diff options
| author | Frédéric Guillot <fred@kanboard.net> | 2017-12-15 13:27:25 -0800 |
|---|---|---|
| committer | Frédéric Guillot <fred@kanboard.net> | 2017-12-15 13:27:25 -0800 |
| commit | 8e6476b4028e44687e10bf7fb2617a2d2fff97d2 (patch) | |
| tree | f010db02cb0ff016bdc806a0a87e1a4b21946f0a /vendor/paragonie/random_compat | |
| parent | a93b8e10f5954be0853eec693c13e84c4bd9e6f2 (diff) | |
Update composer dependencies
Diffstat (limited to 'vendor/paragonie/random_compat')
17 files changed, 746 insertions, 1226 deletions
diff --git a/vendor/paragonie/random_compat/CHANGELOG.md b/vendor/paragonie/random_compat/CHANGELOG.md deleted file mode 100644 index 247deace..00000000 --- a/vendor/paragonie/random_compat/CHANGELOG.md +++ /dev/null @@ -1,260 +0,0 @@ -### Version 2.0.2 - 2016-04-03 - -Added a consistency check (discovered by Taylor Hornby in his -[PHP encryption library](https://github.com/defuse/php-encryption)). It -wasn't likely causing any trouble for us. - -### Version 2.0.1 - 2016-03-18 - -Update comment in random.php - -### Version 2.0.0 - 2016-03-18 - -Due to downstream errors, the OpenSSL removal now belongs in version -2.0.0. - -### Version 1.3.1 - 2016-03-18 - -* Add more possible values to `open_baseir` check. - -### Version 1.3.0 - 2016-03-17 - -* Removed `openssl_random_pseudo_bytes()` entirely. If you are using - random_compat in PHP on a Unix-like OS but cannot access - `/dev/urandom`, version 1.3+ will throw an `Exception`. If you want to - trust OpenSSL, feel free to write your own fallback code. e.g. - - ```php - try { - $bytes = random_bytes(32); - } catch (Exception $ex) { - $strong = false; - $bytes = openssl_random_pseudo_bytes(32, $strong); - if (!$strong) { - throw $ex; - } - } - ``` - -### Version 1.2.2 - 2016-03-11 - -* To prevent applications from hanging, if `/dev/urandom` is not - accessible to PHP, skip mcrypt (which just fails before giving OpenSSL - a chance and was morally equivalent to not offering OpenSSL at all). - -### Version 1.2.1 - 2016-02-29 - -* PHP 5.6.10 - 5.6.12 will hang when mcrypt is used on Unix-based operating - systems ([PHP bug 69833](https://bugs.php.net/bug.php?id=69833)). If you are - running one of these versions, please upgrade (or make sure `/dev/urandom` is - readable) otherwise you're relying on OpenSSL. - -### Version 1.2.0 - 2016-02-05 - -* Whitespace and other cosmetic changes -* Added a changelog. -* We now ship with a command line utility to build a PHP Archive from the - command line. - - Every time we publish a new release, we will also upload a .phar - to Github. Our public key is signed by our GPG key. - -### Version 1.1.6 - 2016-01-29 - -* Eliminate `open_basedir` warnings by detecting this configuration setting. - (Thanks [@oucil](https://github.com/oucil) for reporting this.) -* Added install instructions to the README. -* Documentation cleanup (there is, in fact, no `MCRYPT_CREATE_IV` constant, I - meant to write `MCRYPT_DEV_URANDOM`) - -### Version 1.1.5 - 2016-01-06 - -Prevent fatal errors on platforms with older versions of libsodium. - -### Version 1.1.4 - 2015-12-10 - -Thanks [@narfbg](https://github.com/narfbg) for [critiquing the previous patch](https://github.com/paragonie/random_compat/issues/79#issuecomment-163590589) -and suggesting a fix. - -### Version 1.1.3 - 2015-12-09 - -The test for COM in disabled_classes is now case-insensitive. - -### Version 1.1.2 - 2015-12-09 - -Don't instantiate COM if it's a disabled class. Removes the E_WARNING on Windows. - -### Version 1.1.1 - 2015-11-30 - -Fix a performance issue with `/dev/urandom` buffering. - -### Version 1.1.0 - 2015-11-09 - -Fix performance issues with ancient versions of PHP on Windows, but dropped -support for PHP < 5.4.1 without mcrypt on Windows 7+ in the process. Since this - is a BC break, semver dictates a minor version bump. - -### Version 1.0.10 - 2015-10-23 - -* Avoid a performance killer with OpenSSL on Windows PHP 5.3.0 - 5.3.3 that was - affecting [WordPress users](https://core.trac.wordpress.org/ticket/34409). -* Use `$var = null` instead of `unset($var)` to avoid triggering the garbage - collector and slowing things down. - -### Version 1.0.9 - 2015-10-20 - -There is an outstanding issue `mcrypt_create_iv()` and PHP 7's `random_bytes()` -on Windows reported by [@nicolas-grekas](https://github.com/nicolas-grekas) caused by `proc_open()` and environment -variable handling (discovered by Appveyor when developing Symfony). - -Since the break is consistent, it's not our responsibility to fix it, but we -should fail the same way PHP 7 will (i.e. throw an `Exception` rather than raise -an error and then throw an `Exception`). - -### Version 1.0.8 - 2015-10-18 - -* Fix usability issues with Windows (`new COM('CAPICOM.Utilities.1')` is not - always available). -* You can now test all the possible drivers by running `phpunit.sh each` in the - `tests` directory. - -### Version 1.0.7 - 2015-10-16 - -Several large integer handling bugfixes were contributed by [@oittaa](https://github.com/oittaa). - -### Version 1.0.6 - 2015-10-15 - -Don't let the version number fool you, this was a pretty significant change. - -1. Added support for ext-libsodium, if it exists on the system. This is morally - equivalent to adding `getrandom(2)` support without having to expose the - syscall interface in PHP-land. -2. Relaxed open_basedir restrictions. In previous versions, if open_basedir was - set, PHP wouldn't even try to read from `/dev/urandom`. Now it will still do - so if you can. -3. Fixed integer casting inconsistencies between random_compat and PHP 7. -4. Handle edge cases where an integer overflow turns one of the parameters into - a float. - -One change that we discussed was making `random_bytes()` and `random_int()` -strict typed; meaning you could *only* pass integers to either function. While -most veteran programmers are probably only doing this already (we strongly -encourage it), it wouldn't be consistent with how these functions behave in PHP -7. Please use these functions responsibly. - -We've had even more of the PHP community involved in this release; the -contributors list has been updated. If I forgot anybody, I promise you it's not -because your contributions (either code or ideas) aren't valued, it's because -I'm a bit overloaded with information at the moment. Please let me know -immediately and I will correct my oversight. - -Thanks everyone for helping make random_compat better. - -### Version 1.0.5 - 2015-10-08 - -Got rid of the methods in the `Throwable` interface, which was causing problems -on PHP 5.2. While we would normally not care about 5.2 (since [5.4 and earlier are EOL'd](https://secure.php.net/supported-versions.php)), -we do want to encourage widespread adoption (e.g. [Wordpress](https://core.trac.wordpress.org/ticket/28633)). - -### Version 1.0.4 - 2015-10-02 - -Removed redundant `if()` checks, since `lib/random.php` is the entrypoint people -should use. - -### Version 1.0.3 - 2015-10-02 - -This release contains bug fixes contributed by the community. - -* Avoid a PHP Notice when PHP is running without the mbstring extension -* Use a compatible version of PHPUnit for testing on older versions of PHP - -Although none of these bugs were outright security-affecting, updating ASAP is -still strongly encouraged. - -### Version 1.0.2 - 2015-09-23 - -Less strict input validation on `random_int()` parameters. PHP 7's `random_int()` -accepts strings and