From e2ee009e5c4b9632b2067d36dc44009b18ba57df Mon Sep 17 00:00:00 2001 From: Daniel Friesen Date: Tue, 20 Mar 2012 05:17:40 +0000 Subject: [PATCH] Commit the cryptrand project worked on in git: - MWCryptRand: A new api for generating cryptographic randomness for security tokens. Uses whatever cryptographic source is available and if not falls back to using random state and clock drift. - wfRandomString - A simple non-cryptographic pesudo-random string generation function to replace wfGenerateToken which was written pretending to be secure when it's really not. - Core updates to use MWCryptRand in various places: -- user_token generation (to do this we stop generating user_token implicitly and only generate it when needed to avoid depleting the system's entropy pool by reading random data we'll never use) -- email confirmation token generation -- password salt generation -- temporary password generation -- Generation of the automatic watchlist token -- login and create user tokens -- session ids when php's entropy sources are not set -- the installer when generating wgSecretKey and the upgrade key --- RELEASE-NOTES-1.20 | 5 + includes/AutoLoader.php | 1 + includes/CryptRand.php | 476 +++++++++++++++++++++++++ includes/GlobalFunctions.php | 50 +++ includes/Import.php | 2 +- includes/Preferences.php | 1 + includes/User.php | 70 ++-- includes/installer/Installer.php | 29 +- includes/parser/Parser.php | 2 +- includes/specials/SpecialUserlogin.php | 6 +- includes/specials/SpecialWatchlist.php | 2 +- 11 files changed, 581 insertions(+), 63 deletions(-) create mode 100644 includes/CryptRand.php diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20 index 1401856f08..cdc3dccb59 100644 --- a/RELEASE-NOTES-1.20 +++ b/RELEASE-NOTES-1.20 @@ -22,6 +22,8 @@ production. * (bug 34302) Add CSS classes to email fields in user preferences * Introduced $wgDebugDBTransactions to trace transaction status (currently PostgreSQL only) * (bug 23795) Add parser itself to ParserMakeImageParams hook. +* Introduce a cryptographic random number generator source api for use when + generating various tokens. === Bug fixes in 1.20 === * (bug 30245) Use the correct way to construct a log page title. @@ -61,6 +63,9 @@ changes to languages because of Bugzilla reports. * Mizo (lus) added === Other changes in 1.20 === +* The user_token field is now left empty until a user attempts to login and + cookies need to be set. It is also now possible to reset every user's + user_token simply by clearing the values in the user_token column. == Compatibility == diff --git a/includes/AutoLoader.php b/includes/AutoLoader.php index 53da8b439b..41b7481fb3 100644 --- a/includes/AutoLoader.php +++ b/includes/AutoLoader.php @@ -50,6 +50,7 @@ $wgAutoloadLocalClasses = array( 'ConfEditorToken' => 'includes/ConfEditor.php', 'Cookie' => 'includes/Cookie.php', 'CookieJar' => 'includes/Cookie.php', + 'MWCryptRand' => 'includes/CryptRand.php', 'CurlHttpRequest' => 'includes/HttpFunctions.php', // 'DBDataObject' => 'includes/DBDataObject.php', // 'DBTable' => 'includes/DBTable.php', diff --git a/includes/CryptRand.php b/includes/CryptRand.php new file mode 100644 index 0000000000..ef425cb5da --- /dev/null +++ b/includes/CryptRand.php @@ -0,0 +1,476 @@ + $v ) { + if ( is_numeric( $k ) ) { + unset( $k ); + } + } + // The absolute filename itself will differ from install to install so don't leave it out + $state .= realpath( $file ); + $state .= implode( '', $stat ); + } else { + // The fact that the file isn't there is worth at least a + // minuscule amount of entropy. + $state .= '0'; + } + } + + // Try and make this a little more unstable by including the varying process + // id of the php process we are running inside of if we are able to access it + if ( function_exists( 'getmypid' ) ) { + $state .= getmypid(); + } + + // If available try to increase the instability of the data by throwing in + // the precise amount of memory that we happen to be using at the moment. + if ( function_exists( 'memory_get_usage' ) ) { + $state .