From 3994b3a26c252cba4070337b036e3a1c12c81369 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Sat, 23 May 2015 03:42:11 -0400
Subject: [PATCH] Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)

---
 program/lib/Roundcube/rcube.php       |    3 -
 CHANGELOG                             |    1 
 program/include/rcmail_install.php    |   25 +-----------
 tests/Framework/Utils.php             |   11 +++++
 program/lib/Roundcube/rcube_utils.php |   30 +++++++++++++++
 5 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 8693f63..2706171 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -10,6 +10,7 @@
 - Plugin API: Add special onload() method to execute plugin actions before startup (session and GUI initialization)
 - Implemented UI element to jump to specified page of the messages list (#1485235)
 - Fix so unrecognized TNEF attachments are displayed on the list of attachments (#1490351)
+- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
 
 RELEASE 1.1.2
 -------------
diff --git a/program/include/rcmail_install.php b/program/include/rcmail_install.php
index e161779..aea9ebb 100644
--- a/program/include/rcmail_install.php
+++ b/program/include/rcmail_install.php
@@ -163,7 +163,7 @@
     $value = $this->config[$name];
 
     if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"]))
-      $value = self::random_key(24);
+      $value = rcube_utils::random_bytes(24);
 
     return $value !== null && $value !== '' ? $value : $default;
   }
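Review bot: The new `rcube_utils::random_bytes(24)` call yields 24 hex characters, which is 96 bits of randomness for a des_key that is consumed as 24 bytes of 3DES key material, so the effective key space is half of what the 24-character length suggests; the removed `random_key` drew from a 72-symbol alphabet, although from `rand()`, so the source quality still improves. Since the config stores the key as a printable string this may be an accepted trade-off, but it deserves a comment next to the call such as `// hex-encoded: 24 chars carry 96 bits of entropy, not 192`, so nobody later treats it as a full-strength 3DES key. The same applies to the second rcmail_install.php hunk at `@@ -193,7 +193,7 @@`. The enclosing method starts before this hunk.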
@@ -193,7 +193,7 @@
 
       // generate new encryption key, never use the default value
       if ($prop == 'des_key' && $value == $this->defaults[$prop])
-        $value = $this->random_key(24);
+        $value = rcube_utils::random_bytes(24);
 
       // convert some form data
       if ($prop == 'debug_level' && !$is_default) {
@@ -785,25 +785,4 @@
   {
       $this->last_error = $p;
   }
-
-
-  /**
-   * Generarte a ramdom string to be used as encryption key
-   *
-   * @param int Key length
-   * @return string The generated random string
-   * @static
-   */
-  function random_key($length)
-  {
-    $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
-    $out = '';
-
-    for ($i=0; $i < $length; $i++)
-      $out .= $alpha{rand(0, strlen($alpha)-1)};
-
-    return $out;
-  }
-
 }
-
diff --git a/program/lib/Roundcube/rcube.php b/program/lib/Roundcube/rcube.php
index ae5957e..fe355fb 100644
--- a/program/lib/Roundcube/rcube.php
+++ b/program/lib/Roundcube/rcube.php
@@ -999,8 +999,7 @@
             if (empty($_SESSION['secure_token']) && $generate) {
                 // generate x characters long token
                 $length = $len > 1 ? $len : 16;
-                $token  = openssl_random_pseudo_bytes($length / 2);
-                $token  = bin2hex($token);
+                $token  = rcube_utils::random_bytes($length);
 
                 $plugin = $this->plugins->exec_hook('secure_token',
                     array('value' => $token, 'length' => $length));
diff --git a/program/lib/Roundcube/rcube_utils.php b/program/lib/Roundcube/rcube_utils.php
index 0ca2a9e..4db57b4 100644
--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -1138,4 +1138,34 @@
 
         return $url;
     }
+
+    /**
+     * Generate a ramdom string
+     *
+     * @param int String length
+     *
+     * @return string The generated random string
+     */
+    public static function random_bytes($length)
+    {
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            $random = openssl_random_pseudo_bytes(ceil($length / 2));
+            $random = bin2hex($random);
+
+            // if the length wasn't even...
+            if ($length < strlen($random)) {
+                $random = substr($random, 0, $length);
+            }
+        }
+        else {
+            $alpha  = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
+            $random = '';
+
+            for ($i = 0; $i < $length; $i++) {
+                $random .= $alpha[rand(0, strlen($alpha)-1)];
+            }
+        }
+
+        return $random;
+    }
 }
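Review bot: `openssl_random_pseudo_bytes()` is called without its `$crypto_strong` out-parameter and its return value is never checked, so a `false` result becomes `bin2hex(false)` → an empty string, and a weak (unseeded PRNG) result is hex-encoded and handed back as if it were key-grade. Both callers in this patch (des_key in rcmail_install.php, secure_token in rcube.php) rely on this output for security, and the `else` branch now also means a build without OpenSSL silently degrades to `rand()` where rcube.php previously would have failed loudly; the fallback should at least only be reached when OpenSSL is absent or reports weak output, and the docblock should state that the return is a hex string with 4 bits of entropy per character and that the `rand()` path is not cryptographically strong. Also fix the docblock typo and add the parameter name: `@param int $length String length`. A rewrite of the OpenSSL branch follows.
```php
    public static function random_bytes($length)
    {
        if (function_exists('openssl_random_pseudo_bytes')) {
            $random = openssl_random_pseudo_bytes((int) ceil($length / 2), $strong);

            // a false or weak result must not be hex-encoded and returned as key material
            if ($random !== false && $strong) {
                $random = bin2hex($random);

                // … unchanged: odd-length trimming …

                return $random;
            }
        }

        // … unchanged: rand()-based fallback (not cryptographically strong), now also reached when OpenSSL reports weak output …

        return $random;
    }
```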
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index b881cea..b9b99ff 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -419,4 +419,15 @@
             $this->assertSame($output, $result);
         }
     }
+
+    /**
+     * rcube:utils::random_bytes()
+     */
+    function test_random_bytes()
+    {
+        $this->assertSame(15, strlen(rcube_utils::random_bytes(15)));
+        $this->assertSame(1, strlen(rcube_utils::random_bytes(1)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(0)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(-1)));
+    }
 }
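Review bot: `test_random_bytes` only checks lengths, so an implementation returning a constant or empty-on-failure string of the right size (for example `bin2hex` of a `false` OpenSSL result padded elsewhere) would still pass; add one assertion that successive calls differ, `$this->assertNotSame(rcube_utils::random_bytes(15), rcube_utils::random_bytes(15));`. The docblock also misnames the subject; it should read `rcube_utils::random_bytes()`.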