floats that look like numbers, so we should too. - -Thanks [@dd32](https://github.com/@dd32) for correcting this oversight. - -### Version 1.0.1 - 2015-09-10 - -Instead of throwing an Exception immediately on insecure platforms, only do so -when `random_bytes()` is invoked. - -### Version 1.0.0 - 2015-09-07 - -Our API is now stable and forward-compatible with the CSPRNG features in PHP 7 -(as of 7.0.0 RC3). - -A lot of great people have contributed their time and expertise to make this -compatibility library possible. That this library has reached a stable release -is more a reflection on the community than it is on PIE. - -We are confident that random_compat will serve as the simplest and most secure -CSPRNG interface available for PHP5 projects. - -### Version 0.9.7 (pre-release) - 2015-09-01 - -An attempt to achieve compatibility with Error/TypeError in the RFC. - -This should be identical to 1.0.0 sans any last-minute changes or performance enhancements. - -### Version 0.9.6 (pre-release) - 2015-08-06 - -* Split the implementations into their own file (for ease of auditing) -* Corrected the file type check after `/dev/urandom` has been opened (thanks - [@narfbg](https://github.com/narfbg) and [@jedisct1](https://github.com/jedisct1)) - -### Version 0.9.5 (pre-release) - 2015-07-31 - -* Validate that `/dev/urandom` is a character device - * Reported by [@lokdnet](https://twitter.com/lokdnet) - * Investigated by [@narfbg](https://github.com/narfbg) and [frymaster](http://stackoverflow.com/users/1226810/frymaster) on [StackOverflow](http://stackoverflow.com/q/31631066/2224584) -* Remove support for `/dev/arandom` which is an old OpenBSD feature, thanks [@jedisct1](https://github.com/jedisct1) -* Prevent race conditions on the `filetype()` check, thanks [@jedisct1](https://github.com/jedisct1) -* Buffer file reads to 8 bytes (performance optimization; PHP defaults to 8192 bytes) - -### Version 0.9.4 (pre-release) - 2015-07-27 - -* Add logic to verify that `/dev/arandom` and `/dev/urandom` are actually devices. -* Some clean-up in the comments - -### Version 0.9.3 (pre-release) - 2015-07-22 - -Unless the Exceptions change to PHP 7 fails, this should be the last pre-release -version. If need be, we'll make one more pre-release version with compatible -behavior. - -Changes since 0.9.2: - -* Prioritize `/dev/arandom` and `/dev/urandom` over mcrypt. -[@oittaa](https://github.com/oittaa) removed the -1 and +1 juggling on `$range` calculations for `random_int()` -* Whitespace and comment clean-up, plus better variable names -* Actually put a description in the composer.json file... - -### Version 0.9.2 (pre-release) - 2015-07-16 - -* Consolidated `$range > PHP_INT_MAX` logic with `$range <= PHP_INT_MAX` (thanks - [@oittaa](https://github.com/oittaa) and [@CodesInChaos](https://github.com/CodesInChaos)) -* `tests/phpunit.sh` now also runs the tests with `mbstring.func_overload` and - `open_basedir` -* Style consistency, whitespace cleanup, more meaningful variable names - -### Version 0.9.1 (pre-release) - 2015-07-09 - -* Return random values on integer ranges > `PHP_INT_MAX` (thanks [@CodesInChaos](https://github.com/CodesInChaos)) -* Determined CSPRNG preference: - 1. `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM` - 2. `/dev/arandom` - 3. `/dev/urandom` - 4. `openssl_random_pseudo_bytes()` -* Optimized backend selection (thanks [@lt](https://github.com/lt)) -* Fix #3 (thanks [@scottchiefbaker](https://github.com/scottchiefbaker)) - -### Version 0.9.0 (pre-release) - 2015-07-07 - -This should be a sane polyfill for PHP 7's `random_bytes()` and `random_int()`. -We hesitate to call it production ready until it has received sufficient third -party review.
\ No newline at end of file diff --git a/vendor/paragonie/random_compat/ERRATA.md b/vendor/paragonie/random_compat/ERRATA.md deleted file mode 100644 index 0561630d..00000000 --- a/vendor/paragonie/random_compat/ERRATA.md +++ /dev/null @@ -1,34 +0,0 @@ -## Errata (Design Decisions) - -### Reasoning Behind the Order of Preferred Random Data Sources - -The order is: - - 1. `libsodium if available` - 2. `fread() /dev/urandom if available` - 3. `mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)` - 4. `COM('CAPICOM.Utilities.1')->GetRandom()` - -If libsodium is available, we get random data from it. This is the preferred -method on all OSes, but libsodium is not very widely installed, so other -fallbacks are available. - -Next, we read `/dev/urandom` (if it exists). This is the preferred file to read -for random data for cryptographic purposes for BSD and Linux. - -Despite [strongly urging people not to use mcrypt in their projects](https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong), -because libmcrypt is abandonware and the API puts too much responsibility on the -implementor, we prioritize `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM` above -the remaining implementations. - -The reason is simple: `mcrypt_create_iv()` is part of PHP's `ext/mcrypt` code, -and is not part `libmcrypt`. It actually does the right thing: - - * On Unix-based operating systems, it reads from `/dev/urandom`, which unlike `/dev/random` - is the sane and correct thing to do. - * On Windows, it reads from `CryptGenRandom`, which is an exclusively Windows - way to get random bytes. - -If we're on Windows and don't have access to `mcrypt`, we use `CAPICOM.Utilities.1`. - -As of random_compat 1.3, we no longer fall through to OpenSSL. diff --git a/vendor/paragonie/random_compat/README.md b/vendor/paragonie/random_compat/README.md deleted file mode 100644 index 80560862..00000000 --- a/vendor/paragonie/random_compat/README.md +++ /dev/null @@ -1,176 +0,0 @@ -# random_compat - -[](https://travis-ci.org/paragonie/random_compat) -[](https://scrutinizer-ci.com/g/paragonie/random_compat) - -PHP 5.x polyfill for `random_bytes()` and `random_int()` created and maintained -by [Paragon Initiative Enterprises](https://paragonie.com). - -Although this library *should* function in earlier versions of PHP, we will only -consider issues relevant to [supported PHP versions](https://secure.php.net/supported-versions.php). -**If you are using an unsupported version of PHP, please upgrade as soon as possible.** - -## Important - -Although this library has been examined by some security experts in the PHP -community, there will always be a chance that we overlooked something. Please -ask your favorite trusted hackers to hammer it for implementation errors and -bugs before even thinking about deploying it in production. - -**Do not use the master branch, use a [stable release](https://github.com/paragonie/random_compat/releases/latest).