mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-03-21 08:00:37 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'MDL-79679_upgrade-constant-time' of https://github.com/ziegenberg/moodle

Browse Source
This commit is contained in:
Jun Pataleta 2024-11-11 11:47:47 +08:00
commit 5b2b63c349
No known key found for this signature in database
GPG Key ID: F83510526D99E2C7
8 changed files with 301 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

195
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/Base32.php
View File

@ -1,8 +1,13 @@
<?php
declare(strict_types=1);
namespace ParagonIE\ConstantTime;
use InvalidArgumentException;
use RangeException;
use TypeError;
/**
* Copyright (c) 2016 - 2017 Paragon Initiative Enterprises.
* Copyright (c) 2016 - 2022 Paragon Initiative Enterprises.
* Copyright (c) 2014 Steve "Sc00bz" Thomas (steve at tobtu dot com)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
@ -35,13 +40,16 @@ abstract class Base32 implements EncoderInterface
/**
* Decode a Base32-encoded string into raw binary
*
* @param string $src
* @param string $encodedString
* @param bool $strictPadding
* @return string
*/
public static function decode($src, $strictPadding = \false)
{
return static::doDecode($src, \false, $strictPadding);
public static function decode(
#[\SensitiveParameter]
string $encodedString,
bool $strictPadding = false
): string {
return static::doDecode($encodedString, false, $strictPadding);
}
/**
@ -51,9 +59,26 @@ abstract class Base32 implements EncoderInterface
* @param bool $strictPadding
* @return string
*/
public static function decodeUpper($src, $strictPadding = \false)
{
return static::doDecode($src, \true, $strictPadding);
public static function decodeUpper(
#[\SensitiveParameter]
string $src,
bool $strictPadding = false
): string {
return static::doDecode($src, true, $strictPadding);
}
/**
* Encode into Base32 (RFC 4648)
*
* @param string $binString
* @return string
* @throws TypeError
*/
public static function encode(
#[\SensitiveParameter]
string $binString
): string {
return static::doEncode($binString, false, true);
}
/**
@ -61,21 +86,12 @@ abstract class Base32 implements EncoderInterface
*
* @param string $src
* @return string
* @throws TypeError
*/
public static function encode($src)
{
return static::doEncode($src, \false);
}
/**
* Encode into Base32 (RFC 4648)
*
* @param string $src
* @return string
* @throws \TypeError
*/
public static function encodeUnpadded($src)
{
public static function encodeUnpadded(
#[\SensitiveParameter]
string $src
): string {
return static::doEncode($src, false, false);
}
@ -84,10 +100,13 @@ abstract class Base32 implements EncoderInterface
*
* @param string $src
* @return string
* @throws TypeError
*/
public static function encodeUpper($src)
{
return static::doEncode($src, \true);
public static function encodeUpper(
#[\SensitiveParameter]
string $src
): string {
return static::doEncode($src, true, true);
}
/**
@ -95,10 +114,12 @@ abstract class Base32 implements EncoderInterface
*
* @param string $src
* @return string
* @throws \TypeError
* @throws TypeError
*/
public static function encodeUpperUnpadded($src)
{
public static function encodeUpperUnpadded(
#[\SensitiveParameter]
string $src
): string {
return static::doEncode($src, true, false);
}
@ -109,7 +130,7 @@ abstract class Base32 implements EncoderInterface
* @param int $src
* @return int
*/
protected static function decode5Bits($src)
protected static function decode5Bits(int $src): int
{
$ret = -1;
@ -131,7 +152,7 @@ abstract class Base32 implements EncoderInterface
* @param int $src
* @return int
*/
protected static function decode5BitsUpper($src)
protected static function decode5BitsUpper(int $src): int
{
$ret = -1;
@ -151,7 +172,7 @@ abstract class Base32 implements EncoderInterface
* @param int $src
* @return string
*/
protected static function encode5Bits($src)
protected static function encode5Bits(int $src): string
{
$diff = 0x61;
@ -170,7 +191,7 @@ abstract class Base32 implements EncoderInterface
* @param int $src
* @return string
*/
protected static function encode5BitsUpper($src)
protected static function encode5BitsUpper(int $src): string
{
$diff = 0x41;
@ -180,6 +201,35 @@ abstract class Base32 implements EncoderInterface
return \pack('C', $src + $diff);
}
/**
* @param string $encodedString
* @param bool $upper
* @return string
*/
public static function decodeNoPadding(
#[\SensitiveParameter]
string $encodedString,
bool $upper = false
): string {
$srcLen = Binary::safeStrlen($encodedString);
if ($srcLen === 0) {
return '';
}
if (($srcLen & 7) === 0) {
for ($j = 0; $j < 7 && $j < $srcLen; ++$j) {
if ($encodedString[$srcLen - $j - 1] === '=') {
throw new InvalidArgumentException(
"decodeNoPadding() doesn't tolerate padding"
);
}
}
}
return static::doDecode(
$encodedString,
$upper,
true
);
}
/**
* Base32 decoding
@ -188,9 +238,15 @@ abstract class Base32 implements EncoderInterface
* @param bool $upper
* @param bool $strictPadding
* @return string
*
* @throws TypeError
*/
