From f51ee90c66527fd7ff634f3e8d414cb670da068d Mon Sep 17 00:00:00 2001 From: plegall Date: Tue, 26 Apr 2016 11:07:44 +0200 Subject: bug #470, use a dedicated lib to generate random bytes --- include/functions_session.inc.php | 37 ++-- include/random_compat/byte_safe_strings.php | 181 +++++++++++++++++++ include/random_compat/cast_to_int.php | 71 ++++++++ include/random_compat/error_polyfill.php | 42 +++++ include/random_compat/random.php | 197 +++++++++++++++++++++ include/random_compat/random_bytes_com_dotnet.php | 81 +++++++++ include/random_compat/random_bytes_dev_urandom.php | 148 ++++++++++++++++ include/random_compat/random_bytes_libsodium.php | 86 +++++++++ .../random_bytes_libsodium_legacy.php | 86 +++++++++ include/random_compat/random_bytes_mcrypt.php | 76 ++++++++ include/random_compat/random_int.php | 191 ++++++++++++++++++++ 11 files changed, 1170 insertions(+), 26 deletions(-) create mode 100644 include/random_compat/byte_safe_strings.php create mode 100644 include/random_compat/cast_to_int.php create mode 100644 include/random_compat/error_polyfill.php create mode 100644 include/random_compat/random.php create mode 100644 include/random_compat/random_bytes_com_dotnet.php create mode 100644 include/random_compat/random_bytes_dev_urandom.php create mode 100644 include/random_compat/random_bytes_libsodium.php create mode 100644 include/random_compat/random_bytes_libsodium_legacy.php create mode 100644 include/random_compat/random_bytes_mcrypt.php create mode 100644 include/random_compat/random_int.php diff --git a/include/functions_session.inc.php b/include/functions_session.inc.php index fe43bc570..0829bcfda 100644 --- a/include/functions_session.inc.php +++ b/include/functions_session.inc.php @@ -62,32 +62,17 @@ if (isset($conf['session_save_handler']) */ function generate_key($size) { - if ( - is_callable('openssl_random_pseudo_bytes') - and !(version_compare(PHP_VERSION, '5.3.4') < 0 and defined('PHP_WINDOWS_VERSION_MAJOR')) - ) - { - return substr( - str_replace( - array('+', '/'), - '', - base64_encode(openssl_random_pseudo_bytes($size+10)) - ), - 0, - $size - ); - } - else - { - $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; - $l = strlen($alphabet)-1; - $key = ''; - for ($i=0; $i<$size; $i++) - { - $key.= $alphabet[mt_rand(0, $l)]; - } - return $key; - } + include_once(PHPWG_ROOT_PATH.'include/random_compat/random.php'); + + return substr( + str_replace( + array('+', '/'), + '', + base64_encode(random_bytes($size+10)) + ), + 0, + $size + ); } /** diff --git a/include/random_compat/byte_safe_strings.php b/include/random_compat/byte_safe_strings.php new file mode 100644 index 000000000..dec5d3062 --- /dev/null +++ b/include/random_compat/byte_safe_strings.php @@ -0,0 +1,181 @@ + RandomCompat_strlen($binary_string)) { + return false; + } + + return mb_substr($binary_string, $start, $length, '8bit'); + } + + } else { + + /** + * substr() implementation that isn't brittle to mbstring.func_overload + * + * This version just uses the default substr() + * + * @param string $binary_string + * @param int $start + * @param int $length (optional) + * + * @throws TypeError + * + * @return string + */ + function RandomCompat_substr($binary_string, $start, $length = null) + { + if (!is_string($binary_string)) { + throw new TypeError( + 'RandomCompat_substr(): First argument should be a string' + ); + } + + if (!is_int($start)) { + throw new TypeError( + 'RandomCompat_substr(): Second argument should be an integer' + ); + } + + if ($length !== null) { + if (!is_int($length)) { + throw new TypeError( + 'RandomCompat_substr(): Third argument should be an integer, or omitted' + ); + } + + return substr($binary_string, $start, $length); + } + + return substr($binary_string, $start); + } + } +} diff --git a/include/random_compat/cast_to_int.php b/include/random_compat/cast_to_int.php new file mode 100644 index 000000000..f441c5d98 --- /dev/null +++ b/include/random_compat/cast_to_int.php @@ -0,0 +1,71 @@ + operators might accidentally let a float + * through. + * + * @param int|float $number The number we want to convert to an int + * @param boolean $fail_open Set to true to not throw an exception + * + * @return int (or float if $fail_open) + * + * @throws TypeError + */ + function RandomCompat_intval($number, $fail_open = false) + { + if (is_numeric($number)) { + $number += 0; + } + + if ( + is_float($number) + && + $number > ~PHP_INT_MAX + && + $number < PHP_INT_MAX + ) { + $number = (int) $number; + } + + if (is_int($number) || $fail_open) { + return $number; + } + + throw new TypeError( + 'Expected an integer.' + ); + } +} diff --git a/include/random_compat/error_polyfill.php b/include/random_compat/error_polyfill.php new file mode 100644 index 000000000..57cfefdcd --- /dev/null +++ b/include/random_compat/error_polyfill.php @@ -0,0 +1,42 @@ +GetRandom() + * 5. openssl_random_pseudo_bytes() (absolute last resort) + * + * See ERRATA.md for our reasoning behind this particular order + */ + if (extension_loaded('libsodium')) { + // See random_bytes_libsodium.php + if (PHP_VERSION_ID >= 50300 && function_exists('\\Sodium\\randombytes_buf')) { + require_once $RandomCompatDIR.'