** - -For the background of this library, please refer to our blog post on -[Generating Random Integers and Strings in PHP](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php). - -### Usability Notice - -If PHP cannot safely generate random data, this library will throw an `Exception`. -It will never fall back to insecure random data. If this keeps happening, upgrade -to a newer version of PHP immediately. - -## Installing - -**With [Composer](https://getcomposer.org):** - - composer require paragonie/random_compat - -**Signed PHP Archive:** - -As of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable -release on Github. - -1. Download [the `.phar`, `.phar.pubkey`, and `.phar.pubkey.asc`](https://github.com/paragonie/random_compat/releases/latest) files. -2. (**Recommended** but not required) Verify the PGP signature of `.phar.pubkey` - (contained within the `.asc` file) using the [PGP public key for Paragon Initiative Enterprises](https://paragonie.com/static/gpg-public-key.txt). -3. Extract both `.phar` and `.phar.pubkey` files to the same directory. -4. `require_once "/path/to/random_compat.phar";` -5. When a new version is released, you only need to replace the `.phar` file; - the `.pubkey` will not change (unless our signing key is ever compromised). - -**Manual Installation:** - -1. Download [a stable release](https://github.com/paragonie/random_compat/releases/latest). -2. Extract the files into your project. -3. `require_once "/path/to/random_compat/lib/random.php";` - -## Usage - -This library exposes the [CSPRNG functions added in PHP 7](https://secure.php.net/manual/en/ref.csprng.php) -for use in PHP 5 projects. Their behavior should be identical. - -### Generate a string of random bytes - -```php -try { - $string = random_bytes(32); -} catch (TypeError $e) { - // Well, it's an integer, so this IS unexpected. - die("An unexpected error has occurred"); -} catch (Error $e) { - // This is also unexpected because 32 is a reasonable integer. - die("An unexpected error has occurred"); -} catch (Exception $e) { - // If you get this message, the CSPRNG failed hard. - die("Could not generate a random string. Is our OS secure?"); -} - -var_dump(bin2hex($string)); -// string(64) "5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f" -``` - -### Generate a random integer between two given integers (inclusive) - -```php -try { - $int = random_int(0,255); - -} catch (TypeError $e) { - // Well, it's an integer, so this IS unexpected. - die("An unexpected error has occurred"); -} catch (Error $e) { - // This is also unexpected because 0 and 255 are both reasonable integers. - die("An unexpected error has occurred"); -} catch (Exception $e) { - // If you get this message, the CSPRNG failed hard. - die("Could not generate a random string. Is our OS secure?"); -} - -var_dump($int); -// int(47) -``` - -### Exception handling - -When handling exceptions and errors you must account for differences between -PHP 5 and PHP7. - -The differences: - -* Catching `Error` works, so long as it is caught before `Exception`. -* Catching `Exception` has different behavior, without previously catching `Error`. -* There is *no* portable way to catch all errors/exceptions. - -#### Our recommendation - -**Always** catch `Error` before `Exception`. - -#### Example - -```php -try { - return random_int(1, $userInput); -} catch (TypeError $e) { - // This is okay, so long as `Error` is caught before `Exception`. - throw new Exception('Please enter a number!'); -} catch (Error $e) { - // This is required, if you do not need to do anything just rethrow. - throw $e; -} catch (Exception $e) { - // This is optional and maybe omitted if you do not want to handle errors - // during generation. - throw new InternalServerErrorException( - 'Oops, our server is bust and cannot generate any random data.', - 500, - $e - ); -} -``` - -## Contributors - -This project would not be anywhere near as excellent as it is today if it -weren't for the contributions of the following individuals: - -* [@AndrewCarterUK (Andrew Carter)](https://github.com/AndrewCarterUK) -* [@asgrim (James Titcumb)](https://github.com/asgrim) -* [@bcremer (Benjamin Cremer)](https://github.com/bcremer) -* [@CodesInChaos (Christian Winnerlein)](https://github.com/CodesInChaos) -* [@chriscct7 (Chris Christoff)](https://github.com/chriscct7) -* [@cs278 (Chris Smith)](https://github.com/cs278) -* [@cweagans (Cameron Eagans)](https://github.com/cweagans) -* [@dd32 (Dion Hulse)](https://github.com/dd32) -* [@geggleto (Glenn Eggleton)](https://github.com/geggleto) -* [@ircmaxell (Anthony Ferrara)](https://github.com/ircmaxell) -* [@jedisct1 (Frank Denis)](https://github.com/jedisct1) -* [@juliangut (Julián Gutiérrez)](https://github.com/juliangut) -* [@kelunik (Niklas Keller)](https://github.com/kelunik) -* [@lt (Leigh)](https://github.com/lt) -* [@MasonM (Mason Malone)](https://github.com/MasonM) -* [@mmeyer2k (Michael M)](https://github.com/mmeyer2k) -* [@narfbg (Andrey Andreev)](https://github.com/narfbg) -* [@nicolas-grekas (Nicolas Grekas)](https://github.com/nicolas-grekas) -* [@oittaa](https://github.com/oittaa) -* [@oucil (Kevin Farley)](https://github.com/oucil) -* [@redragonx (Stephen Chavez)](https://github.com/redragonx) -* [@rchouinard (Ryan Chouinard)](https://github.com/rchouinard) -* [@SammyK (Sammy Kaye Powers)](https://github.com/SammyK) -* [@scottchiefbaker (Scott Baker)](https://github.com/scottchiefbaker) -* [@skyosev (Stoyan Kyosev)](https://github.com/skyosev) -* [@stof (Christophe Coevoet)](https://github.com/stof) -* [@teohhanhui (Teoh Han Hui)](https://github.com/teohhanhui) -* [@tom-- (Tom Worster)](https://github.com/tom--) -* [@tsyr2ko](https://github.com/tsyr2ko) -* [@trowski (Aaron Piotrowski)](https://github.com/trowski) -* [@twistor (Chris Lepannen)](https://github.com/twistor) -* [@voku (Lars Moelleken)](https://github.com/voku) -* [@xabbuh (Christian Flothmann)](https://github.com/xabbuh) diff --git a/vendor/paragonie/random_compat/SECURITY.md b/vendor/paragonie/random_compat/SECURITY.md deleted file mode 100644 index 8f731b38..00000000 --- a/vendor/paragonie/random_compat/SECURITY.md +++ /dev/null @@ -1,108 +0,0 @@ -# An Invitation to Security Researchers - -Every company says they take security "very seriously." Rather than bore anyone -with banal boilerplate, here are some quick answers followed by detailed -elaboration. If you have any questions about our policies, please email them to -`scott@paragonie.com`. - -## Quick Answers - -* There is no compulsion to disclose vulnerabilities privately, but we - appreciate a head's up. -* `security@paragonie.com` will get your reports to the right person. Our GPG - fingerprint, should you decide to encrypt your report, is - `7F52 D5C6 1D12 55C7 3136 2E82 6B97 A1C2 8264 04DA`. - -* **YES**, we will reward security researchers who disclose vulnerabilities in - our software. -* In most cases, **No Proof-of-Concept Required.** - -## How to Report a Security Bug to Paragon Initiative Enterprises - -### There is no compulsion to disclose privately. - -We believe vulnerability disclosure style is a personal choice and enjoy working -with a diverse community. We understand and appreciate the importance of Full -Disclosure in the history and practice of security research. - -We would *like* to know about high-severity bugs before they become public -knowledge, so we can fix them in a timely manner, but **we do not believe in -threatening researchers or trying to enforce vulnerability embargoes**. - -Ultimately, if you discover a security-affecting vulnerability, what you do with -it is your choice. We would like to work with people, and to celebrate and -reward their skill, experience, and dedication. We appreciate being informed of -our mistakes so we can learn from them and build a better product. Our goal is -to empower the community. - -### Where to Send Security Vulnerabilities - -Our security email address is `security@paragonie.com`. Also feel free to open a -new issue on Github if you want to disclose publicly. - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG - -mQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5 -qBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA -ivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0 -z1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk -6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn -syrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1 -cml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI -AgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/ -WLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD -Vj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC -9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d -cp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05 -WrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5 -AQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU -335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE -0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z -vy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm -hjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy -gF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb -DAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv -rKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH -6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx -qSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje -oLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q -ha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1 -=xJPW ------END PGP PUBLIC KEY BLOCK----- -``` - -### We Will Reward Security Researchers - -**This process has not been formalized; nor have dollar amounts been -discussed.** - -However, if you report a valid security-affecting bug, we will compensate you -for the time spent finding the vulnerability and reward you for being a good -neighbor. - -#### What does a "valid" bug mean? - -There are two sides to this: - -1. Some have spammed projects with invalid bug reports hoping to collect - bounties for pressing a button and running an automated analysis tool. This - is not cool. -2. There is a potential for the developers of a project to declare all security - bug reports as invalid to save money. - -Our team members have an established history of reporting vulnerabilities to -large open source projects. **We aren't in the business of ripping people off.** -When in doubt, our policy is to err on the side of generosity. - -### No Proof-of-Concept Required - -We might ask for one if we feel we do not understand some of the details -pertaining to a specific vulnerability. We certainly appreciate them if you -include them in your report, but we believe **the burden lies with the developer -to prove their software *is* secure** rather than with the researcher to prove -that it isn't. - -In our experience, most bugs are simpler to fix than they are to exploit. - diff --git a/vendor/paragonie/random_compat/composer.json b/vendor/paragonie/random_compat/composer.json index d363f4c8..1c5978c6 100644 --- a/vendor/paragonie/random_compat/composer.json +++ b/vendor/paragonie/random_compat/composer.json @@ -1,35 +1,37 @@ { - "name": "paragonie/random_compat", - "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", - "keywords": [ - "csprng", - "random", - "pseudorandom" - ], - "license": "MIT", - "type": "library", - "authors": [ - { - "name": "Paragon Initiative Enterprises", - "email": "security@paragonie.com", - "homepage": "https://paragonie.com" - } - ], - "support": { - "issues": "https://github.com/paragonie/random_compat/issues", - "email": "info@paragonie.com", - "source": "https://github.com/paragonie/random_compat" - }, - "require": { - "php": ">=5.2.0" - }, - "require-dev": { - "phpunit/phpunit": "4.*|5.*" - }, - "suggest": { - "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." - }, - "autoload": { - "files": ["lib/random.php"] + "name": "paragonie/random_compat", + "description": "PHP 5.x polyfill for random_bytes() and random_int() from PHP 7", + "keywords": [ + "csprng", + "random", + "pseudorandom" + ], + "license": "MIT", + "type": "library", + "authors": [ + { + "name": "Paragon Initiative Enterprises", + "email": "security@paragonie.com", + "homepage": "https://paragonie.com" } + ], + "support": { + "issues": "https://github.com/paragonie/random_compat/issues", + "email": "info@paragonie.com", + "source": "https://github.com/paragonie/random_compat" + }, + "require": { + "php": ">=5.2.0" + }, + "require-dev": { + "phpunit/phpunit": "4.*|5.*" + }, + "suggest": { + "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." + }, + "autoload": { + "files": [ + "lib/random.php" + ] + } } diff --git a/vendor/paragonie/random_compat/lib/byte_safe_strings.php b/vendor/paragonie/random_compat/lib/byte_safe_strings.php index dec5d306..3de86b22 100644 --- a/vendor/paragonie/random_compat/lib/byte_safe_strings.php +++ b/vendor/paragonie/random_compat/lib/byte_safe_strings.php @@ -5,7 +5,7 @@ * * The MIT License (MIT) * - * Copyright (c) 2015 Paragon Initiative Enterprises + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,7 +26,7 @@ * SOFTWARE. */ -if (!function_exists('RandomCompat_strlen')) { +if (!is_callable('RandomCompat_strlen')) { if ( defined('MB_OVERLOAD_STRING') && ini_get('mbstring.func_overload') & MB_OVERLOAD_STRING @@ -51,7 +51,7 @@ if (!function_exists('RandomCompat_strlen')) { ); } - return mb_strlen($binary_string, '8bit'); + return (int) mb_strlen($binary_string, '8bit'); } } else { @@ -73,12 +73,12 @@ if (!function_exists('RandomCompat_strlen')) { 'RandomCompat_strlen() expects a string' ); } - return strlen($binary_string); + return (int) strlen($binary_string); } } } -if (!function_exists('RandomCompat_substr')) { +if (!is_callable('RandomCompat_substr')) { if ( defined('MB_OVERLOAD_STRING') @@ -118,7 +118,7 @@ if (!function_exists('RandomCompat_substr')) { * mb_substr($str, 0, NULL, '8bit') returns an empty string on * PHP 5.3, so we have to find the length ourselves. */ - $length = RandomCompat_strlen($length) - $start; + $length = RandomCompat_strlen($binary_string) - $start; } elseif (!is_int($length)) { throw new TypeError( 'RandomCompat_substr(): Third argument should be an integer, or omitted' @@ -130,10 +130,10 @@ if (!function_exists('RandomCompat_substr')) { return ''; } if ($start > RandomCompat_strlen($binary_string)) { - return false; + return ''; } - return mb_substr($binary_string, $start, $length, '8bit'); + return (string) mb_substr($binary_string, $start, $length, '8bit'); } } else { @@ -172,10 +172,10 @@ if (!function_exists('RandomCompat_substr')) { ); } - return substr($binary_string, $start, $length); + return (string) substr($binary_string, $start, $length); } - return substr($binary_string, $start); + return (string) substr($binary_string, $start); } } } diff --git a/vendor/paragonie/random_compat/lib/cast_to_int.php b/vendor/paragonie/random_compat/lib/cast_to_int.php index f441c5d9..9a4fab99 100644 --- a/vendor/paragonie/random_compat/lib/cast_to_int.php +++ b/vendor/paragonie/random_compat/lib/cast_to_int.php @@ -5,7 +5,7 @@ * * The MIT License (MIT) * - * Copyright (c) 2015 Paragon Initiative Enterprises + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,7 +26,7 @@ * SOFTWARE. */ -if (!function_exists('RandomCompat_intval')) { +if (!is_callable('RandomCompat_intval')) { /** * Cast to an integer if we can, safely. @@ -38,15 +38,18 @@ if (!function_exists('RandomCompat_intval')) { * through. * * @param int|float $number The number we want to convert to an int - * @param boolean $fail_open Set to true to not throw an exception + * @param bool $fail_open Set to true to not throw an exception * - * @return int (or float if $fail_open) + * @return float|int + * @psalm-suppress InvalidReturnType * * @throws TypeError */ function RandomCompat_intval($number, $fail_open = false) { - if (is_numeric($number)) { + if (is_int($number) || is_float($number)) { + $number += 0; + } elseif (is_numeric($number)) { $number += 0; } @@ -60,12 +63,13 @@ if (!function_exists('RandomCompat_intval')) { $number = (int) $number; } - if (is_int($number) || $fail_open) { - return $number; + if (is_int($number)) { + return (int) $number; + } elseif (!