Merge pull request #8 from Rican7/enhancement/native-csprng-support

Enhancement - Native CSPRNG support and OpenSSL deprecation

Author: brianmuse

.travis.yml

@@ -5,6 +5,7 @@ php:
   - 5.4
   - 5.5
   - 5.6
+  - 7.0
   - nightly
   - hhvm
 
@@ -19,7 +20,7 @@ before_install:
 
 install:
   - composer self-update
-  - composer install --prefer-dist
+  - make install-deps
 
 script:
   - composer validate

Makefile

@@ -1,7 +1,17 @@
+# Define directories
+VENDOR_DIR ?= $(CURDIR)/vendor
+
+
+# Global/default target
 all: install test lint check-style
 
-install:
-	composer install --prefer-dist
+$(VENDOR_DIR):
+	composer install --no-interaction --prefer-dist
+
+install-deps: $(VENDOR_DIR)
+
+clean-deps:
+	rm -rf $(VENDOR_DIR)
 
 test:
 	./vendor/bin/phpunit
@@ -18,3 +28,5 @@ lint:
 
 check-style:
 	./vendor/bin/phpcs --standard=PSR2 --encoding=utf-8 -p src/ tests/
+
+.PHONY: all install-deps clean-deps test test-with-coverage test-with-coverage-clover lint check-style

composer.json

@@ -27,7 +27,11 @@
         "ext-openssl": "*",
         "phpunit/phpunit": "^4.7",
         "phpunit/php-code-coverage": "^2.2",
-        "squizlabs/php_codesniffer": "^2.3"
+        "squizlabs/php_codesniffer": "^2.3",
+        "paragonie/random_compat": "^2.0"
+    },
+    "suggest": {
+        "paragonie/random_compat": "Allows for more cryptographically secure random data generation during the NTLM hashing process"
     },
     "autoload": {
         "psr-4": {"Robin\\Ntlm\\": "src/Robin/Ntlm/"}

src/Robin/Ntlm/Crypt/Random/McryptRandomByteGenerator.php

@@ -2,7 +2,7 @@
 /**
  * Robin NTLM
  *
- * @copyright 2015 Robin Powered, Inc.
+ * @copyright 2016 Robin Powered, Inc.
  * @link https://robinpowered.com/
  */
 
@@ -16,6 +16,9 @@
  * "mcrypt" extension.
  *
  * @link http://php.net/mcrypt
+ * @deprectated NOTE! This implementation is deprecated, as the mcrypt library
+ *   is abandoned. More info: https://github.com/robinpowered/php-ntlm/pull/1
+ * @todo Remove this implementation in a future version.
  */
 class McryptRandomByteGenerator implements RandomByteGeneratorInterface
 {
@@ -63,9 +66,17 @@ public function __construct($source = self::DEFAULT_SOURCE)
 
     /**
      * {@inheritDoc}
+     *
+     * @deprectated NOTE! This implementation is deprecated, as the mcrypt
+     *   library is abandoned.
      */
     public function generate($size)
     {
+        trigger_error(
+            'This implementation is deprecated, as the mcrypt library is abandoned',
+            E_USER_DEPRECATED
+        );
+
         $generated = mcrypt_create_iv($size, $this->source);
 
         if (false === $generated || strlen($generated) !== $size) {

src/Robin/Ntlm/Crypt/Random/NativeRandomByteGenerator.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Robin NTLM
+ *
+ * @copyright 2016 Robin Powered, Inc.
+ * @link https://robinpowered.com/
+ */
+
+namespace Robin\Ntlm\Crypt\Random;
+
+use Error;
+use Exception;
+use Robin\Ntlm\Crypt\Exception\CryptographicFailureException;
+
+/**
+ * A cryptographically secure random byte generator implemented using the native
+ * PHP CSPRNG functions.
+ *
+ * @link http://php.net/csprng
+ */
+class NativeRandomByteGenerator implements RandomByteGeneratorInterface
+{
+
+    /**
+     * Methods
+     */
+
+    /**
+     * {@inheritDoc}
+     */
+    public function generate($size)
+    {
+        try {
+            $generated = random_bytes($size);
+        } catch (Error $e) {
+            // PHP 7+ will throw an `Error`. Catch here to make sure that we don't accidentally catch a polyfilled
+            // `Error` from a polyfill library, such as https://github.com/paragonie/random_compat
+            throw $e;
+        } catch (Exception $e) {
+            throw CryptographicFailureException::forReasonCode(
+                CryptographicFailureException::CODE_FOR_RANDOM_DATA_GENERATION_FAILURE,
+                $e
+            );
+        }
+
+        return $generated;
+    }
+}

src/Robin/Ntlm/Crypt/Random/OpenSslRandomByteGenerator.php

@@ -2,7 +2,7 @@
 /**
  * Robin NTLM
  *
- * @copyright 2015 Robin Powered, Inc.
+ * @copyright 2016 Robin Powered, Inc.
  * @link https://robinpowered.com/
  */
 
@@ -15,6 +15,9 @@
  * "openssl" extension.
  *
  * @link http://php.net/openssl
+ * @deprectated NOTE! This implementation is deprecated, as it's been found to
+ *   be insecure. More info: https://github.com/robinpowered/php-ntlm/issues/7
+ * @todo Remove this implementation in a future version.
  */
 class OpenSslRandomByteGenerator implements RandomByteGeneratorInterface
 {
@@ -25,9 +28,17 @@ class OpenSslRandomByteGenerator implements RandomByteGeneratorInterface
 
     /**
      * {@inheritDoc}
+     *
+     * @deprectated NOTE! This implementation is deprecated, as it's been found
+     *   to be insecure.
      */
     public function generate($size)
     {
+        trigger_error(
+            'This implementation is deprecated, as it can be insecure in some circumstances',
+            E_USER_DEPRECATED
+        );
+
         $generated = openssl_random_pseudo_bytes($size, $strong);
 
         if (false === $generated || strlen($generated) !== $size || false === $strong) {