2010-12-05 01:18:19 +01:00
|
|
|
<?php
|
2016-06-23 01:37:22 +02:00
|
|
|
|
|
|
|
namespace SilverStripe\Security;
|
|
|
|
|
|
|
|
use Exception;
|
|
|
|
|
2010-12-05 01:18:19 +01:00
|
|
|
/**
|
|
|
|
* Generates entropy values based on strongest available methods
|
|
|
|
* (mcrypt_create_iv(), openssl_random_pseudo_bytes(), /dev/urandom, COM.CAPICOM.Utilities.1, mt_rand()).
|
|
|
|
* Chosen method depends on operating system and PHP version.
|
2014-08-15 08:53:05 +02:00
|
|
|
*
|
2012-04-12 08:02:46 +02:00
|
|
|
* @package framework
|
2010-12-05 01:18:19 +01:00
|
|
|
* @subpackage security
|
|
|
|
* @author Ingo Schommer
|
|
|
|
*/
|
|
|
|
class RandomGenerator {
|
|
|
|
|
|
|
|
/**
|
2010-12-05 05:41:49 +01:00
|
|
|
* Note: Returned values are not guaranteed to be crypto-safe,
|
|
|
|
* depending on the used retrieval method.
|
2014-08-15 08:53:05 +02:00
|
|
|
*
|
2010-12-05 01:18:19 +01:00
|
|
|
* @return string Returns a random series of bytes
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function generateEntropy() {
|
2010-12-05 05:41:49 +01:00
|
|
|
$isWin = preg_match('/WIN/', PHP_OS);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-05 05:41:49 +01:00
|
|
|
// TODO Fails with "Could not gather sufficient random data" on IIS, temporarily disabled on windows
|
|
|
|
if(!$isWin) {
|
2012-04-18 08:44:33 +02:00
|
|
|
if(function_exists('mcrypt_create_iv')) {
|
|
|
|
$e = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);
|
|
|
|
if($e !== false) return $e;
|
|
|
|
}
|
2010-12-05 01:18:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// Fall back to SSL methods - may slow down execution by a few ms
|
|
|
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
|
|
|
$e = openssl_random_pseudo_bytes(64, $strong);
|
|
|
|
// Only return if strong algorithm was used
|
|
|
|
if($strong) return $e;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read from the unix random number generator
|
2010-12-22 22:01:27 +01:00
|
|
|
if(!$isWin && !ini_get('open_basedir') && is_readable('/dev/urandom') && ($h = fopen('/dev/urandom', 'rb'))) {
|
2010-12-05 01:18:19 +01:00
|
|
|
$e = fread($h, 64);
|
|
|
|
fclose($h);
|
|
|
|
return $e;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Warning: Both methods below are considered weak
|
|
|
|
|
|
|
|
// try to read from the windows RNG
|
2010-12-05 05:41:49 +01:00
|
|
|
if($isWin && class_exists('COM')) {
|
2010-12-05 01:18:19 +01:00
|
|
|
try {
|
2016-06-23 01:37:22 +02:00
|
|
|
$comObj = new \COM('CAPICOM.Utilities.1');
|
2012-07-01 11:04:50 +02:00
|
|
|
|
|
|
|
if(is_callable(array($comObj,'GetRandom'))) {
|
|
|
|
return base64_decode($comObj->GetRandom(64, 0));
|
|
|
|
}
|
2010-12-05 01:18:19 +01:00
|
|
|
} catch (Exception $ex) {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Fallback to good old mt_rand()
|
|
|
|
return uniqid(mt_rand(), true);
|
|
|
|
}
|
2012-11-08 04:33:19 +01:00
|
|
|
|
2010-12-05 01:18:19 +01:00
|
|
|
/**
|
2012-11-08 04:33:19 +01:00
|
|
|
* Generates a random token that can be used for session IDs, CSRF tokens etc., based on
|
|
|
|
* hash algorithms.
|
|
|
|
*
|
2014-08-15 08:53:05 +02:00
|
|
|
* If you are using it as a password equivalent (e.g. autologin token) do NOT store it
|
2012-11-08 04:33:19 +01:00
|
|
|
* in the database as a plain text but encrypt it with Member::encryptWithUserSettings.
|
2014-08-15 08:53:05 +02:00
|
|
|
*
|
2010-12-05 01:18:19 +01:00
|
|
|
* @param String $algorithm Any identifier listed in hash_algos() (Default: whirlpool)
|
2012-11-08 04:33:19 +01:00
|
|
|
*
|
2010-12-05 01:18:19 +01:00
|
|
|
* @return String Returned length will depend on the used $algorithm
|
|
|
|
*/
|
2012-11-08 04:33:19 +01:00
|
|
|
public function randomToken($algorithm = 'whirlpool') {
|
2010-12-05 01:18:19 +01:00
|
|
|
return hash($algorithm, $this->generateEntropy());
|
2012-11-08 04:33:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|