From bc2454aa797b98c8c7d33b75bc216eca908aca6f Mon Sep 17 00:00:00 2001
From: oittaa
Date: Mon, 3 Oct 2016 00:44:30 +0300
Subject: [PATCH 1/2] [CryptoHelper.php] use random_bytes() function
---
 app/Helpers/CryptoHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Helpers/CryptoHelper.php b/app/Helpers/CryptoHelper.php
index d8c61f2..f8e4366 100644
--- a/app/Helpers/CryptoHelper.php
+++ b/app/Helpers/CryptoHelper.php
@@ -3,7 +3,7 @@ namespace App\Helpers;
 class CryptoHelper {
 public static function generateRandomHex($rand_bytes_num) {
- $rand_bytes = openssl_random_pseudo_bytes($rand_bytes_num, $crypt_secure);
+ $rand_bytes = random_bytes($rand_bytes_num);
 return bin2hex($rand_bytes);
 }
 }
From 30886414a1b8305b50071996647429bba6326f02 Mon Sep 17 00:00:00 2001
From: Chaoyi Zha
Date: Sun, 2 Oct 2016 22:20:26 -0400
Subject: [PATCH 2/2] Explicitly require ^1.0.6 random_compat
---
 composer.json | 3 +-
 composer.lock | 12 +--
 vendor/composer/autoload_files.php | 2 +-
 vendor/composer/autoload_static.php | 2 +-
 vendor/composer/installed.json | 100 +++++++++---------
 vendor/paragonie/random_compat/CHANGELOG.md | 49 ++++++++-
 vendor/paragonie/random_compat/ERRATA.md | 4 +-
 vendor/paragonie/random_compat/lib/random.php | 26 +++--
 8 files changed, 129 insertions(+), 69 deletions(-)
diff --git a/composer.json b/composer.json
index d674253..c1a5c8b 100644
--- a/composer.json
+++ b/composer.json
@@ -9,7 +9,8 @@
 "laravel/lumen-framework": "5.1.*",
 "vlucas/phpdotenv": "~1.0",
 "illuminate/mail": "~5.1",
- "yajra/laravel-datatables-oracle": "~6.0"
+ "yajra/laravel-datatables-oracle": "~6.0",
+ "paragonie/random_compat": "^1.0.6"
 },
 "require-dev": {
 "fzaninotto/faker": "~1.0",
diff --git a/composer.lock b/composer.lock
index 14c37b3..ea11e1a 100644
--- a/composer.lock
+++ b/composer.lock
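Review bot: The new `random_bytes($rand_bytes_num)` line in `generateRandomHex` changes the failure mode from "silently weak" (the old call never checked `$crypt_secure`) to "throws", but nothing in the function documents that or validates `$rand_bytes_num`, and `random_bytes()` rejects a length below 1 with an exception rather than returning an empty string. Since every caller now depends on that fail-closed behaviour, I would add a docblock stating that the parameter is the number of random bytes (the returned hex string is twice that length), that it must be a positive integer, and that the method throws when no CSPRNG source is available, and guard the argument up front with `if (!is_int($rand_bytes_num) || $rand_bytes_num < 1) { throw new \InvalidArgumentException('byte count must be a positive integer'); }`. On PHP 5 this call only resolves through the random_compat polyfill's `lib/random.php`, which `vendor/composer/autoload_files.php` already lists, so the second patch's explicit requirement is what keeps this commit safe on its own.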
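Review bot: The added constraint `"paragonie/random_compat": "^1.0.6"` admits any 1.x release from 1.0.6 upward, while `composer.lock` in this same patch resolves to v1.4.1 and the vendored CHANGELOG hunk records that the mcrypt-hang avoidance (PHP bug 69833) arrived in 1.2.1/1.2.2 and the OpenSSL fallback was removed in 1.3.0 and restored in 1.4.0. With `random_bytes()` now called directly from CryptoHelper, a resolver on another branch could legitimately satisfy this range with a polyfill whose fallback behaviour differs from the one locked here. Unless the wide range is needed to coexist with another package's constraint, `"paragonie/random_compat": "^1.4.1"` would make the manifest state the minimum actually exercised.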
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "b5a3fc2934cddc65939bd467cd3def24", + "content-hash": "c9b3d1fae340ed50d76dbc8c5ec73ab2", "packages": [ { "name": "danielstjules/stringy", @@ -1860,16 +1860,16 @@ }, { "name": "paragonie/random_compat", - "version": "v1.2.0", + "version": "v1.4.1", "source": { "type": "git", "url": "https://github.com/paragonie/random_compat.git", - "reference": "b0e69d10852716b2ccbdff69c75c477637220790" + "reference": "c7e26a21ba357863de030f0b9e701c7d04593774" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/paragonie/random_compat/zipball/b0e69d10852716b2ccbdff69c75c477637220790", - "reference": "b0e69d10852716b2ccbdff69c75c477637220790", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/c7e26a21ba357863de030f0b9e701c7d04593774", + "reference": "c7e26a21ba357863de030f0b9e701c7d04593774", "shasum": "" }, "require": { @@ -1904,7 +1904,7 @@ "pseudorandom", "random" ], - "time": "2016-02-06 03:52:05" + "time": "2016-03-18 20:34:03" }, { "name": "phenx/php-font-lib", diff --git a/vendor/composer/autoload_files.php b/vendor/composer/autoload_files.php index 6125251..309641d 100644 --- a/vendor/composer/autoload_files.php +++ b/vendor/composer/autoload_files.php 
@@ -9,8 +9,8 @@ return array( '65fec9ebcfbb3cbb4fd0d519687aea01' => $vendorDir . '/danielstjules/stringy/src/Create.php', '72579e7bd17821bb1321b87411366eae' => $vendorDir . '/illuminate/support/helpers.php', '667aeda72477189d0494fecd327c3641' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php', - '5255c38a0faeba867671b61dfda6d864' => $vendorDir . '/paragonie/random_compat/lib/random.php', '2c102faa651ef8ea5874edb585946bce' => $vendorDir . '/swiftmailer/swiftmailer/lib/swift_required.php', + '5255c38a0faeba867671b61dfda6d864' => $vendorDir . '/paragonie/random_compat/lib/random.php', '253c157292f75eb38082b5acb06f3f01' => $vendorDir . '/nikic/fast-route/src/functions.php', 'f18cc91337d49233e5754e93f3ed9ec3' => $vendorDir . '/laravelcollective/html/src/helpers.php', 'bee9632da3ca00a99623b9c35d0c4f8b' => $vendorDir . '/laravel/lumen-framework/src/helpers.php', diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php index 09e9c63..d6bdd90 100644 --- a/vendor/composer/autoload_static.php +++ b/vendor/composer/autoload_static.php 
@@ -10,8 +10,8 @@ class ComposerStaticInit1022d009db9f708df68c1991f93b734b '65fec9ebcfbb3cbb4fd0d519687aea01' => __DIR__ . '/..' . '/danielstjules/stringy/src/Create.php', '72579e7bd17821bb1321b87411366eae' => __DIR__ . '/..' . '/illuminate/support/helpers.php', '667aeda72477189d0494fecd327c3641' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php', - '5255c38a0faeba867671b61dfda6d864' => __DIR__ . '/..' . '/paragonie/random_compat/lib/random.php', '2c102faa651ef8ea5874edb585946bce' => __DIR__ . '/..' . '/swiftmailer/swiftmailer/lib/swift_required.php', + '5255c38a0faeba867671b61dfda6d864' => __DIR__ . '/..' . '/paragonie/random_compat/lib/random.php', '253c157292f75eb38082b5acb06f3f01' => __DIR__ . '/..' . '/nikic/fast-route/src/functions.php', 'f18cc91337d49233e5754e93f3ed9ec3' => __DIR__ . '/..' . '/laravelcollective/html/src/helpers.php', 'bee9632da3ca00a99623b9c35d0c4f8b' => __DIR__ . '/..' . '/laravel/lumen-framework/src/helpers.php', diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json index 5ed17e8..50c5c69 100644 --- a/vendor/composer/installed.json +++ b/vendor/composer/installed.json 
@@ -2273,56 +2273,6 @@ "description": "Symfony DomCrawler Component", "homepage": "https://symfony.com" }, - { - "name": "paragonie/random_compat", - "version": "v1.2.0", - "version_normalized": "1.2.0.0", - "source": { - "type": "git", - "url": "https://github.com/paragonie/random_compat.git", - "reference": "b0e69d10852716b2ccbdff69c75c477637220790" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/paragonie/random_compat/zipball/b0e69d10852716b2ccbdff69c75c477637220790", - "reference": "b0e69d10852716b2ccbdff69c75c477637220790", - "shasum": "" - }, - "require": { - "php": ">=5.2.0" - }, - "require-dev": { - "phpunit/phpunit": "4.*|5.*" - }, - "suggest": { - "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." - }, - "time": "2016-02-06 03:52:05", - "type": "library", - "installation-source": "dist", - "autoload": { - "files": [ - "lib/random.php" - ] - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Paragon Initiative Enterprises", - "email": "security@paragonie.com", - "homepage": "https://paragonie.com" - } - ], - "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", - "keywords": [ - "csprng", - "pseudorandom", - "random" - ] - }, { "name": "symfony/security-core", "version": "v2.7.9", 
@@ -4314,5 +4264,55 @@ "laravel4", "laravel5" ] + }, + { + "name": "paragonie/random_compat", + "version": "v1.4.1", + "version_normalized": "1.4.1.0", + "source": { + "type": "git", + "url": "https://github.com/paragonie/random_compat.git", + "reference": "c7e26a21ba357863de030f0b9e701c7d04593774" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/paragonie/random_compat/zipball/c7e26a21ba357863de030f0b9e701c7d04593774", + "reference": "c7e26a21ba357863de030f0b9e701c7d04593774", + "shasum": "" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "time": "2016-03-18 20:34:03", + "type": "library", + "installation-source": "dist", + "autoload": { + "files": [ + "lib/random.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" + } + ], + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "pseudorandom", + "random" + ] } ] diff --git a/vendor/paragonie/random_compat/CHANGELOG.md b/vendor/paragonie/random_compat/CHANGELOG.md index f5f1927..0a1d694 100644 --- a/vendor/paragonie/random_compat/CHANGELOG.md +++ b/vendor/paragonie/random_compat/CHANGELOG.md 
@@ -1,4 +1,49 @@ -### Version 1.2.0 - 2015-02-05 +### Version 1.4.1 - 2016-03-18 + +Update comment in random.php + +### Version 1.4.0 - 2016-03-18 + +Restored OpenSSL in the version 1 branch in preparation to remove +OpenSSL in version 2. + +### Version 1.3.1/1.2.3 - 2016-03-18 + +* Add more possible values to `open_baseir` check. + +### Version 1.3.0 - 2016-03-17 + +* Removed `openssl_random_pseudo_bytes()` entirely. If you are using + random_compat in PHP on a Unix-like OS but cannot access + `/dev/urandom`, version 1.3+ will throw an `Exception`. If you want to + trust OpenSSL, feel free to write your own fallback code. e.g. + + ```php + try { + $bytes = random_bytes(32); + } catch (Exception $ex) { + $strong = false; + $bytes = openssl_random_pseudo_bytes(32, $strong); + if (!$strong) { + throw $ex; + } + } + ``` + +### Version 1.2.2 - 2016-03-11 + +* To prevent applications from hanging, if `/dev/urandom` is not + accessible to PHP, skip mcrypt (which just fails before giving OpenSSL + a chance and was morally equivalent to not offering OpenSSL at all). + +### Version 1.2.1 - 2016-02-29 + +* PHP 5.6.10 - 5.6.12 will hang when mcrypt is used on Unix-based operating + systems ([PHP bug 69833](https://bugs.php.net/bug.php?id=69833)). If you are + running one of these versions, please upgrade (or make sure `/dev/urandom` is + readable) otherwise you're relying on OpenSSL. + +### Version 1.2.0 - 2016-02-05 * Whitespace and other cosmetic changes * Added a changelog. @@ -8,7 +53,7 @@ Every time we publish a new release, we will also upload a .phar to Github. Our public key is signed by our GPG key. -### Version 1.1.6 - 2015-01-29 +### Version 1.1.6 - 2016-01-29 * Eliminate `open_basedir` warnings by detecting this configuration setting. (Thanks [@oucil](https://github.com/oucil) for reporting this.) diff --git a/vendor/paragonie/random_compat/ERRATA.md b/vendor/paragonie/random_compat/ERRATA.md index 4990273..371a23f 100644 
--- a/vendor/paragonie/random_compat/ERRATA.md +++ b/vendor/paragonie/random_compat/ERRATA.md @@ -25,8 +25,8 @@ the remaining implementations. The reason is simple: `mcrypt_create_iv()` is part of PHP's `ext/mcrypt` code, and is not part `libmcrypt`. It actually does the right thing: - * On Unix-based operating systems, it reads from `/dev/urandom`, which is the - sane and correct thing to do. + * On Unix-based operating systems, it reads from `/dev/urandom`, which unlike `/dev/random` + is the sane and correct thing to do. * On Windows, it reads from `CryptGenRandom`, which is an exclusively Windows way to get random bytes. diff --git a/vendor/paragonie/random_compat/lib/random.php b/vendor/paragonie/random_compat/lib/random.php index 42237ea..f29cefd 100644 --- a/vendor/paragonie/random_compat/lib/random.php +++ b/vendor/paragonie/random_compat/lib/random.php @@ -2,6 +2,9 @@ /** * Random_* Compatibility Library * for using the new PHP 7 random_* API in PHP 5 projects + * + * @version 1.4.1 + * @released 2016-03-18 * * The MIT License (MIT) * @@ -89,10 +92,10 @@ if (PHP_VERSION_ID < 70000) { PATH_SEPARATOR, strtolower($RandomCompat_basedir) ); - $RandomCompatUrandom = in_array( - '/dev', + $RandomCompatUrandom = (array() !== array_intersect( + array('/dev', '/dev/', '/dev/urandom'), $RandomCompat_open_basedir - ); + )); $RandomCompat_open_basedir = null; } @@ -113,8 +116,9 @@ if (PHP_VERSION_ID < 70000) { require_once $RandomCompatDIR.'/random_bytes_dev_urandom.php'; } // Unset variables after use - $RandomCompatUrandom = null; $RandomCompat_basedir = null; + } else { + $RandomCompatUrandom = false; } /** 
@@ -126,10 +130,20 @@ if (PHP_VERSION_ID < 70000) { PHP_VERSION_ID >= 50307 && extension_loaded('mcrypt') + && + (DIRECTORY_SEPARATOR !== '/' || $RandomCompatUrandom) ) { - // See random_bytes_mcrypt.php - require_once $RandomCompatDIR.'/random_bytes_mcrypt.php'; + // Prevent this code from hanging indefinitely on non-Windows; + // see https://bugs.php.net/bug.php?id=69833 + if ( + DIRECTORY_SEPARATOR !== '/' || + (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613) + ) { + // See random_bytes_mcrypt.php + require_once $RandomCompatDIR.'/random_bytes_mcrypt.php'; + } } + $RandomCompatUrandom = null; if ( !function_exists('random_bytes')