@tmcw
Created December 23, 2008 13:59
/**
 * This function generates an array with all the information required to
 * authenticate against Mollom. To prevent requests from being forged and
 * you from being impersonated, each request is signed with a hash computed
 * from a private key and a timestamp.
 *
 * Both the client and the server share the secret key that is used to
 * create the authentication hash based on a timestamp. They both hash
 * the timestamp with the secret key, and if the hashes match, the
 * authenticity of the message has been validated.
 *
 * To prevent someone from intercepting a (hash, timestamp) pair and
 * using it to impersonate a client, Mollom will reject the request
 * when the timestamp is more than 15 minutes off.
 *
 * Make sure your server's time is synchronized with the world clocks,
 * and that you don't share your private key with anyone else.
 */
function _mollom_authentication() {
  $public_key = variable_get('mollom_public_key', '');
  $private_key = variable_get('mollom_private_key', '');
  // Generate a timestamp according to the dateTime format (http://www.w3.org/TR/xmlschema-2/#dateTime),
  // e.g. 2008-12-23T13:59:00.000+0000. The escaped "\0" characters are literal zeros
  // standing in for milliseconds; the time is always in UTC:
  $time = gmdate("Y-m-d\TH:i:s.\\0\\0\\0O", time());
  // Generate a random nonce so that two requests signed in the same second still differ.
  // mt_rand() is not a cryptographic RNG; that is acceptable here only because the
  // nonce needs to be unique, not unpredictable (the secrecy rests on $private_key):
  $nonce = md5(mt_rand());
  // Calculate an HMAC-SHA1 according to RFC 2104 (http://www.ietf.org/rfc/rfc2104.txt):
  // the key is zero-padded to SHA-1's 64-byte block size and XORed with the outer
  // pad (0x5c) and the inner pad (0x36); the signed message is "time:nonce:private_key".
  // RFC 2104 hashes keys longer than 64 bytes first; this code assumes the key fits.
  $hash = base64_encode(
    pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x5c), 64))) .
      pack('H*', sha1((str_pad($private_key, 64, chr(0x00)) ^ (str_repeat(chr(0x36), 64))) .
        $time . ':' . $nonce . ':' . $private_key))))
  );
  // Store everything in an array. Elsewhere in the code, we'll add the
  // actual data before we pass it on to the XML-RPC library:
  $data = array();
  $data['public_key'] = $public_key;
  $data['time'] = $time;
  $data['hash'] = $hash;
  $data['nonce'] = $nonce;
  return $data;
}
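The scheme the comment block describes, written out in Python as an added example (this is not Mollom's or the Drupal module's code). The client side mirrors the four fields the PHP function returns; the server side is an assumed verifier that recomputes the HMAC, enforces the 15-minute window, compares in constant time, and additionally remembers nonces so that a captured (hash, timestamp, nonce) triple cannot be replayed within the window, which the timestamp check alone does not prevent. `gist_style_hmac_sha1` transcribes the hand-rolled pad/XOR construction from the PHP so it can be checked against the standard library and the RFC 2202 test vector. `PRIVATE_KEY`, `PUBLIC_KEY` and the `Verifier` class are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample credentials for the example; not real Mollom keys.
PRIVATE_KEY = b"example-private-key-not-real"
PUBLIC_KEY = "example-public-key"
MAX_SKEW = timedelta(minutes=15)            # the 15-minute window from the comment block
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.000%z"      # same layout as gmdate("Y-m-d\TH:i:s.\0\0\0O")


def gist_style_hmac_sha1(key: bytes, message: bytes) -> bytes:
    """The PHP's hand-rolled HMAC, step by step: zero-pad the key to SHA-1's
    64-byte block, XOR with the inner/outer pads, hash twice (assumes len(key) <= 64)."""
    padded = key.ljust(64, b"\x00")                     # str_pad($private_key, 64, chr(0x00))
    ipad = bytes(b ^ 0x36 for b in padded)              # inner pad
    opad = bytes(b ^ 0x5c for b in padded)              # outer pad
    inner = hashlib.sha1(ipad + message).digest()       # pack('H*', sha1(...)) of the inner hash
    return hashlib.sha1(opad + inner).digest()


def format_time(now: datetime) -> str:
    """W3C dateTime timestamp in UTC, e.g. 2008-12-23T13:59:00.000+0000."""
    return now.astimezone(timezone.utc).strftime(TIME_FORMAT)


def sign(private_key: bytes, time_str: str, nonce: str) -> str:
    """base64(HMAC-SHA1(private_key, "time:nonce:private_key")), the gist's message layout."""
    message = f"{time_str}:{nonce}:{private_key.decode()}".encode()
    return base64.b64encode(hmac.new(private_key, message, hashlib.sha1).digest()).decode()


def make_auth(private_key: bytes, public_key: str, now: datetime = None) -> dict:
    """Client side: the same four fields _mollom_authentication() returns."""
    if now is None:
        now = datetime.now(timezone.utc)
    time_str = format_time(now)
    nonce = secrets.token_hex(16)                        # 32 hex chars like md5(mt_rand()), from a CSPRNG
    return {"public_key": public_key, "time": time_str, "nonce": nonce,
            "hash": sign(private_key, time_str, nonce)}


class Verifier:
    """Server side (assumed behaviour, not Mollom's code): check the window, recompute
    the hash, and reject any nonce already accepted inside the window."""

    def __init__(self, private_key: bytes, max_skew: timedelta = MAX_SKEW):
        self.private_key = private_key                   # key looked up for the request's public_key
        self.max_skew = max_skew
        self.seen_nonces = {}                            # nonce -> timestamp it was accepted with

    def verify(self, auth: dict, now: datetime = None) -> tuple:
        if now is None:
            now = datetime.now(timezone.utc)
        try:
            ts = datetime.strptime(auth["time"], TIME_FORMAT)
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:                # "more than 15 minutes off"
            return False, "timestamp outside window"
        nonce = auth.get("nonce", "")
        expected = sign(self.private_key, auth["time"], nonce)
        if not hmac.compare_digest(expected, auth.get("hash", "")):   # constant-time compare
            return False, "bad hash"
        # Forget nonces older than the window; anything that old fails the time check anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[nonce] = ts
        return True, "ok"


def demo() -> dict:
    """Run the scenarios the comment block describes and report each verdict."""
    t0 = datetime(2008, 12, 23, 13, 59, tzinfo=timezone.utc)   # the gist's creation time
    server = Verifier(PRIVATE_KEY)
    auth = make_auth(PRIVATE_KEY, PUBLIC_KEY, now=t0)
    stale = make_auth(PRIVATE_KEY, PUBLIC_KEY, now=t0 - timedelta(minutes=16))
    return {
        "time": auth["time"],
        "fresh": server.verify(auth, now=t0 + timedelta(minutes=14)),
        "replay": server.verify(auth, now=t0 + timedelta(minutes=14, seconds=1)),
        "tampered": server.verify(dict(auth, hash="AAAA"), now=t0),
        "wrong_key": Verifier(b"some-other-key").verify(auth, now=t0),
        "stale": server.verify(stale, now=t0),
        "hand_rolled_matches_stdlib": gist_style_hmac_sha1(PRIVATE_KEY, b"t:n:k")
        == hmac.new(PRIVATE_KEY, b"t:n:k", hashlib.sha1).digest(),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The replay case is the one worth noticing: the PHP comment relies on the 15-minute window, so within that window a replayed request carries a perfectly valid hash and timestamp, and only the nonce cache distinguishes it from a fresh one.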