protected static function doDecode($src, $upper = \false, $strictPadding = \true)
{
protected static function doDecode(
#[\SensitiveParameter]
string $src,
bool $upper = false,
bool $strictPadding = false
): string {
// We do this to reduce code duplication:
$method = $upper
? 'decode5BitsUpper'
@ -212,7 +268,7 @@ abstract class Base32 implements EncoderInterface
}
}
if (($srcLen & 7) === 1) {
throw new \RangeException(
throw new RangeException(
'Incorrect padding'
);
}
@ -225,14 +281,23 @@ abstract class Base32 implements EncoderInterface
$dest = '';
// Main loop (no padding):
for ($i = 0; $i + 8 <= $srcLen; $i += 8) {
/** @var array<int, int> $chunk */
$chunk = \unpack('C*', Binary::safeSubstr($src, $i, 8));
/** @var int $c0 */
$c0 = static::$method($chunk[1]);
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
/** @var int $c3 */
$c3 = static::$method($chunk[4]);
/** @var int $c4 */
$c4 = static::$method($chunk[5]);
/** @var int $c5 */
$c5 = static::$method($chunk[6]);
/** @var int $c6 */
$c6 = static::$method($chunk[7]);
/** @var int $c7 */
$c7 = static::$method($chunk[8]);
$dest .= \pack(
@ -247,15 +312,23 @@ abstract class Base32 implements EncoderInterface
}
// The last chunk, which may have padding:
if ($i < $srcLen) {
/** @var array<int, int> $chunk */
$chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i));
/** @var int $c0 */
$c0 = static::$method($chunk[1]);
if ($i + 6 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
/** @var int $c3 */
$c3 = static::$method($chunk[4]);
/** @var int $c4 */
$c4 = static::$method($chunk[5]);
/** @var int $c5 */
$c5 = static::$method($chunk[6]);
/** @var int $c6 */
$c6 = static::$method($chunk[7]);
$dest .= \pack(
@ -266,11 +339,19 @@ abstract class Base32 implements EncoderInterface
(($c4 << 7) | ($c5 << 2) | ($c6 >> 3)) & 0xff
);
$err |= ($c0 | $c1 | $c2 | $c3 | $c4 | $c5 | $c6) >> 8;
if ($strictPadding) {
$err |= ($c6 << 5) & 0xff;
}
} elseif ($i + 5 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
/** @var int $c3 */
$c3 = static::$method($chunk[4]);
/** @var int $c4 */
$c4 = static::$method($chunk[5]);
/** @var int $c5 */
$c5 = static::$method($chunk[6]);
$dest .= \pack(
@ -282,9 +363,13 @@ abstract class Base32 implements EncoderInterface
);
$err |= ($c0 | $c1 | $c2 | $c3 | $c4 | $c5) >> 8;
} elseif ($i + 4 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
/** @var int $c3 */
$c3 = static::$method($chunk[4]);
/** @var int $c4 */
$c4 = static::$method($chunk[5]);
$dest .= \pack(
@ -294,9 +379,15 @@ abstract class Base32 implements EncoderInterface
(($c3 << 4) | ($c4 >> 1) ) & 0xff
);
$err |= ($c0 | $c1 | $c2 | $c3 | $c4) >> 8;
if ($strictPadding) {
$err |= ($c4 << 7) & 0xff;
}
} elseif ($i + 3 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
/** @var int $c3 */
$c3 = static::$method($chunk[4]);
$dest .= \pack(
@ -305,8 +396,13 @@ abstract class Base32 implements EncoderInterface
(($c1 << 6) | ($c2 << 1) | ($c3 >> 4)) & 0xff
);
$err |= ($c0 | $c1 | $c2 | $c3) >> 8;
if ($strictPadding) {
$err |= ($c3 << 4) & 0xff;
}
} elseif ($i + 2 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
/** @var int $c2 */
$c2 = static::$method($chunk[3]);
$dest .= \pack(
@ -315,7 +411,11 @@ abstract class Base32 implements EncoderInterface
(($c1 << 6) | ($c2 << 1) ) & 0xff
);
$err |= ($c0 | $c1 | $c2) >> 8;
if ($strictPadding) {
$err |= ($c2 << 6) & 0xff;
}
} elseif ($i + 1 < $srcLen) {
/** @var int $c1 */
$c1 = static::$method($chunk[2]);
$dest .= \pack(
@ -323,6 +423,9 @@ abstract class Base32 implements EncoderInterface
(($c0 << 3) | ($c1 >> 2) ) & 0xff
);
$err |= ($c0 | $c1) >> 8;
if ($strictPadding) {
$err |= ($c1 << 6) & 0xff;
}
} else {
$dest .= \pack(
'C',
@ -331,8 +434,9 @@ abstract class Base32 implements EncoderInterface
$err |= ($c0) >> 8;
}
}
if ($err !== 0) {
throw new \RangeException(
$check = ($err === 0);
if (!$check) {
throw new RangeException(
'Base32::doDecode() only expects characters in the correct base32 alphabet'
);
}
@ -340,25 +444,31 @@ abstract class Base32 implements EncoderInterface
}
/**
* Base32 Decoding
* Base32 Encoding
*
* @param string $src
* @param bool $upper
* @param bool $pad
* @return string
* @throws TypeError
*/
protected static function doEncode($src, $upper = \false, $pad = \true)
{
protected static function doEncode(
#[\SensitiveParameter]
string $src,
bool $upper = false,
$pad = true
): string {
// We do this to reduce code duplication:
$method = $upper
? 'encode5BitsUpper'
: 'encode5Bits';
$dest = '';
$srcLen = Binary::safeStrlen($src);
// Main loop (no padding):
for ($i = 0; $i + 5 <= $srcLen; $i += 5) {
/** @var array<int, int> $chunk */
$chunk = \unpack('C*', Binary::safeSubstr($src, $i, 5));
$b0 = $chunk[1];
$b1 = $chunk[2];
@ -377,6 +487,7 @@ abstract class Base32 implements EncoderInterface
}
// The last chunk, which may have padding:
if ($i < $srcLen) {
/** @var array<int, int> $chunk */
$chunk = \unpack('C*', Binary::safeSubstr($src, $i, $srcLen - $i));
$b0 = $chunk[1];
if ($i + 3 < $srcLen) {
@ -427,4 +538,4 @@ abstract class Base32 implements EncoderInterface
}
return $dest;
}
}
}

