7 files changed, 151 insertions, 31 deletions

diff --git a/HISTORY b/HISTORY
index ea5fe089..5d6f635f 100644
--- a/HISTORY
+++ b/HISTORY
@@ -5,6 +5,10 @@ BUG: Issue #413 - TActiveDatePicker does not fire TCallbackClientSide's events (
 BUG: Issue #414 - ActiveDatagrid's pager does not fire TCallbackClientSide's events (ctrlaltca)
 BUG: Issue #415 - prado-cli throws an error if the application is making use of THttpSession (ctrlaltca)
 
+EHN: Permit to change the default cipher in TSecurityManager::setEncryption(); changed the default cipher from 3DES to AES256 (ctrlaltca)
+EHN: Use php's hash_hmac() when available in TSecurityManager, and permit the use of all algorithms supported by php (ctrlaltca)
+EHN: Use mbstring when available in TSecurityManager to better handle multibyte text (ctrlaltca)
+
 Version 3.2.0 Jun 25, 2012
 BUG: Fixed an inconsistency in TRegularExpressionValidator
 ENH: Update TDraggable::revert property to accept "failure" value (Christophe)
diff --git a/UPGRADE b/UPGRADE
index fe7d1028..0212a540 100644
--- a/UPGRADE
+++ b/UPGRADE
@@ -9,6 +9,14 @@ if you want to upgrade from version A to version C and there is
 version B between A and C, you need to following the instructions
 for both A and B.
 
+Upgrading from v3.2.0
+---------------------
+- The TSecurityManagerValidationMode class and TSecurityManager's Validation property have been deprecated.
+  Instead, use the new TSecurityManager's HashAlgorithm property that permits the use of any hashing
+  algorithm supported by the local php installation.
+- TSecurityManager's Encryption property has been deprecated (it was unusable). Instead, use the new
+  CryptAlgorithm property that permites the use of any algorithm supported by the local php installation.
+
 Upgrading from v3.1.10
 ---------------------
 - Prado 3.2 requires PHP >= 5.3.3 
diff --git a/framework/Exceptions/messages/messages.txt b/framework/Exceptions/messages/messages.txt
index cc72d6a2..69fd89fc 100644
--- a/framework/Exceptions/messages/messages.txt
+++ b/framework/Exceptions/messages/messages.txt
@@ -53,6 +53,7 @@ appconfig_tag_invalid					= Application configuration cannot contain element <{0
 securitymanager_validationkey_invalid	= TSecurityManager.ValidationKey must not be empty.
 securitymanager_encryptionkey_invalid	= TSecurityManager.EncryptionKey must not be empty.
 securitymanager_mcryptextension_required = Mcrypt PHP extension is required in order to use TSecurityManager's encryption feature.
+securitymanager_mcryptextension_initfailed = TSecurityManager failed to initialize the mcrypt module.
 
 uri_format_invalid						= '{0}' is not a valid URI.
 
diff --git a/framework/Security/TSecurityManager.php b/framework/Security/TSecurityManager.php
index 89f1ff30..d5c43238 100644
--- a/framework/Security/TSecurityManager.php
+++ b/framework/Security/TSecurityManager.php
@@ -47,8 +47,9 @@ class TSecurityManager extends TModule
 
 	private $_validationKey = null;
 	private $_encryptionKey = null;
-	private $_validation = TSecurityManagerValidationMode::SHA1;
-	private $_encryption = 'rijndael-256';
+	private $_hashAlgorithm = 'sha1';
+	private $_cryptAlgorithm = 'rijndael-256';
+	private $_mbstring;
 
 	/**
 	 * Initializes the module.
@@ -57,6 +58,7 @@ class TSecurityManager extends TModule
 	 */
 	public function init($config)
 	{
+		$this->_mbstring=extension_loaded('mbstring');
 		$this->getApplication()->setSecurityManager($this);
 	}
 
@@ -65,7 +67,7 @@ class TSecurityManager extends TModule
 	 */
 	protected function generateRandomKey()
 	{
-		return rand().rand().rand().rand();
+		return sprintf('%08x%08x%08x%08x',mt_rand(),mt_rand(),mt_rand(),mt_rand());
 	}
 
 	/**
@@ -123,35 +125,79 @@ class TSecurityManager extends TModule
 	}
 
 	/**
-	 * @return TSecurityManagerValidationMode hashing algorithm used to generate HMAC. Defaults to TSecurityManagerValidationMode::SHA1.
+	 * This method has been deprecated since version 3.2.1.
+	 * Please use {@link getHashAlgorithm()} instead.
+	 * @return string hashing algorithm used to generate HMAC. Defaults to 'sha1'.
 	 */
 	public function getValidation()
 	{
-		return $this->_validation;
+		return $this->_hashAlgorithm;
 	}
 
