Add a CSPRNG to TYPO3
I'd like to bring some crypto-related code into TYPO3 core. First topic: a CSPRNG
As always in cryptography, using a widely used/adopted/reviewed library should be the way to go. This one seems to do a good job: https://github.com/paragonie/random_compat. It is a PHP 5.x polyfill for PHP 7's
- remove all the GeneralUtility::generateRandomBytesXYZ methods, because they're covered by random_compat. Leave just the fallback method in place (and slightly improve it)
- Add a simple API in \TYPO3\CMS\Core\Crypto\Random to produce crypto-safe random bytes, integers and hex strings
- Add a check to \TYPO3\CMS\Install\SystemEnvironment\Check that creates a warning when no CSPRNG can be generated on the system (and the fallback will be used therefore). From the crypto-view it would be much better to fail instead of just warn. Please share your opinion on this!
Furthermore I'd like to come up with things like a Crypto\Hash class to do proper hashing and verifying, a Crypto\Password class for password-related stuff, a saltedpasswords salt and so on. I'll open new tasks for these ideas when they're ready.
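
To make the "fail instead of just warn" option concrete, here is an added sketch of such a random API that throws when no CSPRNG is available instead of dropping to a weak fallback. It is not TYPO3 core or random_compat code; the namespace, class and method names are assumptions, and it relies only on `random_bytes()` and `random_int()` as provided by PHP 7 or by the random_compat polyfill on PHP 5.x.

```php
<?php
// Hypothetical sketch: namespace, class and method names are assumptions,
// not the API that ended up in TYPO3 core.
namespace Example\Crypto;

final class Random
{
    /** Return $length raw bytes from the CSPRNG; throw rather than fall back. */
    public static function bytes($length)
    {
        $length = (int)$length;
        if ($length < 1) {
            throw new \InvalidArgumentException('Length must be at least 1');
        }
        try {
            return random_bytes($length);
        } catch (\Exception $e) {
            // Fail closed: no silent downgrade to mt_rand()/uniqid() style sources.
            throw new \RuntimeException('No CSPRNG available on this system', 0, $e);
        }
    }

    /** Return a uniformly distributed integer in [$min, $max]. */
    public static function integer($min, $max)
    {
        if ((int)$min > (int)$max) {
            throw new \InvalidArgumentException('Minimum must not exceed maximum');
        }
        try {
            return random_int((int)$min, (int)$max);
        } catch (\Exception $e) {
            throw new \RuntimeException('No CSPRNG available on this system', 0, $e);
        }
    }

    /** Return $chars hexadecimal characters (each random byte yields two). */
    public static function hex($chars)
    {
        $chars = (int)$chars;
        return substr(bin2hex(self::bytes((int)ceil($chars / 2))), 0, $chars);
    }

    /** Probe for an environment check: true if a CSPRNG can be used. */
    public static function isAvailable()
    {
        try {
            return strlen(self::bytes(1)) === 1;
        } catch (\RuntimeException $e) {
            return false;
        }
    }
}
```

A system environment check can call `Random::isAvailable()` to report the problem early, while callers that need tokens or keys still get an exception rather than predictable output if the source disappears at runtime.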