= memory_get_usage( true ); + } + + // It's mostly worthless but throw the wiki's id into the data for a little more variance + $state .= wfWikiID(); + + // If we have a secret key or proxy key set then throw it into the state as well + global $wgSecretKey, $wgProxyKey; + if ( $wgSecretKey ) { + $state .= $wgSecretKey; + } elseif ( $wgProxyKey ) { + $state .= $wgProxyKey; + } + + return $state; + } + + /** + * Randomly hash data while mixing in clock drift data for randomness + * + * @param $data The data to randomly hash. + * @return String The hashed bytes + * @author Tim Starling + */ + protected function driftHash( $data ) { + // Minimum number of iterations (to avoid slow operations causing the loop to gather little entropy) + $minIterations = self::MIN_ITERATIONS; + // Duration of time to spend doing calculations (in seconds) + $duration = ( self::MSEC_PER_BYTE / 1000 ) * $this->hashLength(); + // Create a buffer to use to trigger memory operations + $bufLength = 10000000; + $buffer = str_repeat( ' ', $bufLength ); + $bufPos = 0; + + // Iterate for $duration seconds or at least $minIerations number of iterations + $iterations = 0; + $startTime = microtime( true ); + $currentTime = $startTime; + while ( $iterations < $minIterations || $currentTime - $startTime < $duration ) { + // Trigger some memory writing to trigger some bus activity + // This may create variance in the time between iterations + $bufPos = ( $bufPos + 13 ) % $bufLength; + $buffer[$bufPos] = ' '; + // Add the drift between this iteration and the last in as entropy + $nextTime = microtime( true ); + $delta = (int)( ( $nextTime - $currentTime ) * 1000000 ); + $data .= $delta; + // Every 100 iterations hash the data and entropy + if ( $iterations % 100 === 0 ) { + $data = sha1( $data ); + } + $currentTime = $nextTime; + $iterations++; + } + $timeTaken = $currentTime - $startTime; + $data = $this->hash( $data ); + + wfDebug( __METHOD__ . ": Clock drift calculation " . + "(time-taken=" . ( $timeTaken * 1000 ) . "ms, " . + "iterations=$iterations, " . + "time-per-iteration=" . ( $timeTaken / $iterations * 1e6 ) . "us)\n" ); + return $data; + } + + /** + * Return a rolling random state initially build using data from unstable sources + * @return A new weak random state + */ + protected function randomState() { + static $state = null; + if ( is_null( $state ) ) { + // Initialize the state with whatever unstable data we can find + // It's important that this data is hashed right afterwards to prevent + // it from being leaked into the output stream + $state = $this->hash( $this->initialRandomState() ); + } + // Generate a new random state based on the initial random state or previous + // random state by combining it with clock drift + $state = $this->driftHash( $state ); + return $state; + } + + /** + * Decide on the best acceptable hash algorithm we have available for hash() + * @return String A hash algorithm + */ + protected function hashAlgo() { + if ( !is_null( $algo ) ) { + return $algo; + } + + $algos = hash_algos(); + $preference = array( 'whirlpool', 'sha256', 'sha1', 'md5' ); + + foreach ( $preference as $algorithm ) { + if ( in_array( $algorithm, $algos ) ) { + $algo = $algorithm; # assign to static + wfDebug( __METHOD__ . ": Using the $algo hash algorithm.\n" ); + return $algo; + } + } + + // We only reach here if no acceptable hash is found in the list, this should + // be a technical impossibility since most of php's hash list is fixed and + // some of the ones we list are available as their own native functions + // But since we already require at least 5.2 and hash() was default in + // 5.1.2 we don't bother falling back to methods like sha1 and md5. + throw new MWException( "Could not find an acceptable hashing function in hash_algos()" ); + } + + /** + * Return the byte-length output of the hash algorithm we are + * using in self::hash and self::hmac. + * + * @return int Number of bytes the hash outputs + */ + protected function hashLength() { + if ( is_null( $hashLength ) ) { + $hashLength = strlen( $this->hash( '' ) ); + } + return $hashLength; + } + + /** + * Generate an acceptably unstable one-way-hash of some text + * making use of the best hash algorithm that we have available. + * + * @return String A raw hash of the data + */ + protected function hash( $data ) { + return hash( $this->hashAlgo(), $data, true ); + } + + /** + * Generate an acceptably unstable one-way-hmac of some text + * making use of the best hash algorithm that we have available. + * + * @return String A raw hash of the data + */ + protected function hmac( $data, $key ) { + return hash_hmac( $this->hashAlgo(), $data, $key, true ); + } + + /** + * @see self::wasStrong() + */ + public function realWasStrong() { + if ( is_null( $this->strong ) ) { + throw new MWException( __METHOD__ . ' called before generation of random data' ); + } + return $this->strong; + } + + /** + * @see self::generate() + */ + public function realGenerate( $bytes, $forceStrong = false, $method = null ) { + wfProfileIn( __METHOD__ ); + if ( is_string( $forceStrong ) && is_null( $method ) ) { + // If $forceStrong is a string then it's really $method + $method = $forceStrong; + $forceStrong = false; + } + + if ( !is_null( $method ) ) { + wfDebug( __METHOD__ . ": Generating cryptographic random bytes for $method\n" ); + } + + $bytes = floor( $bytes ); + static $buffer = ''; + if ( is_null( $this->strong ) ) { + // Set strength to false initially until we know what source data is coming from + $this->strong = true; + } + + if ( strlen( $buffer ) < $bytes ) { + // If available make use of mcrypt_create_iv URANDOM source to generate randomness + // On unix-like systems this reads from /dev/urandom but does it without any buffering + // and bypasses openbasdir restrictions so it's preferable to reading directly + // On Windows starting in PHP 5.3.0 Windows' native CryptGenRandom is used to generate + // entropy so this is also preferable to just trying to read urandom because it may work + // on Windows systems as well. + if ( function_exists( 'mcrypt_create_iv' ) ) { + wfProfileIn( __METHOD__ . '-mcrypt' ); + $rem = $bytes - strlen( $buffer ); + wfDebug( __METHOD__ . ": Trying to generate $rem bytes of randomness using mcrypt_create_iv.\n" ); + $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM ); + if ( $iv === false ) { + wfDebug( __METHOD__ . ": mcrypt_create_iv returned false.\n" ); + } else { + $bytes .= $iv; + wfDebug( __METHOD__ . ": mcrypt_create_iv generated " . strlen( $iv ) . " bytes of randomness.\n" ); + } + wfProfileOut( __METHOD__ . '-mcrypt' ); + } + } + + if ( strlen( $buffer ) < $bytes ) { + // If available make use of openssl's random_pesudo_bytes method to attempt to generate randomness. + // However don't do this on Windows with PHP < 5.3.4 due to a bug: + // http://stackoverflow.com/questions/1940168/openssl-random-pseudo-bytes-is-slow-php + if ( function_exists( 'openssl_random_pseudo_bytes' ) + && ( !wfIsWindows() || version_compare( PHP_VERSION, '5.3.4', '>=' ) ) + ) { + wfProfileIn( __METHOD__ . '-openssl' ); + $rem = $bytes - strlen( $buffer ); + wfDebug( __METHOD__ . ": Trying to generate $rem bytes of randomness using openssl_random_pseudo_bytes.\n" ); + $openssl_bytes = openssl_random_pseudo_bytes( $rem, $openssl_strong ); + if ( $openssl_bytes === false ) { + wfDebug( __METHOD__ . ": openssl_random_pseudo_bytes returned false.\n" ); + } else { + $buffer .= $openssl_bytes; + wfDebug( __METHOD__ . ": openssl_random_pseudo_bytes generated " . strlen( $openssl_bytes ) . " bytes of " . ( $openssl_strong ? "strong" : "weak" ) . " randomness.\n" ); + } + if ( strlen( $buffer ) >= $bytes ) { + // openssl tells us if the random source was strong, if some of our data was generated + // using it use it's say on whether the randomness is strong + $this->strong = !!$openssl_strong; + } + wfProfileOut( __METHOD__ . '-openssl' ); + } + } + + // Only read from urandom if we can control the buffer size or were passed forceStrong + if ( strlen( $buffer ) < $bytes && ( function_exists( 'stream_set_read_buffer' ) || $forceStrong ) ) { + wfProfileIn( __METHOD__ . '-fopen-urandom' ); + $rem = $bytes - strlen( $buffer ); + wfDebug( __METHOD__ . ": Trying to generate $rem bytes of randomness using /dev/urandom.