Description
While checking one of my projects for potentially unsafe usage of the openssl_random_pseudo_bytes function I also had a hit on the U2F::createChallenge method.
The createChallenge method generates random bytes using the $crypto_strong option the function facilitates which is a good thing. This value is also correctly checked in the if statement below the function call.
It, however, is also advised to test if the actual output of the openssl_random_pseudo_bytes is a non-false value. Which can occur when openssl_random_pseudo_bytes failed to generate the bytes.
Proposal
I'd like to add a second check to the existing if statement. Resulting in the same error when generating the challenge failed for some odd reason.
/**
* @return string
* @throws Error
*/
private function createChallenge()
{
$challenge = openssl_random_pseudo_bytes(32, $crypto_strong );
if($crypto_strong !== true || $challenge === false) {
throw new Error('Unable to obtain a good source of randomness', ERR_BAD_RANDOM);
}
$challenge = $this->base64u_encode( $challenge );
return $challenge;
}
Description While checking one of my projects for potentially unsafe usage of the
openssl_random_pseudo_bytesfunction I also had a hit on theU2F::createChallengemethod.The
createChallengemethod generates random bytes using the$crypto_strongoption the function facilitates which is a good thing. This value is also correctly checked in the if statement below the function call.It, however, is also advised to test if the actual output of the
openssl_random_pseudo_bytesis a non-false value. Which can occur whenopenssl_random_pseudo_bytesfailed to generate the bytes.Proposal I'd like to add a second check to the existing if statement. Resulting in the same error when generating the challenge failed for some odd reason.