Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)

Conflicts:

	CHANGELOG

CHANGELOG

@@ -27,6 +27,7 @@ RELEASE 1.1.2
 - Fix issues when using moduserprefs.sh without --user argument (#1490399)
 - Fix potential info disclosure issue by protecting directory access (#1490378)
 - Fix blank image in html_signature when saving identity changes (#1490412)
+- Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
 
 RELEASE 1.1.1
 -------------

program/include/rcmail_install.php

@@ -163,7 +163,7 @@ class rcmail_install
     $value = $this->config[$name];
 
     if ($name == 'des_key' && !$this->configured && !isset($_REQUEST["_$name"]))
-      $value = self::random_key(24);
+      $value = rcube_utils::random_bytes(24);
 
     return $value !== null && $value !== '' ? $value : $default;
   }
@@ -193,7 +193,7 @@ class rcmail_install
 
       // generate new encryption key, never use the default value
       if ($prop == 'des_key' && $value == $this->defaults[$prop])
-        $value = $this->random_key(24);
+        $value = rcube_utils::random_bytes(24);
 
       // convert some form data
       if ($prop == 'debug_level' && !$is_default) {
@@ -789,25 +789,4 @@ class rcmail_install
   {
       $this->last_error = $p;
   }
-
-
-  /**
-   * Generarte a ramdom string to be used as encryption key
-   *
-   * @param int Key length
-   * @return string The generated random string
-   * @static
-   */
-  function random_key($length)
-  {
-    $alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
-    $out = '';
-
-    for ($i=0; $i < $length; $i++)
-      $out .= $alpha{rand(0, strlen($alpha)-1)};
-
-    return $out;
-  }
-
 }
-

program/lib/Roundcube/rcube.php

@@ -1005,8 +1005,7 @@ class rcube
             if (empty($_SESSION['secure_token']) && $generate) {
                 // generate x characters long token
                 $length = $len > 1 ? $len : 16;
-                $token  = openssl_random_pseudo_bytes($length / 2);
-                $token  = bin2hex($token);
+                $token  = rcube_utils::random_bytes($length);
 
                 $plugin = $this->plugins->exec_hook('secure_token',
                     array('value' => $token, 'length' => $length));

program/lib/Roundcube/rcube_utils.php

@@ -1138,4 +1138,34 @@ class rcube_utils
 
         return $url;
     }
+
+    /**
+     * Generate a ramdom string
+     *
+     * @param int String length
+     *
+     * @return string The generated random string
+     */
+    public static function random_bytes($length)
+    {
+        if (function_exists('openssl_random_pseudo_bytes')) {
+            $random = openssl_random_pseudo_bytes(ceil($length / 2));
+            $random = bin2hex($random);
+
+            // if the length wasn't even...
+            if ($length < strlen($random)) {
+                $random = substr($random, 0, $length);
+            }
+        }
+        else {
+            $alpha  = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
+            $random = '';
+
+            for ($i = 0; $i < $length; $i++) {
+                $random .= $alpha[rand(0, strlen($alpha)-1)];
+            }
+        }
+
+        return $random;
+    }
 }

tests/Framework/Utils.php

@@ -419,4 +419,15 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
             $this->assertSame($output, $result);
         }
     }
+
+    /**
+     * rcube:utils::random_bytes()
+     */
+    function test_random_bytes()
+    {
+        $this->assertSame(15, strlen(rcube_utils::random_bytes(15)));
+        $this->assertSame(1, strlen(rcube_utils::random_bytes(1)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(0)));
+        $this->assertSame(0, strlen(rcube_utils::random_bytes(-1)));
+    }
 }