\n" ); + if ( !function_exists( 'stream_set_read_buffer' ) && $forceStrong ) { + wfDebug( __METHOD__ . ": Was forced to read from /dev/urandom without control over the buffer size.\n" ); + } + // /dev/urandom is generally considered the best possible commonly + // available random source, and is available on most *nix systems. + wfSuppressWarnings(); + $urandom = fopen( "/dev/urandom", "rb" ); + wfRestoreWarnings(); + + // Attempt to read all our random data from urandom + // php's fread always does buffered reads based on the stream's chunk_size + // so in reality it will usually read more than the amount of data we're + // asked for and not storing that risks depleting the system's random pool. + // If stream_set_read_buffer is available set the chunk_size to the amount + // of data we need. Otherwise read 8k, php's default chunk_size. + if ( $urandom ) { + // php's default chunk_size is 8k + $chunk_size = 1024 * 8; + if ( function_exists( 'stream_set_read_buffer' ) ) { + // If possible set the chunk_size to the amount of data we need + stream_set_read_buffer( $urandom, $rem ); + $chunk_size = $rem; + } + wfDebug( __METHOD__ . ": Reading from /dev/urandom with a buffer size of $chunk_size.\n" ); + $random_bytes = fread( $urandom, max( $chunk_size, $rem ) ); + $buffer .= $random_bytes; + fclose( $urandom ); + wfDebug( __METHOD__ . ": /dev/urandom generated " . strlen( $random_bytes ) . " bytes of randomness.\n" ); + if ( strlen( $buffer ) >= $bytes ) { + // urandom is always strong, set to true if all our data was generated using it + $this->strong = true; + } + } else { + wfDebug( __METHOD__ . ": /dev/urandom could not be opened.\n" ); + } + wfProfileOut( __METHOD__ . '-fopen-urandom' ); + } + + // If we cannot use or generate enough data from a secure source + // use this loop to generate a good set of pseudo random data. + // This works by initializing a random state using a pile of unstable data + // and continually shoving it through a hash along with a variable salt. + // We hash the random state with more salt to avoid the state from leaking + // out and being used to predict the /randomness/ that follows. + if ( strlen( $buffer ) < $bytes ) { + wfDebug( __METHOD__ . ": Falling back to using a pseudo random state to generate randomness.\n" ); + } + while ( strlen( $buffer ) < $bytes ) { + wfProfileIn( __METHOD__ . '-fallback' ); + $buffer .= $this->hmac( $this->randomState(), mt_rand() ); + // This code is never really cryptographically strong, if we use it + // at all, then set strong to false. + $this->strong = false; + wfProfileOut( __METHOD__ . '-fallback' ); + } + + // Once the buffer has been filled up with enough random data to fulfill + // the request shift off enough data to handle the request and leave the + // unused portion left inside the buffer for the next request for random data + $generated = substr( $buffer, 0, $bytes ); + $buffer = substr( $buffer, $bytes ); + + wfDebug( __METHOD__ . ": " . strlen( $buffer ) . " bytes of randomness leftover in the buffer.\n" ); + + wfProfileOut( __METHOD__ ); + return $generated; + } + + /** + * @see self::generateHex() + */ + public function realGenerateHex( $chars, $forceStrong = false, $method = null ) { + // hex strings are 2x the length of raw binary so we divide the length in half + // odd numbers will result in a .5 that leads the generate() being 1 character + // short, so we use ceil() to ensure that we always have enough bytes + $bytes = ceil( $chars / 2 ); + // Generate the data and then convert it to a hex string + $hex = bin2hex( $this->generate( $bytes, $forceStrong, $method ) ); + // A bit of paranoia here, the caller asked for a specific length of string + // here, and it's possible (eg when given an odd number) that we may actually + // have at least 1 char more than they asked