ParagonIE\Halite\Util::raw_keyed_hash PHP Method

Util Class Documentation Usage Examples Of ParagonIE\Halite\Util::raw_keyed_hash Show file Open project: paragonie/halite

raw_keyed_hash() public static method

Expects a key (binary string). Returns raw binary.

public static raw_keyed_hash ( string $input, string $key, integer $length = Sodium\CRYPTO_GENERICHASH_BYTES ) : string
$input	string
$key	string
$length	integer
return	string

    public static function raw_keyed_hash(string $input, string $key, int $length = \Sodium\CRYPTO_GENERICHASH_BYTES) : string
    {
        if ($length < \Sodium\CRYPTO_GENERICHASH_BYTES_MIN) {
            throw new CannotPerformOperation(\sprintf('Output length must be at least %d bytes.', \Sodium\CRYPTO_GENERICHASH_BYTES_MIN));
        }
        if ($length > \Sodium\CRYPTO_GENERICHASH_BYTES_MAX) {
            throw new CannotPerformOperation(\sprintf('Output length must be at most %d bytes.', \Sodium\CRYPTO_GENERICHASH_BYTES_MAX));
        }
        return \Sodium\crypto_generichash($input, $key, $length);
    }

Usage Example

Example #1

Show file

File: CSRF.php Project: paragonie/airship

 /**
  * Validate a request based on $_SESSION and $_POST data
  *
  * @return bool
  */
 public function check() : bool
 {
     if (!isset($_SESSION[$this->sessionIndex])) {
         // We don't even have a session array initialized
         $_SESSION[$this->sessionIndex] = [];
         return false;
     }
     if (!isset($_POST[self::FORM_TOKEN]) || !\is_string($_POST[self::FORM_TOKEN])) {
         return false;
     }
     if (\strpos($_POST[self::FORM_TOKEN], ':') === false) {
         return false;
     }
     // Let's pull the POST data
     list($index, $token) = \explode(':', $_POST[self::FORM_TOKEN]);
     if (empty($index) || empty($token)) {
         return false;
     }
     if (!isset($_SESSION[$this->sessionIndex][$index])) {
         // CSRF Token not found
         return false;
     }
     // Grab the value stored at $index
     $stored = $_SESSION[$this->sessionIndex][$index];
     // We don't need this anymore
     unset($_SESSION[$this->sessionIndex][$index]);
     // Which form action="" is this token locked to?
     $lockTo = $_SERVER['REQUEST_URI'];
     if (\preg_match('#/$#', $lockTo)) {
         // Trailing slashes are to be ignored
         $lockTo = substr($lockTo, 0, strlen($lockTo) - 1);
     }
     if (!empty($stored['lockto'])) {
         if (!\hash_equals($lockTo, $stored['lockto'])) {
             // Form target did not match the request this token is locked to!
             return false;
         }
     }
     // This is the expected token value
     if ($this->hmacIP === false) {
         // We just stored it wholesale
         $expected = $stored['token'];
     } else {
         // We mixed in the client IP address to generate the output
         $expected = Base64UrlSafe::encode(CryptoUtil::raw_keyed_hash($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1', Base64UrlSafe::decode($stored['token'])));
     }
     return \hash_equals($token, $expected);
 }

Util

__construct

hash

hkdfBlake2b

keyed_hash

raw_hash

raw_keyed_hash

safeStrcpy

safeStrlen

safeSubstr

xorStrings