$fail_open) { + throw new TypeError( + 'Expected an integer.' + ); } - - throw new TypeError( - 'Expected an integer.' - ); + return $number; } } diff --git a/vendor/paragonie/random_compat/lib/error_polyfill.php b/vendor/paragonie/random_compat/lib/error_polyfill.php index 57cfefdc..6a91990c 100644 --- a/vendor/paragonie/random_compat/lib/error_polyfill.php +++ b/vendor/paragonie/random_compat/lib/error_polyfill.php @@ -4,8 +4,8 @@ * for using the new PHP 7 random_* API in PHP 5 projects * * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -35,8 +35,15 @@ if (!class_exists('Error', false)) { } if (!class_exists('TypeError', false)) { - class TypeError extends Error - { - + if (is_subclass_of('Error', 'Exception')) { + class TypeError extends Error + { + + } + } else { + class TypeError extends Exception + { + + } } } diff --git a/vendor/paragonie/random_compat/lib/random.php b/vendor/paragonie/random_compat/lib/random.php index a8802597..df74c8a4 100644 --- a/vendor/paragonie/random_compat/lib/random.php +++ b/vendor/paragonie/random_compat/lib/random.php @@ -3,12 +3,12 @@ * Random_* Compatibility Library * for using the new PHP 7 random_* API in PHP 5 projects * - * @version 2.0.2 - * @released 2016-04-03 + * @version 2.0.10 + * @released 2017-03-13 * * The MIT License (MIT) * - * Copyright (c) 2015 Paragon Initiative Enterprises + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -31,7 +31,7 @@ if (!defined('PHP_VERSION_ID')) { // This constant was introduced in PHP 5.2.7 - $RandomCompatversion = explode('.', PHP_VERSION); + $RandomCompatversion = array_map('intval', explode('.', PHP_VERSION)); define( 'PHP_VERSION_ID', $RandomCompatversion[0] * 10000 @@ -41,157 +41,183 @@ if (!defined('PHP_VERSION_ID')) { $RandomCompatversion = null; } -if (PHP_VERSION_ID < 70000) { - - if (!defined('RANDOM_COMPAT_READ_BUFFER')) { - define('RANDOM_COMPAT_READ_BUFFER', 8); - } - - $RandomCompatDIR = dirname(__FILE__); +/** + * PHP 7.0.0 and newer have these functions natively. + */ +if (PHP_VERSION_ID >= 70000) { + return; +} - require_once $RandomCompatDIR.'/byte_safe_strings.php'; - require_once $RandomCompatDIR.'/cast_to_int.php'; - require_once $RandomCompatDIR.'/error_polyfill.php'; +if (!defined('RANDOM_COMPAT_READ_BUFFER')) { + define('RANDOM_COMPAT_READ_BUFFER', 8); +} - if (!function_exists('random_bytes')) { - /** - * PHP 5.2.0 - 5.6.x way to implement random_bytes() - * - * We use conditional statements here to define the function in accordance - * to the operating environment. It's a micro-optimization. - * - * In order of preference: - * 1. Use libsodium if available. - * 2. fread() /dev/urandom if available (never on Windows) - * 3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM) - * 4. COM('CAPICOM.Utilities.1')->GetRandom() - * 5. openssl_random_pseudo_bytes() (absolute last resort) - * - * See ERRATA.md for our reasoning behind this particular order - */ - if (extension_loaded('libsodium')) { - // See random_bytes_libsodium.php - if (PHP_VERSION_ID >= 50300 && function_exists('\\Sodium\\randombytes_buf')) { - require_once $RandomCompatDIR.'/random_bytes_libsodium.php'; - } elseif (method_exists('Sodium', 'randombytes_buf')) { - require_once $RandomCompatDIR.'/random_bytes_libsodium_legacy.php'; - } +$RandomCompatDIR = dirname(__FILE__); + +require_once $RandomCompatDIR . '/byte_safe_strings.php'; +require_once $RandomCompatDIR . '/cast_to_int.php'; +require_once $RandomCompatDIR . '/error_polyfill.php'; + +if (!is_callable('random_bytes')) { + /** + * PHP 5.2.0 - 5.6.x way to implement random_bytes() + * + * We use conditional statements here to define the function in accordance + * to the operating environment. It's a micro-optimization. + * + * In order of preference: + * 1. Use libsodium if available. + * 2. fread() /dev/urandom if available (never on Windows) + * 3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM) + * 4. COM('CAPICOM.Utilities.1')->GetRandom() + * + * See RATIONALE.md for our reasoning behind this particular order + */ + if (extension_loaded('libsodium')) { + // See random_bytes_libsodium.php + if (PHP_VERSION_ID >= 50300 && is_callable('\\Sodium\\randombytes_buf')) { + require_once $RandomCompatDIR . '/random_bytes_libsodium.php'; + } elseif (method_exists('Sodium', 'randombytes_buf')) { + require_once $RandomCompatDIR . '/random_bytes_libsodium_legacy.php'; } + } - /** - * Reading directly from /dev/urandom: - */ - if (DIRECTORY_SEPARATOR === '/') { - // DIRECTORY_SEPARATOR === '/' on Unix-like OSes -- this is a fast - // way to exclude Windows. - $RandomCompatUrandom = true; - $RandomCompat_basedir = ini_get('open_basedir'); - - if (!empty($RandomCompat_basedir)) { - $RandomCompat_open_basedir = explode( - PATH_SEPARATOR, - strtolower($RandomCompat_basedir) - ); - $RandomCompatUrandom = (array() !== array_intersect( - array('/dev', '/dev/', '/dev/urandom'), - $RandomCompat_open_basedir - )); - $RandomCompat_open_basedir = null; - } - - if ( - !function_exists('random_bytes') - && - $RandomCompatUrandom - && - @is_readable('/dev/urandom') - ) { - // Error suppression on is_readable() in case of an open_basedir - // or safe_mode failure. All we care about is whether or not we - // can read it at this point. If the PHP environment is going to - // panic over trying to see if the file can be read in the first - // place, that is not helpful to us here. - - // See random_bytes_dev_urandom.php - require_once $RandomCompatDIR.'/random_bytes_dev_urandom.php'; - } - // Unset variables after use - $RandomCompat_basedir = null; - } else { - $RandomCompatUrandom = false; + /** + * Reading directly from /dev/urandom: + */ + if (DIRECTORY_SEPARATOR === '/') { + // DIRECTORY_SEPARATOR === '/' on Unix-like OSes -- this is a fast + // way to exclude Windows. + $RandomCompatUrandom = true; + $RandomCompat_basedir = ini_get('open_basedir'); + + if (!empty($RandomCompat_basedir)) { + $RandomCompat_open_basedir = explode( + PATH_SEPARATOR, + strtolower($RandomCompat_basedir) + ); + $RandomCompatUrandom = (array() !== array_intersect( + array('/dev', '/dev/', '/dev/urandom'), + $RandomCompat_open_basedir + )); + $RandomCompat_open_basedir = null; } - /** - * mcrypt_create_iv() - */ if ( - !function_exists('random_bytes') - && - PHP_VERSION_ID >= 50307 + !is_callable('random_bytes') && - extension_loaded('mcrypt') + $RandomCompatUrandom && - (DIRECTORY_SEPARATOR !== '/' || $RandomCompatUrandom) + @is_readable('/dev/urandom') ) { - // Prevent this code from hanging indefinitely on non-Windows; - // see https://bugs.php.net/bug.php?id=69833 - if ( - DIRECTORY_SEPARATOR !== '/' || - (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613) - ) { - // See random_bytes_mcrypt.php - require_once $RandomCompatDIR.'