for. Just in case they made this + // call intending to insert it into a database that does truncation we don't + // want to give them too much and end up with their database and their live + // code having two different values because part of what we gave them is truncated + // hence, we strip out any run of characters longer than what we were asked for. + return substr( $hex, 0, $chars ); + } + + /** Publicly exposed static methods **/ + + /** + * Return a singleton instance of MWCryptRand + */ + protected static function singleton() { + if ( is_null( self::$singleton ) ) { + self::$singleton = new self; + } + return self::$singleton; + } + + /** + * Return a boolean indicating whether or not the source used for cryptographic + * random bytes generation in the previously run generate* call + * was cryptographically strong. + * + * @return bool Returns true if the source was strong, false if not. + */ + public static function wasStrong() { + return self::singleton()->realWasStrong(); + } + + /** + * Generate a run of (ideally) cryptographically random data and return + * it in raw binary form. + * You can use MWCryptRand::wasStrong() if you wish to know if the source used + * was cryptographically strong. + * + * @param $bytes int the number of bytes of random data to generate + * @param $forceStrong bool Pass true if you want generate to prefer cryptographically + * strong sources of entropy even if reading from them may steal + * more entropy from the system than optimal. + * @param $method The calling method, for debug info. May be the second argument if you are not using forceStrong + * @return String Raw binary random data + */ + public static function generate( $bytes, $forceStrong = false, $method = null ) { + return self::singleton()->realGenerate( $bytes, $forceStrong, $method ); + } + + /** + * Generate a run of (ideally) cryptographically random data and return + * it in hexadecimal string format. + * You can use MWCryptRand::wasStrong() if you wish to know if the source used + * was cryptographically strong. + * + * @param $chars int the number of hex chars of random data to generate + * @param $forceStrong bool Pass true if you want generate to prefer cryptographically + * strong sources of entropy even if reading from them may steal + * more entropy from the system than optimal. + * @param $method The calling method, for debug info. May be the second argument if you are not using forceStrong + * @return String Hexadecimal random data + */ + public static function generateHex( $chars, $forceStrong = false, $method = null ) { + return self::singleton()->realGenerateHex( $chars, $forceStrong, $method ); + } + +} diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php index 8b7aa00a5a..806b43e899 100644 --- a/includes/GlobalFunctions.php +++ b/includes/GlobalFunctions.php @@ -294,6 +294,24 @@ function wfRandom() { return $rand; } +/** + * Get a random string containing a number of pesudo-random hex + * characters. + * @note This is not secure, if you are trying to generate some sort + * of token please use MWCryptRand instead. + * + * @param $length int The length of the string to generate + * @return String + * @since 1.20 + */ +function wfRandomString( $length = 32 ) { + $str = ''; + while ( strlen( $str ) < $length ) { + $str .= dechex( mt_rand() ); + } + return substr( $str, 0, $length ); +} + /** * We want some things to be included as literal characters in our title URLs * for prettiness, which urlencode encodes by default. According to RFC 1738, @@ -3322,6 +3340,33 @@ function wfHttpOnlySafe() { return true; } +/** + * Override session_id before session startup if php's built-in + * session generation code is not secure. + */ +function wfFixSessionID() { + // If the cookie or session id is already set we already have a session and should abort + if ( isset( $_COOKIE[ session_name() ] ) || session_id() ) { + return; + } + + // PHP's built-in session entropy is enabled if: + // - entropy_file is set or you're on Windows with php 5.3.3+ + // - AND entropy_length is > 0 + // We treat it as disabled if it doesn't have an entropy length of at least 32 + $entropyEnabled = ( + ( wfIsWindows() && version_compare( PHP_VERSION, '5.3.3', '>=' ) ) + || ini_get( 'session.entropy_file' ) + ) + && intval( ini_get( 'session.entropy_length' ) ) >= 32; + + // If built-in entropy is not enabled or not sufficient override php's built in session id generation code + if ( !