@@ -51,129 +51,8 @@ public static function pass($len)
5151 return self ::key ($ lentrue );
5252 }
5353
54- /*
55- * Author:
56- * George Argyros <[email protected] > 57- *
58- * Copyright (c) 2012, George Argyros
59- * All rights reserved.
60- *
61- * Redistribution and use in source and binary forms, with or without
62- * modification, are permitted provided that the following conditions are met:
63- * * Redistributions of source code must retain the above copyright
64- * notice, this list of conditions and the following disclaimer.
65- * * Redistributions in binary form must reproduce the above copyright
66- * notice, this list of conditions and the following disclaimer in the
67- * documentation and/or other materials provided with the distribution.
68- * * Neither the name of the <organization> nor the
69- * names of its contributors may be used to endorse or promote products
70- * derived from this software without specific prior written permission.
71- *
72- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
73- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
74- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
75- * DISCLAIMED. IN NO EVENT SHALL GEORGE ARGYROS BE LIABLE FOR ANY
76- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
77- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
78- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
79- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
80- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
81- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
82- *
83- *
84- *
85- * The function is providing, at least at the systems tested :),
86- * $len bytes of entropy under any PHP installation or operating system.
87- * The execution time should be at most 10-20 ms in any system.
88- */
89- public static function secureRandomBytes ($ len10 )
54+ public static function secureRandomBytes (int $ len10 ): string
9055 {
91- /*
92- * Our primary choice for a cryptographic strong randomness function is
93- * openssl_random_pseudo_bytes.
94- */
95- $ sSLstr'4 ' ; // http://xkcd.com/221/
96- if (function_exists ('openssl_random_pseudo_bytes ' ) &&
97- (version_compare (PHP_VERSION , '5.3.4 ' ) >= 0 ||
98- substr (PHP_OS , 0 , 3 ) !== 'WIN ' )) {
99- $ sSLstropenssl_random_pseudo_bytes ($ len$ strong
100- if ($ strong
101- return $ sSLstr
102- }
103- }
104-
105-
106- /*
107- * No build-in crypto randomness function found. We collect any entropy
108- * available in the PHP core PRNGs along with some filesystem info and memory
109- * stats. To make this data cryptographically strong we add data either from
110- * /dev/urandom or if its unavailable, we gather entropy by measuring the
111- * time needed to compute a number of SHA-1 hashes.
112- */
113- $ str'' ;
114- $ bitsPerRound2 ; // bits of entropy collected in each clock drift round
115- $ msecPerRound400 ; // expected running time of each round in microseconds
116- $ hashLen20 ; // SHA-1 Hash length
117- $ total$ len// total bytes of entropy to collect
118-
119- $ handlefopen ('/dev/urandom ' , 'rb ' );
120- if ($ handlefunction_exists ('stream_set_read_buffer ' )) {
121- @stream_set_read_buffer ($ handle0 );
122- }
123-
124- do {
125- $ bytes$ total$ hashLen$ hashLen$ total
126- $ total$ bytes
127-
128- //collect any entropy available from the PHP system and filesystem
129- $ entropyrand () . uniqid (mt_rand (), true ) . $ sSLstr
130- $ entropyimplode ('' , @fstat (@fopen (__FILE__ , 'r ' )));
131- $ entropymemory_get_usage () . getmypid ();
132- $ entropyserialize ($ _eNVserialize ($ _sERVER
133- if (function_exists ('posix_times ' )) {
134- $ entropyserialize (posix_times ());
135- }
136- if (function_exists ('zend_thread_id ' )) {
137- $ entropyzend_thread_id ();
138- }
139- if ($ handle
140- $ entropyfread ($ handle$ bytes
141- } else {
142- // Measure the time that the operations will take on average
143- for ($ i0 ; $ i3 ; $ i
144- $ c1microtime (true );
145- $ varsha1 (mt_rand ());
146- for ($ j0 ; $ j50 ; $ j
147- $ varsha1 ($ var
148- }
149- $ c2microtime (true );
150- $ entropy$ c1$ c2
151- }
152-
153- // Based on the above measurement determine the total rounds
154- // in order to bound the total running time.
155- $ roundsint ) ($ msecPerRound50 / (int ) (($ c2$ c11000000 ));
156-
157- // Take the additional measurements. On average we can expect
158- // at least $bitsPerRound bits of entropy from each measurement.
159- $ iter$ bytesint ) (ceil (8 / $ bitsPerRound
160- for ($ i0 ; $ i$ iter$ i
161- $ c1microtime ();
162- $ varsha1 (mt_rand ());
163- for ($ j0 ; $ j$ rounds$ j
164- $ varsha1 ($ var
165- }
166- $ c2microtime ();
167- $ entropy$ c1$ c2
168- }
169- }
170- // We assume sha1 is a deterministic extractor for the $entropy variable.
171- $ strsha1 ($ entropytrue );
172- } while ($ lenstrlen ($ str
173-
174- if ($ handle
175- @fclose ($ handle
176- }
177- return substr ($ str0 , $ len
56+ return random_bytes ($ len
17857 }
17958}
0 commit comments