Skip to content

Support random_bytes() as an additional randomness source #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kerwus wants to merge 6 commits into
base: 1.0
Choose a base branch
from
Open

Support random_bytes() as an additional randomness source #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
19c6561
Updated code to use 'random_bytes' instead of 'mcrypt_create_iv'
Feb 28, 2019
12b684c
Updated code to use 'random_bytes' instead of 'mcrypt_create_iv'
Feb 28, 2019
85c9a3f
openbasedir error fix
Feb 28, 2019
41cfbb1
init
Feb 28, 2019
27e4a50
changed fopen to @fopen && replaced mcrypt_create_iv <<deprecated>> w…
Mar 1, 2019
e4b358d
changed fopen to @fopen && replaced mcrypt_create_iv <<deprecated>> w…
Mar 1, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions .idea/deployment.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions .idea/dictionaries/jonas.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions .idea/misc.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions .idea/vcs.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

206 changes: 206 additions & 0 deletions .idea/workspace.xml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 0 additions & 3 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,6 @@
"require-dev": {
"phpunit/phpunit": ">=4.0.0"
},
"suggest": {
"ext-mcrypt": "The mcrypt extension must be installed if /dev/urandom is not available."
},
"autoload": {
"psr-4": { "CouponCode\\": "src/" }
}
Expand Down
30 changes: 16 additions & 14 deletions src/CouponCode.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,22 +233,24 @@ protected function _normalize($string, array $options = []) {
return $string;
}

/**
* Generates a cryptographically secure sequence of bytes.
*
* @param integer $bytes Number of bytes to return.
* @return string
*/
/**
* Generates a cryptographically secure sequence of bytes.
*
* @param integer $bytes Number of bytes to return.
* @return string
* @throws Exception
*/
Copy link
Owner

@mariuswilms mariuswilms Mar 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't change the identation style

protected function _random($bytes) {
if (is_readable('/dev/urandom')) {
Copy link
Owner

@mariuswilms mariuswilms Mar 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you run into openbasedir issues with this line, than your openbasedir configuration needs to be changed as it is too strict. It is safe to generally include /dev/urandom.

$stream = fopen('/dev/urandom', 'rb');
$result = fread($stream, $bytes);
//if (is_readable('/dev/urandom')) {
if ($fh = @fopen('/dev/urandom', 'rb')) {
Copy link
Owner

@mariuswilms mariuswilms Mar 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Errors should not be surpressed.

$stream = fopen('/dev/urandom', 'rb');
$result = fread($stream, $bytes);

fclose($stream);
return $result;
}
if (function_exists('mcrypt_create_iv')) {
return mcrypt_create_iv($bytes, MCRYPT_DEV_RANDOM);
fclose($stream);
return $result;
}
if (function_exists('random_bytes')) {
return random_bytes($bytes);
Copy link
Owner

@mariuswilms mariuswilms Mar 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line will not be reachable unless the mcrypt extension is installed, which is not what you want. How about adding a similar block as a first possible source of randomness in our _random() method here? That'd come before the check for using /dev/urandom. Before being able to use random_bytes() check if the function is present, older PHP versions may not have it and we still want to support those.

}
throw new Exception("No source for generating a cryptographically secure seed found.");
}
Expand Down