Use random_bytes if available, drop SHA-512

Auth token creation order is now random_bytes -> openssl_random_pseudo_bytes -> mt_rand.
SHA-512 is unnecessary as we can use bin2hex directly, but $randLength needs to be set to 64.

Author: oittaa

libs/csrf/csrfprotector.php

@@ -354,7 +354,7 @@ public static function refreshToken()
 		public static function generateAuthToken()
 		{
 			// todo - make this a member method / configurable
-			$randLength = 32;
+			$randLength = 64;
 
 			//if config tokenLength value is 0 or some non int
 			if (intval(self::$config['tokenLength']) == 0) {
@@ -363,10 +363,10 @@ public static function generateAuthToken()
 
 			//#todo - if $length > 128 throw exception 
 
-			if (function_exists("hash_algos")
-			    && function_exists("openssl_random_pseudo_bytes")
-			    && in_array("sha512", hash_algos())) {
-				$token = hash("sha512", openssl_random_pseudo_bytes ($randLength));
+			if (function_exists("random_bytes")) {
+				$token = bin2hex(random_bytes($randLength));
+			} elseif (function_exists("openssl_random_pseudo_bytes")) {
+				$token = bin2hex(openssl_random_pseudo_bytes($randLength));
 			} else {
 				$token = '';
 				for ($i = 0; $i < 128; ++$i) {