<?php
/**
* PrivateBin
*
* a zero-knowledge paste bin
*
* @link https://github.com/PrivateBin/PrivateBin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 1.1.1
*/
namespace PrivateBin;
/**
* Sjcl
*
* Provides SJCL validation function.
*/
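class Sjcl
{
    /**
     * SJCL validator
     *
     * Checks if a JSON string has the structure of an SJCL encrypted message.
     *
     * The input is untrusted: every field is type-checked before it is handed
     * to a string function, so a crafted document (for example an array or a
     * number in place of "iv") is rejected with false instead of raising a
     * warning or a TypeError. This is a structural check only; the final
     * compressibility test is a heuristic and does not prove that "ct" is
     * genuine ciphertext. The "adata" field is only required to be present.
     *
     * @access public
     * @static
     * @param  string $encoded JSON
     * @return bool true when all structural checks pass, false otherwise
     */
    public static function isValid($encoded)
    {
        $accepted_keys = array('iv', 'v', 'iter', 'ks', 'ts', 'mode', 'adata', 'cipher', 'salt', 'ct');

        // Make sure content is valid json
        $decoded = json_decode($encoded);
        if (is_null($decoded)) {
            return false;
        }
        $decoded = (array) $decoded;

        // Make sure no additional keys were added.
        if (count($decoded) !== count($accepted_keys)) {
            return false;
        }

        // Make sure all required fields are present.
        foreach ($accepted_keys as $k) {
            if (!array_key_exists($k, $decoded)) {
                return false;
            }
        }

        // The base64 fields must be JSON strings. Without this guard a nested
        // array/object reaches base64_decode() and strlen(), and a number is
        // silently coerced to a string and may pass as valid base64.
        foreach (array('iv', 'salt', 'ct') as $k) {
            if (!is_string($decoded[$k])) {
                return false;
            }
        }

        // Make sure some fields are base64 data (strict mode rejects any
        // character outside the base64 alphabet; an empty result is rejected).
        if (!base64_decode($decoded['iv'], true)) {
            return false;
        }
        if (!base64_decode($decoded['salt'], true)) {
            return false;
        }
        if (!($ct = base64_decode($decoded['ct'], true))) {
            return false;
        }

        // Make sure some fields have a reasonable size (measured on the
        // encoded string, not on the decoded bytes).
        if (strlen($decoded['iv']) > 24) {
            return false;
        }
        if (strlen($decoded['salt']) > 14) {
            return false;
        }

        // Make sure some fields contain no unsupported values.
        if (!(is_int($decoded['v']) || is_float($decoded['v'])) || (float) $decoded['v'] < 1) {
            return false;
        }
        // Lower bound only: any integer above 100 is accepted.
        if (!is_int($decoded['iter']) || $decoded['iter'] <= 100) {
            return false;
        }
        if (!in_array($decoded['ks'], array(128, 192, 256), true)) {
            return false;
        }
        if (!in_array($decoded['ts'], array(64, 96, 128), true)) {
            return false;
        }
        if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) {
            return false;
        }
        if ($decoded['cipher'] !== 'aes') {
            return false;
        }

        // Reject data if entropy is too low: payloads that deflate to
        // something shorter than themselves are treated as not encrypted.
        if (strlen($ct) > strlen(gzdeflate($ct))) {
            return false;
        }

        return true;
    }
}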