 	/**
+	 * @return string hashing algorithm used to generate HMAC. Defaults to 'sha1'.
+	 */
+	public function getHashAlgorithm()
+	{
+		return $this->_hashAlgorithm;
+	}
+
+	/**
+	 * This method has been deprecated since version 3.2.1.
+	 * Please use {@link setHashAlgorithm()} instead.
 	 * @param TSecurityManagerValidationMode hashing algorithm used to generate HMAC.
 	 */
 	public function setValidation($value)
 	{
-		$this->_validation = TPropertyValue::ensureEnum($value, 'TSecurityManagerValidationMode');
+		$this->_hashAlgorithm = TPropertyValue::ensureEnum($value, 'TSecurityManagerValidationMode');
 	}
 
 	/**
-	 * @return string the algorithm used to encrypt/decrypt data. Defaults to 'rijndael-256'.
+	 * @param string hashing algorithm used to generate HMAC.
+	 */
+	public function setHashAlgorithm($value)
+	{
+		$this->_hashAlgorithm = TPropertyValue::ensureString($value);
+	}
+
+	/**
+	 * This method has been deprecated since version 3.2.1.
+	 * Please use {@link getCryptAlgorithm()} instead.
+	 * @return string the algorithm used to encrypt/decrypt data.
 	 */
 	public function getEncryption()
 	{
-		return $this->_encryption;
+		if(is_string($this->_cryptAlgorithm))
+			return $this->_cryptAlgorithm;
+		// fake the pre-3.2.1 answer
+		return "3DES";
 	}
 
 	/**
-	 * @throws TNotSupportedException Do not call this method presently.
+	 * This method has been deprecated since version 3.2.1.
+	 * Please use {@link setCryptAlgorithm()} instead.
+	 * @param string cipther name
 	 */
 	public function setEncryption($value)
 	{
-		throw new TNotSupportedException('Currently only rijndael-256 encryption is supported');
+		$this->_cryptAlgorithm = $value;
+	}
+
+	/**
+	 * @return mixed the algorithm used to encrypt/decrypt data. Defaults to the string 'rijndael-256'.
+	 */
+	public function getCryptAlgorithm()
+	{
+		return $this->_cryptAlgorithm;
+	}
+
+	/**
+	 * Sets the crypt algorithm (also known as cipher or cypher) that will be used for {@link encrypt} and {@link decrypt}.
+	 * @param mixed either a string containing the cipther name or an array containing the full parameters to call mcrypt_module_open().
+	 */
+	public function setCryptAlgorithm($value)
+	{
+		$this->_cryptAlgorithm = $value;
 	}
 
 	/**
@@ -162,11 +208,8 @@ class TSecurityManager extends TModule
 	 */
 	public function encrypt($data)
 	{
-		if(!function_exists('mcrypt_encrypt'))
-			throw new TNotSupportedException('securitymanager_mcryptextension_required');
-
-		$module = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CBC, '');
-		$key = substr(md5($this->getEncryptionKey()), 0, mcrypt_enc_get_key_size($module));
+		$module=$this->openCryptModule();
+		$key = $this->substr(md5($this->getEncryptionKey()), 0, mcrypt_enc_get_key_size($module));
 		srand();
 		$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND);
 		mcrypt_generic_init($module, $key, $iv);
@@ -184,21 +227,41 @@ class TSecurityManager extends TModule
 	 */
 	public function decrypt($data)
 	{
-		if(!function_exists('mcrypt_decrypt'))
-			throw new TNotSupportedException('securitymanager_mcryptextension_required');
-		
-		$module = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CBC, '');
-		$key = substr(md5($this->getEncryptionKey()), 0, mcrypt_enc_get_key_size($module));
+		$module=$this->openCryptModule();
+		$key = $this->substr(md5($this->getEncryptionKey()), 0, mcrypt_enc_get_key_size($module));
 		$ivSize = mcrypt_enc_get_iv_size($module);
-		$iv = substr($data, 0, $ivSize);
+		$iv = $this->substr($data, 0, $ivSize);
 		mcrypt_generic_init($module, $key, $iv);
-		$decrypted = mdecrypt_generic($module, substr($data, $ivSize));
+		$decrypted = mdecrypt_generic($module, $this->substr($data, $ivSize));
 		mcrypt_generic_deinit($module);
 		mcrypt_module_close($module);
 		return $decrypted;
 	}
 
 	/**
+	 * Opens the mcrypt module with the configuration specified in {@link cryptAlgorithm}.
+	 * @return resource the mycrypt module handle.
+	 * @since 3.2.1
+	 */
+	protected function openCryptModule()
+	{
+		if(extension_loaded('mcrypt'))
+		{
+			if(is_array($this->_cryptAlgorithm))
+				$module=@call_user_func_array('mcrypt_module_open',$this->_cryptAlgorithm);
+			else
+				$module=@mcrypt_module_open($this->_cryptAlgorithm,'', MCRYPT_MODE_CBC,'');
+
+			if($module===false)
+				throw new TNotSupportedException('securitymanager_mcryptextension_initfailed');
+
+			return $module;
+		}
+		else
+			throw new TNotSupportedException('securitymanager_mcryptextension_required');
+	}
+
+	/**
 	 * Prefixes data with an HMAC.
 	 * @param string data to be hashed.
 	 * @return string data prefixed with HMAC
@@ -218,12 +281,13 @@ class TSecurityManager extends TModule
 	 */
 	public function validateData($data)
 	{
-		$len = 'SHA1' === $this->_validation ? 40 : 32;
-		if(strlen($data) < $len)
+		$len=$this->strlen($this->computeHMAC('test'));
+
+		if($this->strlen($data) < $len)
 			return false;
 
