Spade
Mini Shell
| Directory:~$ /home/lmsyaran/public_html/joomla4/ |
| [Home] [System Details] [Kill Me] |
PK;
�[S���Cipher/BlowfishCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
/**
* Crypt cipher for Blowfish encryption, decryption and key generation.
*
* @since 3.0.0
* @deprecated 4.0 Without replacement use CryptoCipher
*/
class BlowfishCipher extends McryptCipher
{
/**
* @var integer The mcrypt cipher constant.
* @link https://www.php.net/manual/en/mcrypt.ciphers.php
* @since 3.0.0
*/
protected $type = MCRYPT_BLOWFISH;
/**
* @var integer The mcrypt block cipher mode.
* @link https://www.php.net/manual/en/mcrypt.constants.php
* @since 3.0.0
*/
protected $mode = MCRYPT_MODE_CBC;
/**
* @var string The JCrypt key type for validation.
* @since 3.0.0
*/
protected $keyType = 'blowfish';
}
PK;
�[3�~
~
Cipher/CryptoCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\CipherInterface;
use Joomla\CMS\Crypt\Key;
/**
* Crypt cipher for encryption, decryption and key generation via the
php-encryption library.
*
* @since 3.5
*/
class CryptoCipher implements CipherInterface
{
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
* @param Key $key The key object to use for decryption.
*
* @return string The decrypted data string.
*
* @since 3.5
* @throws \RuntimeException
*/
public function decrypt($data, Key $key)
{
// Validate key.
if ($key->type != 'crypto')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected crypto.');
}
// Decrypt the data.
try
{
return \Crypto::Decrypt($data, $key->public);
}
catch (\InvalidCiphertextException $ex)
{
throw new \RuntimeException('DANGER! DANGER! The ciphertext has
been tampered with!', $ex->getCode(), $ex);
}
catch (\CryptoTestFailedException $ex)
{
throw new \RuntimeException('Cannot safely perform
decryption', $ex->getCode(), $ex);
}
catch (\CannotPerformOperationException $ex)
{
throw new \RuntimeException('Cannot safely perform
decryption', $ex->getCode(), $ex);
}
}
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
* @param Key $key The key object to use for encryption.
*
* @return string The encrypted data string.
*
* @since 3.5
* @throws \RuntimeException
*/
public function encrypt($data, Key $key)
{
// Validate key.
if ($key->type != 'crypto')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected crypto.');
}
// Encrypt the data.
try
{
return \Crypto::Encrypt($data, $key->public);
}
catch (\CryptoTestFailedException $ex)
{
throw new \RuntimeException('Cannot safely perform
encryption', $ex->getCode(), $ex);
}
catch (\CannotPerformOperationException $ex)
{
throw new \RuntimeException('Cannot safely perform
encryption', $ex->getCode(), $ex);
}
}
/**
* Method to generate a new encryption key object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.5
* @throws \RuntimeException
*/
public function generateKey(array $options = array())
{
// Create the new encryption key object.
$key = new Key('crypto');
// Generate the encryption key.
try
{
$key->public = \Crypto::CreateNewRandomKey();
}
catch (\CryptoTestFailedException $ex)
{
throw new \RuntimeException('Cannot safely create a key',
$ex->getCode(), $ex);
}
catch (\CannotPerformOperationException $ex)
{
throw new \RuntimeException('Cannot safely create a key',
$ex->getCode(), $ex);
}
// Explicitly flag the private as unused in this cipher.
$key->private = 'unused';
return $key;
}
}
PK;
�[Ίl���Cipher/McryptCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\CipherInterface;
use Joomla\CMS\Crypt\Crypt;
use Joomla\CMS\Crypt\Key;
/**
* Crypt cipher for mcrypt algorithm encryption, decryption and key
generation.
*
* @since 3.0.0
* @deprecated 4.0 Without replacement use CryptoCipher
*/
abstract class McryptCipher implements CipherInterface
{
/**
* @var integer The mcrypt cipher constant.
