paste.chapril.org-privatebin/lib/Sjcl.php

<?php
/**
 * PrivateBin
 *
 * a zero-knowledge paste bin
 *
 * @link      https://github.com/PrivateBin/PrivateBin
 * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
 * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
 * @version   0.22
 */

namespace PrivateBin;

/**
 * Sjcl
 *
 * Provides SJCL validation function.
 */
class Sjcl
{
    /**
     * SJCL validator
     *
     * Checks if a json string is a proper SJCL encrypted message.
     *
     * @access public
     * @static
     * @param  string $encoded JSON
     * @return bool
     */
    public static function isValid($encoded)
    {
        $accepted_keys = array('iv','v','iter','ks','ts','mode','adata','cipher','salt','ct');

        // Make sure content is valid json
        $decoded = json_decode($encoded);
        if (is_null($decoded)) {
            return false;
        }
        $decoded = (array) $decoded;

        // Make sure no additionnal keys were added.
        if (
            count(array_keys($decoded)) != count($accepted_keys)
        ) {
            return false;
        }

        // Make sure required fields are present and contain base64 data.
        foreach ($accepted_keys as $k) {
            if (!array_key_exists($k, $decoded)) {
                return false;
            }
        }

        // Make sure some fields are base64 data.
        if (!base64_decode($decoded['iv'], true)) {
            return false;
        }
        if (!base64_decode($decoded['salt'], true)) {
            return false;
        }
        if (!($ct = base64_decode($decoded['ct'], true))) {
            return false;
        }

        // Make sure some fields have a reasonable size.
        if (strlen($decoded['iv']) > 24) {
            return false;
        }
        if (strlen($decoded['salt']) > 14) {
            return false;
        }

        // Make sure some fields contain no unsupported values.
        if (!(is_int($decoded['v']) || is_float($decoded['v'])) || (float) $decoded['v'] < 1) {
            return false;
        }
        if (!is_int($decoded['iter']) || $decoded['iter'] <= 100) {
            return false;
        }
        if (!in_array($decoded['ks'], array(128, 192, 256), true)) {
            return false;
        }
        if (!in_array($decoded['ts'], array(64, 96, 128), true)) {
            return false;
        }
        if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) {
            return false;
        }
        if ($decoded['cipher'] !== 'aes') {
            return false;
        }

        // Reject data if entropy is too low
        if (strlen($ct) > strlen(gzdeflate($ct))) {
            return false;
        }

        return true;
    }
}
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`<?php`
			`/**`
renaming the fork to PrivateBin 2016-07-11 11:58:15 +02:00			`* PrivateBin`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* a zero-knowledge paste bin`
			`*`
renaming the fork to PrivateBin 2016-07-11 11:58:15 +02:00			`* @link https://github.com/PrivateBin/PrivateBin`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)`
Replace HTTP links with HTTPS Using this regexp: https://regex101.com/r/rZ2dE2/1 2016-07-19 13:56:52 +02:00			`* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License`
incrementing version, updating changelog, added missing phpdoc comments 2015-11-09 21:39:42 +01:00			`* @version 0.22`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*/`

Introduce PSR-4 autoloading 2016-07-21 17:09:48 +02:00			`namespace PrivateBin;`

Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`/**`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00			`* Sjcl`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`*`
			`* Provides SJCL validation function.`
			`*/`
Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00			`class Sjcl`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`{`
			`/**`
			`* SJCL validator`
			`*`
			`* Checks if a json string is a proper SJCL encrypted message.`
			`*`
			`* @access public`
			`* @static`
			`* @param string $encoded JSON`
			`* @return bool`
			`*/`
			`public static function isValid($encoded)`
			`{`
Updated json checking. - adapted to SJCL changed - added entropy checking (from https://github.com/vikstrous/ZeroBin/commit/f2ee2e8ba2f9c4cb1f16e81554c104109e202f24) (cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b) Conflicts: index.php 2013-02-23 22:44:46 +01:00			`$accepted_keys = array('iv','v','iter','ks','ts','mode','adata','cipher','salt','ct');`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00
			`// Make sure content is valid json`
			`$decoded = json_decode($encoded);`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (is_null($decoded)) {`
			`return false;`
			`}`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`$decoded = (array) $decoded;`

added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00			`// Make sure no additionnal keys were added.`
			`if (`
			`count(array_keys($decoded)) != count($accepted_keys)`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`) {`
			`return false;`
			`}`
added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`// Make sure required fields are present and contain base64 data.`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`foreach ($accepted_keys as $k) {`
			`if (!array_key_exists($k, $decoded)) {`
			`return false;`
			`}`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`}`

Updated json checking. - adapted to SJCL changed - added entropy checking (from https://github.com/vikstrous/ZeroBin/commit/f2ee2e8ba2f9c4cb1f16e81554c104109e202f24) (cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b) Conflicts: index.php 2013-02-23 22:44:46 +01:00			`// Make sure some fields are base64 data.`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (!base64_decode($decoded['iv'], true)) {`
			`return false;`
			`}`
			`if (!base64_decode($decoded['salt'], true)) {`
			`return false;`
			`}`
			`if (!($ct = base64_decode($decoded['ct'], true))) {`
			`return false;`
			`}`
Updated json checking. - adapted to SJCL changed - added entropy checking (from https://github.com/vikstrous/ZeroBin/commit/f2ee2e8ba2f9c4cb1f16e81554c104109e202f24) (cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b) Conflicts: index.php 2013-02-23 22:44:46 +01:00
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`// Make sure some fields have a reasonable size.`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (strlen($decoded['iv']) > 24) {`
			`return false;`
			`}`
			`if (strlen($decoded['salt']) > 14) {`
			`return false;`
			`}`
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00
Updated json checking. - adapted to SJCL changed - added entropy checking (from https://github.com/vikstrous/ZeroBin/commit/f2ee2e8ba2f9c4cb1f16e81554c104109e202f24) (cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b) Conflicts: index.php 2013-02-23 22:44:46 +01:00			`// Make sure some fields contain no unsupported values.`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (!(is_int($decoded['v']) \|\| is_float($decoded['v'])) \|\| (float) $decoded['v'] < 1) {`
			`return false;`
			`}`
			`if (!is_int($decoded['iter']) \|\| $decoded['iter'] <= 100) {`
			`return false;`
			`}`
			`if (!in_array($decoded['ks'], array(128, 192, 256), true)) {`
			`return false;`
			`}`
			`if (!in_array($decoded['ts'], array(64, 96, 128), true)) {`
			`return false;`
			`}`
			`if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) {`
			`return false;`
			`}`
			`if ($decoded['cipher'] !== 'aes') {`
			`return false;`
			`}`
Updated json checking. - adapted to SJCL changed - added entropy checking (from https://github.com/vikstrous/ZeroBin/commit/f2ee2e8ba2f9c4cb1f16e81554c104109e202f24) (cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b) Conflicts: index.php 2013-02-23 22:44:46 +01:00
added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00			`// Reject data if entropy is too low`
Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00			`if (strlen($ct) > strlen(gzdeflate($ct))) {`
			`return false;`
			`}`
added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00
Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00			`return true;`
			`}`
			`}`