/random_bytes_mcrypt.php'; - } + // Error suppression on is_readable() in case of an open_basedir + // or safe_mode failure. All we care about is whether or not we + // can read it at this point. If the PHP environment is going to + // panic over trying to see if the file can be read in the first + // place, that is not helpful to us here. + + // See random_bytes_dev_urandom.php + require_once $RandomCompatDIR . '/random_bytes_dev_urandom.php'; } - $RandomCompatUrandom = null; - - if ( - !function_exists('random_bytes') - && - extension_loaded('com_dotnet') - && - class_exists('COM') - ) { - $RandomCompat_disabled_classes = preg_split( - '#\s*,\s*#', - strtolower(ini_get('disable_classes')) - ); + // Unset variables after use + $RandomCompat_basedir = null; + } else { + $RandomCompatUrandom = false; + } - if (!in_array('com', $RandomCompat_disabled_classes)) { - try { - $RandomCompatCOMtest = new COM('CAPICOM.Utilities.1'); - if (method_exists($RandomCompatCOMtest, 'GetRandom')) { - // See random_bytes_com_dotnet.php - require_once $RandomCompatDIR.'/random_bytes_com_dotnet.php'; - } - } catch (com_exception $e) { - // Don't try to use it. + /** + * mcrypt_create_iv() + * + * We only want to use mcypt_create_iv() if: + * + * - random_bytes() hasn't already been defined + * - the mcrypt extensions is loaded + * - One of these two conditions is true: + * - We're on Windows (DIRECTORY_SEPARATOR !== '/') + * - We're not on Windows and /dev/urandom is readabale + * (i.e. we're not in a chroot jail) + * - Special case: + * - If we're not on Windows, but the PHP version is between + * 5.6.10 and 5.6.12, we don't want to use mcrypt. It will + * hang indefinitely. This is bad. + * - If we're on Windows, we want to use PHP >= 5.3.7 or else + * we get insufficient entropy errors. + */ + if ( + !is_callable('random_bytes') + && + // Windows on PHP < 5.3.7 is broken, but non-Windows is not known to be. + (DIRECTORY_SEPARATOR === '/' || PHP_VERSION_ID >= 50307) + && + // Prevent this code from hanging indefinitely on non-Windows; + // see https://bugs.php.net/bug.php?id=69833 + ( + DIRECTORY_SEPARATOR !== '/' || + (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613) + ) + && + extension_loaded('mcrypt') + ) { + // See random_bytes_mcrypt.php + require_once $RandomCompatDIR . '/random_bytes_mcrypt.php'; + } + $RandomCompatUrandom = null; + + /** + * This is a Windows-specific fallback, for when the mcrypt extension + * isn't loaded. + */ + if ( + !is_callable('random_bytes') + && + extension_loaded('com_dotnet') + && + class_exists('COM') + ) { + $RandomCompat_disabled_classes = preg_split( + '#\s*,\s*#', + strtolower(ini_get('disable_classes')) + ); + + if (!in_array('com', $RandomCompat_disabled_classes)) { + try { + $RandomCompatCOMtest = new COM('CAPICOM.Utilities.1'); + if (method_exists($RandomCompatCOMtest, 'GetRandom')) { + // See random_bytes_com_dotnet.php + require_once $RandomCompatDIR . '/random_bytes_com_dotnet.php'; } + } catch (com_exception $e) { + // Don't try to use it. } - $RandomCompat_disabled_classes = null; - $RandomCompatCOMtest = null; } + $RandomCompat_disabled_classes = null; + $RandomCompatCOMtest = null; + } + /** + * throw new Exception + */ + if (!is_callable('random_bytes')) { /** - * throw new Exception + * We don't have any more options, so let's throw an exception right now + * and hope the developer won't let it fail silently. + * + * @param mixed $length + * @return void + * @throws Exception */ - if (!function_exists('random_bytes')) { - /** - * We don't have any more options, so let's throw an exception right now - * and hope the developer won't let it fail silently. - */ - function random_bytes($length) - { - throw new Exception( - 'There is no suitable CSPRNG installed on your system' - ); - } + function random_bytes($length) + { + unset($length); // Suppress "variable not used" warnings. + throw new Exception( + 'There is no suitable CSPRNG installed on your system' + ); } } +} - if (!function_exists('random_int')) { - require_once $RandomCompatDIR.'/random_int.php'; - } - - $RandomCompatDIR = null; +if (!is_callable('random_int')) { + require_once $RandomCompatDIR . '/random_int.php'; } + +$RandomCompatDIR = null; diff --git a/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php b/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php index 34228254..fc1926e5 100644 --- a/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php +++ b/vendor/paragonie/random_compat/lib/random_bytes_com_dotnet.php @@ -5,7 +5,7 @@ * * The MIT License (MIT) * - * Copyright (c) 2015 Paragon Initiative Enterprises + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,56 +26,63 @@ * SOFTWARE. */ -/** - * Windows with PHP < 5.3.0 will not have the function - * openssl_random_pseudo_bytes() available, so let's use - * CAPICOM to work around this deficiency. - * - * @param int $bytes - * - * @throws Exception - * - * @return string - */ -function random_bytes($bytes) -{ - try { - $bytes = RandomCompat_intval($bytes); - } catch (TypeError $ex) { - throw new TypeError( - 'random_bytes(): $bytes must be an integer' - ); - } - - if ($bytes < 1) { - throw new Error( - 'Length must be greater than 0' - ); - } - - $buf = ''; - $util = new COM('CAPICOM.Utilities.1'); - $execCount = 0; - +if (!is_callable('random_bytes')) { /** - * Let's not let it loop forever. If we run N times and fail to - * get N bytes of random data, then CAPICOM has failed us. + * Windows with PHP < 5.3.0 will not have the function + * openssl_random_pseudo_bytes() available, so let's use + * CAPICOM to work around this deficiency. + * + * @param int $bytes + * + * @throws Exception + * + * @return string */ - do { - $buf .= base64_decode($util->GetRandom($bytes, 0)); - if (RandomCompat_strlen($buf) >= $bytes) { - /** - * Return our random entropy buffer here: - */ - return RandomCompat_substr($buf, 0, $bytes); + function random_bytes($bytes) + { + try { + $bytes = RandomCompat_intval($bytes); + } catch (TypeError $ex) { + throw new TypeError( + 'random_bytes(): $bytes must be an integer' + ); } - ++$execCount; - } while ($execCount < $bytes); - /** - * If we reach here, PHP has failed us. - */ - throw new Exception( - 'Could not gather sufficient random data' - ); -} + if ($bytes < 1) { + throw new Error( + 'Length must be greater than 0' + ); + } + + $buf = ''; + if (!class_exists('COM')) { + throw new Error( + 'COM does not exist' + ); + } + $util = new COM('CAPICOM.Utilities.1'); + $execCount = 0; + + /** + * Let's not let it loop forever. If we run N times and fail to + * get N bytes of random data, then CAPICOM has failed us. + */ + do { + $buf .= base64_decode($util->GetRandom($bytes, 0)); + if (RandomCompat_strlen($buf) >= $bytes) { + /** + * Return our random entropy buffer here: + */ + return RandomCompat_substr($buf, 0, $bytes); + } + ++$execCount; + } while ($execCount < $bytes); + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); + } +}