* @link https://www.php.net/manual/en/mcrypt.ciphers.php
* @since 3.0.0
*/
protected $type;
/**
* @var integer The mcrypt block cipher mode.
* @link https://www.php.net/manual/en/mcrypt.constants.php
* @since 3.0.0
*/
protected $mode;
/**
* @var string The Crypt key type for validation.
* @since 3.0.0
*/
protected $keyType;
/**
* Constructor.
*
* @since 3.0.0
* @throws \RuntimeException
*/
public function __construct()
{
if (!is_callable('mcrypt_encrypt'))
{
throw new \RuntimeException('The mcrypt extension is not
available.');
}
}
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
* @param Key $key The key object to use for decryption.
*
* @return string The decrypted data string.
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function decrypt($data, Key $key)
{
// Validate key.
if ($key->type != $this->keyType)
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected ' . $this->keyType .
'.');
}
// Decrypt the data.
$decrypted = trim(mcrypt_decrypt($this->type, $key->private, $data,
$this->mode, $key->public));
return $decrypted;
}
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
* @param Key $key The key object to use for encryption.
*
* @return string The encrypted data string.
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function encrypt($data, Key $key)
{
// Validate key.
if ($key->type != $this->keyType)
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected ' . $this->keyType .
'.');
}
// Encrypt the data.
$encrypted = mcrypt_encrypt($this->type, $key->private, $data,
$this->mode, $key->public);
return $encrypted;
}
/**
* Method to generate a new encryption key object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function generateKey(array $options = array())
{
// Create the new encryption key object.
$key = new Key($this->keyType);
// Generate an initialisation vector based on the algorithm.
$key->public = mcrypt_create_iv(mcrypt_get_iv_size($this->type,
$this->mode), MCRYPT_DEV_URANDOM);
// Get the salt and password setup.
$salt = (isset($options['salt'])) ? $options['salt']
: substr(pack('h*', md5(Crypt::genRandomBytes())), 0, 16);
if (!isset($options['password']))
{
throw new \InvalidArgumentException('Password is not set.');
}
// Generate the derived key.
$key->private = $this->pbkdf2($options['password'],
$salt, mcrypt_get_key_size($this->type, $this->mode));
return $key;
}
/**
* PBKDF2 Implementation for deriving keys.
*
* @param string $p Password
* @param string $s Salt
* @param integer $kl Key length
* @param integer $c Iteration count
* @param string $a Hash algorithm
*
* @return string The derived key.
*
* @link https://en.wikipedia.org/wiki/PBKDF2
* @link http://www.ietf.org/rfc/rfc2898.txt
* @since 3.0.0
*/
public function pbkdf2($p, $s, $kl, $c = 10000, $a = 'sha256')
{
// Hash length.
$hl = strlen(hash($a, null, true));
// Key blocks to compute.
$kb = ceil($kl / $hl);
// Derived key.
$dk = '';
// Create the key.
for ($block = 1; $block <= $kb; $block++)
{
// Initial hash for this block.
$ib = $b = hash_hmac($a, $s . pack('N', $block), $p, true);
// Perform block iterations.
for ($i = 1; $i < $c; $i++)
{
$ib ^= ($b = hash_hmac($a, $b, $p, true));
}
// Append the iterated block.
$dk .= $ib;
}
// Return derived key of correct length.
return substr($dk, 0, $kl);
}
}
PK;
�[g����
Cipher/Rijndael256Cipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
/**
* Crypt cipher for Rijndael 256 encryption, decryption and key generation.
*
* @since 3.0.0
* @deprecated 4.0 Without replacement use CryptoCipher
*/
class Rijndael256Cipher extends McryptCipher
{
/**
* @var integer The mcrypt cipher constant.
* @link https://www.php.net/manual/en/mcrypt.ciphers.php
* @since 3.0.0
*/
protected $type = MCRYPT_RIJNDAEL_256;
/**
* @var integer The mcrypt block cipher mode.
* @link https://www.php.net/manual/en/mcrypt.constants.php
* @since 3.0.0
*/
protected $mode = MCRYPT_MODE_CBC;
/**
* @var string The JCrypt key type for validation.
