Commit 6de36231 authored by webchick's avatar webchick

Issue #1929288 by ParisLiakos, Dave Reid: Move cryptographic functions to Crypt component.

parent aad2d4a6
<?php
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\Settings;
use Drupal\Component\Utility\String;
......@@ -1899,102 +1900,6 @@ function drupal_set_title($title = NULL, $output = CHECK_PLAIN) {
return $stored_title;
}
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random
* source.
*
* @param $count
* The number of characters (bytes) to return in the string.
*/
function drupal_random_bytes($count) {
// $random_state does not use drupal_static as it stores random bytes.
static $random_state, $bytes, $php_compatible;
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
if (!isset($random_state)) {
$random_state = print_r($_SERVER, TRUE);
if (function_exists('getmypid')) {
// Further initialize with the somewhat random PHP process ID.
$random_state .= getmypid();
}
$bytes = '';
}
if (strlen($bytes) < $count) {
// PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes()
// locking on Windows and rendered it unusable.
if (!isset($php_compatible)) {
$php_compatible = version_compare(PHP_VERSION, '5.3.4', '>=');
}
// /dev/urandom is available on many *nix systems and is considered the
// best commonly available pseudo-random source.
if ($fh = @fopen('/dev/urandom', 'rb')) {
// PHP only performs buffered reads, so in reality it will always read
// at least 4096 bytes. Thus, it costs nothing extra to read and store
// that much so as to speed any additional invocations.
$bytes .= fread($fh, max(4096, $count));
fclose($fh);
}
// openssl_random_pseudo_bytes() will find entropy in a system-dependent
// way.
elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) {
$bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through hash() prior to being rolled into $output, that the two hash()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while (strlen($bytes) < $count) {
$random_state = hash('sha256', microtime() . mt_rand() . $random_state);
$bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
}
}
$output = substr($bytes, 0, $count);
$bytes = substr($bytes, $count);
return $output;
}
/**
* Calculates a base-64 encoded, URL-safe sha-256 hmac.
*
* @param $data
* String to be validated with the hmac.
* @param $key
* A secret string key.
*
* @return
* A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function drupal_hmac_base64($data, $key) {
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
// Modify the hmac so it's safe to use in URLs.
return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Calculates a base-64 encoded, URL-safe sha-256 hash.
*
* @param $data
* String to be hashed.
*
* @return
* A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
* any = padding characters removed.
*/
function drupal_hash_base64($data) {
$hash = base64_encode(hash('sha256', $data, TRUE));
// Modify the hash so it's safe to use in URLs.
return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Generates a default anonymous $user object.
*
......@@ -2579,9 +2484,13 @@ function drupal_valid_test_ua($new_prefix = NULL) {
// The file properties add more entropy not easily accessible to others.
$key = drupal_get_hash_salt() . filectime(__FILE__) . fileinode(__FILE__);
$time_diff = REQUEST_TIME - $time;
// We cant use Crypt::hmacBase64() yet because this can be called in very
// early bootstrap when autoloader has not been initialized yet.
$test_hmac = base64_encode(hash_hmac('sha256', $check_string, $key, TRUE));
$test_hmac = strtr($test_hmac, array('+' => '-', '/' => '_', '=' => ''));
// Since we are making a local request a 5 second time window is allowed,
// and the HMAC must match.
if ($time_diff >= 0 && $time_diff <= 5 && $hmac == drupal_hmac_base64($check_string, $key)) {
if ($time_diff >= 0 && $time_diff <= 5 && $hmac == $test_hmac) {
$test_prefix = $prefix;
_drupal_load_test_overrides($test_prefix);
return $test_prefix;
......@@ -2644,7 +2553,7 @@ function drupal_generate_test_ua($prefix) {
// Generate a moderately secure HMAC based on the database credentials.
$salt = uniqid('', TRUE);
$check_string = $prefix . ';' . time() . ';' . $salt;
return $check_string . ';' . drupal_hmac_base64($check_string, $key);
return $check_string . ';' . Crypt::hmacBase64($check_string, $key);
}
/**
......
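Review bot: The HMAC check in drupal_valid_test_ua() still uses the loose `==` operator (`$hmac == $test_hmac`), which is neither type-strict nor constant-time for a value that apparently authenticates the test request. I would write `$hmac === $test_hmac` at minimum, and move to a constant-time comparison such as `hash_equals($test_hmac, $hmac)` once the minimum supported PHP version provides it. The two inlined lines duplicate Crypt::hmacBase64(), so the comment above them should say they must stay identical to it, e.g. `// Keep in sync with Crypt::hmacBase64(); it can't be called before the autoloader is initialized.` The same loose `==` is applied to Crypt::hashBase64() results in both loops of action_function_lookup(), where `===` would be the safer default. The body of drupal_valid_test_ua() starts and ends outside this hunk.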
<?php
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Cache\Cache;
use Symfony\Component\DependencyInjection\Container;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
......@@ -2874,7 +2875,7 @@ function drupal_build_css_cache($css) {
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
$filename = 'css_' . drupal_hash_base64($data) . '.css';
$filename = 'css_' . Crypt::hashBase64($data) . '.css';
// Create the css/ within the files folder.
$csspath = 'public://css';
$uri = $csspath . '/' . $filename;
......@@ -4453,7 +4454,7 @@ function drupal_build_js_cache($files) {
}
// Prefix filename to prevent blocking by firewalls which reject files
// starting with "ad*".
$filename = 'js_' . drupal_hash_base64($contents) . '.js';
$filename = 'js_' . Crypt::hashBase64($contents) . '.js';
// Create the js/ within the files folder.
$jspath = 'public://js';
$uri = $jspath . '/' . $filename;
......@@ -4521,7 +4522,7 @@ function drupal_json_decode($var) {
*/
function drupal_get_private_key() {
if (!($key = state()->get('system.private_key'))) {
$key = drupal_hash_base64(drupal_random_bytes(55));
$key = Crypt::randomStringHashed(55);
state()->set('system.private_key', $key);
}
return $key;
......@@ -4541,7 +4542,7 @@ function drupal_get_private_key() {
* @see drupal_get_hash_salt()
*/
function drupal_get_token($value = '') {
return drupal_hmac_base64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
return Crypt::hmacBase64($value, session_id() . drupal_get_private_key() . drupal_get_hash_salt());
}
/**
......
......@@ -5,6 +5,7 @@
* Functions for form and batch generation and processing.
*/
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Form\FormInterface;
use Drupal\Core\Form\BaseFormIdInterface;
......@@ -503,7 +504,7 @@ function drupal_rebuild_form($form_id, &$form_state, $old_form = NULL) {
$form['#build_id'] = $old_form['#build_id'];
}
else {
$form['#build_id'] = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
$form['#build_id'] = 'form-' . Crypt::hashBase64(uniqid(mt_rand(), TRUE) . mt_rand());
}
// #action defaults to request_uri(), but in case of Ajax and other partial
......@@ -1028,7 +1029,7 @@ function drupal_prepare_form($form_id, &$form, &$form_state) {
// @see drupal_build_form()
// @see drupal_rebuild_form()
if (!isset($form['#build_id'])) {
$form['#build_id'] = 'form-' . drupal_hash_base64(uniqid(mt_rand(), TRUE) . mt_rand());
$form['#build_id'] = 'form-' . Crypt::hashBase64(uniqid(mt_rand(), TRUE) . mt_rand());
}
$form['form_build_id'] = array(
'#type' => 'hidden',
......
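Review bot: Both `#build_id` assignments (in drupal_rebuild_form() and drupal_prepare_form()) hash only `uniqid(mt_rand(), TRUE) . mt_rand()`, so the identifier is no less predictable than the clock and the mt_rand() state; SHA-256 adds no entropy. Now that the Crypt component exists, `$form['#build_id'] = 'form-' . Crypt::randomStringHashed(55);` would draw from the same source as the private key and hash salt. The anonymous branch of drupal_session_initialize() has the same pattern (`session_id(Crypt::hashBase64(uniqid(mt_rand(), TRUE)))`), which its comment marks as a deliberate speed trade-off. Since Crypt::randomBytes() buffers at least 4096 bytes per /dev/urandom read, that cost is probably small enough to reconsider, e.g. `session_id(Crypt::randomStringHashed(55));`. Both form functions continue outside their hunks.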
<?php
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Config\FileStorage;
use Drupal\Core\DrupalKernel;
use Drupal\Core\CoreBundle;
......@@ -1140,11 +1142,11 @@ function install_settings_form_submit($form, &$form_state) {
// Update global settings array and save.
$settings['databases'] = (object) array(
'value' => array('default' => array('default' => $form_state['storage']['database'])),
'value' => array('default' => array('default' => $form_state['storage']['database'])),
'required' => TRUE,
);
$settings['drupal_hash_salt'] = (object) array(
'value' => drupal_hash_base64(drupal_random_bytes(55)),
'value' => Crypt::randomStringHashed(55),
'required' => TRUE,
);
......
......@@ -5,6 +5,7 @@
* API functions for installing modules and themes.
*/
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Database\Database;
use Drupal\Core\DrupalKernel;
use Drupal\locale\Gettext;
......@@ -445,7 +446,7 @@ function drupal_install_config_directories() {
// Add a randomized config directory name to settings.php, unless it was
// manually defined in the existing already.
if (empty($config_directories)) {
$config_directories_hash = drupal_hash_base64(drupal_random_bytes(55));
$config_directories_hash = Crypt::randomStringHashed(55);
$settings['config_directories'] = array(
CONFIG_ACTIVE_DIRECTORY => array(
'path' => (object) array(
......
......@@ -16,6 +16,8 @@
* data should instead be accessed via the $_SESSION superglobal.
*/
use Drupal\Component\Utility\Crypt;
/**
* Session handler assigned by session_set_save_handler().
*
......@@ -260,10 +262,10 @@ function drupal_session_initialize() {
// Less random sessions (which are much faster to generate) are used for
// anonymous users than are generated in drupal_session_regenerate() when
// a user becomes authenticated.
session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
session_id(Crypt::hashBase64(uniqid(mt_rand(), TRUE)));
if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
$insecure_session_name = substr(session_name(), 1);
$session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
$session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE));
$_COOKIE[$insecure_session_name] = $session_id;
}
}
......@@ -360,7 +362,7 @@ function drupal_session_regenerate() {
$old_insecure_session_id = $_COOKIE[$insecure_session_name];
}
$params = session_get_cookie_params();
$session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
$session_id = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55));
// If a session cookie lifetime is set, the session will expire
// $params['lifetime'] seconds from the current request. If it is not set,
// it will expire when the browser is closed.
......@@ -372,7 +374,7 @@ function drupal_session_regenerate() {
if (drupal_session_started()) {
$old_session_id = session_id();
}
session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55)));
session_id(Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55)));
if (isset($old_session_id)) {
$params = session_get_cookie_params();
......
<?php
/**
* @file
* Contains \Drupal\Component\Utility\Crypt.
*/
namespace Drupal\Component\Utility;
/**
* Utility class for cryptographically-secure string handling routines.
*/
class Crypt {
/**
* Returns a string of highly randomized bytes (over the full 8-bit range).
*
* This function is better than simply calling mt_rand() or any other built-in
* PHP function because it can return a long string of bytes (compared to < 4
* bytes normally from mt_rand()) and uses the best available pseudo-random
* source.
*
* @param int $count
* The number of characters (bytes) to return in the string.
*
* @return string
* A randomly generated string.
*/
public static function randomBytes($count) {
static $random_state, $bytes;
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
if (!isset($random_state)) {
$random_state = print_r($_SERVER, TRUE);
if (function_exists('getmypid')) {
// Further initialize with the somewhat random PHP process ID.
$random_state .= getmypid();
}
$bytes = '';
}
if (strlen($bytes) < $count) {
// /dev/urandom is available on many *nix systems and is considered the
// best commonly available pseudo-random source.
if ($fh = @fopen('/dev/urandom', 'rb')) {
// PHP only performs buffered reads, so in reality it will always read
// at least 4096 bytes. Thus, it costs nothing extra to read and store
// that much so as to speed any additional invocations.
$bytes .= fread($fh, max(4096, $count));
fclose($fh);
}
// openssl_random_pseudo_bytes() will find entropy in a system-dependent
// way.
elseif (function_exists('openssl_random_pseudo_bytes')) {
$bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
}
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
// through hash() prior to being rolled into $output, that the two hash()
// invocations are different, and that the extra input into the first one -
// the microtime() - is prepended rather than appended. This is to avoid
// directly leaking $random_state via the $output stream, which could
// allow for trivial prediction of further "random" numbers.
while (strlen($bytes) < $count) {
$random_state = hash('sha256', microtime() . mt_rand() . $random_state);
$bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
}
}
$output = substr($bytes, 0, $count);
$bytes = substr($bytes, $count);
return $output;
}
/**
* Calculates a base-64 encoded, URL-safe sha-256 hmac.
*
* @param string $data
* String to be validated with the hmac.
* @param string $key
* A secret string key.
*
* @return string
* A base-64 encoded sha-256 hmac, with + replaced with -, / with _ and
* any = padding characters removed.
*/
public static function hmacBase64($data, $key) {
$hmac = base64_encode(hash_hmac('sha256', $data, $key, TRUE));
// Modify the hmac so it's safe to use in URLs.
return strtr($hmac, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Calculates a base-64 encoded, URL-safe sha-256 hash.
*
* @param string $data
* String to be hashed.
*
* @return string
* A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
* any = padding characters removed.
*/
public static function hashBase64($data) {
$hash = base64_encode(hash('sha256', $data, TRUE));
// Modify the hash so it's safe to use in URLs.
return strtr($hash, array('+' => '-', '/' => '_', '=' => ''));
}
/**
* Generates a random, base-64 encoded, URL-safe, sha-256 hashed string.
*
* @param int $count
* The number of characters (bytes) of the string to be hashed.
*
* @return string
* A base-64 encoded sha-256 hash, with + replaced with -, / with _ and
* any = padding characters removed.
*
* @see \Drupal\Component\Utility\Crypt::randomBytes()
* @see \Drupal\Component\Utility\Crypt::hashBase64()
*/
public static function randomStringHashed($count) {
return static::hashBase64(static::randomBytes($count));
}
}
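Review bot: Crypt::randomBytes() degrades silently: if `fread()` on /dev/urandom returns nothing (openssl is then skipped, being an `elseif`), or `openssl_random_pseudo_bytes()` returns FALSE, the `while` loop fills the request from `microtime()`, `mt_rand()` and a state seeded with `print_r($_SERVER, TRUE)` plus the PID, with no signal to the caller. The class docblock ("cryptographically-secure") and the comment "a good set of pseudo-random bytes on any system" overstate that path, while callers in this commit use the output for the hash salt, private key, cron key and password-reset token. I would at least document the fallback in the `@return` text, e.g. `A randomly generated string; only as strong as the best source available on the host.`, and consider reporting when the fallback loop is entered. The removed drupal_random_bytes() guarded the openssl call with a PHP 5.3.4 version check that is dropped here without explanation; a line such as `// PHP >= 5.3.4 is assumed; earlier versions blocked in openssl_random_pseudo_bytes() on Windows.` would record why.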
......@@ -7,6 +7,8 @@
namespace Drupal\Component\Uuid;
use Drupal\Component\Utility\Crypt;
/**
* Generates a UUID v4 using PHP code.
*
......@@ -20,7 +22,7 @@ class Php implements UuidInterface {
* Implements Drupal\Component\Uuid\UuidInterface::generate().
*/
public function generate() {
$hex = substr(hash('sha256', drupal_random_bytes(16)), 0, 32);
$hex = substr(hash('sha256', Crypt::randomBytes(16)), 0, 32);
// The field names refer to RFC 4122 section 4.1.2.
$time_low = substr($hex, 0, 8);
......
......@@ -7,6 +7,8 @@
namespace Drupal\Core\Password;
use Drupal\Component\Utility\Crypt;
/**
* Secure password hashing functions based on the Portable PHP password
* hashing framework.
......@@ -109,7 +111,7 @@ protected function generateSalt() {
// We encode the final log2 iteration count in base 64.
$output .= static::$ITOA64[$this->countLog2];
// 6 bytes is the standard salt for a portable phpass hash.
$output .= $this->base64Encode(drupal_random_bytes(6), 6);
$output .= $this->base64Encode(Crypt::randomBytes(6), 6);
return $output;
}
......
......@@ -5,6 +5,8 @@
* This is the Actions module for executing stored actions.
*/
use Drupal\Component\Utility\Crypt;
/**
* @defgroup actions Actions
* @{
......@@ -280,7 +282,7 @@ function action_get_all_actions() {
function action_actions_map($actions) {
$actions_map = array();
foreach ($actions as $callback => $array) {
$key = drupal_hash_base64($callback);
$key = Crypt::hashBase64($callback);
$actions_map[$key]['callback'] = isset($array['callback']) ? $array['callback'] : $callback;
$actions_map[$key]['label'] = $array['label'];
$actions_map[$key]['type'] = $array['type'];
......@@ -306,7 +308,7 @@ function action_function_lookup($hash) {
// Check for a function name match.
$actions_list = action_list();
foreach ($actions_list as $function => $array) {
if (drupal_hash_base64($function) == $hash) {
if (Crypt::hashBase64($function) == $hash) {
return $function;
}
}
......@@ -314,7 +316,7 @@ function action_function_lookup($hash) {
// Must be a configurable action; check database.
$result = db_query("SELECT aid FROM {actions} WHERE parameters <> ''")->fetchAll(PDO::FETCH_ASSOC);
foreach ($result as $row) {
if (drupal_hash_base64($row['aid']) == $hash) {
if (Crypt::hashBase64($row['aid']) == $hash) {
$aid = $row['aid'];
break;
}
......
......@@ -6,6 +6,7 @@
namespace Drupal\action\Form;
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Form\FormInterface;
/**
......@@ -39,7 +40,7 @@ public function buildForm(array $form, array &$form_state, $action = NULL) {
$edit['action_label'] = $data->label;
$edit['action_type'] = $data->type;
$function = $data->callback;
$action = drupal_hash_base64($data->callback);
$action = Crypt::hashBase64($data->callback);
$params = unserialize($data->parameters);
if ($params) {
foreach ($params as $name => $val) {
......
......@@ -7,6 +7,7 @@
namespace Drupal\action\Tests;
use Drupal\Component\Utility\Crypt;
use Drupal\simpletest\WebTestBase;
/**
......@@ -39,7 +40,7 @@ function testActionConfiguration() {
// Make a POST request to admin/config/system/actions.
$edit = array();
$edit['action'] = drupal_hash_base64('action_goto_action');
$edit['action'] = Crypt::hashBase64('action_goto_action');
$this->drupalPost('admin/config/system/actions', $edit, t('Create'));
// Make a POST request to the individual action configuration page.
......@@ -47,7 +48,7 @@ function testActionConfiguration() {
$action_label = $this->randomName();
$edit['action_label'] = $action_label;
$edit['url'] = 'admin';
$this->drupalPost('admin/config/system/actions/configure/' . drupal_hash_base64('action_goto_action'), $edit, t('Save'));
$this->drupalPost('admin/config/system/actions/configure/' . Crypt::hashBase64('action_goto_action'), $edit, t('Save'));
// Make sure that the new complex action was saved properly.
$this->assertText(t('The action has been successfully saved.'), "Make sure we get a confirmation that we've successfully saved the complex action.");
......
<?php
use Drupal\Component\Utility\Crypt;
/**
* Implements hook_menu().
*/
......@@ -31,7 +33,7 @@ function aggregator_test_menu() {
*/
function aggregator_test_feed($use_last_modified = FALSE, $use_etag = FALSE) {
$last_modified = strtotime('Sun, 19 Nov 1978 05:00:00 GMT');
$etag = drupal_hash_base64($last_modified);
$etag = Crypt::hashBase64($last_modified);
$if_modified_since = isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ? strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE']) : FALSE;
$if_none_match = isset($_SERVER['HTTP_IF_NONE_MATCH']) ? stripslashes($_SERVER['HTTP_IF_NONE_MATCH']) : FALSE;
......
......@@ -5,6 +5,7 @@
* Administration page callbacks for the Book module.
*/
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Entity\EntityInterface;
/**
......@@ -117,7 +118,7 @@ function _book_admin_table(EntityInterface $node, &$form) {
$tree = book_menu_subtree_data($node->book);
$tree = array_shift($tree); // Do not include the book item itself.
if ($tree['below']) {
$hash = drupal_hash_base64(serialize($tree['below']));
$hash = Crypt::hashBase64(serialize($tree['below']));
// Store the hash value as a hidden form element so that we can detect
// if another user changed the book hierarchy.
$form['tree_hash'] = array(
......
......@@ -8,6 +8,7 @@
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Uuid\Uuid;
use Drupal\file\Plugin\Core\Entity\File;
use Drupal\image\Plugin\Core\Entity\ImageStyle;
......@@ -567,7 +568,7 @@ function image_style_deliver($style, $scheme) {
// Don't start generating the image if the derivative already exists or if
// generation is in progress in another thread.
$lock_name = 'image_style_deliver:' . $style->id() . ':' . drupal_hash_base64($image_uri);
$lock_name = 'image_style_deliver:' . $style->id() . ':' . Crypt::hashBase64($image_uri);
if (!file_exists($derivative_uri)) {
$lock_acquired = lock()->acquire($lock_name);
if (!$lock_acquired) {
......@@ -761,7 +762,7 @@ function image_style_url($style_name, $path) {
*/
function image_style_path_token($style_name, $uri) {
// Return the first eight characters.
return substr(drupal_hmac_base64($style_name . ':' . $uri, drupal_get_private_key() . drupal_get_hash_salt()), 0, 8);
return substr(Crypt::hmacBase64($style_name . ':' . $uri, drupal_get_private_key() . drupal_get_hash_salt()), 0, 8);
}
/**
......
......@@ -16,6 +16,7 @@
use Drupal\locale\StringDatabaseStorage;
use Drupal\locale\TranslationsStream;
use Drupal\Core\Database\Database;
use Drupal\Component\Utility\Crypt;
/**
* Regular expression pattern used to localize JavaScript strings.
......@@ -1276,7 +1277,7 @@ function _locale_rebuild_js($langcode = NULL) {
}
$data .= "'strings': " . drupal_json_encode($translations) . " };";
$data_hash = drupal_hash_base64($data);
$data_hash = Crypt::hashBase64($data);
}
// Construct the filepath where JS translation files are stored.
......
......@@ -7,6 +7,7 @@
namespace Drupal\simpletest;
use Drupal\Component\Utility\Crypt;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\DrupalKernel;
use Drupal\Core\Database\Database;
......@@ -657,7 +658,7 @@ protected function drupalUserIsLoggedIn($account) {
*/
protected function drupalGetToken($value = '') {
$private_key = drupal_get_private_key();
return drupal_hmac_base64($value, $this->session_id . $private_key);
return Crypt::hmacBase64($value, $this->session_id . $private_key);
}
/*
......
......@@ -7,6 +7,7 @@
namespace Drupal\system\Tests\Upgrade;
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Database\Database;
use Drupal\simpletest\WebTestBase;
use Exception;
......@@ -52,7 +53,7 @@ protected function prepareD8Session() {
// Generate and set a D7-compatible session cookie.
$this->curlInitialize();
$sid = drupal_hash_base64(uniqid(mt_rand(), TRUE) . drupal_random_bytes(55));
$sid = Crypt::hashBase64(uniqid(mt_rand(), TRUE) . Crypt::randomBytes(55));
curl_setopt($this->curlHandle, CURLOPT_COOKIE, rawurlencode(session_name()) . '=' . rawurlencode($sid));
// Force our way into the session of the child site.
......
<?php
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Database\Database;
/**
......@@ -531,7 +532,7 @@ function system_install() {
->save();
// Populate the cron key state variable.
$cron_key = drupal_hash_base64(drupal_random_bytes(55));
$cron_key = Crypt::randomStringHashed(55);
state()->set('system.cron_key', $cron_key);
}
......
......@@ -7,6 +7,7 @@
use Symfony\Component\HttpFoundation\JsonResponse;
use Drupal\Core\Template\Attribute;
use Drupal\Component\Utility\Crypt;
/**
* Implements hook_help().
......@@ -666,7 +667,7 @@ function _toolbar_get_subtree_hash() {
}
else {
$subtrees = toolbar_get_rendered_subtrees();
$hash = drupal_hash_base64(serialize($subtrees));
$hash = Crypt::hashBase64(serialize($subtrees));
cache('toolbar')->set($cid, $hash);
}
return $hash;
......
......@@ -6,6 +6,7 @@
*/
use Guzzle\Http\Exception\RequestException;
use Drupal\Component\Utility\Crypt;
/**
* Page callback: Checks for updates and displays the update status report.
......@@ -145,7 +146,7 @@ function _update_process_fetch_task($project) {
$success = FALSE;
$available = array();
$site_key = drupal_hmac_base64($base_url, drupal_get_private_key());
$site_key = Crypt::hmacBase64($base_url, drupal_get_private_key());
$url = _update_build_fetch_url($project, $site_key);
$fetch_url_base = _update_get_fetch_url_base($project);
$project_name = $project['name'];
......
<?php
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Database\Query\SelectInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\comment\Plugin\Core\Entity\Comment;
......@@ -1541,7 +1542,7 @@ function user_cancel_url($account, $options = array()) {
* A string that is safe for use in URLs and SQL statements.
*/
function user_pass_rehash($password, $timestamp, $login) {
return drupal_hmac_base64($timestamp . $login, drupal_get_hash_salt() . $password);
return Crypt::hmacBase64($timestamp . $login, drupal_get_hash_salt() . $password);
}
/**
......
......@@ -10,6 +10,7 @@
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Drupal\Component\Utility\Crypt;
/**
* Form builder; Request a password reset.
......@@ -129,7 +130,7 @@ function user_pass_reset($form, &$form_state, $uid, $timestamp, $hashed_pass, $a
watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $timestamp));
drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));
// Let the user's password be changed without the current password check.
$token = drupal_hash_base64(drupal_random_bytes(55));
$token = Crypt::randomStringHashed(55);
$_SESSION['pass_reset_' . $user->uid] = $token;
drupal_goto('user/' . $user->uid . '/edit', array('query' => array('pass-reset-token' => $token)));
}
......
<?php
/**
* @file
* Contains \Drupal\Tests\Component\Utility\CryptTest.
*/