAlgorithm(Phar::OPENSSL, $pkey); + + /** + * Save the corresponding public key to the file + */ + if (!@is_readable($dist.'/random_compat.phar.pubkey')) { + $details = openssl_pkey_get_details($private); + file_put_contents( + $dist.'/random_compat.phar.pubkey', + $details['key'] + ); + } + } else { + echo 'An error occurred reading the private key from OpenSSL.', "\n"; + exit(255); + } +}