Permalink
Browse files

Improve random generation to only trust openssl if strong is true (wh…

…ich is still bad due to openssl, but better)
  • Loading branch information...
ircmaxell committed Aug 11, 2015
1 parent 402677b commit 1ecb013b51756effed3a3c446a314084b54c9916
Showing with 8 additions and 5 deletions.
  1. +8 −5 lib/password.php
View
@@ -108,22 +108,25 @@ function password_hash($password, $algo, array $options = array()) {
}
}
if (!$buffer_valid && function_exists('openssl_random_pseudo_bytes')) {
$buffer = openssl_random_pseudo_bytes($raw_salt_len);
if ($buffer) {
$strong = false;
$buffer = openssl_random_pseudo_bytes($raw_salt_len, $strong);
if ($buffer && $strong) {
$buffer_valid = true;
}
}
if (!$buffer_valid && @is_readable('/dev/urandom')) {
$file = fopen('/dev/urandom', 'r');
$read = PasswordCompat\binary\_strlen($buffer);
$read = 0;
$local_buffer = '';
while ($read < $raw_salt_len) {
$buffer .= fread($file, $raw_salt_len - $read);
$read = PasswordCompat\binary\_strlen($buffer);
$local_buffer .= fread($file, $raw_salt_len - $read);
$read = PasswordCompat\binary\_strlen($local_buffer);
}
fclose($file);
if ($read >= $raw_salt_len) {
$buffer_valid = true;
}
$buffer = str_pad($buffer, $raw_salt_len, "\0") ^ str_pad($local_buffer, $raw_salt_len, "\0");
}
if (!$buffer_valid || PasswordCompat\binary\_strlen($buffer) < $raw_salt_len) {
$buffer_length = PasswordCompat\binary\_strlen($buffer);

3 comments on commit 1ecb013

@GrahamCampbell

This comment has been minimized.

Contributor

GrahamCampbell replied Aug 11, 2015

This probably warrants a new patch release.

@ircmaxell

This comment has been minimized.

Owner

ircmaxell replied Aug 11, 2015

Yes. It will. I just want to get some people using it first before it's promoted to stable.

@GrahamCampbell

This comment has been minimized.

Contributor

GrahamCampbell replied Aug 11, 2015

Sure. :)

Please sign in to comment.