From bea9a577a67087feb9ce40b55d80c315b08009b7 Mon Sep 17 00:00:00 2001 From: rugk Date: Wed, 10 Aug 2016 23:15:06 +0200 Subject: [PATCH] Use better random number generator #29 --- composer.json | 3 +- lib/Persistence/ServerSalt.php | 31 +++++++-------- tst/Persistence/ServerSaltTest.php | 20 ---------- vendor/composer/autoload_classmap.php | 22 +++++++++- vendor/composer/autoload_files.php | 4 +- vendor/composer/autoload_namespaces.php | 6 --- vendor/composer/autoload_static.php | 29 +++++++++++--- vendor/composer/installed.json | 53 ++++++++++++++++++++++++- 8 files changed, 117 insertions(+), 51 deletions(-) diff --git a/composer.json b/composer.json index ccad6bd..227e99c 100644 --- a/composer.json +++ b/composer.json @@ -18,7 +18,8 @@ } ], "require": { - "php": "^5.2.6 || ^7.0" + "php": "^5.2.6 || ^7.0", + "paragonie/random_compat": "^2.0" }, "require-dev": { "codacy/coverage": "dev-master", diff --git a/lib/Persistence/ServerSalt.php b/lib/Persistence/ServerSalt.php index a8a6614..70cc264 100644 --- a/lib/Persistence/ServerSalt.php +++ b/lib/Persistence/ServerSalt.php @@ -26,6 +26,15 @@ use Exception; */ class ServerSalt extends AbstractPersistence { + /** + * file where salt is saved to + * + * @access private + * @static + * @var string + */ + private static $_file = 'salt.php'; + /** * generated salt * @@ -44,16 +53,7 @@ class ServerSalt extends AbstractPersistence */ public static function generate() { - $randomSalt = ''; - if (function_exists('mcrypt_create_iv')) { - $randomSalt = bin2hex(mcrypt_create_iv(256, MCRYPT_DEV_URANDOM)); - } else { - // fallback to mt_rand() - - for ($i = 0; $i < 256; ++$i) { - $randomSalt .= base_convert(mt_rand(), 10, 16); - } - } + $randomSalt = bin2hex(random_bytes(256)); return $randomSalt; } 
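Review bot: The new `paragonie/random_compat` requirement is wired into the committed autoloader, but the library itself does not appear in this commit: the diffstat lists only `composer.json` and `vendor/composer/*` metadata, nothing under `vendor/paragonie/`. `autoload_files.php` and `autoload_static.php` both point at `paragonie/random_compat/lib/random.php`, so unless that file is added elsewhere a fresh checkout would fail when the autoloader includes it, and on PHP 5 `random_bytes()` would be undefined when `ServerSalt::generate()` runs. Either commit the vendored library together with the autoloader files, or stop committing `vendor/composer/` and install at deploy time. No `composer.lock` shows in the diffstat either, so the `^2.0` range is pinned only by the v2.0.2 reference recorded in `installed.json`.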
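Review bot: `generate()` now calls `random_bytes(256)` without documenting that it can throw; PHP 7 and the random_compat polyfill both raise an `Exception` when no secure random source is available. Failing closed is the right behaviour for a server salt, so no weaker fallback should be reintroduced; add `@throws Exception` to the docblock above `generate()` (it starts outside the hunk) so that callers such as `get()` know the failure propagates. The temporary is also unnecessary, `return bin2hex(random_bytes(256));` says the same thing. As a smaller style point, `$_file` never changes and would read better as a class constant than as a mutable static property.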
@@ -71,19 +71,18 @@ class ServerSalt extends AbstractPersistence return self::$_salt; } - $file = 'salt.php'; - if (self::_exists($file)) { - if (is_readable(self::getPath($file))) { - $items = explode('|', file_get_contents(self::getPath($file))); + if (self::_exists(self::$_file)) { + if (is_readable(self::getPath(self::$_file))) { + $items = explode('|', file_get_contents(self::getPath(self::$_file))); } if (!isset($items) || !is_array($items) || count($items) != 3) { - throw new Exception('unable to read file ' . self::getPath($file), 20); + throw new Exception('unable to read file ' . self::getPath(self::$_file), 20); } self::$_salt = $items[1]; } else { self::$_salt = self::generate(); self::_store( - $file, + self::$_file, '' ); } diff --git a/tst/Persistence/ServerSaltTest.php b/tst/Persistence/ServerSaltTest.php index 8533723..ecdc0f8 100644 --- a/tst/Persistence/ServerSaltTest.php +++ b/tst/Persistence/ServerSaltTest.php @@ -43,26 +43,6 @@ class ServerSaltTest extends PHPUnit_Framework_TestCase ServerSalt::setPath($this->_path); $salt = ServerSalt::get(); - // mcrypt mock - if (!function_exists('mcrypt_create_iv')) { - if (!defined('MCRYPT_DEV_URANDOM')) { - define('MCRYPT_DEV_URANDOM', 1); - } - function mcrypt_create_iv($int, $flag) - { - $randomSalt = ''; - for ($i = 0; $i < $int; ++$i) { - $randomSalt .= base_convert(mt_rand(), 10, 16); - } - // hex2bin requires an even length, pad if necessary - if (strlen($randomSalt) % 2) { - $randomSalt = '0' . $randomSalt; - } - return hex2bin($randomSalt); - } - $this->assertNotEquals($salt, ServerSalt::generate()); - } - // try setting a different path and resetting it ServerSalt::setPath($this->_otherPath); $this->assertNotEquals($salt, ServerSalt::get()); diff --git a/vendor/composer/autoload_classmap.php b/vendor/composer/autoload_classmap.php index 5936f84..3de58e9 100644 --- a/vendor/composer/autoload_classmap.php +++ b/vendor/composer/autoload_classmap.php 
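Review bot: The salt read back from disk is accepted after only a field-count check: `self::$_salt = $items[1];` runs whenever `explode('|', ...)` yields three parts, so a truncated or hand-edited salt file whose middle field is empty installs an empty salt without any error. Extend the guard to reject that case, for example `if (!isset($items) || !is_array($items) || count($items) !== 3 || $items[1] === '') {`. The exception thrown on the following line embeds the full path from `getPath()`; whether that message reaches clients depends on how the caller renders exceptions, which is not visible here. `get()` starts and ends outside this hunk.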
@@ -5,4 +5,24 @@ $vendorDir = dirname(dirname(__FILE__)); $baseDir = dirname($vendorDir); -return array(); +return array( + 'PrivateBin\\Configuration' => $baseDir . '/lib/Configuration.php', + 'PrivateBin\\Data\\AbstractData' => $baseDir . '/lib/Data/AbstractData.php', + 'PrivateBin\\Data\\Database' => $baseDir . '/lib/Data/Database.php', + 'PrivateBin\\Data\\Filesystem' => $baseDir . '/lib/Data/Filesystem.php', + 'PrivateBin\\Filter' => $baseDir . '/lib/Filter.php', + 'PrivateBin\\I18n' => $baseDir . '/lib/I18n.php', + 'PrivateBin\\Model' => $baseDir . '/lib/Model.php', + 'PrivateBin\\Model\\AbstractModel' => $baseDir . '/lib/Model/AbstractModel.php', + 'PrivateBin\\Model\\Paste' => $baseDir . '/lib/Model/Paste.php', + 'PrivateBin\\Persistence\\AbstractPersistence' => $baseDir . '/lib/Persistence/AbstractPersistence.php', + 'PrivateBin\\Persistence\\PurgeLimiter' => $baseDir . '/lib/Persistence/PurgeLimiter.php', + 'PrivateBin\\Persistence\\ServerSalt' => $baseDir . '/lib/Persistence/ServerSalt.php', + 'PrivateBin\\Persistence\\TrafficLimiter' => $baseDir . '/lib/Persistence/TrafficLimiter.php', + 'PrivateBin\\PrivateBin' => $baseDir . '/lib/PrivateBin.php', + 'PrivateBin\\Request' => $baseDir . '/lib/Request.php', + 'PrivateBin\\Sjcl' => $baseDir . '/lib/Sjcl.php', + 'PrivateBin\\View' => $baseDir . '/lib/View.php', + 'PrivateBin\\Vizhash16x16' => $baseDir . '/lib/Vizhash16x16.php', + 'PrivateBin\\model\\Comment' => $baseDir . '/lib/Model/Comment.php', +); diff --git a/vendor/composer/autoload_files.php b/vendor/composer/autoload_files.php index 5ca408a..4d80bcb 100644 --- a/vendor/composer/autoload_files.php +++ b/vendor/composer/autoload_files.php @@ -5,4 +5,6 @@ $vendorDir = dirname(dirname(__FILE__)); $baseDir = dirname($vendorDir); -return array(); +return array( + '5255c38a0faeba867671b61dfda6d864' => $vendorDir . '/paragonie/random_compat/lib/random.php', +); 
diff --git a/vendor/composer/autoload_namespaces.php b/vendor/composer/autoload_namespaces.php index 6ba5e59..b7fc012 100644 --- a/vendor/composer/autoload_namespaces.php +++ b/vendor/composer/autoload_namespaces.php @@ -6,10 +6,4 @@ $vendorDir = dirname(dirname(__FILE__)); $baseDir = dirname($vendorDir); return array( - 'Psr\\Log\\' => array($vendorDir . '/psr/log'), - 'Prophecy\\' => array($vendorDir . '/phpspec/prophecy/src'), - 'Guzzle\\Tests' => array($vendorDir . '/guzzle/guzzle/tests'), - 'Guzzle' => array($vendorDir . '/guzzle/guzzle/src'), - 'CodeClimate\\Component' => array($vendorDir . '/codeclimate/php-test-reporter/src'), - 'CodeClimate\\Bundle' => array($vendorDir . '/codeclimate/php-test-reporter/src'), ); diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php index bad7819..11fdcd9 100644 --- a/vendor/composer/autoload_static.php +++ b/vendor/composer/autoload_static.php @@ -6,7 +6,9 @@ namespace Composer\Autoload; class ComposerStaticInitDontChange { - public static $files = array (); + public static $files = array ( + '5255c38a0faeba867671b61dfda6d864' => __DIR__ . '/..' . '/paragonie/random_compat/lib/random.php', + ); public static $prefixLengthsPsr4 = array ( 'P' => 
@@ -22,16 +24,33 @@ class ComposerStaticInitDontChange ), ); - public static $prefixesPsr0 = array (); - - public static $classMap = array (); + public static $classMap = array ( + 'PrivateBin\\Configuration' => __DIR__ . '/../..' . '/lib/Configuration.php', + 'PrivateBin\\Data\\AbstractData' => __DIR__ . '/../..' . '/lib/Data/AbstractData.php', + 'PrivateBin\\Data\\Database' => __DIR__ . '/../..' . '/lib/Data/Database.php', + 'PrivateBin\\Data\\Filesystem' => __DIR__ . '/../..' . '/lib/Data/Filesystem.php', + 'PrivateBin\\Filter' => __DIR__ . '/../..' . '/lib/Filter.php', + 'PrivateBin\\I18n' => __DIR__ . '/../..' . '/lib/I18n.php', + 'PrivateBin\\Model' => __DIR__ . '/../..' . '/lib/Model.php', + 'PrivateBin\\Model\\AbstractModel' => __DIR__ . '/../..' . '/lib/Model/AbstractModel.php', + 'PrivateBin\\Model\\Paste' => __DIR__ . '/../..' . '/lib/Model/Paste.php', + 'PrivateBin\\Persistence\\AbstractPersistence' => __DIR__ . '/../..' . '/lib/Persistence/AbstractPersistence.php', + 'PrivateBin\\Persistence\\PurgeLimiter' => __DIR__ . '/../..' . '/lib/Persistence/PurgeLimiter.php', + 'PrivateBin\\Persistence\\ServerSalt' => __DIR__ . '/../..' . '/lib/Persistence/ServerSalt.php', + 'PrivateBin\\Persistence\\TrafficLimiter' => __DIR__ . '/../..' . '/lib/Persistence/TrafficLimiter.php', + 'PrivateBin\\PrivateBin' => __DIR__ . '/../..' . '/lib/PrivateBin.php', + 'PrivateBin\\Request' => __DIR__ . '/../..' . '/lib/Request.php', + 'PrivateBin\\Sjcl' => __DIR__ . '/../..' . '/lib/Sjcl.php', + 'PrivateBin\\View' => __DIR__ . '/../..' . '/lib/View.php', + 'PrivateBin\\Vizhash16x16' => __DIR__ . '/../..' . '/lib/Vizhash16x16.php', + 'PrivateBin\\model\\Comment' => __DIR__ . '/../..' . 
'/lib/Model/Comment.php', + ); public static function getInitializer(ClassLoader $loader) { return \Closure::bind(function () use ($loader) { $loader->prefixLengthsPsr4 = ComposerStaticInitDontChange::$prefixLengthsPsr4; $loader->prefixDirsPsr4 = ComposerStaticInitDontChange::$prefixDirsPsr4; - $loader->prefixesPsr0 = ComposerStaticInitDontChange::$prefixesPsr0; $loader->classMap = ComposerStaticInitDontChange::$classMap; }, null, ClassLoader::class); diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index fe51488..5bad253 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json @@ -1 +1,52 @@ -[] +[ + { + "name": "paragonie/random_compat", + "version": "v2.0.2", + "version_normalized": "2.0.2.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/088c04e2f261c33bed6ca5245491cfca69195ccf", + "reference": "088c04e2f261c33bed6ca5245491cfca69195ccf", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "time": "2016-04-03 06:00:07", + "type": "library", + "installation-source": "dist", + "autoload": { + "files": [ + "lib/random.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "pseudorandom", + "random" + ] + } +]