nextcloud/lib/public/Security/ISecureRandom.php

<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */
namespace OCP\Security;

/**
 * Class SecureRandom provides a wrapper around the random_int function to generate
 * secure random strings. For PHP 7 the native CSPRNG is used, older versions do
 * use a fallback.
 *
 * Usage:
 * \OCP\Server::get(ISecureRandom::class)->generate(10);
 *
 * @since 8.0.0
 */
interface ISecureRandom {
	/**
	 * Flags for characters that can be used for <code>generate($length, $characters)</code>
	 * @since 8.0.0
	 */
	public const CHAR_UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';

	/**
	 * @since 8.0.0
	 */
	public const CHAR_LOWER = 'abcdefghijklmnopqrstuvwxyz';

	/**
	 * @since 8.0.0
	 */
	public const CHAR_DIGITS = '0123456789';

	/**
	 * @since 8.0.0
	 */
	public const CHAR_SYMBOLS = '!\"#$%&\\\'()*+,-./:;<=>?@[\]^_`{|}~';

	/**
	 * @since 12.0.0
	 */
	public const CHAR_ALPHANUMERIC = self::CHAR_UPPER . self::CHAR_LOWER . self::CHAR_DIGITS;

	/**
	 * Characters that can be used for <code>generate($length, $characters)</code>, to
	 * generate human-readable random strings. Lower- and upper-case characters and digits
	 * are included. Characters which are ambiguous are excluded, such as I, l, and 1 and so on.
	 *
	 * @since 23.0.0
	 */
	public const CHAR_HUMAN_READABLE = 'abcdefgijkmnopqrstwxyzABCDEFGHJKLMNPQRSTWXYZ23456789';

	/**
	 * Generate a random string of specified length.
	 * @param int $length The length of the generated string
	 * @param string $characters An optional list of characters to use if no character list is
	 *                           specified all valid base64 characters are used.
	 * @return string
	 * @since 8.0.0
	 */
	public function generate(int $length,
		string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string;
}
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`<?php`
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2019-12-03 13:57:53 -05:00
Fix tests Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-14 05:33:53 -05:00			`declare(strict_types=1);`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-23 03:26:56 -04:00			`* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*/`
			`namespace OCP\Security;`

			`/**`
Use PHP polyfills 2015-12-11 00:17:47 -05:00			`* Class SecureRandom provides a wrapper around the random_int function to generate`
			`* secure random strings. For PHP 7 the native CSPRNG is used, older versions do`
			`* use a fallback.`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*`
			`* Usage:`
refactor: migrate from OC to OCP in public interfaces Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> 2025-05-14 18:19:38 -04:00			`* \OCP\Server::get(ISecureRandom::class)->generate(10);`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*`
Add @since tags to all methods in public namespace * enhance the app development experience - you can look up the method introduction right inside the code without searching via git blame * easier to write apps for multiple versions 2015-04-16 11:00:08 -04:00			`* @since 8.0.0`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*/`
			`interface ISecureRandom {`
Add char consts, hash the specified password for the HMAC 2014-09-03 05:03:27 -04:00			`/**`
			`* Flags for characters that can be used for <code>generate($length, $characters)</code>`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00			`* @since 8.0.0`
Add char consts, hash the specified password for the HMAC 2014-09-03 05:03:27 -04:00			`*/`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 10:54:27 -04:00			`public const CHAR_UPPER = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00
			`/**`
			`* @since 8.0.0`
			`*/`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 10:54:27 -04:00			`public const CHAR_LOWER = 'abcdefghijklmnopqrstuvwxyz';`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00
			`/**`
			`* @since 8.0.0`
			`*/`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 10:54:27 -04:00			`public const CHAR_DIGITS = '0123456789';`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00
			`/**`
			`* @since 8.0.0`
			`*/`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 10:54:27 -04:00			public const CHAR_SYMBOLS = '!\"#$%&\\\'()*+,-./:;<=>?@[\]^_`{\|}~';
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00
			`/**`
			`* @since 12.0.0`
			`*/`
Introduce ISecureRandom::CHAR_ALPHANUMERIC Signed-off-by: J0WI <J0WI@users.noreply.github.com> 2021-07-07 11:52:46 -04:00			`public const CHAR_ALPHANUMERIC = self::CHAR_UPPER . self::CHAR_LOWER . self::CHAR_DIGITS;`
Add char consts, hash the specified password for the HMAC 2014-09-03 05:03:27 -04:00
Increase device password entropy. Use lower- and upper-case characters and digits, but exclude ambiguous characters. The number of digits has also been increased to 25. Signed-off-by: Fabrizio Steiner <fabrizio.steiner@gmail.com> 2017-05-07 17:10:02 -04:00			`/**`
			`* Characters that can be used for <code>generate($length, $characters)</code>, to`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00			`* generate human-readable random strings. Lower- and upper-case characters and digits`
Increase device password entropy. Use lower- and upper-case characters and digits, but exclude ambiguous characters. The number of digits has also been increased to 25. Signed-off-by: Fabrizio Steiner <fabrizio.steiner@gmail.com> 2017-05-07 17:10:02 -04:00			`* are included. Characters which are ambiguous are excluded, such as I, l, and 1 and so on.`
fix(OCP): Add since tag for all constants Signed-off-by: Joas Schilling <coding@schilljs.com> 2024-02-14 14:48:27 -05:00			`*`
			`* @since 23.0.0`
Increase device password entropy. Use lower- and upper-case characters and digits, but exclude ambiguous characters. The number of digits has also been increased to 25. Signed-off-by: Fabrizio Steiner <fabrizio.steiner@gmail.com> 2017-05-07 17:10:02 -04:00			`*/`
Add visibility to all constants Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-04-10 10:54:27 -04:00			`public const CHAR_HUMAN_READABLE = 'abcdefgijkmnopqrstwxyzABCDEFGHJKLMNPQRSTWXYZ23456789';`
Increase device password entropy. Use lower- and upper-case characters and digits, but exclude ambiguous characters. The number of digits has also been increased to 25. Signed-off-by: Fabrizio Steiner <fabrizio.steiner@gmail.com> 2017-05-07 17:10:02 -04:00
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`/**`
			`* Generate a random string of specified length.`
Fix type annotation Obviously should be an int 2015-04-27 07:31:18 -04:00			`* @param int $length The length of the generated string`
Use native CSPRNG if available Unfortunately only PHP 7… 2015-11-06 10:24:26 -05:00			`* @param string $characters An optional list of characters to use if no character list is`
URLEncode logout attribute Otherwise logout can fail if the requesttoken contains a + 2015-02-13 05:35:12 -05:00			`* specified all valid base64 characters are used.`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`* @return string`
Add @since tags to all methods in public namespace * enhance the app development experience - you can look up the method introduction right inside the code without searching via git blame * easier to write apps for multiple versions 2015-04-16 11:00:08 -04:00			`* @since 8.0.0`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*/`
Strict ISecure random * Declare strict * Scalar arguments * Return type * Use fully qualified name for strlen Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2018-01-13 15:39:34 -05:00			`public function generate(int $length,`
			`string $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'): string;`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`}`