* @since 3.0.0
*/
protected $keyType = 'rijndael256';
}
PK;
�[���Cipher/SimpleCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\CipherInterface;
use Joomla\CMS\Crypt\Crypt;
use Joomla\CMS\Crypt\Key;
/**
* Crypt cipher for Simple encryption, decryption and key generation.
*
* @since 3.0.0
* @deprecated 4.0 (CMS)
*/
class SimpleCipher implements CipherInterface
{
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
* @param Key $key The key[/pair] object to use for decryption.
*
* @return string The decrypted data string.
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function decrypt($data, Key $key)
{
// Validate key.
if ($key->type != 'simple')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected simple.');
}
$decrypted = '';
$tmp = $key->public;
// Convert the HEX input into an array of integers and get the number of
characters.
$chars = $this->_hexToIntArray($data);
$charCount = count($chars);
// Repeat the key as many times as necessary to ensure that the key is at
least as long as the input.
for ($i = 0; $i < $charCount; $i = strlen($tmp))
{
$tmp = $tmp . $tmp;
}
// Get the XOR values between the ASCII values of the input and key
characters for all input offsets.
for ($i = 0; $i < $charCount; $i++)
{
$decrypted .= chr($chars[$i] ^ ord($tmp[$i]));
}
return $decrypted;
}
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
* @param Key $key The key[/pair] object to use for encryption.
*
* @return string The encrypted data string.
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function encrypt($data, Key $key)
{
// Validate key.
if ($key->type != 'simple')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected simple.');
}
$encrypted = '';
$tmp = $key->private;
// Split up the input into a character array and get the number of
characters.
$chars = preg_split('//', $data, -1, PREG_SPLIT_NO_EMPTY);
$charCount = count($chars);
// Repeat the key as many times as necessary to ensure that the key is at
least as long as the input.
for ($i = 0; $i < $charCount; $i = strlen($tmp))
{
$tmp = $tmp . $tmp;
}
// Get the XOR values between the ASCII values of the input and key
characters for all input offsets.
for ($i = 0; $i < $charCount; $i++)
{
$encrypted .= $this->_intToHex(ord($tmp[$i]) ^ ord($chars[$i]));
}
return $encrypted;
}
/**
* Method to generate a new encryption key[/pair] object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.0.0
*/
public function generateKey(array $options = array())
{
// Create the new encryption key[/pair] object.
$key = new Key('simple');
// Just a random key of a given length.
$key->private = Crypt::genRandomBytes(256);
$key->public = $key->private;
return $key;
}
/**
* Convert hex to an integer
*
* @param string $s The hex string to convert.
* @param integer $i The offset?
*
* @return integer
*
* @since 1.7.0
*/
private function _hexToInt($s, $i)
{
$j = (int) $i * 2;
$k = 0;
$s1 = (string) $s;
// Get the character at position $j.
$c = substr($s1, $j, 1);
// Get the character at position $j + 1.
$c1 = substr($s1, $j + 1, 1);
switch ($c)
{
case 'A':
$k += 160;
break;
case 'B':
$k += 176;
break;
case 'C':
$k += 192;
break;
case 'D':
$k += 208;
break;
case 'E':
$k += 224;
break;
case 'F':
$k += 240;
break;
case ' ':
$k += 0;
break;
default:
(int) $k = $k + (16 * (int) $c);
break;
}
switch ($c1)
{
case 'A':
$k += 10;
break;
case 'B':
$k += 11;
break;
case 'C':
$k += 12;
break;
case 'D':
$k += 13;
break;
case 'E':
$k += 14;
break;
case 'F':
$k += 15;
break;
case ' ':
$k += 0;
break;
default:
$k += (int) $c1;
break;
}
return $k;
}
/**
* Convert hex to an array of integers
*
* @param string $hex The hex string to convert to an integer array.
*
* @return array An array of integers.
