Update Random.php

2024-09-28 15:19:02 +00:00 · 2016-03-27 10:49:03 -04:00 · 2016-03-27 10:49:03 -04:00 · 827e42222e
commit 827e42222e
parent bdb9935e35
1 changed files with 11 additions and 58 deletions
--- a/phpseclib/Crypt/Random.php
+++ b/phpseclib/Crypt/Random.php
@ -46,64 +46,17 @@ class Random
     */
    static function string($length)
    {
-        if (version_compare(PHP_VERSION, '7.0.0', '>=') || defined('RANDOM_COMPAT_READ_BUFFER')) {
-            try {
-                return \random_bytes($length);
-            } catch (\Throwable $e) {
-                // If a sufficient source of randomness is unavailable, random_bytes() will throw an
-                // object that implements the Throwable interface (Exception, TypeError, Error).
-                // We don't actually need to do anything here. The string() method should just continue
-                // as normal. Note, however, that if we don't have a sufficient source of randomness for
-                // random_bytes(), most of the other calls here will fail too, so we'll end up using
-                // the PHP implementation.
-            }
-        }
-
-        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
-            // method 1. prior to PHP 5.3 this would call rand() on windows hence the function_exists('class_alias') call.
-            // ie. class_alias is a function that was introduced in PHP 5.3
-            if (extension_loaded('mcrypt') && function_exists('class_alias')) {
-                return mcrypt_create_iv($length);
-            }
-            // method 2. openssl_random_pseudo_bytes was introduced in PHP 5.3.0 but prior to PHP 5.3.4 there was,
-            // to quote <http://php.net/ChangeLog-5.php#5.3.4>, "possible blocking behavior". as of 5.3.4
-            // openssl_random_pseudo_bytes and mcrypt_create_iv do the exact same thing on Windows. ie. they both
-            // call php_win32_get_random_bytes():
-            //
-            // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/openssl/openssl.c#L5008
-            // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1392
-            //
-            // php_win32_get_random_bytes() is defined thusly:
-            //
-            // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/win32/winutil.c#L80
-            //
-            // we're calling it, all the same, in the off chance that the mcrypt extension is not available
-            if (extension_loaded('openssl') && version_compare(PHP_VERSION, '5.3.4', '>=')) {
-                return openssl_random_pseudo_bytes($length);
-            }
-        } else {
-            // method 1. the fastest
-            if (extension_loaded('openssl')) {
-                return openssl_random_pseudo_bytes($length);
-            }
-            // method 2
-            static $fp = true;
-            if ($fp === true) {
-                // warning's will be output unles the error suppression operator is used. errors such as
-                // "open_basedir restriction in effect", "Permission denied", "No such file or directory", etc.
-                $fp = @fopen('/dev/urandom', 'rb');
-            }
-            if ($fp !== true && $fp !== false) { // surprisingly faster than !is_bool() or is_resource()
-                return fread($fp, $length);
-            }
-            // method 3. pretty much does the same thing as method 2 per the following url:
-            // https://github.com/php/php-src/blob/7014a0eb6d1611151a286c0ff4f2238f92c120d6/ext/mcrypt/mcrypt.c#L1391
-            // surprisingly slower than method 2. maybe that's because mcrypt_create_iv does a bunch of error checking that we're
-            // not doing. regardless, this'll only be called if this PHP script couldn't open /dev/urandom due to open_basedir
-            // restrictions or some such
-            if (extension_loaded('mcrypt')) {
-                return mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
-            }
+        try {
+            return \random_bytes($length);
+        } catch (\Throwable $e) {
+            // If a sufficient source of randomness is unavailable, random_bytes() will throw an
+            // object that implements the Throwable interface (Exception, TypeError, Error).
+            // We don't actually need to do anything here. The string() method should just continue
+            // as normal. Note, however, that if we don't have a sufficient source of randomness for
+            // random_bytes(), most of the other calls here will fail too, so we'll end up using
+            // the PHP implementation.
+        } catch (\Exception $e) {
+            // random_compat will throw an Exception, which in PHP 5 does not implement Throwable
        }
        // at this point we have no choice but to use a pure-PHP CSPRNG