Merge pull request #75 from oittaa/patch-1

Use random_bytes if available, drop SHA-512

Merging, thanks for PR.
Apologies for late merge, was on vacation.

Author: mebjas

.travis.yml

@@ -31,6 +31,7 @@ before_script:
 
 script:
  - mkdir -p build/logs
+ - if [ $(phpenv version-name) = 'hhvm' ]; then echo 'xdebug.enable=1' >> /etc/hhvm/php.ini; fi
  - phpunit --stderr --coverage-clover build/logs/clover.xml
 
 after_script:
@@ -42,4 +43,4 @@ after_success:
 cache:
   directories:
   - vendor
-  - $HOME/.cache/composer
+  - $HOME/.cache/composer

libs/csrf/csrfprotector.php

@@ -354,7 +354,7 @@ public static function refreshToken()
 		public static function generateAuthToken()
 		{
 			// todo - make this a member method / configurable
-			$randLength = 32;
+			$randLength = 64;
 
 			//if config tokenLength value is 0 or some non int
 			if (intval(self::$config['tokenLength']) == 0) {
@@ -363,10 +363,10 @@ public static function generateAuthToken()
 
 			//#todo - if $length > 128 throw exception 
 
-			if (function_exists("hash_algos")
-			    && function_exists("openssl_random_pseudo_bytes")
-			    && in_array("sha512", hash_algos())) {
-				$token = hash("sha512", openssl_random_pseudo_bytes ($randLength));
+			if (function_exists("random_bytes")) {
+				$token = bin2hex(random_bytes($randLength));
+			} elseif (function_exists("openssl_random_pseudo_bytes")) {
+				$token = bin2hex(openssl_random_pseudo_bytes($randLength));
 			} else {
 				$token = '';
 				for ($i = 0; $i < 128; ++$i) {

test/csrfprotector_test.php

@@ -356,10 +356,12 @@ public function testGenerateAuthToken()
 
         $this->assertFalse($token1 == $token2);
         $this->assertEquals(strlen($token1), 20);
+        $this->assertRegExp('/^[a-z0-9]{20}$/', $token1);
 
         csrfprotector::$config['tokenLength'] = 128;
         $token = csrfprotector::generateAuthToken();
         $this->assertEquals(strlen($token), 128);
+        $this->assertRegExp('/^[a-z0-9]{128}$/', $token);
     }
 
     /**