*
* @since 1.7.0
*/
private function _hexToIntArray($hex)
{
$array = array();
$j = (int) strlen($hex) / 2;
for ($i = 0; $i < $j; $i++)
{
$array[$i] = (int) $this->_hexToInt($hex, $i);
}
return $array;
}
/**
* Convert an integer to a hexadecimal string.
*
* @param integer $i An integer value to convert to a hex string.
*
* @return string
*
* @since 1.7.0
*/
private function _intToHex($i)
{
// Sanitize the input.
$i = (int) $i;
// Get the first character of the hexadecimal string if there is one.
$j = (int) ($i / 16);
if ($j === 0)
{
$s = ' ';
}
else
{
$s = strtoupper(dechex($j));
}
// Get the second character of the hexadecimal string.
$k = $i - $j * 16;
$s = $s . strtoupper(dechex($k));
return $s;
}
}
PK;
�[���
�
Cipher/SodiumCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\CipherInterface;
use Joomla\CMS\Crypt\Key;
use ParagonIE\Sodium\Compat;
/**
* JCrypt cipher for sodium algorithm encryption, decryption and key
generation.
*
* @since 3.8.0
*/
class SodiumCipher implements CipherInterface
{
/**
* The message nonce to be used with encryption/decryption
*
* @var string
* @since 3.8.0
*/
private $nonce;
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
* @param Key $key The key object to use for decryption.
*
* @return string The decrypted data string.
*
* @since 3.8.0
* @throws \RuntimeException
*/
public function decrypt($data, Key $key)
{
// Validate key.
if ($key->type !== 'sodium')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected sodium.');
}
if (!$this->nonce)
{
throw new \RuntimeException('Missing nonce to decrypt data');
}
$decrypted = Compat::crypto_box_open(
$data,
$this->nonce,
Compat::crypto_box_keypair_from_secretkey_and_publickey($key->private,
$key->public)
);
if ($decrypted === false)
{
throw new \RuntimeException('Malformed message or invalid
MAC');
}
return $decrypted;
}
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
* @param Key $key The key object to use for encryption.
*
* @return string The encrypted data string.
*
* @since 3.8.0
* @throws \RuntimeException
*/
public function encrypt($data, Key $key)
{
// Validate key.
if ($key->type !== 'sodium')
{
throw new \InvalidArgumentException('Invalid key of type: ' .
$key->type . '. Expected sodium.');
}
if (!$this->nonce)
{
throw new \RuntimeException('Missing nonce to decrypt data');
}
return Compat::crypto_box(
$data,
$this->nonce,
Compat::crypto_box_keypair_from_secretkey_and_publickey($key->private,
$key->public)
);
}
/**
* Method to generate a new encryption key object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.8.0
* @throws RuntimeException
*/
public function generateKey(array $options = array())
{
// Create the new encryption key object.
$key = new Key('sodium');
// Generate the encryption key.
$pair = Compat::crypto_box_keypair();
$key->public = Compat::crypto_box_publickey($pair);
$key->private = Compat::crypto_box_secretkey($pair);
return $key;
}
/**
* Set the nonce to use for encrypting/decrypting messages
*
* @param string $nonce The message nonce
*
* @return void
*
* @since 3.8.0
*/
public function setNonce($nonce)
{
$this->nonce = $nonce;
}
}
PK;
�[�U���Cipher/TripleDesCipher.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Cipher;
defined('JPATH_PLATFORM') or die;
/**
* JCrypt cipher for Triple DES encryption, decryption and key generation.
*
* @since 3.0.0
* @deprecated 4.0 Without replacement use CryptoCipher
*/
class TripleDesCipher extends McryptCipher
{
/**
* @var integer The mcrypt cipher constant.
* @link https://www.php.net/manual/en/mcrypt.ciphers.php
* @since 3.0.0
*/
protected $type = MCRYPT_3DES;
/**
* @var integer The mcrypt block cipher mode.
* @link https://www.php.net/manual/en/mcrypt.constants.php
* @since 3.0.0
*/
protected $mode = MCRYPT_MODE_CBC;
/**
* @var string The Crypt key type for validation.
