More secure randomness on PHP5, 256 bits of entropy in random strings

There was a bug that caused seemingly 256-bit keys
to actually contain only 128 bits of entropy.

Also: because Adminer doesn't state hash extension
as a requirement, don't rely on it for hmac

Author: pavetheway91

admin/core/Hash.php

@@ -0,0 +1,67 @@
+<?php
+
+namespace AdminNeo;
+
+class Hash
+{
+	/**
+	 * HKDF function. To make sure that this is always available, algo cannot be chosen.
+	 *
+	 * @see https://www.rfc-editor.org/rfc/rfc5869
+	 *
+	 * @param int $length Output length.
+	 * @param string $key Input keying material.
+	 * @param string $info Optional context and application specific information.
+	 * @param string $salt Optional salt value (a non-secret random value).
+	 *
+	 * @return string|false Derived key.
+	 */
+	public static function hkdf(int $length, string $key, string $info = "", string $salt = "")
+	{
+		if (extension_loaded("hash") && PHP_VERSION_ID >= 70120) {
+			return hash_hkdf("sha1", $key, $length, $info, $salt);
+		}
+
+		if ($salt == "") {
+			$salt = str_repeat("\0", 20);
+		}
+
+		$prk = self::hmacSha1($key, $salt);
+		$okm = "";
+
+		for ($keyBlock = "", $blockIndex = 1; !isset($okm[$length - 1]); $blockIndex++) {
+			$keyBlock = self::hmacSha1($keyBlock . $info . chr($blockIndex), $prk);
+			$okm .= $keyBlock;
+		}
+
+		return substr($okm, 0, $length);
+	}
+
+	/**
+	 * Always available HMAC-SHA1 function. Binary-only output by design. If hex is desired, just bin2hex the output.
+	 *
+	 * @see https://www.rfc-editor.org/rfc/rfc2104
+	 *
+	 * @param string $data Message to be hashed.
+	 * @param string $key Hashing key.
+	 *
+	 * @return string Calculated message.
+	 */
+	public static function hmacSha1(string $data, string $key): string
+	{
+		if (!extension_loaded("hash")) {
+			return hash_hmac("sha1", $data, $key, true);
+		}
+
+		if (strlen($key) > 64) {
+			$key = sha1($key, true);
+		}
+
+		$key = str_pad($key, 64, "\0");
+
+		$ipad = ($key ^ str_repeat("\x36", 64));
+		$opad = ($key ^ str_repeat("\x5C", 64));
+
+		return sha1($opad . sha1($ipad . $data, true), true);
+	}
+}

admin/core/Random.php

@@ -0,0 +1,172 @@
+<?php
+
+namespace AdminNeo;
+
+use Exception;
+
+class Random
+{
+	/**
+	 * Returns requested amount of random bytes.
+	 *
+	 * @return string A binary string.
+	 *
+	 * @throws Exception
+	 */
+	public static function bytes(int $length): string
+	{
+		if (PHP_VERSION_ID >= 70000) {
+			// There is an astronomically low chance of this throwing an exception. If it happens, the exception is
+			// purposefully not caught, because it means that there is something very wrong in the system, and it cannot
+			// be trusted to do TLS securely either.
+			return random_bytes($length);
+		}
+
+		$result = self::tryAlternatives($length);
+		if ($result !== false) {
+			return $result;
+		}
+
+		$result = self::lastResortRandom($length);
+		if ($result !== false) {
+			return $result;
+		}
+
+		throw new Exception("Error generating random bytes");
+	}
+
+	/**
+	 * @return string|false
+	 */
+	private static function tryAlternatives(int $length)
+	{
+		if (extension_loaded("libsodium")) {
+			return \Sodium\randombytes_buf($length);
+		}
+
+		$unix = DIRECTORY_SEPARATOR === "/";
+
+		if ($unix) {
+			$result = self::readDevUrandom($length);
+			if ($result !== false) {
+				return $result;
+			}
+		}
+
+		// https://bugs.php.net/bug.php?id=69833
+		$bug69833 = $unix && PHP_VERSION_ID > 50609 && PHP_VERSION_ID < 50613;
+
+		if (extension_loaded("mcrypt") && !$bug69833) {
+			// MCRYPT_DEV_URANDOM means "something secure" provided by the os.
+			// It's something completely else on Windows.
+			$result = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
+			if ($result !== false) {
+				return $result;
+			}
+		}
+
+		/* TODO Comment out after testing.
+		if (!$unix && extension_loaded('com_dotnet') && class_exists('COM'))
+		{
+			return self::readCapicom($length);
+		}
+		*/
+
+		// https://bugs.php.net/bug.php?id=70014
+		$bug70014 = PHP_VERSION_ID < 50444 || (PHP_VERSION_ID > 50500 && PHP_VERSION_ID < 50528) || (PHP_VERSION_ID > 50600 && PHP_VERSION_ID < 50612);
+
+		if (extension_loaded("openssl") && !$bug70014) {
+			$result = openssl_random_pseudo_bytes($length, $strong);
+			if ($strong) {
+				return $result;
+			}
+		}
+
+		// No reliable source of randomness was found.
+		return false;
+	}
+
+	/**
+	 * @return string|false
+	 */
+	private static function readDevUrandom(int $length)
+	{
+		static $file = null;
+
+		if ($file === null) {
+			$file = @fopen("/dev/urandom", "rb");
+		}
+		if (!$file) {
+			return false;
+		}
+
+		$remaining = $length;
+		$result = "";
+
+		do {
+			$data = fread($file, $remaining);
+			if ($data === false) {
+				return false;
+			}
+
+			$remaining -= strlen($data);
+			$result .= $data;
+		} while ($remaining > 0);
+
+		return $result;
+	}
+
+	/**
+	 * @return string|false
+	 */
+	private static function readCapicom(int $length)
+	{
+		$com = new \COM("CAPICOM.Utilities.1");
+
+		$remaining = $length;
+		$result = "";
+
+		do {
+			$data = base64_decode((string)$com->GetRandom($length, 0));
+			$remaining -= strlen($data);
+			$result .= $data;
+		} while ($remaining > 0);
+
+		return $result;
+	}
+
+	/**
+	 * @return string|false
+	 */
+	private static function lastResortRandom(int $length)
+	{
+		static $key = null;
+		static $salt = null;
+
+		if ($key === null) {
+			$data = $_SERVER;
+			$data[] = uniqid("", true);
+			shuffle($data);
+
+			$key = sha1(serialize($data), true);
+
+			// See referenced bug 70014 above.
+			if (extension_loaded("openssl")) {
+				$salt = openssl_random_pseudo_bytes(20);
+			} else {
+				$salt = "";
+				for ($i = 0; $i < 20; $i++) {
+					$salt .= chr((mt_rand() ^ mt_rand()) % 256);
+				}
+			}
+		} else {
+			if ((ord($key) % 2 === 0) === (ord($salt) % 2 === 0)) {
+				$key = Hash::hmacSha1($key, $salt);
+			} else {
+				$salt = Hash::hmacSha1($salt, $key);
+			}
+		}
+
+		return Hash::hkdf($length, $key, "$length", $salt);
+	}
+}