$entropyEnabled ) { + wfDebug( __METHOD__ . ": PHP's built in entropy is disabled or not sufficient, overriding session id generation using our cryptrand source.\n" ); + session_id( MWCryptRand::generateHex( 32, __METHOD__ ) ); + } +} + /** * Initialise php session * @@ -3361,6 +3406,8 @@ function wfSetupSession( $sessionId = false ) { session_cache_limiter( 'private, must-revalidate' ); if ( $sessionId ) { session_id( $sessionId ); + } else { + wfFixSessionID(); } wfSuppressWarnings(); session_start(); @@ -3681,8 +3728,11 @@ function wfCountDown( $n ) { * characters before hashing. * @return string * @codeCoverageIgnore + * @deprecated since 1.20; Please use MWCryptRand for security purposes and wfRandomString for pesudo-random strings + * @warning This method is NOT secure. Additionally it has many callers that use it for pesudo-random purposes. */ function wfGenerateToken( $salt = '' ) { + wfDeprecated( __METHOD__, '1.20' ); $salt = serialize( $salt ); return md5( mt_rand( 0, 0x7fffffff ) . $salt ); } diff --git a/includes/Import.php b/includes/Import.php index d53302bb18..607d878b59 100644 --- a/includes/Import.php +++ b/includes/Import.php @@ -829,7 +829,7 @@ class UploadSourceAdapter { * @return string */ static function registerSource( $source ) { - $id = wfGenerateToken(); + $id = wfRandomString(); self::$sourceRegistrations[$id] = $source; diff --git a/includes/Preferences.php b/includes/Preferences.php index a9f7456052..bc8e47f826 100644 --- a/includes/Preferences.php +++ b/includes/Preferences.php @@ -916,6 +916,7 @@ class Preferences { if ( $wgEnableAPI ) { # Some random gibberish as a proposed default + // @fixme This should use CryptRand but we may not want to read urandom on every view $hash = sha1( mt_rand() . microtime( true ) ); $defaultPreferences['watchlisttoken'] = array( diff --git a/includes/User.php b/includes/User.php index 684a05c6f7..9fdd076bcd 100644 --- a/includes/User.php +++ b/includes/User.php @@ -836,23 +836,20 @@ class User { } /** - * Return a random password. Sourced from mt_rand, so it's not particularly secure. - * @todo hash random numbers to improve security, like generateToken() + * Return a random password. * * @return String new random password */ public static function randomPassword() { global $wgMinimalPasswordLength; - $pwchars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz'; - $l = strlen( $pwchars ) - 1; - - $pwlength = max( 7, $wgMinimalPasswordLength ); - $digit = mt_rand( 0, $pwlength - 1 ); - $np = ''; - for ( $i = 0; $i < $pwlength; $i++ ) { - $np .= $i == $digit ? chr( mt_rand( 48, 57 ) ) : $pwchars[ mt_rand( 0, $l ) ]; - } - return $np; + // Decide the final password length based on our min password length, stopping at a minimum of 10 chars + $length = max( 10, $wgMinimalPasswordLength ); + // Multiply by 1.25 to get the number of hex characters we need + $length = $length * 1.25; + // Generate random hex chars + $hex = MWCryptRand::generateHex( $length, __METHOD__ ); + // Convert from base 16 to base 32 to get a proper password like string + return wfBaseConvert( $hex, 16, 32 ); } /** @@ -882,7 +879,7 @@ class User { $this->mTouched = '0'; # Allow any pages to be cached } - $this->setToken(); # Random + $this->mToken = null; // Don't run cryptographic functions till we need a token $this->mEmailAuthenticated = null; $this->mEmailToken = ''; $this->mEmailTokenExpires = null; @@ -989,11 +986,11 @@ class User { return false; } - if ( $request->getSessionData( 'wsToken' ) !