From 045ea4eb2b3bfb9eb6b7c27324aec66b4233d34c Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Fri, 6 Nov 2015 16:24:26 +0100
Subject: [PATCH] Use native CSPRNG if available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unfortunately only PHP 7…
---
 lib/private/security/securerandom.php | 19 ++++++++++++++++---
 lib/public/security/isecurerandom.php |  8 +++++---
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/lib/private/security/securerandom.php b/lib/private/security/securerandom.php
index 409285fd09..87dca68985 100644
--- a/lib/private/security/securerandom.php
+++ b/lib/private/security/securerandom.php
@@ -28,7 +28,7 @@ use OCP\Security\ISecureRandom;
 
 /**
  * Class SecureRandom provides a layer around RandomLib to generate
- * secure random strings.
+ * secure random strings. For PHP 7 the native CSPRNG is used.
  *
  * Usage:
  * \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
@@ -77,16 +77,29 @@ class SecureRandom implements ISecureRandom {
 	/**
 	 * Generate a random string of specified length.
 	 * @param int $length The length of the generated string
-	 * @param string $characters An optional list of characters to use if no characterlist is
+	 * @param string $characters An optional list of characters to use if no character list is
 	 * 							specified all valid base64 characters are used.
 	 * @return string
 	 * @throws \Exception If the generator is not initialized.
 	 */
-	public function generate($length, $characters = '') {
+	public function generate($length,
+							 $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/') {
 		if(is_null($this->generator)) {
 			throw new \Exception('Generator is not initialized.');
 		}
 
+		if(function_exists('random_int')) {
+			$maxCharIndex = strlen($characters) - 1;
+			$randomString = '';
+
+			while($length > 0) {
+				$randomNumber = random_int(0, $maxCharIndex);
+				$randomString .= $characters[$randomNumber];
+				$length--;
+			}
+			return $randomString;
+		}
+
 		return $this->generator->generateString($length, $characters);
 	}
 }
diff --git a/lib/public/security/isecurerandom.php b/lib/public/security/isecurerandom.php
index cbe2d4e0d5..1b72e4f437 100644
--- a/lib/public/security/isecurerandom.php
+++ b/lib/public/security/isecurerandom.php
@@ -24,7 +24,7 @@ namespace OCP\Security;
 
 /**
  * Class SecureRandom provides a layer around RandomLib to generate
- * secure random numbers.
+ * secure random strings. For PHP 7 the native CSPRNG is used.
  *
  * Usage:
  * $rng = new \OC\Security\SecureRandom();
@@ -70,11 +70,13 @@ interface ISecureRandom {
 	/**
 	 * Generate a random string of specified length.
 	 * @param int $length The length of the generated string
-	 * @param string $characters An optional list of characters to use if no characterlist is
+	 * @param string $characters An optional list of characters to use if no character list is
 	 * 							specified all valid base64 characters are used.
 	 * @return string
 	 * @throws \Exception If the generator is not initialized.
 	 * @since 8.0.0
 	 */
-	public function generate($length, $characters = '');
+	public function generate($length,
+							 $characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
+
 }