Merge pull request #8310 from cakephp/secure-random

2.x - Secure random
This commit is contained in:
Mark Story 2016-02-25 22:05:08 -05:00
commit 31b3f39b67
4 changed files with 46 additions and 2 deletions

View file

@ -534,7 +534,7 @@ class SecurityComponent extends Component {
}
return false;
}
$authKey = Security::generateAuthKey();
$authKey = hash('sha512', Security::randomBytes(16), false);
$token = array(
'key' => $authKey,
'allowedControllers' => $this->allowedControllers,

View file

@ -346,6 +346,7 @@ class MemcachedEngineTest extends CakeTestCase {
* @return void
*/
public function testSaslAuthException() {
$this->skipIf(version_compare(PHP_VERSION, '7.0.0', '>='));
$Memcached = new TestMemcachedEngine();
$settings = array(
'engine' => 'Memcached',

View file

@ -424,4 +424,16 @@ class SecurityTest extends CakeTestCase {
Security::decrypt($txt, $key);
}
/**
* Test the random method.
*
* @return void
*/
public function testRandomBytes() {
$value = Security::randomBytes(16);
$this->assertSame(16, strlen($value));
$value = Security::randomBytes(64);
$this->assertSame(64, strlen($value));
}
}

View file

@ -61,6 +61,7 @@ class Security {
* Generate authorization hash.
*
* @return string Hash
* @deprecated 2.8.1 This method was removed in 3.0.0
*/
public static function generateAuthKey() {
return Security::hash(CakeText::uuid());
@ -71,6 +72,7 @@ class Security {
*
* @param string $authKey Authorization hash
* @return bool Success
* @deprecated 2.8.1 This method was removed in 3.0.0
*/
public static function validateAuthKey($authKey) {
return true;
@ -166,6 +168,35 @@ class Security {
static::$hashCost = $cost;
}
/**
* Get random bytes from a secure source.
*
* This method will fall back to an insecure source an trigger a warning
* if it cannot find a secure source of random data.
*
* @param int $length The number of bytes you want.
* @return string Random bytes in binary.
*/
public static function randomBytes($length) {
if (function_exists('random_bytes')) {
return random_bytes($length);
}
if (function_exists('openssl_random_pseudo_bytes')) {
return openssl_random_pseudo_bytes($length);
}
trigger_error(
'You do not have a safe source of random data available. ' .
'Install either the openssl extension, or paragonie/random_compat. ' .
'Falling back to an insecure random source.',
E_USER_WARNING
);
$bytes = '';
while ($bytes < $length) {
$bytes .= static::hash(CakeText::uuid() . uniqid(mt_rand(), true), 'sha512', true);
}
return substr($bytes, 0, $length);
}
/**
* Runs $text through a XOR cipher.
*