8000 [5.0] Ensure openssl's vulnerable random generation is not used by GrahamCampbell · Pull Request #12764 · laravel/framework · GitHub
[go: up one dir, main page]
Skip to content

[5.0] Ensure openssl's vulnerable random generation is not used #12764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from Mar 18, 2016
Merged

[5.0] Ensure openssl's vulnerable random generation is not used #12764

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Ensure openssl's vulnerable random generation is not used
  • Loading branch information
@GrahamCampbell
GrahamCampbell committed Mar 17, 2016
commit b4ad9a2a4fe3499afda333f87fbc8491048bc8b9
1 change: 1 addition & 0 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
"monolog/monolog": "~1.11",
"mtdowling/cron-expression": "~1.0",
"nesbot/carbon": "~1.0",
"paragonie/random_compat": "~1.3",
"psy/psysh": "0.4.*",
"swiftmailer/swiftmailer": "~5.1",
"symfony/console": "2.6.*",
Expand Down
4 changes: 2 additions & 2 deletions src/Illuminate/Encryption/Encrypter.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
<?php namespace Illuminate\Encryption;

use Exception;
use Illuminate\Support\Str;
use Illuminate\Contracts\Encryption\DecryptException;
use Symfony\Component\Security\Core\Util\StringUtils;
use Symfony\Component\Security\Core\Util\SecureRandom;
use Illuminate\Contracts\Encryption\Encrypter as EncrypterContract;

class Encrypter implements EncrypterContract {
Expand Down Expand Up @@ -160,7 +160,7 @@ protected function getJsonPayload($payload)
*/
protected function validMac(array $payload)
{
$bytes = (new SecureRandom)->nextBytes(16);
$bytes = Str::randomBytes(16);

$calcMac = hash_hmac('sha256', $this->hash($payload['iv'], $payload['value']), $bytes, true);

Expand Down
1 change: 1 addition & 0 deletions src/Illuminate/Encryption/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
"ext-openssl": "*",
"illuminate/contracts": "5.0.*",
"illuminate/support": "5.0.*",
"paragonie/random_compat": "~1.3",
"symfony/security-core": "2.6.*"
},
"autoload": {
Expand Down
2 changes: 0 additions & 2 deletions src/Illuminate/Foundation/Console/Optimize/config.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,8 +187,6 @@
$basePath.'/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/ResponseHeaderBag.php',
$basePath.'/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Cookie.php',
$basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/StringUtils.php',
$basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/SecureRandomInterface.php',
$basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/SecureRandom.php',
$basePath.'/vendor/symfony/finder/Symfony/Component/Finder/SplFileInfo.php',
$basePath.'/vendor/symfony/finder/Symfony/Component/Finder/Expression/Regex.php',
$basePath.'/vendor/symfony/finder/Symfony/Component/Finder/Expression/ValueInterface.php',
Expand Down
24 changes: 1 addition & 23 deletions src/Illuminate/Support/Str.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
<?php namespace Illuminate\Support;

use RuntimeException;
use Stringy\StaticStringy;
use Illuminate\Support\Traits\Macroable;

Expand Down Expand Up @@ -208,8 +207,6 @@ public static function plural($value, $count = 2)
*
* @param int $length
* @return string
*
* @throws \RuntimeException
*/
public static function random($length = 16)
{
Expand All @@ -230,29 +227,10 @@ public static function random($length = 16)
*
* @param int $length
* @return string
*
* @throws \RuntimeException
*/
public static function randomBytes($length = 16)
{
if (function_exists('random_bytes'))
{
$bytes = random_bytes($length);
}
elseif (function_exists('openssl_random_pseudo_bytes'))
{
$bytes = openssl_random_pseudo_bytes($length, $strong);
if ($bytes === false || $strong === false)
{
throw new RuntimeException('Unable to generate random string.');
}
}
else
{
throw new RuntimeException('OpenSSL extension is required for PHP 5 users.');
}

return $bytes;
return random_bytes($length);
}

/**
Expand Down
3 changes: 2 additions & 1 deletion src/Illuminate/Support/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@
"ext-mbstring": "*",
"illuminate/contracts": "5.0.*",
"doctrine/inflector": "~1.0",
"danielstjules/stringy": "~1.8"
"danielstjules/stringy": "~1.8",
"paragonie/random_compat": "~1.3"
},
"autoload": {
"psr-4": {
Expand Down
0