From 2c427f050e2bc263b5c4c2faabf73e3993f1d29d Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sun, 14 Oct 2012 17:17:06 +0200
Subject: [PATCH] Show a warning in the installer if no secure RNG is available

---
 core/templates/installation.php | 10 ++++++++--
 lib/setup.php                   |  2 ++
 lib/util.php                    | 24 ++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/core/templates/installation.php b/core/templates/installation.php
index 1a05c3fb762..426d60989a6 100644
--- a/core/templates/installation.php
+++ b/core/templates/installation.php
@@ -3,7 +3,6 @@
 <input type='hidden' id='hasPostgreSQL' value='<?php echo $_['hasPostgreSQL'] ?>'></input>
 <input type='hidden' id='hasOracle' value='<?php echo $_['hasOracle'] ?>'></input>
 <form action="index.php" method="post">
-
 <input type="hidden" name="install" value="true" />
 	<?php if(count($_['errors']) > 0): ?>
 	<ul class="errors">
@@ -19,7 +18,14 @@
 		<?php endforeach; ?>
 	</ul>
 	<?php endif; ?>
-
+	<?php if(!$_['secureRNG']): ?>
+	<fieldset style="color: #B94A48; background-color: #F2DEDE; border-color: #EED3D7;">
+		<legend><strong><?php echo $l->t('Security Warning');?></strong></legend>
+		<span><?php echo $l->t('No secure random number generator is available, please enable the PHP OpenSSL extension.');?></span>		
+		<br/>
+		<span><?php echo $l->t('Without a secure random number generator an attacker may be able to predict password reset tokens and take over your account.');?></span>		
+	</fieldset>
+	<?php endif; ?>
 	<fieldset>
 		<legend><?php echo $l->t( 'Create an <strong>admin account</strong>' ); ?></legend>
 		<p class="infield">
diff --git a/lib/setup.php b/lib/setup.php
index 16b9ec68df6..be4101fd7b0 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -5,12 +5,14 @@ $hasMySQL = is_callable('mysql_connect');
 $hasPostgreSQL = is_callable('pg_connect');
 $hasOracle = is_callable('oci_connect');
 $datadir = OC_Config::getValue('datadirectory', OC::$SERVERROOT.'/data');
+
 $opts = array(
 	'hasSQLite' => $hasSQLite,
 	'hasMySQL' => $hasMySQL,
 	'hasPostgreSQL' => $hasPostgreSQL,
 	'hasOracle' => $hasOracle,
 	'directory' => $datadir,
+	'secureRNG' => OC_Util::secureRNG_available(),
 	'errors' => array(),
 );
 
diff --git a/lib/util.php b/lib/util.php
index 748886083dd..9fde98c1972 100755
--- a/lib/util.php
+++ b/lib/util.php
@@ -559,6 +559,7 @@ class OC_Util {
 	* @brief Generates a cryptographical secure pseudorandom string
 	* @param Int with the length of the random string
 	* @return String
+	* Please also update secureRNG_available if you change something here
 	*/
 	public static function generate_random_bytes($length = 30) {
 
@@ -589,4 +590,27 @@ class OC_Util {
 		}        
 		return $pseudo_byte;
 	}
+	
+	/*
+	* @brief Checks if a secure random number generator is available
+	* @return bool 
+	*/
+	public static function secureRNG_available() {
+
+		// Check openssl_random_pseudo_bytes
+		if(function_exists('openssl_random_pseudo_bytes')) { 
+			openssl_random_pseudo_bytes(1, $strong);
+			if($strong == TRUE) {
+				return true;
+			}
+		}
+
+		// Check /dev/random
+		$fp = @file_get_contents('/dev/random', false, null, 0, 1);
+		if ($fp !== FALSE) {
+			return true;
+		}
+
+		return false;
+	}	
 }
-- 
GitLab