From edd20387bec0223aa84c441d407f7dbec4d7fbab Mon Sep 17 00:00:00 2001
From: alandgri <30902862+alandgri@users.noreply.github.com>
Date: Mon, 25 May 2020 17:23:10 +0000
Subject: [PATCH] Use more secure random for generateRandomClue

Modify generateRandomClue to use a source of true randomness from the openssl series of cryptographic functions.
---
 code/rfc6238.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/code/rfc6238.php b/code/rfc6238.php
index 522665e..d9d719c 100644
--- a/code/rfc6238.php
+++ b/code/rfc6238.php
@@ -77,8 +77,10 @@ public static function generateRandomClue($length = 16) {
   		$b32 	= "234567QWERTYUIOPASDFGHJKLZXCVBNM";
   		$s 	= "";
 
+ 	$srand = openssl_random_pseudo_bytes($length, $strong);
+
       for ($i = 0; $i < $length; $i++)
-			  $s .= $b32[rand(0,31)];
+			   $s .= $b32[ord($srand[$i]) % 32];
 
         return $s;
     }
@@ -186,4 +188,4 @@ private static function oath_truncate($hash, $length = 6, $debug=false) {
       return $result;
 		}
 		
-	}
\ No newline at end of file
+	}