Merge pull request #133 from sarciszewski/csprng2

Implement CSPRNG in a manner consistent with the feedback on #131

Author: Fosco Marotto

src/Facebook/FacebookRedirectLoginHelper.php

@@ -90,7 +90,7 @@ public function __construct($redirectUrl, $appId = null, $appSecret = null)
   public function getLoginUrl($scope = array(), $version = null)
   {
     $version = ($version ?: FacebookRequest::GRAPH_API_VERSION);
-    $this->state = md5(uniqid(mt_rand(), true));
+    $this->state = $this->random(16);
     $this->storeState($this->state);
     $params = array(
       'client_id' => $this->appId,
@@ -215,6 +215,56 @@ protected function loadState()
     }
     return null;
   }
+  
+  /**
+   * Generate a cryptographically secure pseudrandom number
+   * 
+   * @param integer $bytes - number of bytes to return
+   * 
+   * @return string
+   * 
+   * @throws FacebookSDKException
+   * 
+   * @todo Support Windows platforms
+   */
+  public function random($bytes)
+  {
+    if (!is_numeric($bytes)) {
+      throw new FacebookSDKException(
+        "random() expects an integer"
+      );
+    }
+    if ($bytes < 1) {
+      throw new FacebookSDKException(
+        "random() expects an integer greater than zero"
+      );
+    }
+    $buf = '';
+    // http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
+    if (is_readable('/dev/urandom')) {
+      $fp = fopen('/dev/urandom', 'rb');
+      if ($fp !== FALSE) {
+        $buf = fread($fp, $bytes);
+        fclose($fp);
+        if($buf !== FALSE) {
+          return bin2hex($buf);
+        }
+      }
+    }
+	
+    if (function_exists('mcrypt_create_iv')) {
+        $buf = mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
+        if ($buf !== FALSE) {
+          return bin2hex($buf);
+        }
+    }
+    
+    while (strlen($buf) < $bytes) {
+      $buf .= md5(uniqid(mt_rand(), true), true); 
+      // We are appending raw binary
+    }
+    return bin2hex(substr($buf, 0, $bytes));
+  }
 
   /**
    * Disables the session_status() check when using $_SESSION
@@ -224,4 +274,4 @@ public function disableSessionStatusCheck()
     $this->checkForSessionStatus = false;
   }
 
-}
+}

tests/FacebookRedirectLoginHelperTest.php

@@ -1,61 +1,71 @@
-<?php
-
-use Facebook\FacebookRedirectLoginHelper;
-use Facebook\FacebookRequest;
-
-class FacebookRedirectLoginHelperTest extends PHPUnit_Framework_TestCase
-{
-
-  const REDIRECT_URL = 'http://invalid.zzz';
-
-  public function testLoginURL()
-  {
-    $helper = new FacebookRedirectLoginHelper(
-      self::REDIRECT_URL,
-      FacebookTestCredentials::$appId,
-      FacebookTestCredentials::$appSecret
-    );
-    $helper->disableSessionStatusCheck();
-    $loginUrl = $helper->getLoginUrl();
-    $state = $_SESSION['FBRLH_state'];
-    $params = array(
-      'client_id' => FacebookTestCredentials::$appId,
-      'redirect_uri' => self::REDIRECT_URL,
-      'state' => $state,
-      'sdk' => 'php-sdk-' . FacebookRequest::VERSION,
-      'scope' => implode(',', array())
-    );
-    $expectedUrl = 'https://www.facebook.com/v2.0/dialog/oauth?';
-    $this->assertTrue(strpos($loginUrl, $expectedUrl) !== false);
-    foreach ($params as $key => $value) {
-      $this->assertTrue(
-        strpos($loginUrl, $key . '=' . urlencode($value)) !== false
-      );
-    }
-  }
-
-  public function testLogoutURL()
-  {
-    $helper = new FacebookRedirectLoginHelper(
-      self::REDIRECT_URL,
-      FacebookTestCredentials::$appId,
-      FacebookTestCredentials::$appSecret
-    );
-    $helper->disableSessionStatusCheck();
-    $logoutUrl = $helper->getLogoutUrl(
-      FacebookTestHelper::$testSession, self::REDIRECT_URL
-    );
-    $params = array(
-      'next' => self::REDIRECT_URL,
-      'access_token' => FacebookTestHelper::$testSession->getToken()
-    );
-    $expectedUrl = 'https://www.facebook.com/logout.php?';
-    $this->assertTrue(strpos($logoutUrl, $expectedUrl) !== false);
-    foreach ($params as $key => $value) {
-      $this->assertTrue(
-        strpos($logoutUrl, $key . '=' . urlencode($value)) !== false
-      );
-    }
-  }
-
-}
+<?php
+
+use Facebook\FacebookRedirectLoginHelper;
+use Facebook\FacebookRequest;
+
+class FacebookRedirectLoginHelperTest extends PHPUnit_Framework_TestCase
+{
+
+  const REDIRECT_URL = 'http://invalid.zzz';
+
+  public function testLoginURL()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $helper->disableSessionStatusCheck();
+    $loginUrl = $helper->getLoginUrl();
+    $state = $_SESSION['FBRLH_state'];
+    $params = array(
+      'client_id' => FacebookTestCredentials::$appId,
+      'redirect_uri' => self::REDIRECT_URL,
+      'state' => $state,
+      'sdk' => 'php-sdk-' . FacebookRequest::VERSION,
+      'scope' => implode(',', array())
+    );
+    $expectedUrl = 'https://www.facebook.com/v2.0/dialog/oauth?';
+    $this->assertTrue(strpos($loginUrl, $expectedUrl) !== false);
+    foreach ($params as $key => $value) {
+      $this->assertTrue(
+        strpos($loginUrl, $key . '=' . urlencode($value)) !== false
+      );
+    }
+  }
+
+  public function testLogoutURL()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+    $helper->disableSessionStatusCheck();
+    $logoutUrl = $helper->getLogoutUrl(
+      FacebookTestHelper::$testSession, self::REDIRECT_URL
+    );
+    $params = array(
+      'next' => self::REDIRECT_URL,
+      'access_token' => FacebookTestHelper::$testSession->getToken()
+    );
+    $expectedUrl = 'https://www.facebook.com/logout.php?';
+    $this->assertTrue(strpos($logoutUrl, $expectedUrl) !== false);
+    foreach ($params as $key => $value) {
+      $this->assertTrue(
+        strpos($logoutUrl, $key . '=' . urlencode($value)) !== false
+      );
+    }
+  }
+  
+  public function testCSPRNG()
+  {
+    $helper = new FacebookRedirectLoginHelper(
+      self::REDIRECT_URL,
+      FacebookTestCredentials::$appId,
+      FacebookTestCredentials::$appSecret
+    );
+	$this->assertTrue(preg_match('/^([0-9a-f]+)$/', $helper->random(32)));
+  }
+
+}