From 51e55681f475b8d8f05ca001970b11ae1fc69c54 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Sun, 5 Dec 2010 04:54:09 +0000
Subject: [PATCH] BUGFIX Limiting usage of mcrypt_create_iv() in RandomGenerator->generateEntropy() to *nix platforms to avoid fatal errors (specically in IIS) (from r114510) (from r114512)
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@114513 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/RandomGenerator.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/security/RandomGenerator.php b/security/RandomGenerator.php
index 4a7e4b788..a1cd59520 100644
--- a/security/RandomGenerator.php
+++ b/security/RandomGenerator.php
@@ -11,12 +11,21 @@ class RandomGenerator {
 /**
+ * Note: Returned values are not guaranteed to be crypto-safe,
+ * depending on the used retrieval method.
+ *
 * @return string Returns a random series of bytes
 */
 function generateEntropy() {
- // mcrypt with urandom is only available on PHP 5.3 or newer
- if(version_compare(PHP_VERSION, '5.3.0', '>=')) {
- return mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);
+ $isWin = preg_match('/WIN/', PHP_OS);
+
+ // TODO Fails with "Could not gather sufficient random data" on IIS, temporarily disabled on windows
+ if(!$isWin) {
+ // mcrypt with urandom is only available on PHP 5.3 or newer
+ if(version_compare(PHP_VERSION, '5.3.0', '>=') && function_exists('mcrypt_create_iv')) {
+ $e = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM);
+ if($e !== false) return $e;
+ }
 }
 // Fall back to SSL methods - may slow down execution by a few ms
@@ -27,7 +36,7 @@ class RandomGenerator {
 }
 // Read from the unix random number generator
- if (is_readable('/dev/urandom') && ($h = fopen('/dev/urandom', 'rb'))) {
+ if(!$isWin && is_readable('/dev/urandom') && ($h = fopen('/dev/urandom', 'rb'))) {
 $e = fread($h, 64);
 fclose($h);
 return $e;
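Review bot: The platform test `$isWin = preg_match('/WIN/', PHP_OS);` at the top of generateEntropy() is a case-sensitive substring match, so it also matches Cygwin's `CYGWIN_NT-…` value (where /dev/urandom is normally available) and would miss any PHP_OS string that is not upper-case. The same flag now gates the mcrypt branch in this hunk, the /dev/urandom read in the second hunk and the COM branch in the third, so a misclassified host can silently skip its strong entropy sources and end up on the fallbacks the file itself labels weak. A prefix test such as `$isWin = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');` is the conventional check. The function body continues outside this hunk, so the SSL fallback between the branches is not visible here.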
@@ -36,7 +45,7 @@ class RandomGenerator {
 // Warning: Both methods below are considered weak
 // try to read from the windows RNG
- if (class_exists('COM')) {
+ if($isWin && class_exists('COM')) {
 try {
 $comObj = new COM('CAPICOM.Utilities.1');
 $e = base64_decode($comObj->GetRandom(64, 0));
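Review bot: With mcrypt and /dev/urandom now skipped on Windows, this CAPICOM branch sits directly behind the SSL fallback, and the context comment above it already calls it weak; nothing tells the caller which source was actually used. The docblock caveat added in the first hunk is easy to miss if callers use generateEntropy() for tokens or salts, so I would make the downgrade visible at this branch, for example with a comment `// Windows: only the SSL fallback above is considered strong; reaching this branch means weak entropy`, and, if acceptable for this release branch, a `trigger_error()` warning when it is taken. The `try` block continues outside the hunk, so how a COM failure or a short `GetRandom()` result is handled cannot be judged from here.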