author | François Kooman <fkooman@tuxed.net> | 2017-03-03 17:37:05 +0100 |
---|---|---|
committer | François Kooman <fkooman@tuxed.net> | 2017-03-03 17:37:05 +0100 |
commit | a55a09b05bf3dd65a8e8e6ed8890165ba2c91a45 (patch) | |
tree | a9a1651f15897218df63cfac54dd4f2ddcfd1fea | |
parent | 83f941e1ad6f7a2ff318e30cbf5b3219e63a9a62 (diff) | |
use paragonie/random_compat
it is better to use random_compat for a CSPRNG,
see https://paragonie.com/blog/2016/05/how-generate-secure-random-numbers-in-various-programming-languages#php-csprng
-rw-r--r-- | composer.json | 6 | ||||
-rw-r--r-- | src/GoogleAuthenticator.php | 30 |
2 files changed, 4 insertions, 32 deletions
diff --git a/composer.json b/composer.json
index e434580..f6ffeda 100644
--- a/composer.json
+++ b/composer.json
@@ -15,7 +15,8 @@
 ],
 "require": {
 "php": ">=5.4.0",
- "christian-riesen/base32": "^1.0"
+ "christian-riesen/base32": "^1.0",
+ "paragonie/random_compat": "^1|^2"
 },
 "require-dev": {
 "phpunit/phpunit": "^4.8"
@@ -30,9 +31,6 @@
 "Otp\\Tests\\": "tests/"
 }
 },
- "suggest": {
- "paragonie/random_compat": "Optional polyfill for a more secure random generator for pre PHP7 versions"
- },
 "extra": {
 "branch-alias": {
 "dev-master": "2.x-dev"
diff --git a/src/GoogleAuthenticator.php b/src/GoogleAuthenticator.php
index 0925510..8e90532 100644
--- a/src/GoogleAuthenticator.php
+++ b/src/GoogleAuthenticator.php
@@ -161,7 +161,7 @@ class GoogleAuthenticator
 $string = '';
 for ($i = 0; $i < $length; $i++) {
- $string .= $keys[self::getRand()];
+ $string .= $keys[random_int(0, 31)];
 }
 return $string;
@@ -187,7 +187,7 @@ class GoogleAuthenticator
 // Generate codes
 $code = '';
 for ($i = 1; $i <= $length; $i++) {
- $code .= self::getRand(9);
+ $code .= random_int(0, 9);
 }
 // To make sure no duplicates get in
@@ -198,30 +198,4 @@ class GoogleAuthenticator
 return $codes;
 }
-
- /**
- * Get random number
- *
- * @return integer Random number between 0 and 31 (including)
- */
- private static function getRand($max = 31)
- {
- if (function_exists('random_int')) {
- // Uses either the PHP7 internal function or the polyfill if present
- return random_int(0, $max);
- } elseif (function_exists('openssl_random_pseudo_bytes')) {
- // For those not wanting either PHP7 or the polyfill, this works well enough
- $bytes = openssl_random_pseudo_bytes(2);
- $number = hexdec(bin2hex($bytes));
-
- if ($number > $max) {
- $number = $number % ($max + 1);
- }
-
- return $number;
- } else {
- // And last case, this does the trick too
- return mt_rand(0, $max);
- }
- }
 }
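Review bot: The new `random_int(0, 31)` in the first GoogleAuthenticator hunk hard-codes the upper bound separately from `$keys`, which is defined outside the hunk, so an index past the end of the alphabet is only one edit to `$keys` away; deriving it from the alphabet itself, `$string .= $keys[random_int(0, count($keys) - 1)];` (or `strlen($keys) - 1` if `$keys` turns out to be a string), removes that coupling. The `random_int(0, 9)` in the second hunk has the same shape but indexes nothing, so it is fine as written. On pre-PHP 7 hosts the random_compat polyfill makes `random_int()` throw an `Exception` when no CSPRNG source is available, and the removed fallback to `mt_rand()` no longer hides that, so the enclosing methods, which both start outside their hunks, should carry a `@throws \Exception` tag so callers know secret generation can fail rather than degrade. That is the right trade: a thrown exception is far preferable to an OTP secret drawn from a non-cryptographic source.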