Merge pull request #4458 from yiisoft/security-adjustments

apps/advanced/common/models/User.php

@@ -159,7 +159,7 @@ class User extends ActiveRecord implements IdentityInterface
      */
     public function generateAuthKey()
     {
-        $this->auth_key = Yii::$app->security->generateRandomKey();
+        $this->auth_key = Yii::$app->security->generateRandomString();
     }
 
     /**
@@ -167,7 +167,7 @@ class User extends ActiveRecord implements IdentityInterface
      */
     public function generatePasswordResetToken()
     {
-        $this->password_reset_token = Yii::$app->security->generateRandomKey() . '_' . time();
+        $this->password_reset_token = Yii::$app->security->generateRandomString() . '_' . time();
     }
 
     /**

apps/advanced/common/tests/templates/fixtures/user.php

@@ -3,7 +3,7 @@
 return [
     'username' => 'userName',
     'auth_key' => function ($fixture, $faker, $index) {
-        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey();
+        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomString();
 
         return $fixture;
     },
@@ -13,7 +13,7 @@ return [
         return $fixture;
     },
     'password_reset_token' => function ($fixture, $faker, $index) {
-        $fixture['password_reset_token'] = Yii::$app->getSecurity()->generateRandomKey() . '_' . time();
+        $fixture['password_reset_token'] = Yii::$app->getSecurity()->generateRandomString() . '_' . time();
 
         return $fixture;
     },

docs/guide/security-authentication.md

@@ -64,15 +64,18 @@ class User extends ActiveRecord implements IdentityInterface
 }
 ```
 
-Two of the outlined methods are simple: `findIdentity` is provided with an  ID value and returns a model instance associated with that ID. The `getId` method returns the ID itself.
-Two of the other methods--`getAuthKey` and `validateAuthKey`--are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should return a string that is unique for each user. You can create reliably create a unique string using `Yii::$app->getSecurity()->generateRandomKey()`. It's a good idea to also save this as part of the user's record:
+Two of the outlined methods are simple: `findIdentity` is provided with an  ID value and returns a model instance
+associated with that ID. The `getId` method returns the ID itself. Two of the other methods – `getAuthKey` and
+`validateAuthKey` – are used to provide extra security to the "remember me" cookie. The `getAuthKey` method should
+return a string that is unique for each user. You can reliably create a unique string using
+`Yii::$app->getSecurity()->generateRandomString()`. It's a good idea to also save this as part of the user's record:
 
 ```php
 public function beforeSave($insert)
 {
     if (parent::beforeSave($insert)) {
         if ($this->isNewRecord) {
-            $this->auth_key = Yii::$app->getSecurity()->generateRandomKey();
+            $this->auth_key = Yii::$app->getSecurity()->generateRandomString();
         }
         return true;
     }

docs/guide/security-passwords.md

@@ -42,7 +42,7 @@ Yii security helper makes generating pseudorandom data simple:
 
 
 ```php
-$key = Yii::$app->getSecurity()->generateRandomKey();
+$key = Yii::$app->getSecurity()->generateRandomString();
 ```
 
 Note that you need to have the `openssl` extension installed in order to generate cryptographically secure random data.

extensions/faker/README.md

@@ -78,7 +78,7 @@ return [
         return $fixture;
     },
     'auth_key' => function ($fixture, $faker, $index) {
-        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomKey();
+        $fixture['auth_key'] = Yii::$app->getSecurity()->generateRandomString();
         return $fixture;
     },
 ];

framework/CHANGELOG.md

@@ -149,6 +149,11 @@ Yii Framework 2 Change Log
 - Enh #4080: Added proper handling and support of the symlinked directories in `FileHelper`, added $options parameter in `FileHelper::removeDirectory()` (resurtm)
 - Enh #4086: changedAttributes of afterSave Event now contain old values (dizews)
 - Enh #4114: Added `Security::generateRandomBytes()`, improved tests (samdark)
+- Enh #4131: Security adjustments (tom--)
+     - Added HKDF to `yii\base\Security`.
+     - Reverted auto fallback to PHP PBKDF2.
+     - Fixed PBKDF2 key truncation.
+     - Adjusted API.
 - Enh #4209: Added `beforeCopy`, `afterCopy`, `forceCopy` properties to AssetManager (cebe)
 - Enh #4297: Added check for DOM extension to requirements (samdark)
 - Enh #4317: Added `absoluteAuthTimeout` to yii\web\User (ivokund, nkovacs)

framework/web/Request.php

@@ -1303,7 +1303,7 @@ class Request extends \yii\base\Request
     {
         $options = $this->csrfCookie;
         $options['name'] = $this->csrfParam;
-        $options['value'] = Yii::$app->getSecurity()->generateRandomKey();
+        $options['value'] = Yii::$app->getSecurity()->generateRandomString();
 
         return new Cookie($options);
     }

tests/unit/framework/base/ExposedSecurity.php

+<?php
+namespace yiiunit\framework\base;
+
+
+use yii\base\Security;
+
+/**
+ * ExposedSecurity exposes protected methods for direct testing
+ */
+class ExposedSecurity extends Security
+{
+    /**
+     * @inheritdoc
+     */
+    public function hkdf($algo, $inputKey, $salt = null, $info = null, $length = 0)
+    {
+        return parent::hkdf($algo, $inputKey, $salt, $info, $length);
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function pbkdf2($algo, $password, $salt, $iterations, $length = 0)
+    {
+        return parent::pbkdf2($algo, $password, $salt, $iterations, $length);
+    }
+} 
\ No newline at end of file