* @since 3.0.0
*/
protected $keyType = '3des';
}
PK;
�[ ���CipherInterface.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt;
defined('JPATH_PLATFORM') or die;
/**
* Crypt cipher interface.
*
* @since 3.0.0
*/
interface CipherInterface
{
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
* @param Key $key The key[/pair] object to use for decryption.
*
* @return string The decrypted data string.
*
* @since 3.0.0
*/
public function decrypt($data, Key $key);
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
* @param Key $key The key[/pair] object to use for encryption.
*
* @return string The encrypted data string.
*
* @since 3.0.0
*/
public function encrypt($data, Key $key);
/**
* Method to generate a new encryption key[/pair] object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.0.0
*/
public function generateKey(array $options = array());
}
PK;
�[��3�� Crypt.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\Cipher\SimpleCipher;
use Joomla\CMS\Log\Log;
/**
* Crypt is a Joomla Platform class for handling basic
encryption/decryption of data.
*
* @since 3.0.0
*/
class Crypt
{
/**
* @var CipherInterface The encryption cipher object.
* @since 3.0.0
*/
private $_cipher;
/**
* @var Key The encryption key[/pair)].
* @since 3.0.0
*/
private $_key;
/**
* Object Constructor takes an optional key to be used for
encryption/decryption. If no key is given then the
* secret word from the configuration object is used.
*
* @param CipherInterface $cipher The encryption cipher object.
* @param Key $key The encryption key[/pair)].
*
* @since 3.0.0
*/
public function __construct(CipherInterface $cipher = null, Key $key =
null)
{
// Set the encryption key[/pair)].
$this->_key = $key;
// Set the encryption cipher.
$this->_cipher = isset($cipher) ? $cipher : new SimpleCipher;
}
/**
* Method to decrypt a data string.
*
* @param string $data The encrypted string to decrypt.
*
* @return string The decrypted data string.
*
* @since 3.0.0
* @throws \InvalidArgumentException
*/
public function decrypt($data)
{
try
{
return $this->_cipher->decrypt($data, $this->_key);
}
catch (\InvalidArgumentException $e)
{
return false;
}
}
/**
* Method to encrypt a data string.
*
* @param string $data The data string to encrypt.
*
* @return string The encrypted data string.
*
* @since 3.0.0
*/
public function encrypt($data)
{
return $this->_cipher->encrypt($data, $this->_key);
}
/**
* Method to generate a new encryption key[/pair] object.
*
* @param array $options Key generation options.
*
* @return Key
*
* @since 3.0.0
*/
public function generateKey(array $options = array())
{
return $this->_cipher->generateKey($options);
}
/**
* Method to set the encryption key[/pair] object.
*
* @param Key $key The key object to set.
*
* @return Crypt
*
* @since 3.0.0
*/
public function setKey(Key $key)
{
$this->_key = $key;
return $this;
}
/**
* Generate random bytes.
*
* @param integer $length Length of the random data to generate
*
* @return string Random binary data
*
* @since 3.0.0
*/
public static function genRandomBytes($length = 16)
{
return random_bytes($length);
}
/**
* A timing safe comparison method.
*
* This defeats hacking attempts that use timing based attack vectors.
*
* NOTE: Length will leak.
*
* @param string $known A known string to check against.
* @param string $unknown An unknown string to check.
*
* @return boolean True if the two strings are exactly the same.
*
* @since 3.2
*/
public static function timingSafeCompare($known, $unknown)
{
// This function is native in PHP as of 5.6 and backported via the
symfony/polyfill-56 library
return hash_equals((string) $known, (string) $unknown);
}
/**
* Tests for the availability of updated crypt().
* Based on a method by Anthony Ferrera
*
* @return boolean Always returns true since 3.3
*
* @note To be removed when PHP 5.3.7 or higher is the minimum
supported version.
* @link
https://github.com/ircmaxell/password_compat/blob/master/version-test.php
* @since 3.2
* @deprecated 4.0
*/
public static function hasStrongPasswordSupport()
{
// Log usage of deprecated function
Log::add(__METHOD__ . '() is deprecated without replacement.',
Log::WARNING, 'deprecated');
if (!defined('PASSWORD_DEFAULT'))
{
// Always make sure that the password hashing API has been defined.
include_once JPATH_ROOT .
