function __checkBlowfish(){ global $error; if(!function_exists('crypt')){ $error[] = 'requires the PHP crypt() function. This system does not have it.'; }
if(!defined('CRYPT_BLOWFISH') || !CRYPT_BLOWFISH){ $error[] = 'requires the Blowfish option of the PHP crypt() function. This system does not have it.'; } }
function __generateSalt($cost=13){ global $error;
if(($random=__generateRandomString(22,true))===false) if(($random=__generateRandomString(22,false))===false) $error[] = 'Unable to generate random string.'; return sprintf('$2y$%02d$',$cost).strtr($random,array('_'=>'.','~'=>'/')); }
function __generateRandomString($length,$cryptographicallyStrong=true){ if(($randomBytes=__generateRandomBytes($length+2,$cryptographicallyStrong))!==false) return strtr(substr(base64_encode($randomBytes),0,$length),array('+'=>'_','/'=>'~')); return false; }
// These calls are (supposed to be, according to PHP manual) safe even if // there is already an active session for the calling script. @session_start(); @session_regenerate_id();
$bytes=session_id(); if(!$bytes) return false;
// $bytes has 20 bytes of entropy but the session manager converts the binary // random bytes into something readable. We have to convert that back. // SHA-1 should do it without losing entropy. return sha1($bytes,true); }
function __generatePseudoRandomBlock(){ $bytes='';
if (function_exists('openssl_random_pseudo_bytes') && ($bytes=openssl_random_pseudo_bytes(512))!==false && strlen($bytes)>=512) { return substr($bytes,0,512); }
// On UNIX and UNIX-like operating systems the numerical values in `ps`, `uptime` and `iostat` // ought to be fairly unpredictable. Gather the non-zero digits from those. foreach(array('ps','uptime','iostat') as $command) { @exec($command,$commandResult,$retVal); if(is_array($commandResult) && !empty($commandResult) && $retVal==0) $bytes.=preg_replace('/[^1-9]/','',implode('',$commandResult)); }
// Gather the current time's microsecond part. Note: this is only a source of entropy on // the first call! If multiple calls are made, the entropy is only as much as the // randomness in the time between calls. $bytes.=substr(microtime(),2,6);
// Concatenate everything gathered, mix it with sha512. hash() is part of PHP core and // enabled by default but it can be disabled at compile time but we ignore that possibility here. return hash('sha512',$bytes,true); }