[CORE] Use random_bytes() if available and improve common_confirmation_code() randomness.
With PHP 7 comes the [random_bytes()](https://php.net/manual/en/function.random-bytes.php) and the [random_int()](https://www.php.net/manual/en/function.random-int.php) function which generates cryptographically secure pseudo-random bytes and integers, respectively.
This commit is contained in:
Diogo Cordeiro
parent
f0f5ecb756
commit
d705bcbd98
|
|
@ -32,7 +32,7 @@ defined('GNUSOCIAL') || die();
|
|||
define('GNUSOCIAL_ENGINE', 'GNU social');
|
||||
define('GNUSOCIAL_ENGINE_URL', 'https://www.gnu.org/software/social/');
|
||||
|
||||
define('GNUSOCIAL_BASE_VERSION', '1.20.8');
|
||||
define('GNUSOCIAL_BASE_VERSION', '1.20.9');
|
||||
define('GNUSOCIAL_LIFECYCLE', 'release'); // 'dev', 'alpha[0-9]+', 'beta[0-9]+', 'rc[0-9]+', 'release'
|
||||
|
||||
define('GNUSOCIAL_VERSION', GNUSOCIAL_BASE_VERSION . '-' . GNUSOCIAL_LIFECYCLE);
|
||||
|
|
|
|||
33
lib/util.php
33
lib/util.php
|
|
@ -1744,13 +1744,7 @@ function common_random_rawstr($bytes)
|
|||
*/
|
||||
function common_random_hexstr($bytes)
|
||||
{
|
||||
$str = common_random_rawstr($bytes);
|
||||
|
||||
$hexstr = '';
|
||||
for ($i = 0; $i < $bytes; $i++) {
|
||||
$hexstr .= sprintf("%02x", ord($str[$i]));
|
||||
}
|
||||
return $hexstr;
|
||||
return bin2hex(random_bytes($bytes));
|
||||
}
|
||||
|
||||
function common_urandom($bytes)
|
||||
|
|
@ -2224,20 +2218,21 @@ function common_user_uri(&$user)
|
|||
false);
|
||||
}
|
||||
|
||||
// 36 alphanums - lookalikes (0, O, 1, I) = 32 chars = 5 bits
|
||||
|
||||
function common_confirmation_code($bits)
|
||||
{
|
||||
// 36 alphanums - lookalikes (0, O, 1, I) = 32 chars = 5 bits
|
||||
static $codechars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';
|
||||
/**
|
||||
* Generates cryptographically secure pseudo-random strings out of a allowed chars string
|
||||
*
|
||||
* @param $bits int strength of the confirmation code
|
||||
* @param $codechars allowed characters to be used in the confirmation code, by default we use 36 upper case
|
||||
* alphanums and remove lookalikes (0, O, 1, I) = 32 chars = 5 bits to make it easy for the user to type in
|
||||
* @return string confirmation_code of length $bits/5
|
||||
*/
|
||||
function common_confirmation_code($bits, $codechars = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ') {
|
||||
$chars = ceil($bits/5);
|
||||
$codechars_length = strlen($codechars)-1;
|
||||
$code = '';
|
||||
for ($i = 0; $i < $chars; $i++) {
|
||||
// XXX: convert to string and back
|
||||
$num = hexdec(common_random_hexstr(1));
|
||||
// XXX: randomness is too precious to throw away almost
|
||||
// 40% of the bits we get!
|
||||
$code .= $codechars[$num%32];
|
||||
for($i = 0; $i < $chars; ++$i) {
|
||||
$random_char = $codechars[random_int(0, $codechars_length)];
|
||||
$code .= $random_char;
|
||||
}
|
||||
return $code;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue