diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index c25a3036c..47110e987 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -433,7 +433,7 @@ function local_user_set_password(&$user, $password = null)
 {
 if ($password == null) {
 /* generate a random password */
- $bytes = openssl_random_pseudo_bytes(50);
+ $bytes = random_bytes(50);
 $password = pack('H*', bin2hex($bytes));
 }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
index 401b8163a..196220bb7 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/API.php
@@ -88,8 +88,8 @@ class API extends Base implements IAuthConnector
 }
 $item = $apikeys->addChild('item');
- $newKey = base64_encode(openssl_random_pseudo_bytes(60));
- $newSecret = base64_encode(openssl_random_pseudo_bytes(60));
+ $newKey = base64_encode(random_bytes(60));
+ $newSecret = base64_encode(random_bytes(60));
 $item->addChild('key', $newKey);
 $item->addChild('secret', crypt($newSecret, '$6$'));
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
index 28441d83c..750ece77a 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Voucher.php
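Review bot: `random_bytes(50)` throws (`\Exception`, a `Random\RandomException` on PHP 8.2+) when no CSPRNG source is available, whereas the replaced call returned a value and this code never inspected its strength out-parameter; failing closed is the right behaviour, but it is a new exception path out of local_user_set_password that its docblock (outside the hunk) should record, e.g. `@throws \Exception when no secure random source is available`. The same remark applies to every other call site in this commit (API.php, Voucher.php, system_advanced_network.php and the two OTP-seed pages), so one `@throws` note per affected function is worth adding. Separately, the unchanged next line `pack('H*', bin2hex($bytes))` only round-trips the bytes, so `$password = $bytes;` states the same thing more plainly.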
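Review bot: The new `$newSecret` is persisted on the unchanged line below through `crypt($newSecret, '$6$')`, which passes only the SHA-512 prefix and no salt characters, so every stored secret appears to share an empty salt (hashes of the form `$6$$…`). With 60 random bytes behind the secret the practical impact is small, but a per-entry salt is the expected form for crypt(): `crypt($newSecret, '$6$' . substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16))`, or `password_hash($newSecret, PASSWORD_DEFAULT)` if the verifying side can move to `password_verify()`. Confirm which salt format the existing verifier (outside this hunk) parses before changing it.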
@@ -193,41 +193,10 @@ class Voucher extends Base implements IAuthConnector
 {
 $response = array();
 if ($this->dbHandle != null) {
+ $characterMap = '!#$%()*+,-./0123456789:;=?@ABCDEFGHIJKLMNPQRSTUVWXYZ[\]_abcdefghijkmnopqrstuvwxyz';
 if ($this->simplePasswords) {
- // create a map of easy to read characters
- $characterMap = '';
- while (strlen($characterMap) < 256) {
- $random_bytes = openssl_random_pseudo_bytes(10000);
- for ($i = 0; $i < strlen($random_bytes); $i++) {
- $chr_ord = ord($random_bytes[$i]);
- if (
- ($chr_ord >= 50 && $chr_ord <= 57) || // 2..9
- ($chr_ord >= 65 && $chr_ord <= 72) || // A..H
- ($chr_ord >= 74 && $chr_ord <= 78) || // J..N
- ($chr_ord >= 80 && $chr_ord <= 90) || // P..Z
- ($chr_ord >= 97 && $chr_ord <= 107) || // a..k
- ($chr_ord >= 109 && $chr_ord <= 110) || // m..n
- ($chr_ord >= 112 && $chr_ord <= 122) // p..z
- ) {
- $characterMap .= $random_bytes[$i];
- }
- }
- }
- } else {
- // list of characters to skip for random generator
- $doNotUseChr = array('<', '>', '{', '}', '&', 'l' , 'O' ,'`', '\'', '|' ,'^', '"');
-
- // create map of random readable characters
- $characterMap = '';
- while (strlen($characterMap) < 256) {
- $random_bytes = openssl_random_pseudo_bytes(10000);
- for ($i = 0; $i < strlen($random_bytes); $i++) {
- $chr_ord = ord($random_bytes[$i]);
- if ($chr_ord >= 33 && $chr_ord <= 125 && !in_array($random_bytes[$i], $doNotUseChr)) {
- $characterMap .= $random_bytes[$i];
- }
- }
- }
+ // a map of easy to read characters
+ $characterMap = '23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz';
 }
 // generate new vouchers
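Review bot: The new non-simple alphabet literal encodes a rule the removed code stated explicitly (printable ASCII 33..125 minus the `$doNotUseChr` list), and that rationale now lives nowhere; a comment above the assignment such as `// printable ASCII 33..125 minus glyphs that are easily confused or need quoting: < > { } & l O ` ' | ^ "` keeps the next editor from re-adding one of them. The single-quoted `[\]` is three characters (`[`, `\`, `]`), because single-quoted PHP strings only process `\\` and `\'`, so the backslash is deliberately part of the voucher alphabet and deserves a word in that comment as well. The simple alphabet omits `0`, `1`, `I`, `O`, `l` and `o` exactly as the removed byte ranges did, so the two literals match the old sets. The enclosing method's signature is above the hunk.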
@@ -235,14 +204,12 @@ class Voucher extends Base implements IAuthConnector
 $expirytime = $expirytime == 0 ? 0 : $expirytime + time();
 while ($vouchersGenerated < $count) {
 $generatedUsername = '';
- $random_bytes = openssl_random_pseudo_bytes($this->usernameLength);
- for ($j = 0; $j < strlen($random_bytes); $j++) {
- $generatedUsername .= $characterMap[ord($random_bytes[$j])];
+ for ($j = 0; $j < $this->usernameLength; $j++) {
+ $generatedUsername .= $characterMap[random_int(0, strlen($characterMap) - 1)];
 }
 $generatedPassword = '';
- $random_bytes = openssl_random_pseudo_bytes($this->passwordLength);
- for ($j = 0; $j < strlen($random_bytes); $j++) {
- $generatedPassword .= $characterMap[ord($random_bytes[$j])];
+ for ($j = 0; $j < $this->passwordLength; $j++) {
+ $generatedPassword .= $characterMap[random_int(0, strlen($characterMap) - 1)];
 }
 if (!$this->userNameExists($generatedUsername)) {
diff --git a/src/www/system_advanced_network.php b/src/www/system_advanced_network.php
index fd32afdc1..c71e34779 100644
--- a/src/www/system_advanced_network.php
+++ b/src/www/system_advanced_network.php
@@ -77,7 +77,7 @@ function generate_new_duid($duid_type)
 $new_duid = $new_duid.':'.$mac;
 break;
 case '3': //UUID
- $type = "\x00\x00\x00\x04".openssl_random_pseudo_bytes(16);
+ $type = "\x00\x00\x00\x04".random_bytes(16);
 for ($count = 0; $count < strlen($type); ) {
 $new_duid .= bin2hex( $type[$count]);
 $count++;
@@ -87,7 +87,7 @@ function generate_new_duid($duid_type)
 }
 break;
 case '4': //EN - Using Opnsense PEN!!!
- $type = "\x00\x02\x00\x00\xD2\x6D".openssl_random_pseudo_bytes(8);
+ $type = "\x00\x02\x00\x00\xD2\x6D".random_bytes(8);
 for ($count = 0; $count < strlen($type); ) {
 $new_duid .= bin2hex( $type[$count]);
 $count++;
diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php
index f32c76811..41697d02f 100644
--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
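Review bot: `strlen($characterMap) - 1` is recomputed for every character of every voucher in both new loops although the map is fixed before the `while`; hoist it once with `$lastIndex = strlen($characterMap) - 1;` above `while ($vouchersGenerated < $count) {` and index with `$characterMap[random_int(0, $lastIndex)]` in both loops. The username and password loops are otherwise identical, so a small private helper taking the length would remove the duplication. Indexing uniformly over the real map length is correct and no longer relies on the map being padded to 256 entries. The enclosing method continues past the hunk.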
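Review bot: In the `case '3': //UUID` branch the 16 random bytes become the DUID-UUID payload without the RFC 4122 version and variant bits being set, so the result is opaque random data rather than a well-formed (version 4) UUID; DHCPv6 servers treat the DUID as opaque, so this is a conformance point rather than a functional one, and the choice predates this change. If a proper UUID is intended, set the two nibbles before prefixing the type code, as below. The `case '4'` hunk (EN) needs nothing similar, since the identifier after the enterprise number is opaque by definition. generate_new_duid continues outside both hunks.
```php
        case '3': //UUID
            // random (version 4) UUID: set the RFC 4122 version and variant bits
            $uuid = random_bytes(16);
            $uuid[6] = chr((ord($uuid[6]) & 0x0f) | 0x40);
            $uuid[8] = chr((ord($uuid[8]) & 0x3f) | 0x80);
            $type = "\x00\x00\x00\x04" . $uuid;
            // … unchanged: hex/colon encoding loop …
```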
@@ -342,7 +342,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 $userent['ipsecpsk'] = $pconfig['ipsecpsk'];
 if (!empty($pconfig['gen_otp_seed'])) {
 // generate 160bit base32 encoded secret
- $userent['otp_seed'] = Base32\Base32::encode(openssl_random_pseudo_bytes(20));
+ $userent['otp_seed'] = Base32\Base32::encode(random_bytes(20));
 } else {
 $userent['otp_seed'] = trim($pconfig['otp_seed']);
 }
diff --git a/src/www/system_usermanager_passwordmg.php b/src/www/system_usermanager_passwordmg.php
index 8a1c18fd9..39461fec3 100644
--- a/src/www/system_usermanager_passwordmg.php
+++ b/src/www/system_usermanager_passwordmg.php
@@ -71,7 +71,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 if (!empty($pconfig['request_otp_seed'])) {
 if ($user_allow_gen_token && $userFound) {
- $new_seed = Base32\Base32::encode(openssl_random_pseudo_bytes(20));
+ $new_seed = Base32\Base32::encode(random_bytes(20));
 $config['system']['user'][$userindex[$username]]['otp_seed'] = $new_seed;
 write_config();
 $otp_url = "otpauth://totp/";
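Review bot: Both new OTP-seed lines sit in branches that persist the seed (`$userent['otp_seed']` here, and `$config[...]['otp_seed'] = $new_seed; write_config();` in system_usermanager_passwordmg.php), while both hunk headers show `if ($_SERVER['REQUEST_METHOD'] === 'GET') {` as the nearest unindented line; that is git's default context heuristic rather than proof of the enclosing block, but if either regeneration is reachable from a GET it would be a state change outside the POST/CSRF guard. Worth confirming that `$pconfig['gen_otp_seed']` and `$pconfig['request_otp_seed']` are only populated from a validated POST; the enclosing blocks start outside both hunks. A 20-byte seed matches the existing `160bit` comment, and a matching comment above `$new_seed` in the passwordmg hunk would help, e.g. `// regenerate the 160-bit TOTP seed (base32, as otpauth:// URLs expect)`.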