Fallback to /dev/random if openssl_random_pseudo_bytes not available

diff --git a/lib/util.php b/lib/util.php
index afbea9a00cbc7f710e6f3712581af3d5a89e383e..748886083dd19bad0b0acae8213b97cdae57cfc2 100755 (executable)
--- a/lib/util.php
+++ b/lib/util.php
@@ -556,12 +556,13 @@ class OC_Util {
        }
 
        /*
-       * @brief Generates random bytes with "openssl_random_pseudo_bytes" with a fallback for systems without openssl
-       * Inspired by gorgo on php.net
-       * @param Int with the length of the random
-       * @return String with the random bytes
+       * @brief Generates a cryptographical secure pseudorandom string
+       * @param Int with the length of the random string
+       * @return String
        */
        public static function generate_random_bytes($length = 30) {
+
+               // Try to use openssl_random_pseudo_bytes
                if(function_exists('openssl_random_pseudo_bytes')) { 
                        $pseudo_byte = bin2hex(openssl_random_pseudo_bytes($length, $strong));
                        if($strong == TRUE) {
@@ -569,9 +570,16 @@ class OC_Util {
                        }
                }
 
-               // fallback to mt_rand() 
+               // Try to use /dev/random
+               $fp = @file_get_contents('/dev/random', false, null, 0, $length);
+               if ($fp !== FALSE) {
+                       $string = substr(bin2hex($fp), 0, $length);  
+                       return $string;
+               }
+
+               // Fallback to mt_rand() 
                $characters = '0123456789';
-               $characters .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 
+               $characters .= 'abcdefghijklmnopqrstuvwxyz'; 
                $charactersLength = strlen($characters)-1;
                $pseudo_byte = "";