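/**
 * Builds the authentication fields for a Mollom XML-RPC request.
 *
 * Every request is signed with an HMAC-SHA1 (RFC 2104) over the request
 * timestamp and a random nonce, keyed with the site's private key. The
 * Mollom server shares that key, recomputes the hash, and rejects the request
 * when the hash does not match or the timestamp is more than 15 minutes off
 * its own clock. The window bounds how long an intercepted
 * (time, nonce, hash) triple can be replayed; the nonce is presumably there
 * so the server can refuse duplicates inside the window — confirm against
 * the API documentation before relying on that.
 *
 * Operational notes:
 * - Keep the server clock NTP-synchronised; skew larger than the window
 *   makes every request fail.
 * - The private key is a bearer secret: anyone holding it can sign requests
 *   as this site. Never log or transmit it; only the hash goes on the wire.
 * - This function does not validate configuration. An empty private key
 *   still "signs" the request, but with a key anyone knows, so the signature
 *   is forgeable.
 *
 * @return array
 *   Associative array with the keys 'public_key', 'time', 'hash' and
 *   'nonce'. The caller adds the request payload before handing the array
 *   to the XML-RPC library.
 */
function _mollom_authentication() {
  $public_key = variable_get('mollom_public_key', '');
  $private_key = variable_get('mollom_private_key', '');

  // Timestamp in the dateTime layout the API expects
  // (http://www.w3.org/TR/xmlschema-2/#dateTime), e.g. 2008-12-23T13:59:00.000+0000.
  // Single quotes keep "\0" as a literal backslash-zero (a gmdate() escape
  // for the digit 0) instead of the NUL byte it would be in double quotes.
  $time = gmdate('Y-m-d\TH:i:s.\0\0\0O', time());

  // 32-hex-character nonce. Use the CSPRNG where available (PHP 7+);
  // mt_rand() is predictable and should not feed anything security-adjacent.
  // The fallback keeps the original md5-shaped value on older runtimes.
  if (function_exists('random_bytes')) {
    $nonce = bin2hex(random_bytes(16));
  }
  else {
    $nonce = md5(uniqid(mt_rand(), TRUE));
  }

  // HMAC-SHA1 over "time:nonce:private_key", keyed with the private key.
  // The key appears in both the message and the key slot because that is
  // how the protocol defines the signed string, not as extra protection.
  // hash_hmac() replaces the hand-rolled ipad/opad construction: it yields
  // identical bytes for keys up to the 64-byte SHA-1 block size and, unlike
  // the manual version (whose string XOR silently truncated the key to 64
  // bytes), hashes longer keys first as RFC 2104 requires.
  $signed = $time . ':' . $nonce . ':' . $private_key;
  $hash = base64_encode(hash_hmac('sha1', $signed, $private_key, TRUE));

  return array(
    'public_key' => $public_key,
    'time' => $time,
    'hash' => $hash,
    'nonce' => $nonce,
  );
}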