From 54536ecf45fc0951977ed75ce11923af9be8480f Mon Sep 17 00:00:00 2001 From: pdontthink Date: Mon, 27 Dec 2010 00:35:24 +0000 Subject: [PATCH] Refine HMAC-MD5 generator; use native PHP Hash extension if available git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14083 7612ce4b-ef26-0410-bec9-ea0150e637f0 --- functions/auth.php | 85 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 59 insertions(+), 26 deletions(-) diff --git a/functions/auth.php b/functions/auth.php index fbc28e06..17d4d625 100644 --- a/functions/auth.php +++ b/functions/auth.php @@ -270,37 +270,70 @@ function digest_md5_parse_challenge($challenge) { } /** - * Creates a HMAC digest that can be used for auth purposes - * See RFCs 2104, 2617, 2831 - * Uses mhash() extension if available - * - * @param string $data Data to apply hash function to. - * @param string $key Optional key, which, if supplied, will be used to - * calculate data's HMAC. - * @return string HMAC Digest string - * @since 1.4.0 - */ + * Creates a HMAC digest that can be used for authentication purposes + * See RFCs 2104, 2617, 2831 + * + * Uses PHP's Hash extension if available (enabled by default in PHP + * 5.1.2+ - see http://www.php.net/manual/en/hash.requirements.php + * or, if installed on earlier PHP versions, the PECL hash module - + * see http://pecl.php.net/package/hash + * + * Otherwise, will attempt to use the Mhash extension - see + * http://www.php.net/manual/en/mhash.requirements.php + * + * Finally, a fall-back custom implementation is used if none of + * the above are available. + * + * @param string $data The data to be encoded/hashed + * @param string $key The (shared) secret key that will be used + * to build the keyed hash. This argument is + * technically optional, but only for internal + * use (when the custom hash implementation is + * being used) - external callers should always + * specify a value for this argument. + * + * @return string The HMAC-MD5 digest string + * @since 1.4.0 + * + */ function hmac_md5($data, $key='') { + + // use PHP's native Hash extension if possible + // + if (function_exists('hash_hmac')) + return pack('H*', hash_hmac('md5', $data, $key)); + + + // otherwise, use (obsolete) mhash extension if available + // if (extension_loaded('mhash')) { - if ($key== '') { - $mhash=mhash(MHASH_MD5,$data); - } else { - $mhash=mhash(MHASH_MD5,$data,$key); - } + + if ($key == '') + $mhash = mhash(MHASH_MD5, $data); + else + $mhash = mhash(MHASH_MD5, $data, $key); + return $mhash; } - if (!$key) { - return pack('H*',md5($data)); - } - $key = str_pad($key,64,chr(0x00)); - if (strlen($key) > 64) { - $key = pack("H*",md5($key)); - } - $k_ipad = $key ^ str_repeat(chr(0x36), 64) ; - $k_opad = $key ^ str_repeat(chr(0x5c), 64) ; - /* Heh, let's get recursive. */ - $hmac=hmac_md5($k_opad . pack("H*",md5($k_ipad . $data)) ); + + + // or, our own implementation... + // + if (!$key) + return pack('H*', md5($data)); + + $key = str_pad($key, 64, chr(0x00)); + + if (strlen($key) > 64) + $key = pack("H*", md5($key)); + + $k_ipad = $key ^ str_repeat(chr(0x36), 64); + $k_opad = $key ^ str_repeat(chr(0x5c), 64); + + $hmac = hmac_md5($k_opad . pack('H*', md5($k_ipad . $data))); + return $hmac; + } /** -- 2.25.1