admin/include/bootstrap.inc.php

@@ -30,6 +30,8 @@
 include __DIR__ . "/../core/Server.php";
 include __DIR__ . "/../core/Config.php";
 include __DIR__ . "/../core/Settings.php";
+include __DIR__ . "/../core/Hash.php";
+include __DIR__ . "/../core/Random.php";
 include __DIR__ . "/polyfill.inc.php";
 include __DIR__ . "/functions.inc.php";
 include __DIR__ . "/html.inc.php";

admin/include/design.inc.php

@@ -264,17 +264,18 @@ function page_headers(): void
 }
 
 /**
- * Gets a CSP nonce.
+ * Returns a CSP nonce.
+ *
+ * @return string Random string with 256 bits of entropy.
  *
- * @return string Base64 value.
  * @throws \Random\RandomException
  */
-function get_nonce()
+function get_nonce(): string
 {
 	static $nonce;
 
 	if (!$nonce) {
-		$nonce = base64_encode(get_random_string(true));
+		$nonce = get_random_string();
 	}
 
 	return $nonce;

admin/include/functions.inc.php

@@ -929,17 +929,15 @@ function get_private_key($create)
 }
 
 /**
- * Returns a random 32 characters long string.
+ * Returns a random string with 256 bits of entropy.
+ *
+ * The result is safe to use in URL parameters or file names.
  *
- * @param $binary bool
- * @return string
  * @throws \Random\RandomException
  */
-function get_random_string($binary = false)
+function get_random_string(): string
 {
-	$bytes = function_exists('random_bytes') ? random_bytes(32) : uniqid(mt_rand(), true);
-
-	return $binary ? $bytes : md5($bytes);
+	return strtr(rtrim(base64_encode(Random::bytes(32)), "="), "+/", "-_");
 }
 
 /** Format value to use in select

plugins/FileUploadPlugin.php

@@ -2,8 +2,6 @@
 
 namespace AdminNeo;
 
-use Exception;
-
 /**
  * Replaces fields ending with "_path" by `<input type="file">` in edit form and displays links to the uploaded files in
  * table select.
@@ -62,6 +60,9 @@ public function getFieldInput(?string $table, array $field, string $attrs, $valu
 		return "<input type='file'$attrs>";
 	}
 
+	/**
+	 * @throws \Random\RandomException
+	 */
 	public function processFieldInput(?array $field, string $value, string $function = ""): ?string
 	{
 		if (!$field || !($shortFieldName = $this->matchField($field))) {
@@ -86,7 +87,7 @@ public function processFieldInput(?array $field, string $value, string $function
 
 		// Generate random unique file name.
 		do {
-			$filename = $this->generateName() . $matches[0];
+			$filename = get_random_string() . $matches[0];
 
 			$targetPath = "$targetDir/" . $this->encodeFs($shortFieldName) . "-$filename";
 		} while (file_exists($targetPath));
@@ -104,15 +105,6 @@ private function matchField(array $field): ?string
 		return preg_match('~(.*)_path$~', $field["field"], $matches) ? $matches[1] : null;
 	}
 
-	private function generateName(): string
-	{
-		try {
-			return function_exists('random_bytes') ? bin2hex(random_bytes(8)) : uniqid("", true);
-		} catch (Exception $e) {
-			return uniqid("", true);
-		}
-	}
-
 	private function encodeUrl(string $value): string
 	{
 		return rawurlencode(str_replace("/", "%2F", $value));

plugins/OtpLoginPlugin.php

@@ -76,7 +76,7 @@ public function authenticate(string $username, string $password): ?string
 	private function getOtp(int $timeSlot): int
 	{
 		$data = str_pad(pack("N", $timeSlot), 8, "\0", STR_PAD_LEFT);
-		$hash = hash_hmac("sha1", $data, $this->secret, true);
+		$hash = Hash::hmacSha1($data, $this->secret);
 		$offset = ord(substr($hash, -1)) & 0xF;
 		$unpacked = unpack("N", substr($hash, $offset, 4));