54
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/Binary.php
View File

@ -1,8 +1,11 @@
<?php
declare(strict_types=1);
namespace ParagonIE\ConstantTime;
use TypeError;
/**
* Copyright (c) 2016 - 2017 Paragon Initiative Enterprises.
* Copyright (c) 2016 - 2022 Paragon Initiative Enterprises.
* Copyright (c) 2014 Steve "Sc00bz" Thomas (steve at tobtu dot com)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
@ -42,12 +45,16 @@ abstract class Binary
* @param string $str
* @return int
*/
public static function safeStrlen($str)
{
public static function safeStrlen(
#[\SensitiveParameter]
string $str
): int {
if (\function_exists('mb_strlen')) {
// mb_strlen in PHP 7.x can return false.
/** @psalm-suppress RedundantCast */
return (int) \mb_strlen($str, '8bit');
} else {
return (int) \strlen($str);
return \strlen($str);
}
}
@ -59,39 +66,28 @@ abstract class Binary
* @staticvar boolean $exists
* @param string $str
* @param int $start
* @param int $length
* @param ?int $length
* @return string
* @throws \TypeError
*
* @throws TypeError
*/
public static function safeSubstr(
$str,
$start = 0,
$length = \null
) {
if (\function_exists('mb_substr')) {
// mb_substr($str, 0, null, '8bit') returns an empty string on PHP
// 5.3, so we have to find the length ourselves.
if (\is_null($length)) {
if ($start >= 0) {
$length = self::safeStrlen($str) - $start;
} else {
$length = -$start;
}
}
// $length calculation above might result in a 0-length string
if ($length === 0) {
return '';
}
return \mb_substr($str, $start, $length, '8bit');
}
#[\SensitiveParameter]
string $str,
int $start = 0,
?int $length = null
): string {
if ($length === 0) {
return '';
}
// Unlike mb_substr(), substr() doesn't accept null for length
if (!is_null($length)) {
if (\function_exists('mb_substr')) {
return \mb_substr($str, $start, $length, '8bit');
}
// Unlike mb_substr(), substr() doesn't accept NULL for length
if ($length !== null) {
return \substr($str, $start, $length);
} else {
return \substr($str, $start);
}
}
}
}