-		$hmac = substr($data, 0, $len);
-		$data2 = substr($data, $len);
+		$hmac = $this->substr($data, 0, $len);
+		$data2 = $this->substr($data, $len);
 		return $hmac === $this->computeHMAC($data2) ? $data2 : false;
 	}
 
@@ -234,21 +298,53 @@ class TSecurityManager extends TModule
 	 */
 	protected function computeHMAC($data)
 	{
-		if('SHA1' === $this->_validation) {
+		$key = $this->getValidationKey();
+
+		if(function_exists('hash_hmac'))
+			return hash_hmac($this->_hashAlgorithm, $data, $key);
+
+		if(!strcasecmp($this->_hashAlgorithm,'sha1'))
+		{
 			$pack = 'H40';
 			$func = 'sha1';
 		} else {
 			$pack = 'H32';
 			$func = 'md5';
 		}
-		$key = $this->getValidationKey();
 		$key = str_pad($func($key), 64, chr(0));
 		return $func((str_repeat(chr(0x5C), 64) ^ substr($key, 0, 64)) . pack($pack, $func((str_repeat(chr(0x36), 64) ^ substr($key, 0, 64)) . $data)));
 	}
+
+	/**
+	 * Returns the length of the given string.
+	 * If available uses the multibyte string function mb_strlen.
+	 * @param string $string the string being measured for length
+	 * @return int the length of the string
+	 */
+	private function strlen($string)
+	{
+		return $this->_mbstring ? mb_strlen($string,'8bit') : strlen($string);
+	}
+
+	/**
+	 * Returns the portion of string specified by the start and length parameters.
+	 * If available uses the multibyte string function mb_substr
+	 * @param string $string the input string. Must be one character or longer.
+	 * @param int $start the starting position
+	 * @param int $length the desired portion length
+	 * @return string the extracted part of string, or FALSE on failure or an empty string.
+	 */
+	private function substr($string,$start,$length)
+	{
+		return $this->_mbstring ? mb_substr($string,$start,$length,'8bit') : substr($string,$start,$length);
+	}
 }
 
 /**
  * TSecurityManagerValidationMode class.
+ *
+ * This class has been deprecated since version 3.2.1.
+ *
  * TSecurityManagerValidationMode defines the enumerable type for the possible validation modes
  * that can be used by {@link TSecurityManager}.
  *
diff --git a/framework/Web/UI/TPage.php b/framework/Web/UI/TPage.php
index c227562c..cc1a480a 100644
--- a/framework/Web/UI/TPage.php
+++ b/framework/Web/UI/TPage.php
@@ -1339,5 +1339,3 @@ class TPageStateFormatter
 		return null;

 	}

 }

-

-?>
\ No newline at end of file
diff --git a/requirements/index.php b/requirements/index.php
index 8e2bee08..6366b494 100644
--- a/requirements/index.php
+++ b/requirements/index.php
@@ -25,7 +25,6 @@
  * Its localized version is stored in template-<language code>.html.

  */

 

-// TO BE CONFIRMED: PHP 5.1.0 has problem with I18N and L10N

 /**

  * @var array List of requirements (required or not, check item, hint)

  */

@@ -121,6 +120,16 @@ $requirements = array(
 		'Mcrypt extension optional'),

 	array(

 		false,

+		extension_loaded("mbstring"),

+		'Mbstring extension check',

+		'Mbstring extension optional'),

+	array(

+		false,

+		extension_loaded("hash"),

+		'Hash extension check',

+		'Hash extension optional'),

+	array(

+		false,

 		extension_loaded("xsl"),

 		'XSL extension check',

 		'XSL extension optional'),

diff --git a/requirements/messages.txt b/requirements/messages.txt
index 9e9c595e..519fc239 100644
--- a/requirements/messages.txt
+++ b/requirements/messages.txt
@@ -19,6 +19,10 @@ ICONV extension check			= ICONV extension check
 ICONV extension optional		= ICONV extension is optional. If it is absent, some internationalization components may not work properly.

 Mcrypt extension check			= Mcrypt extension check

 Mcrypt extension optional		= Mcrypt extension is optional. If it is absent, sensitive data, such as viewstate, cannot be encrypted.

+Mbstring extension check		= Mbstring extension check

+Mbstring extension optional		= Mbstring extension is optional. If it is absent, prado will fallback using the not unicode-aware functions.

+Hash extension check			= Hash extension check

+Hash extension optional			= Hash extension is optional. If it is absent, only md5 and sha1 will be supported.

 XSL extension check			= XSL extension check

 XSL extension optional			= XSL extension is optional. If it is absent, you will not be able to use TXmlTransform.

 $_SERVER["HTTP_ACCEPT"] check		= $_SERVER["HTTP_ACCEPT"] check