<?php
/**
* Zend Framework (http://framework.zend.com/)
*
* @link http://github.com/zendframework/zf2 for the canonical source repository
* @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
namespace Zend\Stdlib {
use Traversable;
/**
* Utility class for testing and manipulation of PHP arrays.
*
* Declared abstract, as we have no need for instantiation.
*/
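abstract class ArrayUtils
{
    /**
     * Test whether an array contains one or more string keys.
     *
     * @param  mixed $value      Value to inspect; anything that is not an array yields false
     * @param  bool  $allowEmpty Result to return for an empty array
     * @return bool
     */
    public static function hasStringKeys($value, $allowEmpty = false)
    {
        if (!is_array($value)) {
            return false;
        }
        if (!$value) {
            return $allowEmpty;
        }
        return count(array_filter(array_keys($value), 'is_string')) > 0;
    }

    /**
     * Test whether an array contains one or more integer keys.
     *
     * @param  mixed $value      Value to inspect; anything that is not an array yields false
     * @param  bool  $allowEmpty Result to return for an empty array
     * @return bool
     */
    public static function hasIntegerKeys($value, $allowEmpty = false)
    {
        if (!is_array($value)) {
            return false;
        }
        if (!$value) {
            return $allowEmpty;
        }
        return count(array_filter(array_keys($value), 'is_int')) > 0;
    }

    /**
     * Test whether an array contains one or more numeric keys.
     *
     * Every key is passed through is_numeric(), so a key counts when it is:
     * - an integer: 1
     * - a string holding a number: '20', '-1000'
     * - a string holding a float: '4000.99999', '-10.10'
     *
     * Float literals used as keys are converted to integers by PHP when the
     * array is built, so they reach this method as integer keys.
     *
     * @param  mixed $value      Value to inspect; anything that is not an array yields false
     * @param  bool  $allowEmpty Result to return for an empty array
     * @return bool
     */
    public static function hasNumericKeys($value, $allowEmpty = false)
    {
        if (!is_array($value)) {
            return false;
        }
        if (!$value) {
            return $allowEmpty;
        }
        return count(array_filter(array_keys($value), 'is_numeric')) > 0;
    }

    /**
     * Test whether an array is a list.
     *
     * A list is a collection of values assigned to continuous integer keys
     * starting at 0 and ending at count() - 1.
     *
     * For example:
     * <code>
     * $list = array('a', 'b', 'c', 'd');
     * $list = array(
     *     0 => 'foo',
     *     1 => 'bar',
     *     2 => array('foo' => 'baz'),
     * );
     * </code>
     *
     * @param  mixed $value      Value to inspect; anything that is not an array yields false
     * @param  bool  $allowEmpty Is an empty list a valid list?
     * @return bool
     */
    public static function isList($value, $allowEmpty = false)
    {
        if (!is_array($value)) {
            return false;
        }
        if (!$value) {
            return $allowEmpty;
        }
        // array_values() re-keys to 0..n-1; identity (same keys, same order) means a list.
        return (array_values($value) === $value);
    }

    /**
     * Test whether an array is a hash table.
     *
     * An array is a hash table if:
     *
     * 1. It contains one or more non-integer keys, or
     * 2. Its integer keys are non-continuous or misaligned (not starting with 0)
     *
     * For example:
     * <code>
     * $hash = array(
     *     'foo' => 15,
     *     'bar' => false,
     * );
     * $hash = array(
     *     1995 => 'Birth of PHP',
     *     2009 => 'PHP 5.3.0',
     *     2012 => 'PHP 5.4.0',
     * );
     * $hash = array(
     *     'formElement',
     *     'options' => array('debug' => true),
     * );
     * </code>
     *
     * @param  mixed $value      Value to inspect; anything that is not an array yields false
     * @param  bool  $allowEmpty Is an empty array() a valid hash table?
     * @return bool
     */
    public static function isHashTable($value, $allowEmpty = false)
    {
        if (!is_array($value)) {
            return false;
        }
        if (!$value) {
            return $allowEmpty;
        }
        return (array_values($value) !== $value);
    }

    /**
     * Checks if a value exists in an array.
     *
     * Loose in_array() comparison can treat a non-numeric string and the
     * integer 0 as equal. When $strict is falsy, numeric needles and numeric
     * haystack entries are therefore cast to strings first, so the loose
     * comparison is string-to-string.
     *
     * NOTE(review): earlier documentation said $strict = -1 selects PHP's
     * default non-strict in_array(). As written, -1 is truthy, so the string
     * conversion is skipped and -1 is handed to in_array()'s boolean $strict
     * argument, which PHP treats as true. Confirm the intended contract before
     * relying on -1.
     *
     * @param  mixed    $needle
     * @param  array    $haystack
     * @param  int|bool $strict
     * @return bool
     */
    public static function inArray($needle, array $haystack, $strict = false)
    {
        if (!$strict) {
            if (is_int($needle) || is_float($needle)) {
                $needle = (string) $needle;
            }
            if (is_string($needle)) {
                // $haystack is a by-value copy, so rewriting entries does not touch the caller's array.
                foreach ($haystack as &$h) {
                    if (is_int($h) || is_float($h)) {
                        $h = (string) $h;
                    }
                }
                unset($h); // drop the dangling reference left by the by-reference loop
            }
        }
        return in_array($needle, $haystack, $strict);
    }

    /**
     * Convert an iterator to an array.
     *
     * With $recursive on (the default), nested arrays and Traversable values
     * are converted as well, and an object exposing toArray() is converted by
     * calling that method instead of iterating it.
     *
     * @param  array|Traversable $iterator  The array or Traversable object to convert
     * @param  bool              $recursive Recursively convert all nested structures
     * @throws Exception\InvalidArgumentException if $iterator is not an array or a Traversable object
     * @return array
     */
    public static function iteratorToArray($iterator, $recursive = true)
    {
        if (!is_array($iterator) && !$iterator instanceof Traversable) {
            throw new Exception\InvalidArgumentException(__METHOD__ . ' expects an array or Traversable object');
        }
        if (!$recursive) {
            if (is_array($iterator)) {
                return $iterator;
            }
            return iterator_to_array($iterator);
        }
        // method_exists() only accepts an object or class name; newer PHP versions
        // raise a TypeError when it is handed an array, so guard with is_object().
        if (is_object($iterator) && method_exists($iterator, 'toArray')) {
            return $iterator->toArray();
        }
        $array = array();
        foreach ($iterator as $key => $value) {
            if ($value instanceof Traversable || is_array($value)) {
                $array[$key] = static::iteratorToArray($value, $recursive);
                continue;
            }
            // Scalars, null and non-Traversable objects are copied unchanged.
            $array[$key] = $value;
        }
        return $array;
    }

    /**
     * Merge two arrays together.
     *
     * If an integer key exists in both arrays, the value from the second array
     * is appended to the first array. For a shared string key, two array
     * values are merged recursively; otherwise the value from the second array
     * overwrites the one in the first array.
     *
     * @param  array $a
     * @param  array $b
     * @return array
     */
    public static function merge(array $a, array $b)
    {
        foreach ($b as $key => $value) {
            if (array_key_exists($key, $a)) {
                if (is_int($key)) {
                    $a[] = $value;
                } elseif (is_array($value) && is_array($a[$key])) {
                    $a[$key] = static::merge($a[$key], $value);
                } else {
                    $a[$key] = $value;
                }
            } else {
                $a[$key] = $value;
            }
        }
        return $a;
    }
}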
}
namespace Zend\Crypt\Password {
/**
* Contract for password hashing adapters: one method to produce a hash from a
* plain text password and one to check a plain text password against a hash.
*/
interface PasswordInterface
{
/**
* Create a password hash for a given plain text password
*
* @param string $password The password to hash
* @return string The formatted password hash
*/
public function create($password);
/**
* Verify a plain text password against a previously created hash
*
* @param string $password The plain text password to check
* @param string $hash The stored hash to check the password against
* @return bool Does the password validate against the hash
*/
public function verify($password, $hash);
}
}
/**
* Zend Framework (http://framework.zend.com/)
*
* @link http://github.com/zendframework/zf2 for the canonical source repository
* @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
namespace Zend\Math {
use RandomLib;
/**
* Pseudorandom number generator (PRNG)
*/
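abstract class Rand
{
    /**
     * Alternative random byte generator using RandomLib
     *
     * Created lazily by getAlternativeGenerator() and reused afterwards.
     *
     * @var RandomLib\Generator
     */
    protected static $generator = null;

    /**
     * Generate random bytes.
     *
     * Sources are tried in this order and the first usable one wins:
     * 1. random_bytes(), when the runtime provides it;
     * 2. openssl_random_pseudo_bytes(), accepted only when OpenSSL reports the
     *    result as cryptographically strong;
     * 3. mcrypt_create_iv() with MCRYPT_DEV_URANDOM;
     * 4. the RandomLib medium-strength generator from getAlternativeGenerator().
     *
     * $strong only affects step 4: it raises an exception when neither a
     * readable /dev/urandom nor the COM class is present. When one of them is
     * present the RandomLib medium-strength generator is still what produces
     * the bytes, so callers generating keys or tokens should make sure one of
     * the first three sources is available.
     *
     * @param  int  $length Number of bytes wanted
     * @param  bool $strong true if you need a strong random generator (cryptography)
     * @return string|false The random bytes, or false when $length is not positive
     * @throws Exception\RuntimeException
     */
    public static function getBytes($length, $strong = false)
    {
        if ($length <= 0) {
            return false;
        }
        // Prefer the engine's own CSPRNG where it exists; older runtimes skip this.
        if (function_exists('random_bytes')) {
            try {
                return random_bytes($length);
            } catch (\Exception $e) {
                // No usable system source was found; try the legacy sources below.
            }
        }
        $bytes = '';
        if (function_exists('openssl_random_pseudo_bytes')
            && (version_compare(PHP_VERSION, '5.3.4') >= 0
            || strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')
        ) {
            $bytes = openssl_random_pseudo_bytes($length, $usable);
            // $usable is set by OpenSSL; anything but true means "not strong", so skip it.
            if (true === $usable) {
                return $bytes;
            }
        }
        if (function_exists('mcrypt_create_iv')
            && (version_compare(PHP_VERSION, '5.3.7') >= 0
            || strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')
        ) {
            $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
            if ($bytes !== false && strlen($bytes) === $length) {
                return $bytes;
            }
        }
        $checkAlternatives = (file_exists('/dev/urandom') && is_readable('/dev/urandom'))
            || class_exists('\\COM', false);
        if (true === $strong && false === $checkAlternatives) {
            throw new Exception\RuntimeException (
                'This PHP environment doesn\'t support secure random number generation. ' .
                'Please consider installing the OpenSSL and/or Mcrypt extensions'
            );
        }
        $generator = self::getAlternativeGenerator();
        return $generator->generate($length);
    }

    /**
     * Retrieve a fallback/alternative RNG generator
     *
     * Builds a RandomLib factory, registers the HashTiming source with it and
     * caches the factory's medium-strength generator for later calls.
     *
     * @return RandomLib\Generator
     * @throws Exception\RuntimeException if RandomLib is not installed
     */
    public static function getAlternativeGenerator()
    {
        if (!is_null(static::$generator)) {
            return static::$generator;
        }
        if (!class_exists('RandomLib\\Factory')) {
            throw new Exception\RuntimeException(
                'The RandomLib fallback pseudorandom number generator (PRNG) '
                . ' must be installed in the absence of the OpenSSL and '
                . 'Mcrypt extensions'
            );
        }
        $factory = new RandomLib\Factory;
        $factory->registerSource(
            'HashTiming',
            'Zend\Math\Source\HashTiming'
        );
        static::$generator = $factory->getMediumStrengthGenerator();
        return static::$generator;
    }

    /**
     * Generate random boolean
     *
     * @param  bool $strong true if you need a strong random generator (cryptography)
     * @return bool
     */
    public static function getBoolean($strong = false)
    {
        $byte = static::getBytes(1, $strong);
        // The low bit of one random byte decides the result.
        return (bool) (ord($byte) % 2);
    }

    /**
     * Generate a random integer between $min and $max (both inclusive)
     *
     * Random bytes are masked down to the bit width of the range and any
     * candidate above the range is discarded and redrawn, so every value in
     * the range is equally likely.
     *
     * @param  int  $min
     * @param  int  $max
     * @param  bool $strong true if you need a strong random generator (cryptography)
     * @return int
     * @throws Exception\DomainException
     */
    public static function getInteger($min, $max, $strong = false)
    {
        if ($min > $max) {
            throw new Exception\DomainException(
                'The min parameter must be lower than max parameter'
            );
        }
        $range = $max - $min;
        if ($range == 0) {
            return $max;
        } elseif ($range > PHP_INT_MAX || is_float($range)) {
            throw new Exception\DomainException(
                'The supplied range is too great to generate'
            );
        }
        // Count the bits of $range with integer shifts. A floating-point log()
        // can land just below a whole number for exact powers of two, which
        // would make the mask one bit too narrow and $max unreachable.
        $bits = 0;
        for ($r = $range; $r > 0; $r >>= 1) {
            $bits++;
        }
        $bytes = (int) ceil($bits / 8);
        // (1 << $bits) would overflow once $bits reaches the width of a signed integer.
        $filter = ($bits >= PHP_INT_SIZE * 8 - 1) ? PHP_INT_MAX : (1 << $bits) - 1;
        do {
            // static:: matches the other generators here, so an overriding
            // getBytes() is honoured everywhere.
            $raw = static::getBytes($bytes, $strong);
            // Assemble the integer with shifts so a full-width draw never goes
            // through a float and loses its low bits.
            $rnd = 0;
            for ($i = 0; $i < $bytes; $i++) {
                $rnd = ($rnd << 8) | ord($raw[$i]);
            }
            $rnd &= $filter;
        } while ($rnd > $range);
        return ($min + $rnd);
    }

    /**
     * Generate random float (0..1)
     * This function generates floats with platform-dependent precision
     *
     * PHP uses double precision floating-point format (64-bit) which has
     * 52-bits of significand precision. We gather 7 bytes of random data,
     * and we fix the exponent to the bias (1023). In this way we generate
     * a float of 1.mantissa.
     *
     * NOTE(review): unpack('d') uses machine byte order; the byte layout built
     * here looks like it assumes a little-endian double. Confirm for other
     * platforms.
     *
     * @param  bool $strong true if you need a strong random generator (cryptography)
     * @return float
     */
    public static function getFloat($strong = false)
    {
        $bytes = static::getBytes(7, $strong);
        $bytes[6] = $bytes[6] | chr(0xF0);
        $bytes .= chr(63); // exponent bias (1023)
        list(, $float) = unpack('d', $bytes);
        return ($float - 1);
    }

    /**
     * Generate a random string of specified length.
     *
     * Uses supplied character list for generating the new string.
     * If no character list provided - uses Base 64 character set.
     *
     * With a character list, every position is drawn through getInteger(), so
     * each character of the list is equally likely. Reducing a random byte
     * modulo the list length would favour some characters whenever that
     * length does not divide 256.
     *
     * @param  int         $length
     * @param  string|null $charlist
     * @param  bool        $strong true if you need a strong random generator (cryptography)
     * @return string
     * @throws Exception\DomainException
     */
    public static function getString($length, $charlist = null, $strong = false)
    {
        if ($length < 1) {
            throw new Exception\DomainException('Length should be >= 1');
        }
        // charlist is empty or not provided
        if (empty($charlist)) {
            // Base64 turns 3 bytes into 4 characters, so 0.75 bytes per character is enough.
            $numBytes = (int) ceil($length * 0.75);
            $bytes = static::getBytes($numBytes, $strong);
            return substr(rtrim(base64_encode($bytes), '='), 0, $length);
        }
        $listLen = strlen($charlist);
        if ($listLen == 1) {
            return str_repeat($charlist, $length);
        }
        $result = '';
        for ($i = 0; $i < $length; $i++) {
            $pos = static::getInteger(0, $listLen - 1, $strong);
            $result .= $charlist[$pos];
        }
        return $result;
    }
}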
}
/**
* Zend Framework (http://framework.zend.com/)
*
* @link http://github.com/zendframework/zf2 for the canonical source repository
* @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
namespace Zend\Crypt\Password {
use Traversable;
use Zend\Math\Rand;
use Zend\Stdlib\ArrayUtils;
/**
* Bcrypt algorithm using crypt() function of PHP
*/
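class Bcrypt implements PasswordInterface
{
    const MIN_SALT_SIZE = 16;

    /**
     * Cost parameter as the two-digit string placed in the hash prefix
     *
     * @var string
     */
    protected $cost = '14';

    /**
     * Caller-supplied salt; when empty, create() draws a fresh random salt
     *
     * @var string
     */
    protected $salt;

    /**
     * When true, create() emits the $2a$ prefix even on PHP 5.3.7+
     *
     * @var bool
     */
    protected $backwardCompatibility = false;

    /**
     * Constructor
     *
     * Recognised option keys (case-insensitive) are 'salt' and 'cost'; any
     * other key is ignored.
     *
     * @param  array|Traversable $options
     * @throws Exception\InvalidArgumentException
     */
    public function __construct($options = array())
    {
        if (!empty($options)) {
            if ($options instanceof Traversable) {
                $options = ArrayUtils::iteratorToArray($options);
            } elseif (!is_array($options)) {
                throw new Exception\InvalidArgumentException(
                    'The options parameter must be an array or a Traversable'
                );
            }
            foreach ($options as $key => $value) {
                switch (strtolower($key)) {
                    case 'salt':
                        $this->setSalt($value);
                        break;
                    case 'cost':
                        $this->setCost($value);
                        break;
                }
            }
        }
    }

    /**
     * Create a bcrypt hash of a plain text password
     *
     * A salt configured through setSalt() is reused for every hash this
     * instance creates; leave it unset so that each hash gets its own random
     * salt.
     *
     * NOTE(review): bcrypt only processes a limited prefix of the password
     * (commonly 72 bytes); confirm how longer inputs should be handled by the
     * caller.
     *
     * @param  string $password
     * @throws Exception\RuntimeException
     * @return string
     */
    public function create($password)
    {
        if (empty($this->salt)) {
            $salt = Rand::getBytes(self::MIN_SALT_SIZE);
        } else {
            $salt = $this->salt;
        }
        // crypt() expects 22 salt characters; '+' is swapped for '.' to fit its alphabet.
        $salt64 = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
        /**
         * Check for security flaw in the bcrypt implementation used by crypt()
         * @see http://php.net/security/crypt_blowfish.php
         */
        if ((version_compare(PHP_VERSION, '5.3.7') >= 0) && !$this->backwardCompatibility) {
            $prefix = '$2y$';
        } else {
            $prefix = '$2a$';
            // check if the password contains 8-bit character
            if (preg_match('/[\x80-\xFF]/', $password)) {
                throw new Exception\RuntimeException(
                    'The bcrypt implementation used by PHP can contain a security flaw ' .
                    'using password with 8-bit character. ' .
                    'We suggest to upgrade to PHP 5.3.7+ or use passwords with only 7-bit characters'
                );
            }
        }
        $hash = crypt($password, $prefix . $this->cost . '$' . $salt64);
        // A result this short is treated as a crypt() failure, not a hash.
        if (strlen($hash) < 13) {
            throw new Exception\RuntimeException('Error during the bcrypt generation');
        }
        return $hash;
    }

    /**
     * Verify if a password is correct against a hash value
     *
     * The recomputed hash is compared with the stored one in constant time so
     * that the comparison does not reveal how many leading characters match.
     *
     * The algorithm is taken from $hash itself and nothing here checks for a
     * bcrypt prefix; callers that must accept bcrypt only should check the
     * stored hash's prefix first.
     *
     * @param  string $password
     * @param  string $hash
     * @throws Exception\RuntimeException when the hash is unable to be processed
     * @return bool
     */
    public function verify($password, $hash)
    {
        $result = crypt($password, $hash);
        if (is_string($hash) && is_string($result) && self::constantTimeEquals($hash, $result)) {
            return true;
        }
        if (strlen($result) <= 13) {
            /* This should only happen if the algorithm that generated hash is
             * either unsupported by this version of crypt(), or is invalid.
             *
             * An example of when this can happen, is if you generate
             * non-backwards-compatible hashes on 5.3.7+, and then try to verify
             * them on < 5.3.7.
             *
             * This is needed, because version comparisons are not possible due
             * to back-ported functionality by some distributions.
             */
            throw new Exception\RuntimeException(
                'The supplied password hash could not be verified. Please check ' .
                'backwards compatibility settings.'
            );
        }
        return false;
    }

    /**
     * Compare two strings without stopping at the first differing byte
     *
     * Uses hash_equals() where the runtime has it; otherwise every byte pair
     * is XOR-ed into an accumulator so the loop always runs to the end.
     *
     * @param  string $known     The stored value
     * @param  string $candidate The freshly computed value
     * @return bool
     */
    private static function constantTimeEquals($known, $candidate)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($known, $candidate);
        }
        $knownLen = strlen($known);
        if ($knownLen !== strlen($candidate)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $knownLen; $i++) {
            $diff |= ord($known[$i]) ^ ord($candidate[$i]);
        }
        return $diff === 0;
    }

    /**
     * Set the cost parameter
     *
     * An empty value (null, 0, '' or '0') leaves the current cost unchanged.
     *
     * @param  int|string $cost
     * @throws Exception\InvalidArgumentException if the cost is outside 4-31
     * @return Bcrypt
     */
    public function setCost($cost)
    {
        if (!empty($cost)) {
            $cost = (int) $cost;
            if ($cost < 4 || $cost > 31) {
                throw new Exception\InvalidArgumentException(
                    'The cost parameter of bcrypt must be in range 04-31'
                );
            }
            // Stored zero-padded to two digits, the form used in the hash prefix.
            $this->cost = sprintf('%1$02d', $cost);
        }
        return $this;
    }

    /**
     * Get the cost parameter
     *
     * @return string
     */
    public function getCost()
    {
        return $this->cost;
    }

    /**
     * Set the salt value
     *
     * Once set, the same salt is used by every create() call on this instance.
     *
     * @param  string $salt
     * @throws Exception\InvalidArgumentException if the salt is shorter than MIN_SALT_SIZE bytes
     * @return Bcrypt
     */
    public function setSalt($salt)
    {
        if (strlen($salt) < self::MIN_SALT_SIZE) {
            throw new Exception\InvalidArgumentException(
                'The length of the salt must be at least ' . self::MIN_SALT_SIZE . ' bytes'
            );
        }
        $this->salt = $salt;
        return $this;
    }

    /**
     * Get the salt value
     *
     * @return string
     */
    public function getSalt()
    {
        return $this->salt;
    }

    /**
     * Set the backward compatibility $2a$ instead of $2y$ for PHP 5.3.7+
     *
     * @param  bool $value
     * @return Bcrypt
     */
    public function setBackwardCompatibility($value)
    {
        $this->backwardCompatibility = (bool) $value;
        return $this;
    }

    /**
     * Get the backward compatibility
     *
     * @return bool
     */
    public function getBackwardCompatibility()
    {
        return $this->backwardCompatibility;
    }
}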
}
namespace MyStuff {
// Demonstration only: hashes a hard-coded sample password with Bcrypt, then
// verifies it. The plain text and the hash are printed so the round trip can
// be seen; real code would never echo either value.
try {
    $key = '123456';
    echo $key . '<br />';

    $crypt = new \Zend\Crypt\Password\Bcrypt();
    $crypt->setCost(14);

    $hash = $crypt->create($key);
    echo $hash . '<br />';

    // Dumps bool(true) when the freshly created hash verifies.
    $verified = $crypt->verify($key, $hash);
    var_dump($verified);
} catch (\Exception $e) {
    echo $e->getMessage();
}
}