== null ) { - $passwordCorrect = $proposedUser->getToken() === $request->getSessionData( 'wsToken' ); + if ( $request->getSessionData( 'wsToken' ) ) { + $passwordCorrect = $proposedUser->getToken( false ) === $request->getSessionData( 'wsToken' ); $from = 'session'; - } elseif ( $request->getCookie( 'Token' ) !== null ) { - $passwordCorrect = $proposedUser->getToken() === $request->getCookie( 'Token' ); + } elseif ( $request->getCookie( 'Token' ) ) { + $passwordCorrect = $proposedUser->getToken( false ) === $request->getCookie( 'Token' ); $from = 'cookie'; } else { # No session or persistent login cookie @@ -1098,6 +1095,9 @@ class User { } $this->mTouched = wfTimestamp( TS_MW, $row->user_touched ); $this->mToken = $row->user_token; + if ( $this->mToken == '' ) { + $this->mToken = null; + } $this->mEmailAuthenticated = wfTimestampOrNull( TS_MW, $row->user_email_authenticated ); $this->mEmailToken = $row->user_email_token; $this->mEmailTokenExpires = wfTimestampOrNull( TS_MW, $row->user_email_token_expires ); @@ -2023,10 +2023,14 @@ class User { /** * Get the user's current token. + * @param $forceCreation Force the generation of a new token if the user doesn't have one (default=true for backwards compatibility) * @return String Token */ - public function getToken() { + public function getToken( $forceCreation = true ) { $this->load(); + if ( !$this->mToken && $forceCreation ) { + $this->setToken(); + } return $this->mToken; } @@ -2040,14 +2044,7 @@ class User { global $wgSecretKey, $wgProxyKey; $this->load(); if ( !$token ) { - if ( $wgSecretKey ) { - $key = $wgSecretKey; - } elseif ( $wgProxyKey ) { - $key = $wgProxyKey; - } else { - $key = microtime(); - } - $this->mToken = md5( $key . mt_rand( 0, 0x7fffffff ) . wfWikiID() . $this->mId ); + $this->mToken = MWCryptRand::generateHex( USER_TOKEN_LENGTH, __METHOD__ ); } else { $this->mToken = $token; } @@ -2814,7 +2811,7 @@ class User { 'user_email' => $this->mEmail, 'user_email_authenticated' => $dbw->timestampOrNull( $this->mEmailAuthenticated ), 'user_touched' => $dbw->timestamp( $this->mTouched ), - 'user_token' => $this->mToken, + 'user_token' => strval( $this->mToken ), 'user_email_token' => $this->mEmailToken, 'user_email_token_expires' => $dbw->timestampOrNull( $this->mEmailTokenExpires ), ), array( /* WHERE */ @@ -2880,7 +2877,7 @@ class User { 'user_email' => $user->mEmail, 'user_email_authenticated' => $dbw->timestampOrNull( $user->mEmailAuthenticated ), 'user_real_name' => $user->mRealName, - 'user_token' => $user->mToken, + 'user_token' => strval( $user->mToken ), 'user_registration' => $dbw->timestamp( $user->mRegistration ), 'user_editcount' => 0, 'user_touched' => $dbw->timestamp( self::newTouchedTimestamp() ), @@ -2917,7 +2914,7 @@ class User { 'user_email' => $this->mEmail, 'user_email_authenticated' => $dbw->timestampOrNull( $this->mEmailAuthenticated ), 'user_real_name' => $this->mRealName, - 'user_token' => $this->mToken, + 'user_token' => strval( $this->mToken ), 'user_registration' => $dbw->timestamp( $this->mRegistration ), 'user_editcount' => 0, 'user_touched' => $dbw->timestamp( $this->mTouched ), @@ -3182,7 +3179,7 @@ class User { } else { $token = $request->getSessionData( 'wsEditToken' ); if ( $token === null ) { - $token = self::generateToken(); + $token = MWCryptRand::generateHex( 32, __METHOD__ ); $request->setSessionData( 'wsEditToken', $token ); } if( is_array( $salt ) ) { @@ -3197,10 +3194,10 @@ class User { * * @param $salt String Optional salt value * @return String The new random token + * @deprecated since 1.20; Use MWCryptRand for secure purposes or wfRandomString for pesudo-randomness */ public static function generateToken( $salt = '' ) { - $token = dechex( mt_rand() ) . dechex( mt_rand() ); - return md5( $token . $salt ); + return MWCryptRand::generateHex( 32, __METHOD__ ); } /** @@ -3306,12 +3303,11 @@ class User { global $wgUserEmailConfirmationTokenExpiry; $now = time(); $expires = $now + $wgUserEmailConfirmationTokenExpiry; - $expiration = wfTimestamp( TS_MW, $expires ); - $token = self::generateToken( $this->mId . $this->mEmail . $expires ); - $hash = md5( $token ); $this->load(); + $token = MWCryptRand::generateHex( 