\ No newline at end of file diff --git a/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php b/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php index db93b075..df5b9152 100644 --- a/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php +++ b/vendor/paragonie/random_compat/lib/random_bytes_dev_urandom.php @@ -4,8 +4,8 @@ * for using the new PHP 7 random_* API in PHP 5 projects * * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -30,119 +30,138 @@ if (!defined('RANDOM_COMPAT_READ_BUFFER')) { define('RANDOM_COMPAT_READ_BUFFER', 8); } -/** - * Unless open_basedir is enabled, use /dev/urandom for - * random numbers in accordance with best practices - * - * Why we use /dev/urandom and not /dev/random - * @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers - * - * @param int $bytes - * - * @throws Exception - * - * @return string - */ -function random_bytes($bytes) -{ - static $fp = null; +if (!is_callable('random_bytes')) { /** - * This block should only be run once + * Unless open_basedir is enabled, use /dev/urandom for + * random numbers in accordance with best practices + * + * Why we use /dev/urandom and not /dev/random + * @ref http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers + * + * @param int $bytes + * + * @throws Exception + * + * @return string */ - if (empty($fp)) { + function random_bytes($bytes) + { + static $fp = null; /** - * We use /dev/urandom if it is a char device. - * We never fall back to /dev/random + * This block should only be run once */ - $fp = fopen('/dev/urandom', 'rb'); - if (!empty($fp)) { - $st = fstat($fp); - if (($st['mode'] & 0170000) !== 020000) { - fclose($fp); - $fp = false; - } - } - - if (!empty($fp)) { + if (empty($fp)) { /** - * stream_set_read_buffer() does not exist in HHVM - * - * If we don't set the stream's read buffer to 0, PHP will - * internally buffer 8192 bytes, which can waste entropy - * - * stream_set_read_buffer returns 0 on success + * We use /dev/urandom if it is a char device. + * We never fall back to /dev/random */ - if (function_exists('stream_set_read_buffer')) { - stream_set_read_buffer($fp, RANDOM_COMPAT_READ_BUFFER); + $fp = fopen('/dev/urandom', 'rb'); + if (!empty($fp)) { + $st = fstat($fp); + if (($st['mode'] & 0170000) !== 020000) { + fclose($fp); + $fp = false; + } } - if (function_exists('stream_set_chunk_size')) { - stream_set_chunk_size($fp, RANDOM_COMPAT_READ_BUFFER); + + if (!empty($fp)) { + /** + * stream_set_read_buffer() does not exist in HHVM + * + * If we don't set the stream's read buffer to 0, PHP will + * internally buffer 8192 bytes, which can waste entropy + * + * stream_set_read_buffer returns 0 on success + */ + if (is_callable('stream_set_read_buffer')) { + stream_set_read_buffer($fp, RANDOM_COMPAT_READ_BUFFER); + } + if (is_callable('stream_set_chunk_size')) { + stream_set_chunk_size($fp, RANDOM_COMPAT_READ_BUFFER); + } } } - } - try { - $bytes = RandomCompat_intval($bytes); - } catch (TypeError $ex) { - throw new TypeError( - 'random_bytes(): $bytes must be an integer' - ); - } - - if ($bytes < 1) { - throw new Error( - 'Length must be greater than 0' - ); - } + try { + $bytes = RandomCompat_intval($bytes); + } catch (TypeError $ex) { + throw new TypeError( + 'random_bytes(): $bytes must be an integer' + ); + } - /** - * This if() block only runs if we managed to open a file handle - * - * It does not belong in an else {} block, because the above - * if (empty($fp)) line is logic that should only be run once per - * page load. - */ - if (!empty($fp)) { - $remaining = $bytes; - $buf = ''; + if ($bytes < 1) { + throw new Error( + 'Length must be greater than 0' + ); + } /** - * We use fread() in a loop to protect against partial reads + * This if() block only runs if we managed to open a file handle + * + * It does not belong in an else {} block, because the above + * if (empty($fp)) line is logic that should only be run once per + * page load. */ - do { - $read = fread($fp, $remaining); - if ($read === false) { - /** - * We cannot safely read from the file. Exit the - * do-while loop and trigger the exception condition - */ - $buf = false; - break; - } + if (!empty($fp)) { /** - * Decrease the number of bytes returned from remaining + * @var int */ - $remaining -= RandomCompat_strlen($read); - $buf .= $read; - } while ($remaining > 0); - - /** - * Is our result valid? - */ - if ($buf !== false) { - if (RandomCompat_strlen($buf) === $bytes) { + $remaining = $bytes; + + /** + * @var string|bool + */ + $buf = ''; + + /** + * We use fread() in a loop to protect against partial reads + */ + do { + /** + * @var string|bool + */ + $read = fread($fp, $remaining); + if (!is_string($read)) { + if ($read === false) { + /** + * We cannot safely read from the file. Exit the + * do-while loop and trigger the exception condition + * + * @var string|bool + */ + $buf = false; + break; + } + } /** - * Return our random entropy buffer here: + * Decrease the number of bytes returned from remaining */ - return $buf; + $remaining -= RandomCompat_strlen($read); + /** + * @var string|bool + */ + $buf = $buf . $read; + } while ($remaining > 0); + + /** + * Is our result valid? + */ + if (is_string($buf)) { + if (RandomCompat_strlen($buf) === $bytes) { + /** + * Return our random entropy buffer here: + */ + return $buf; + } } } - } - /** - * If we reach here, PHP has failed us. - */ - throw new Exception( - 'Error reading from source device' - ); + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Error reading from source device' + ); + } } diff --git a/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php b/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php index f802d4e1..4af1a242 100644 --- a/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php +++ b/vendor/paragonie/random_compat/lib/random_bytes_libsodium.php @@ -4,8 +4,8 @@ * for using the new PHP 7 random_* API in PHP 5 projects * * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,61 +26,63 @@ * SOFTWARE. */ -/** - * If the libsodium PHP extension is loaded, we'll use it above any other - * solution. - * - * libsodium-php project: - * @ref https://github.com/jedisct1/libsodium-php - * - * @param int $bytes - * - * @throws Exception - * - * @return string - */ -function random_bytes($bytes) -{ - try { - $bytes = RandomCompat_intval($bytes); - } catch (TypeError $ex) { - throw new TypeError( - 'random_bytes(): $bytes must be an integer' - ); - } - - if ($bytes < 1) { - throw new Error( - 'Length must be greater than 0' - ); - } - +if (!is_callable('random_bytes')) { /** - * \Sodium\randombytes_buf() doesn't allow more than 2147483647 bytes to be - * generated in one invocation. + * If the libsodium PHP extension is loaded, we'll use it above any other + * solution. + * + * libsodium-php project: + * @ref https://github.com/jedisct1/libsodium-php + * + * @param int $bytes + * + * @throws Exception + * + * @return string */ - if ($bytes > 2147483647) { - $buf = ''; - for ($i = 0; $i < $bytes; $i += 1073741824) { - $n = ($bytes - $i) > 1073741824 - ? 1073741824 - : $bytes - $i; - $buf .= \Sodium\randombytes_buf($n); + function random_bytes($bytes) + { + try { + $bytes = RandomCompat_intval($bytes); + } catch (TypeError $ex) { + throw new TypeError( + 'random_bytes(): $bytes must be an integer' + ); } - } else { - $buf = \Sodium\randombytes_buf($bytes); - } - if ($buf !== false) { - if (RandomCompat_strlen($buf) === $bytes) { - return $buf; + if ($bytes < 1) { + throw new Error( + 'Length must be greater than 0' + ); } - } - /** - * If we reach here, PHP has failed us. - */ - throw new Exception( - 'Could not gather sufficient random data' - ); + /** + * \Sodium\randombytes_buf() doesn't allow more than 2147483647 bytes to be + * generated in one invocation. + */ + if ($bytes > 2147483647) { + $buf = ''; + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= \Sodium\randombytes_buf($n); + } + } else { + $buf = \Sodium\randombytes_buf($bytes); + } + + if ($buf !