/random_bytes_libsodium.php'; + } elseif (method_exists('Sodium', 'randombytes_buf')) { + require_once $RandomCompatDIR.'/random_bytes_libsodium_legacy.php'; + } + } + + /** + * Reading directly from /dev/urandom: + */ + if (DIRECTORY_SEPARATOR === '/') { + // DIRECTORY_SEPARATOR === '/' on Unix-like OSes -- this is a fast + // way to exclude Windows. + $RandomCompatUrandom = true; + $RandomCompat_basedir = ini_get('open_basedir'); + + if (!empty($RandomCompat_basedir)) { + $RandomCompat_open_basedir = explode( + PATH_SEPARATOR, + strtolower($RandomCompat_basedir) + ); + $RandomCompatUrandom = (array() !== array_intersect( + array('/dev', '/dev/', '/dev/urandom'), + $RandomCompat_open_basedir + )); + $RandomCompat_open_basedir = null; + } + + if ( + !function_exists('random_bytes') + && + $RandomCompatUrandom + && + @is_readable('/dev/urandom') + ) { + // Error suppression on is_readable() in case of an open_basedir + // or safe_mode failure. All we care about is whether or not we + // can read it at this point. If the PHP environment is going to + // panic over trying to see if the file can be read in the first + // place, that is not helpful to us here. + + // See random_bytes_dev_urandom.php + require_once $RandomCompatDIR.'/random_bytes_dev_urandom.php'; + } + // Unset variables after use + $RandomCompat_basedir = null; + } else { + $RandomCompatUrandom = false; + } + + /** + * mcrypt_create_iv() + */ + if ( + !function_exists('random_bytes') + && + PHP_VERSION_ID >= 50307 + && + extension_loaded('mcrypt') + && + (DIRECTORY_SEPARATOR !== '/' || $RandomCompatUrandom) + ) { + // Prevent this code from hanging indefinitely on non-Windows; + // see https://bugs.php.net/bug.php?id=69833 + if ( + DIRECTORY_SEPARATOR !== '/' || + (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613) + ) { + // See random_bytes_mcrypt.php + require_once $RandomCompatDIR.'/random_bytes_mcrypt.php'; + } + } + $RandomCompatUrandom = null; + + if ( + !function_exists('random_bytes') + && + extension_loaded('com_dotnet') + && + class_exists('COM') + ) { + $RandomCompat_disabled_classes = preg_split( + '#\s*,\s*#', + strtolower(ini_get('disable_classes')) + ); + + if (!in_array('com', $RandomCompat_disabled_classes)) { + try { + $RandomCompatCOMtest = new COM('CAPICOM.Utilities.1'); + if (method_exists($RandomCompatCOMtest, 'GetRandom')) { + // See random_bytes_com_dotnet.php + require_once $RandomCompatDIR.'/random_bytes_com_dotnet.php'; + } + } catch (com_exception $e) { + // Don't try to use it. + } + } + $RandomCompat_disabled_classes = null; + $RandomCompatCOMtest = null; + } + + /** + * throw new Exception + */ + if (!function_exists('random_bytes')) { + /** + * We don't have any more options, so let's throw an exception right now + * and hope the developer won't let it fail silently. + */ + function random_bytes($length) + { + throw new Exception( + 'There is no suitable CSPRNG installed on your system' + ); + } + } + } + + if (!function_exists('random_int')) { + require_once $RandomCompatDIR.'/random_int.php'; + } + + $RandomCompatDIR = null; +} diff --git a/include/random_compat/random_bytes_com_dotnet.php b/include/random_compat/random_bytes_com_dotnet.php new file mode 100644 index 000000000..342282549 --- /dev/null +++ b/include/random_compat/random_bytes_com_dotnet.php @@ -0,0 +1,81 @@ +GetRandom($bytes, 0)); + if (RandomCompat_strlen($buf) >= $bytes) { + /** + * Return our random entropy buffer here: + */ + return RandomCompat_substr($buf, 0, $bytes); + } + ++$execCount; + } while ($execCount < $bytes); + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/include/random_compat/random_bytes_dev_urandom.php b/include/random_compat/random_bytes_dev_urandom.php new file mode 100644 index 000000000..db93b0757 --- /dev/null +++ b/include/random_compat/random_bytes_dev_urandom.php @@ -0,0 +1,148 @@ + 0); + + /** + * Is our result valid? + */ + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + /** + * Return our random entropy buffer here: + */ + return $buf; + } + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Error reading from source device' + ); +} diff --git a/include/random_compat/random_bytes_libsodium.php b/include/random_compat/random_bytes_libsodium.php new file mode 100644 index 000000000..f802d4e12 --- /dev/null +++ b/include/random_compat/random_bytes_libsodium.php @@ -0,0 +1,86 @@ + 2147483647) { + $buf = ''; + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= \Sodium\randombytes_buf($n); + } + } else { + $buf = \Sodium\randombytes_buf($bytes); + } + + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/include/random_compat/random_bytes_libsodium_legacy.php b/include/random_compat/random_bytes_libsodium_legacy.php new file mode 100644 index 000000000..44fddbf6f --- /dev/null +++ b/include/random_compat/random_bytes_libsodium_legacy.php @@ -0,0 +1,86 @@ + 2147483647) { + $buf = ''; + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= Sodium::randombytes_buf($n); + } + } else { + $buf = Sodium::randombytes_buf($bytes); + } + + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); +} diff --git a/include/random_compat/random_bytes_mcrypt.php b/include/random_compat/random_bytes_mcrypt.php new file mode 100644 index 000000000..7ac9d9105 --- /dev/null +++ b/include/random_compat/random_bytes_mcrypt.php @@ -0,0 +1,76 @@ + operators might accidentally let a float + * through. + */ + + try { + $min = RandomCompat_intval($min); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $min must be an integer' + ); + } + + try { + $max = RandomCompat_intval($max); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $max must be an integer' + ); + } + + /** + * Now that we've verified our weak typing system has given us an integer, + * let's validate the logic then we can move forward with generating random + * integers along a given range. + */ + if ($min > $max) { + throw new Error( + 'Minimum value must be less than or equal to the maximum value' + ); + } + + if ($max === $min) { + return $min; + } + + /** + * Initialize variables to 0 + * + * We want to store: + * $bytes => the number of random bytes we need + * $mask => an integer bitmask (for use with the &) operator + * so we can minimize the number of discards + */ + $attempts = $bits = $bytes = $mask = $valueShift = 0; + + /** + * At this point, $range is a positive number greater than 0. It might + * overflow, however, if $max - $min > PHP_INT_MAX. PHP will cast it to + * a float and we will lose some precision. + */ + $range = $max - $min; + + /** + * Test for integer overflow: + */ + if (!is_int($range)) { + + /** + * Still safely calculate wider ranges. + * Provided by @CodesInChaos, @oittaa + * + * @ref https://gist.github.com/CodesInChaos/03f9ea0b58e8b2b8d435 + * + * We use ~0 as a mask in this case because it generates all 1s + * + * @ref https://eval.in/400356 (32-bit) + * @ref http://3v4l.org/XX9r5 (64-bit) + */ + $bytes = PHP_INT_SIZE; + $mask = ~0; + + } else { + + /** + * $bits is effectively ceil(log($range, 2)) without dealing with + * type juggling + */ + while ($range > 0) { + if ($bits % 8 === 0) { + ++$bytes; + } + ++$bits; + $range >>= 1; + $mask = $mask << 1 | 1; + } + $valueShift = $min; + } + + /** + * Now that we have our parameters set up, let's begin generating + * random integers until one falls between $min and $max + */ + do { + /** + * The rejection probability is at most 0.5, so this corresponds + * to a failure probability of 2^-128 for a working RNG + */ + if ($attempts > 128) { + throw new Exception( + 'random_int: RNG is broken - too many rejections' + ); + } + + /** + * Let's grab the necessary number of random bytes + */ + $randomByteString = random_bytes($bytes); + if ($randomByteString === false) { + throw new Exception( + 'Random number generator failure' + ); + } + + /** + * Let's turn $randomByteString into an integer + * + * This uses bitwise operators (<< and |) to build an integer + * out of the values extracted from ord() + * + * Example: [9F] | [6D] | [32] | [0C] => + * 159 + 27904 + 3276800 + 201326592 => + * 204631455 + */ + $val = 0; + for ($i = 0; $i < $bytes; ++$i) { + $val |= ord($randomByteString[$i]) << ($i * 8); + } + + /** + * Apply mask + */ + $val &= $mask; + $val += $valueShift; + + ++$attempts; + /** + * If $val overflows to a floating point number, + * ... or is larger than $max, + * ... or smaller than $min, + * then try again. + */ + } while (!is_int($val) || $val > $max || $val < $min); + + return (int) $val; +} -- cgit v1.2.3