14
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/EncoderInterface.php
View File

@ -1,8 +1,9 @@
<?php
declare(strict_types=1);
namespace ParagonIE\ConstantTime;
/**
* Copyright (c) 2016 - 2017 Paragon Initiative Enterprises.
* Copyright (c) 2016 - 2022 Paragon Initiative Enterprises.
* Copyright (c) 2014 Steve "Sc00bz" Thomas (steve at tobtu dot com)
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
@ -34,17 +35,18 @@ interface EncoderInterface
* Convert a binary string into a hexadecimal string without cache-timing
* leaks
*
* @param string $bin_string (raw binary)
* @param string $binString (raw binary)
* @return string
*/
public static function encode($bin_string);
public static function encode(string $binString): string;
/**
* Convert a binary string into a hexadecimal string without cache-timing
* leaks
*
* @param string $encoded_string
* @param string $encodedString
* @param bool $strictPadding Error on invalid padding
* @return string (raw binary)
*/
public static function decode($encoded_string);
}
public static function decode(string $encodedString, bool $strictPadding = false): string;
}

2
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/LICENSE.txt
View File

@ -1,6 +1,6 @@
The MIT License (MIT)
Copyright (c) 2016 Paragon Initiative Enterprises
Copyright (c) 2016 - 2022 Paragon Initiative Enterprises
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

88
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/README.md Normal file
View File

@ -0,0 +1,88 @@
# Constant-Time Encoding
[![Build Status](https://github.com/paragonie/constant_time_encoding/actions/workflows/ci.yml/badge.svg)](https://github.com/paragonie/constant_time_encoding/actions)
[![Static Analysis](https://github.com/paragonie/constant_time_encoding/actions/workflows/psalm.yml/badge.svg)](https://github.com/paragonie/constant_time_encoding/actions)
[![Latest Stable Version](https://poser.pugx.org/paragonie/constant_time_encoding/v/stable)](https://packagist.org/packages/paragonie/constant_time_encoding)
[![Latest Unstable Version](https://poser.pugx.org/paragonie/constant_time_encoding/v/unstable)](https://packagist.org/packages/paragonie/constant_time_encoding)
[![License](https://poser.pugx.org/paragonie/constant_time_encoding/license)](https://packagist.org/packages/paragonie/constant_time_encoding)
[![Downloads](https://img.shields.io/packagist/dt/paragonie/constant_time_encoding.svg)](https://packagist.org/packages/paragonie/constant_time_encoding)
Based on the [constant-time base64 implementation made by Steve "Sc00bz" Thomas](https://github.com/Sc00bz/ConstTimeEncoding),
this library aims to offer character encoding functions that do not leak
information about what you are encoding/decoding via processor cache
misses. Further reading on [cache-timing attacks](http://blog.ircmaxell.com/2014/11/its-all-about-time.html).
Our fork offers the following enhancements:
* `mbstring.func_overload` resistance
* Unit tests
* Composer- and Packagist-ready
* Base16 encoding
* Base32 encoding
* Uses `pack()` and `unpack()` instead of `chr()` and `ord()`
## PHP Version Requirements
Version 3 of this library should work on **PHP 8** or newer.
Version 2 of this library should work on **PHP 7** or newer. See [the v2.x branch](https://github.com/paragonie/constant_time_encoding/tree/v2.x).
For PHP 5 support, see [the v1.x branch](https://github.com/paragonie/constant_time_encoding/tree/v1.x).
If you are adding this as a dependency to a project intended to work on PHP 5 through 8.4, please set the required version to `^1|^2|^3`.
## How to Install
```sh
composer require paragonie/constant_time_encoding
```
## How to Use
```php
use ParagonIE\ConstantTime\Encoding;
// possibly (if applicable):
// require 'vendor/autoload.php';
$data = random_bytes(32);
echo Encoding::base64Encode($data), "\n";
echo Encoding::base32EncodeUpper($data), "\n";
echo Encoding::base32Encode($data), "\n";
echo Encoding::hexEncode($data), "\n";
echo Encoding::hexEncodeUpper($data), "\n";
```
Example output:
```
1VilPkeVqirlPifk5scbzcTTbMT2clp+Zkyv9VFFasE=
2VMKKPSHSWVCVZJ6E7SONRY3ZXCNG3GE6ZZFU7TGJSX7KUKFNLAQ====
2vmkkpshswvcvzj6e7sonry3zxcng3ge6zzfu7tgjsx7kukfnlaq====
d558a53e4795aa2ae53e27e4e6c71bcdc4d36cc4f6725a7e664caff551456ac1
D558A53E4795AA2AE53E27E4E6C71BDCC4D36CC4F6725A7E664CAFF551456AC1
```
If you only need a particular variant, you can just reference the
required class like so:
```php
use ParagonIE\ConstantTime\Base64;
use ParagonIE\ConstantTime\Base32;
$data = random_bytes(32);
echo Base64::encode($data), "\n";
echo Base32::encode($data), "\n";
```
Example output:
```
1VilPkeVqirlPifk5scbzcTTbMT2clp+Zkyv9VFFasE=
2vmkkpshswvcvzj6e7sonry3zxcng3ge6zzfu7tgjsx7kukfnlaq====
```
## Support Contracts
If your company uses this library in their products or services, you may be
interested in [purchasing a support contract from Paragon Initiative Enterprises](https://paragonie.com/enterprise).