'/vendor/ircmaxell/password-compat/lib/password.php';
}
return true;
}
/**
* Safely detect a string's length
*
* This method is derived from \ParagonIE\Halite\Util::safeStrlen()
*
* @param string $str String to check the length of
*
* @return integer
*
* @since 3.5
* @ref mbstring.func_overload
* @throws \RuntimeException
*/
public static function safeStrlen($str)
{
static $exists = null;
if ($exists === null)
{
$exists = function_exists('mb_strlen');
}
if ($exists)
{
$length = mb_strlen($str, '8bit');
if ($length === false)
{
throw new \RuntimeException('mb_strlen() failed
unexpectedly');
}
return $length;
}
// If we reached here, we can rely on strlen to count bytes:
return \strlen($str);
}
/**
* Safely extract a substring
*
* This method is derived from \ParagonIE\Halite\Util::safeSubstr()
*
* @param string $str The string to extract the substring from
* @param integer $start The starting position to extract from
* @param integer $length The length of the string to return
*
* @return string
*
* @since 3.5
*/
public static function safeSubstr($str, $start, $length = null)
{
static $exists = null;
if ($exists === null)
{
$exists = function_exists('mb_substr');
}
if ($exists)
{
// In PHP 5.3 mb_substr($str, 0, NULL, '8bit') returns an
empty string, so we have to find the length ourselves.
if ($length === null)
{
if ($start >= 0)
{
$length = static::safeStrlen($str) - $start;
}
else
{
$length = -$start;
}
}
return mb_substr($str, $start, $length, '8bit');
}
// Unlike mb_substr(), substr() doesn't accept NULL for length
if ($length !== null)
{
return substr($str, $start, $length);
}
return substr($str, $start);
}
}
PK<
�[�5P���CryptPassword.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt;
defined('JPATH_PLATFORM') or die;
/**
* Joomla Platform Password Hashing Interface
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
interface CryptPassword
{
const BLOWFISH = '$2y$';
const JOOMLA = 'Joomla';
const PBKDF = '$pbkdf$';
const MD5 = '$1$';
/**
* Creates a password hash
*
* @param string $password The password to hash.
* @param string $type The type of hash. This determines the
prefix of the hashing function.
*
* @return string The hashed password.
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function create($password, $type = null);
/**
* Verifies a password hash
*
* @param string $password The password to verify.
* @param string $hash The password hash to check.
*
* @return boolean True if the password is valid, false otherwise.
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function verify($password, $hash);
/**
* Sets a default prefix
*
* @param string $type The prefix to set as default
*
* @return void
*
* @since 3.1.4
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function setDefaultType($type);
/**
* Gets the default type
*
* @return void
*
* @since 3.1.4
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function getDefaultType();
}
PK<
�[k�IKey.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt;
defined('JPATH_PLATFORM') or die;
/**
* Encryption key object for the Joomla Platform.
*
* @property-read string $type The key type.
*
* @since 3.0.0
*/
class Key
{
/**
* @var string The private key.
* @since 3.0.0
*/
public $private;
/**
* @var string The public key.
* @since 3.0.0
*/
public $public;
/**
* @var string The key type.
* @since 3.0.0
*/
protected $type;
/**
* Constructor.
*
* @param string $type The key type.
* @param string $private The private key.
* @param string $public The public key.
*
* @since 3.0.0
*/
public function __construct($type, $private = null, $public = null)
{
// Set the key type.
$this->type = (string) $type;
// Set the optional public/private key strings.
$this->private = isset($private) ? (string) $private : null;
$this->public = isset($public) ? (string) $public : null;
}
/**
* Magic method to return some protected property values.
*
* @param string $name The name of the property to return.
*
* @return mixed
*
* @since 3.0.0
*/
public function __get($name)
{
if ($name == 'type')
{
return $this->type;
}
trigger_error('Cannot access property ' . __CLASS__ .
