<?php namespace SilverStripe\Security; use Exception; /** * Generates entropy values based on strongest available methods * (mcrypt_create_iv(), openssl_random_pseudo_bytes(), /dev/urandom, COM.CAPICOM.Utilities.1, mt_rand()). * Chosen method depends on operating system and PHP version. * * @author Ingo Schommer */ class RandomGenerator { /** * Note: Returned values are not guaranteed to be crypto-safe, * depending on the used retrieval method. * * @return string Returns a random series of bytes */ public function generateEntropy() { $isWin = preg_match('/WIN/', PHP_OS); // TODO Fails with "Could not gather sufficient random data" on IIS, temporarily disabled on windows if(!$isWin) { if(function_exists('mcrypt_create_iv')) { $e = mcrypt_create_iv(64, MCRYPT_DEV_URANDOM); if($e !== false) return $e; } } // Fall back to SSL methods - may slow down execution by a few ms if (function_exists('openssl_random_pseudo_bytes')) { $e = openssl_random_pseudo_bytes(64, $strong); // Only return if strong algorithm was used if($strong) return $e; } // Read from the unix random number generator if(!$isWin && !ini_get('open_basedir') && is_readable('/dev/urandom') && ($h = fopen('/dev/urandom', 'rb'))) { $e = fread($h, 64); fclose($h); return $e; } // Warning: Both methods below are considered weak // try to read from the windows RNG if($isWin && class_exists('COM')) { try { $comObj = new \COM('CAPICOM.Utilities.1'); if(is_callable(array($comObj,'GetRandom'))) { return base64_decode($comObj->GetRandom(64, 0)); } } catch (Exception $ex) { } } // Fallback to good old mt_rand() return uniqid(mt_rand(), true); } /** * Generates a random token that can be used for session IDs, CSRF tokens etc., based on * hash algorithms. * * If you are using it as a password equivalent (e.g. autologin token) do NOT store it * in the database as a plain text but encrypt it with Member::encryptWithUserSettings. * * @param String $algorithm Any identifier listed in hash_algos() (Default: whirlpool) * * @return String Returned length will depend on the used $algorithm */ public function randomToken($algorithm = 'whirlpool') { return hash($algorithm, $this->generateEntropy()); } }