32, __METHOD__ ); + $hash = md5( $token ); $this->mEmailToken = $hash; - $this->mEmailTokenExpires = $expiration; + $this->mEmailTokenExpires = wfTimestamp( TS_MW, $expires ); return $token; } @@ -3860,7 +3856,7 @@ class User { if( $wgPasswordSalt ) { if ( $salt === false ) { - $salt = substr( wfGenerateToken(), 0, 8 ); + $salt = MWCryptRand::generateHex( 8, __METHOD__ ); } return ':B:' . $salt . ':' . md5( $salt . '-' . md5( $password ) ); } else { diff --git a/includes/installer/Installer.php b/includes/installer/Installer.php index d6a0c869f9..b380787db8 100644 --- a/includes/installer/Installer.php +++ b/includes/installer/Installer.php @@ -1446,8 +1446,7 @@ abstract class Installer { } /** - * Generate $wgSecretKey. Will warn if we had to use mt_rand() instead of - * /dev/urandom + * Generate $wgSecretKey. Will warn if we had to use an insecure random source. * * @return Status */ @@ -1460,8 +1459,8 @@ abstract class Installer { } /** - * Generate a secret value for variables using either - * /dev/urandom or mt_rand(). Produce a warning in the later case. + * Generate a secret value for variables using our CryptRand generator. + * Produce a warning if the random source was insecure. * * @param $keys Array * @return Status @@ -1469,28 +1468,18 @@ abstract class Installer { protected function doGenerateKeys( $keys ) { $status = Status::newGood(); - wfSuppressWarnings(); - $file = fopen( "/dev/urandom", "r" ); - wfRestoreWarnings(); - + $strong = true; foreach ( $keys as $name => $length ) { - if ( $file ) { - $secretKey = bin2hex( fread( $file, $length / 2 ) ); - } else { - $secretKey = ''; - - for ( $i = 0; $i < $length / 8; $i++ ) { - $secretKey .= dechex( mt_rand( 0, 0x7fffffff ) ); - } + $secretKey = MWCryptRand::generateHex( $length, true ); + if ( !MWCryptRand::wasStrong() ) { + $strong = false; } $this->setVar( $name, $secretKey ); } - if ( $file ) { - fclose( $file ); - } else { - $names = array_keys ( $keys ); + if ( !$strong ) { + $names = array_keys( $keys ); $names = preg_replace( '/^(.*)$/', '\$$1', $names ); global $wgLang; $status->warning( 'config-insecure-keys', $wgLang->listToText( $names ), count( $names ) ); diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php index 998286c9f1..99a283dcb8 100644 --- a/includes/parser/Parser.php +++ b/includes/parser/Parser.php @@ -561,7 +561,7 @@ class Parser { * @return string */ static public function getRandomString() { - return dechex( mt_rand( 0, 0x7fffffff ) ) . dechex( mt_rand( 0, 0x7fffffff ) ); + return wfRandomString( 16 ); } /** diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php index 761f1a792f..f6df4d5474 100644 --- a/includes/specials/SpecialUserlogin.php +++ b/includes/specials/SpecialUserlogin.php @@ -1150,9 +1150,9 @@ class LoginForm extends SpecialPage { */ public static function setLoginToken() { global $wgRequest; - // Use User::generateToken() instead of $user->editToken() + // Generate a token directly instead of using $user->editToken() // because the latter reuses $_SESSION['wsEditToken'] - $wgRequest->setSessionData( 'wsLoginToken', User::generateToken() ); + $wgRequest->setSessionData( 'wsLoginToken', MWCryptRand::generateHex( 32, __METHOD__ ) ); } /** @@ -1177,7 +1177,7 @@ class LoginForm extends SpecialPage { */ public static function setCreateaccountToken() { global $wgRequest; - $wgRequest->setSessionData( 'wsCreateaccountToken', User::generateToken() ); + $wgRequest->setSessionData( 'wsCreateaccountToken', MWCryptRand::generateHex( 32, __METHOD__ ) ); } /** diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php index 62358da6bd..64a07f14b8 100644 --- a/includes/specials/SpecialWatchlist.php +++ b/includes/specials/SpecialWatchlist.php @@ -43,7 +43,7 @@ class SpecialWatchlist extends SpecialPage { // Add feed links $wlToken = $user->getOption( 'watchlisttoken' ); if ( !$wlToken ) { - $wlToken = sha1( mt_rand() . microtime( true ) ); + $wlToken = MWCryptRand::generateHex( 40 ); $user->setOption( 'watchlisttoken', $wlToken ); $user->saveSettings(); } -- 2.20.1