24
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/composer.json
View File

@ -2,7 +2,18 @@
"name": "paragonie/constant_time_encoding",
"description": "Constant-time Implementations of RFC 4648 Encoding (Base-64, Base-32, Base-16)",
"keywords": [
"base64", "encoding", "rfc4648", "base32", "base16", "hex", "bin2hex", "hex2bin", "base64_encode", "base64_decode", "base32_encode", "base32_decode"
"base64",
"encoding",
"rfc4648",
"base32",
"base16",
"hex",
"bin2hex",
"hex2bin",
"base64_encode",
"base64_decode",
"base32_encode",
"base32_decode"
],
"license": "MIT",
"type": "library",
@ -26,15 +37,20 @@
"source": "https://github.com/paragonie/constant_time_encoding"
},
"require": {
"php": "^7"
"php": "^8"
},
"require-dev": {
"phpunit/phpunit": "^6",
"vimeo/psalm": "^0.3|^"
"phpunit/phpunit": "^9",
"vimeo/psalm": "^4|^5"
},
"autoload": {
"psr-4": {
"ParagonIE\\ConstantTime\\": "src/"
}
},
"autoload-dev": {
"psr-4": {
"ParagonIE\\ConstantTime\\Tests\\": "tests/"
}
}
}

10
admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime/readme_moodle.txt
View File

@ -1,17 +1,17 @@
Constant-Time Encoding 2.1.1
Constant-Time Encoding
--------------
https://github.com/paragonie/constant_time_encoding/releases/tag/v2.1.1
Instructions to import WebAuthn into Moodle:
Instructions to import Constant-Time Encoding into Moodle:
1. Download the latest release from https://github.com/paragonie/constant_time_encoding/releases/tag/vx.x.x
(choose "Source code")
2. Unzip the source code
3. Copy the following files from constant_time_encoding-x.x/lib/constant_time_encoding into admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime:
3. Copy the following files from constant_time_encoding-x.x/src into admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime:
1. Base32.php
2. Binary.php
3. EncoderInterface.php
4. Copy the following files from constant_time_encoding-x.x into admin/tool/mfa/factor/totp/extlib/ParagonIE/ConstantTime:
1. LICENSE
2. composer.json
2. README.md
3. composer.json

2
admin/tool/mfa/factor/totp/thirdpartylibs.xml
View File

@ -10,7 +10,7 @@
<library>
<location>extlib/ParagonIE/ConstantTime</location>
<name>Constant-Time Encoding</name>
<version>2.1.1</version>
<version>3.0.0</version>
<license>MIT</license>
<repository>https://github.com/paragonie/constant_time_encoding</repository>
</library>