Use random_bytes function if it is available for random number generation
pierredup committed Sep 23, 2015
1 parent b2f7753 commit 6a217dc
Showing 2 changed files with 10 additions and 5 deletions.
12 changes: 8 additions & 4 deletions src/Symfony/Component/Security/Core/Util/SecureRandom.php
Expand Up @@ -42,12 +42,12 @@ public function __construct($seedFile = null, LoggerInterface $logger = null)
$this->seedFile = $seedFile;
$this->logger = $logger;

$isUnsupportedPhp = '\\' === DIRECTORY_SEPARATOR && PHP_VERSION_ID < 50304;

// determine whether to use OpenSSL
if ('\\' === DIRECTORY_SEPARATOR && PHP_VERSION_ID < 50304) {
$this->useOpenSsl = false;
} elseif (!function_exists('openssl_random_pseudo_bytes')) {
if (!function_exists('random_bytes') && ($isUnsupportedPhp || !function_exists('openssl_random_pseudo_bytes'))) {
if (null !== $this->logger) {
$this->logger->notice('It is recommended that you enable the "openssl" extension for random number generation.');
$this->logger->notice('It is recommended that you install the "paragonie/random_compat" library or enable the "openssl" extension for random number generation.');
}
$this->useOpenSsl = false;
} else {
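Review bot: the rewritten condition decouples `$this->useOpenSsl` from whether OpenSSL is actually available. When `random_bytes()` exists, `if (!function_exists('random_bytes') && ($isUnsupportedPhp || !function_exists('openssl_random_pseudo_bytes')))` is false no matter what `$isUnsupportedPhp` or the `openssl_random_pseudo_bytes()` check say, so control reaches the `else` branch even on a build without the openssl extension; the flag then no longer means what its name says, and any code path that trusts it without first going through `random_bytes()` would call a function that does not exist. Suggest computing OpenSSL support on its own, e.g. `$this->useOpenSsl = !$isUnsupportedPhp && function_exists('openssl_random_pseudo_bytes');`, and emitting the notice only when neither `random_bytes()` nor that flag is available. The reworded notice itself is a good change: on PHP versions without `random_bytes()` the polyfill is the better recommendation than the extension.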
Expand All @@ -60,6 +60,10 @@ public function __construct($seedFile = null, LoggerInterface $logger = null)
*/
public function nextBytes($nbBytes)
{
if (function_exists('random_bytes')) {
return random_bytes($nbBytes);
}

// try OpenSSL
if ($this->useOpenSsl) {
$bytes = openssl_random_pseudo_bytes($nbBytes, $strong);
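Review bot: the early `return random_bytes($nbBytes);` changes the failure mode of `nextBytes()`, and the docblock closing at `*/` just above does not document it. `random_bytes()` (the PHP 7 builtin and the random_compat polyfill alike) throws an exception when it cannot find a secure source of randomness, whereas the OpenSSL path below captures `$strong` and continues; callers that previously never saw an exception from this method now can. Add an `@throws` tag to the docblock and mention the behaviour change in the commit message or CHANGELOG. Trying `random_bytes()` before the hand-rolled sources is the right ordering from a security standpoint, so the logic itself looks correct.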
3 changes: 2 additions & 1 deletion src/Symfony/Component/Security/composer.json
Expand Up @@ -39,7 +39,8 @@
"symfony/validator": "",
"symfony/routing": "",
"doctrine/dbal": "to use the built-in ACL implementation",
"ircmaxell/password-compat": ""
"ircmaxell/password-compat": "",
"paragonie/random_compat": ""
},
"autoload": {
"psr-0": { "Symfony\\Component\\Security\\": "" }
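Review bot: the new `"paragonie/random_compat": ""` entry carries no description, while a neighbouring entry such as `"doctrine/dbal": "to use the built-in ACL implementation"` explains why one would install it. Judging by the descriptive values, this block lists suggested packages rather than hard requirements, so the description is what tells a user whether they need it; suggest something like `"paragonie/random_compat": "for random_bytes() support on PHP versions that lack it"`.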

2 comments on commit 6a217dc

@acasademont
Contributor


Hi! This should be considered a BC breaking commit. We had buggy code that instantiated an "\Error" class that comes with the random_compat package. Why is this package included as mandatory and not optional? The message "It is recommended that you install the "paragonie/random_compat" library or" is meaningless as the random_compat library is installed no matter what.

Thanks!

@xabbuh
Member

@xabbuh xabbuh commented on 6a217dc Feb 17, 2016


I think you are referring to fcd3160 where this dependency was introduced to fix a security issue. However, I fail to see how this breaks your application. Though please open a new issue if you think that there is a bug.