'::' . $name, E_USER_WARNING);
}
}
PK<
�[݉�nn Password/SimpleCryptPassword.phpnu�[���<?php
/**
* Joomla! Content Management System
*
* @copyright Copyright (C) 2005 - 2020 Open Source Matters, Inc. All
rights reserved.
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\Crypt\Password;
defined('JPATH_PLATFORM') or die;
use Joomla\CMS\Crypt\Crypt;
use Joomla\CMS\Crypt\CryptPassword;
/**
* Joomla Platform Password Crypter
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
class SimpleCryptPassword implements CryptPassword
{
/**
* @var integer The cost parameter for hashing algorithms.
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
protected $cost = 10;
/**
* @var string The default hash type
* @since 3.1.4
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
protected $defaultType = '$2y$';
/**
* Creates a password hash
*
* @param string $password The password to hash.
* @param string $type The hash type.
*
* @return mixed The hashed password or false if the password is too
long.
*
* @since 3.0.1
* @throws \InvalidArgumentException
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function create($password, $type = null)
{
if (empty($type))
{
$type = $this->defaultType;
}
switch ($type)
{
case '$2a$':
case CryptPassword::BLOWFISH:
$type = '$2a$';
if (Crypt::hasStrongPasswordSupport())
{
$type = '$2y$';
}
$salt = $type . str_pad($this->cost, 2, '0', STR_PAD_LEFT)
. '$' . $this->getSalt(22);
return crypt($password, $salt);
case CryptPassword::MD5:
$salt = $this->getSalt(12);
$salt = '$1$' . $salt;
return crypt($password, $salt);
case CryptPassword::JOOMLA:
$salt = $this->getSalt(32);
return md5($password . $salt) . ':' . $salt;
default:
throw new \InvalidArgumentException(sprintf('Hash type %s is not
supported', $type));
break;
}
}
/**
* Sets the cost parameter for the generated hash for algorithms that use
a cost factor.
*
* @param integer $cost The new cost value.
*
* @return void
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function setCost($cost)
{
$this->cost = $cost;
}
/**
* Generates a salt of specified length. The salt consists of characters
in the set [./0-9A-Za-z].
*
* @param integer $length The number of characters to return.
*
* @return string The string of random characters.
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
protected function getSalt($length)
{
$bytes = ceil($length * 6 / 8);
$randomData = str_replace('+', '.',
base64_encode(Crypt::genRandomBytes($bytes)));
return substr($randomData, 0, $length);
}
/**
* Verifies a password hash
*
* @param string $password The password to verify.
* @param string $hash The password hash to check.
*
* @return boolean True if the password is valid, false otherwise.
*
* @since 3.0.1
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function verify($password, $hash)
{
// Check if the hash is a blowfish hash.
if (substr($hash, 0, 4) == '$2a$' || substr($hash, 0, 4) ==
'$2y$')
{
$type = '$2a$';
if (Crypt::hasStrongPasswordSupport())
{
$type = '$2y$';
}
return password_verify($password, $hash);
}
// Check if the hash is an MD5 hash.
if (substr($hash, 0, 3) == '$1$')
{
return Crypt::timingSafeCompare(crypt($password, $hash), $hash);
}
// Check if the hash is a Joomla hash.
if (preg_match('#[a-z0-9]{32}:[A-Za-z0-9]{32}#', $hash) === 1)
{
// Check the password
$parts = explode(':', $hash);
$salt = @$parts[1];
// Compile the hash to compare
// If the salt is empty AND there is a ':' in the original
hash, we must append ':' at the end
$testcrypt = md5($password . $salt) . ($salt ? ':' . $salt :
(strpos($hash, ':') !== false ? ':' : ''));
return Crypt::timingSafeCompare($hash, $testcrypt);
}
return false;
}
/**
* Sets a default type
*
* @param string $type The value to set as default.
