Permalink
Browse files

Switched random generators to use openssl if it's available

  • Loading branch information...
sergeychernyshev committed Dec 23, 2017
1 parent 84bac70 commit 1fe91bbcff6814cdf5bb728a25ce2d2a6116da91
Showing with 14 additions and 7 deletions.
  1. +5 −6 classes/User.php
  2. +9 −1 tools.php
View
@@ -633,7 +633,7 @@ public static function verifyEmailLinkCode($code, User $user = null) {
public function getEmailVerificationCode() {
$db = UserConfig::getDB();
$code = substr(base64_encode(mcrypt_create_iv(50, MCRYPT_DEV_URANDOM)), 0, 10);
$code = substr(base64_encode(UserTools::randomBytes(50)), 0, 10);
if ($stmt = $db->prepare('UPDATE u_users SET
email_verification_code = ?,
@@ -866,8 +866,8 @@ public static function createNew($name, $username, $email, $password) {
$user = null;
$salt = substr(base64_encode(mcrypt_create_iv(50, MCRYPT_DEV_URANDOM)), 0, 13);
;
$salt = substr(base64_encode(UserTools::randomBytes(50)), 0, 13);
$pass = sha1($salt . $password);
if ($stmt = $db->prepare("INSERT INTO u_users (regmodule, tos_version, name, username, email, pass, salt) VALUES ('userpass', ?, ?, ?, ?, ?, ?)")) {
@@ -1861,8 +1861,7 @@ public function getActivity($all, $pagenumber = 0, $perpage = 20) {
public function generateTemporaryPassword() {
$db = UserConfig::getDB();
$temppass = substr(base64_encode(mcrypt_create_iv(50, MCRYPT_DEV_URANDOM)), 0, 13);
;
$temppass = substr(base64_encode(UserTools::randomBytes(50)), 0, 13);
if ($stmt = $db->prepare('UPDATE u_users SET temppass = ?, temppasstime = now() WHERE id = ?')) {
if (!$stmt->bind_param('si', $temppass, $this->userid)) {
@@ -2565,7 +2564,7 @@ public function checkPass($password) {
public function setPass($password) {
$db = UserConfig::getDB();
$salt = substr(base64_encode(mcrypt_create_iv(50, MCRYPT_DEV_URANDOM)), 0, 13);
$salt = substr(base64_encode(UserTools::randomBytes(50)), 0, 13);
$pass = sha1($salt . $password);
if ($stmt = $db->prepare('UPDATE u_users SET pass = ?, salt = ? WHERE id = ?')) {
View
@@ -35,6 +35,14 @@ public static function spaceencode($string) {
return str_replace('+', '%20', urlencode($string));
}
public static function randomBytes($length) {
if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
} else {
return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
}
}
/**
* Prevents CSRF for all POST requests by comparing cookie and POST nonces.
*
@@ -81,7 +89,7 @@ public static function preventCSRF() {
$unused_nonces = $passed_nonces;
}
self::$CSRF_NONCE = base64_encode(mcrypt_create_iv(50, MCRYPT_DEV_URANDOM));
self::$CSRF_NONCE = base64_encode(self::randomBytes(50));
// adding new nonce in front
array_unshift($unused_nonces, self::$CSRF_NONCE);

0 comments on commit 1fe91bb

Please sign in to comment.