[Fusionforge-commits] r12806 - in trunk/src: common/include plugins/oauthprovider/include

Roland Mas lolando at fusionforge.org
Wed Mar 16 21:59:56 CET 2011


Author: lolando
Date: 2011-03-16 21:59:55 +0100 (Wed, 16 Mar 2011)
New Revision: 12806

Modified:
   trunk/src/common/include/utils.php
   trunk/src/plugins/oauthprovider/include/fusionforge_oauth_datastore.php
Log:
Handle error conditions in util_randbytes(), and re-use that function in oauthprovider instead of reimplementing it

Modified: trunk/src/common/include/utils.php
===================================================================
--- trunk/src/common/include/utils.php	2011-03-16 20:59:34 UTC (rev 12805)
+++ trunk/src/common/include/utils.php	2011-03-16 20:59:55 UTC (rev 12806)
@@ -3,7 +3,7 @@
  * FusionForge miscellaneous utils
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
- * Copyright 2009-2010, Roland Mas
+ * Copyright 2009-2011, Roland Mas
  * Copyright 2009-2010, Franck Villaume - Capgemini
  * Copyright 2010, Thorsten Glaser <t.glaser at tarent.de>
  * Copyright 2010-2011, Alain Peyrat - Alcatel-Lucent
@@ -1394,14 +1394,30 @@
 }
 
 function util_randbytes($num=6) {
-	$f = fopen("/dev/urandom", "rb");
-	$b = fread($f, $num);
-	fclose($f);
+	$b = '';
 
-	if (strlen($b) != $num)
-		exit_error(_('Internal Error'),
-			   _('Could not read from random device'));
+	// Let's try /dev/urandom first
+	$f = @fopen("/dev/urandom", "rb");
+	if ($f !== FALSE) {
+		$b .= @fread($f, $num);
+		fclose($f);
+	}
 
+	// Hm.  No /dev/urandom?  Try /dev/random.
+	if (strlen($b) < $num) {
+		$f = @fopen("/dev/random", "rb");
+		if ($f !== FALSE) {
+			$b .= @fread($f, $num);
+			fclose($f);
+		}
+	}
+
+	// Still no luck?  Fall back to PHP's built-in PRNG
+	while (strlen($b) < $num) {
+		$b .= uniqid(mt_rand(), true);
+	}
+
+	$b = substr($b, 0, $num);
 	return ($b);
 }
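Review bot: The last fallback in the `while` loop silently fills the buffer from `uniqid(mt_rand(), true)`, which is not a cryptographically strong source, and this same commit routes OAuth consumer keys, secrets and tokens through util_randbytes(), so a host where neither device opens now gets predictable credentials where it previously failed loudly via exit_error. Two smaller points: the `@`-suppressed `fread` on /dev/random can block for a long time when the entropy pool is drained, and a short read from either device is not retried before moving on to the next source. I would try `openssl_random_pseudo_bytes()` (the TODO carried in the removed key_secret_generator) before the PRNG, only accept it when the `$strong` flag is set, and at least log when the weak fallback is reached, as sketched below.
```php
	// … unchanged: /dev/urandom read …

	// Prefer the OpenSSL CSPRNG when available, but only if it reports strong output
	if (strlen($b) < $num && function_exists('openssl_random_pseudo_bytes')) {
		$strong = false;
		$r = openssl_random_pseudo_bytes($num, $strong);
		if ($strong && $r !== false) {
			$b .= $r;
		}
	}

	// … unchanged: /dev/random read …

	// Still no luck?  Fall back to PHP's built-in PRNG (not cryptographically strong)
	if (strlen($b) < $num) {
		error_log('util_randbytes: no secure random source available, falling back to mt_rand()');
	}
	// … unchanged: while loop, substr, return …
```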
 

Modified: trunk/src/plugins/oauthprovider/include/fusionforge_oauth_datastore.php
===================================================================
--- trunk/src/plugins/oauthprovider/include/fusionforge_oauth_datastore.php	2011-03-16 20:59:34 UTC (rev 12805)
+++ trunk/src/plugins/oauthprovider/include/fusionforge_oauth_datastore.php	2011-03-16 20:59:55 UTC (rev 12806)
@@ -218,8 +218,8 @@
 	 */
 	function new_consumer_keys()
 	{
-		$key = md5($this->key_secret_generator(20));
-		$secret = md5($this->key_secret_generator(20));
+		$key = md5($this->util_randbytes(20));
+		$secret = md5($this->util_randbytes(20));
 		return array($key, $secret);
 	}
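Review bot: `$this->util_randbytes(20)` on both changed lines calls util_randbytes as a method of the datastore class, but the function this commit extends in utils.php is a plain global function, so unless the class defines a method of that name outside the hunk this will raise a fatal "Call to undefined method" on the first consumer-key generation. The calls should be `$key = md5(util_randbytes(20));` and `$secret = md5(util_randbytes(20));`. The same applies to the `$random = $this->util_randbytes(32);` line in the new_token hunk further down this file. Note also that the removed helper's comment about `openssl_random_pseudo_bytes` still applies: with the new utils.php fallback these secrets may, on a host without readable random devices, derive from mt_rand() output.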
 
@@ -439,30 +439,6 @@
 	}
 
 	/**
-	 * Generates random key-secret values
-	 *  
-	 */
-	protected function key_secret_generator($len)	{
-		$pr_bits = '';
-		
-		//use openssl_random_pseudo_bytes??
-
-		//cannot use util_randbytes as it exits if unsuccessful
-		$fp = @fopen('/dev/urandom','rb');
-		if ($fp !== FALSE) {
-    		$pr_bits .= @fread($fp,$len);
-    		@fclose($fp);
-		}
-				
-        // in case the above doesnt work or is not enough
-        $pr_bits .= uniqid(mt_rand(), true);
-        //$hash = sha1($pr_bits);  // sha1 gives us a 40-byte hash, md5 32
-        		
-		return $pr_bits;
-	}
-	
-
-	/**
 	 * Generates an new token in the DB
 	 * 
  	 * It will auto-purge request tokens older than 24 hours that haven't been converted to access tokens in time (cleanup made every 100 request token creation)
@@ -474,8 +450,7 @@
 	protected function new_token($consumer, $token_type, $role_id=0) {
 		$t_token_table = $this->token_table_name($token_type);
 
-		// TODO : use some PRNG maybe
-		$random = $this->key_secret_generator(32);
+		$random = $this->util_randbytes(32);
 		$hash = sha1($random);
 		$key = substr($hash, 0, 20);
 		$secret = substr($hash, 20, 40);