*
* @return void
*
* @since 3.1.4
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function setDefaultType($type)
{
if (!empty($type))
{
$this->defaultType = $type;
}
}
/**
* Gets the default type
*
* @return string $type The default type
*
* @since 3.1.4
* @deprecated 4.0 Use PHP 5.5's native password hashing API
*/
public function getDefaultType()
{
return $this->defaultType;
}
}
PK<
�[���
+
+
README.mdnu�[���# Important Security Information
If you're going to use JCrypt in any of your extensions, make *sure*
you use **CryptoCipher** or **SodiumCipher**; These are the only two which
are cryptographically secure.
```php
use Joomla\CMS\Crypt\Cipher\SodiumCipher;
$cipher = new SodiumCipher;
$key = $cipher->generateKey();
$data = 'My encrypted data.';
$cipher->setNonce(\Sodium\randombytes_buf(\Sodium\CRYPTO_BOX_NONCEBYTES));
$encrypted = $cipher->encrypt($data, $key);
$decrypted = $cipher->decrypt($encrypted, $key);
if ($decrypted !== $data)
{
throw new RuntimeException('The data was not decrypted
correctly.');
}
```
```php
use Joomla\CMS\Crypt\Cipher\CryptoCipher;
$cipher = new CryptoCipher();
$key = $cipher->generateKey(); // Store this for long-term use
$message = "We're all living on a yellow submarine!";
$ciphertext = $cipher->encrypt($message, $key);
$decrypted = $cipher->decrypt($ciphertext, $key);
```
## Avoid these Ciphers if Possible
* `JCryptCipher3Des`
* `JCryptCipherBlowfish`
* `JCryptCipherMcrypt`
* `JCryptCipherRijndael256`
All of these ciphers are vulnerable to something called a
[chosen-ciphertext
attack](https://en.wikipedia.org/wiki/Chosen-ciphertext_attack). The only
provable way to prevent chosen-ciphertext attacks is to [use authenticated
encryption](https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly),
preferrably in an [Encrypt-then-MAC
construction](http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/).
The only JCrypt cipher that meets the *authenticated encryption* criteria
is **`JCryptCipherCrypto`**.
## Absolutely Avoid JCryptCipherSimple
`JCryptCipherSimple` is deprecated and will be removed in Joomla 4.
It's vulnerable to a known plaintext attack: If you know any
information about the plaintext (e.g. the first character is
'<'), an attacker can recover bits of the encryption key with
ease.
If an attacker can influence the message, they can actually steal your
encryption key. Here's how:
1. Feed `str_repeat('A', 256)` into your application, towards
`JCryptCipherSimple`.
2. Observe the output of the cipher (the ciphertext).
3. Run it through this code:
```php
function recoverJcryptCipherSimpleKey($ciphertext, $knownPlaintext)
{
$key = '';
for ($i = 0; $i < strlen($knownPlaintext); ++$i) {
$key.= chr(ord($ciphertext[$i]) ^ ord($knownPlaintext[$i]));
}
}
$key = recoverJcryptCipherSimpleKey(
$someEncryptedTextOutput,
str_repeat('A', 256)
);
```
Given how trivial it is to steal the encryption key from this cipher, you
absolutely should not use it.
PK;
�[S���Cipher/BlowfishCipher.phpnu�[���PK;
�[3�~
~
Cipher/CryptoCipher.phpnu�[���PK;
�[Ίl����Cipher/McryptCipher.phpnu�[���PK;
�[g����
�"Cipher/Rijndael256Cipher.phpnu�[���PK;
�[���#'Cipher/SimpleCipher.phpnu�[���PK;
�[���
�
h<Cipher/SodiumCipher.phpnu�[���PK;
�[�U����HCipher/TripleDesCipher.phpnu�[���PK;
�[ ����LCipherInterface.phpnu�[���PK;
�[��3�� �QCrypt.phpnu�[���PK<
�[�5P����hCryptPassword.phpnu�[���PK<
�[k�I�oKey.phpnu�[���PK<
�[݉�nn
vPassword/SimpleCryptPassword.phpnu�[���PK<
�[���
+
+
ÈREADME.mdnu�[���PK
H'