== false) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } + } + + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); + } } diff --git a/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php b/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php index 44fddbf6..705af526 100644 --- a/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php +++ b/vendor/paragonie/random_compat/lib/random_bytes_libsodium_legacy.php @@ -4,8 +4,8 @@ * for using the new PHP 7 random_* API in PHP 5 projects * * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,61 +26,67 @@ * SOFTWARE. */ -/** - * If the libsodium PHP extension is loaded, we'll use it above any other - * solution. - * - * libsodium-php project: - * @ref https://github.com/jedisct1/libsodium-php - * - * @param int $bytes - * - * @throws Exception - * - * @return string - */ -function random_bytes($bytes) -{ - try { - $bytes = RandomCompat_intval($bytes); - } catch (TypeError $ex) { - throw new TypeError( - 'random_bytes(): $bytes must be an integer' - ); - } - - if ($bytes < 1) { - throw new Error( - 'Length must be greater than 0' - ); - } - +if (!is_callable('random_bytes')) { /** - * \Sodium\randombytes_buf() doesn't allow more than 2147483647 bytes to be - * generated in one invocation. + * If the libsodium PHP extension is loaded, we'll use it above any other + * solution. + * + * libsodium-php project: + * @ref https://github.com/jedisct1/libsodium-php + * + * @param int $bytes + * + * @throws Exception + * + * @return string */ - if ($bytes > 2147483647) { + function random_bytes($bytes) + { + try { + $bytes = RandomCompat_intval($bytes); + } catch (TypeError $ex) { + throw new TypeError( + 'random_bytes(): $bytes must be an integer' + ); + } + + if ($bytes < 1) { + throw new Error( + 'Length must be greater than 0' + ); + } + + /** + * @var string + */ $buf = ''; - for ($i = 0; $i < $bytes; $i += 1073741824) { - $n = ($bytes - $i) > 1073741824 - ? 1073741824 - : $bytes - $i; - $buf .= Sodium::randombytes_buf($n); + + /** + * \Sodium\randombytes_buf() doesn't allow more than 2147483647 bytes to be + * generated in one invocation. + */ + if ($bytes > 2147483647) { + for ($i = 0; $i < $bytes; $i += 1073741824) { + $n = ($bytes - $i) > 1073741824 + ? 1073741824 + : $bytes - $i; + $buf .= Sodium::randombytes_buf((int) $n); + } + } else { + $buf .= Sodium::randombytes_buf((int) $bytes); } - } else { - $buf = Sodium::randombytes_buf($bytes); - } - if ($buf !== false) { - if (RandomCompat_strlen($buf) === $bytes) { - return $buf; + if (is_string($buf)) { + if (RandomCompat_strlen($buf) === $bytes) { + return $buf; + } } - } - /** - * If we reach here, PHP has failed us. - */ - throw new Exception( - 'Could not gather sufficient random data' - ); + /** + * If we reach here, PHP has failed us. + */ + throw new Exception( + 'Could not gather sufficient random data' + ); + } } diff --git a/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php b/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php index 7ac9d910..aac9c013 100644 --- a/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php +++ b/vendor/paragonie/random_compat/lib/random_bytes_mcrypt.php @@ -4,8 +4,8 @@ * for using the new PHP 7 random_* API in PHP 5 projects * * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal @@ -26,51 +26,52 @@ * SOFTWARE. */ +if (!is_callable('random_bytes')) { + /** + * Powered by ext/mcrypt (and thankfully NOT libmcrypt) + * + * @ref https://bugs.php.net/bug.php?id=55169 + * @ref https://github.com/php/php-src/blob/c568ffe5171d942161fc8dda066bce844bdef676/ext/mcrypt/mcrypt.c#L1321-L1386 + * + * @param int $bytes + * + * @throws Exception + * + * @return string + */ + function random_bytes($bytes) + { + try { + $bytes = RandomCompat_intval($bytes); + } catch (TypeError $ex) { + throw new TypeError( + 'random_bytes(): $bytes must be an integer' + ); + } -/** - * Powered by ext/mcrypt (and thankfully NOT libmcrypt) - * - * @ref https://bugs.php.net/bug.php?id=55169 - * @ref https://github.com/php/php-src/blob/c568ffe5171d942161fc8dda066bce844bdef676/ext/mcrypt/mcrypt.c#L1321-L1386 - * - * @param int $bytes - * - * @throws Exception - * - * @return string - */ -function random_bytes($bytes) -{ - try { - $bytes = RandomCompat_intval($bytes); - } catch (TypeError $ex) { - throw new TypeError( - 'random_bytes(): $bytes must be an integer' - ); - } + if ($bytes < 1) { + throw new Error( + 'Length must be greater than 0' + ); + } - if ($bytes < 1) { - throw new Error( - 'Length must be greater than 0' - ); - } + $buf = @mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM); + if ( + $buf !== false + && + RandomCompat_strlen($buf) === $bytes + ) { + /** + * Return our random entropy buffer here: + */ + return $buf; + } - $buf = @mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM); - if ( - $buf !== false - && - RandomCompat_strlen($buf) === $bytes - ) { /** - * Return our random entropy buffer here: + * If we reach here, PHP has failed us. */ - return $buf; + throw new Exception( + 'Could not gather sufficient random data' + ); } - - /** - * If we reach here, PHP has failed us. - */ - throw new Exception( - 'Could not gather sufficient random data' - ); } diff --git a/vendor/paragonie/random_compat/lib/random_int.php b/vendor/paragonie/random_compat/lib/random_int.php index fd3ef87a..5b2143a1 100644 --- a/vendor/paragonie/random_compat/lib/random_int.php +++ b/vendor/paragonie/random_compat/lib/random_int.php @@ -1,191 +1,190 @@ <?php -/** - * Random_* Compatibility Library - * for using the new PHP 7 random_* API in PHP 5 projects - * - * The MIT License (MIT) - * - * Copyright (c) 2015 Paragon Initiative Enterprises - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -/** - * Fetch a random integer between $min and $max inclusive - * - * @param int $min - * @param int $max - * - * @throws Exception - * - * @return int - */ -function random_int($min, $max) -{ - /** - * Type and input logic checks - * - * If you pass it a float in the range (~PHP_INT_MAX, PHP_INT_MAX) - * (non-inclusive), it will sanely cast it to an int. If you it's equal to - * ~PHP_INT_MAX or PHP_INT_MAX, we let it fail as not an integer. Floats - * lose precision, so the <= and => operators might accidentally let a float - * through. - */ - - try { - $min = RandomCompat_intval($min); - } catch (TypeError $ex) { - throw new TypeError( - 'random_int(): $min must be an integer' - ); - } - try { - $max = RandomCompat_intval($max); - } catch (TypeError $ex) { - throw new TypeError( - 'random_int(): $max must be an integer' - ); - } - +if (!is_callable('random_int')) { /** - * Now that we've verified our weak typing system has given us an integer, - * let's validate the logic then we can move forward with generating random - * integers along a given range. + * Random_* Compatibility Library + * for using the new PHP 7 random_* API in PHP 5 projects + * + * The MIT License (MIT) + * + * Copyright (c) 2015 - 2017 Paragon Initiative Enterprises + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ - if ($min > $max) { - throw new Error( - 'Minimum value must be less than or equal to the maximum value' - ); - } - - if ($max === $min) { - return $min; - } /** - * Initialize variables to 0 - * - * We want to store: - * $bytes => the number of random bytes we need - * $mask => an integer bitmask (for use with the &) operator - * so we can minimize the number of discards + * Fetch a random integer between $min and $max inclusive + * + * @param int $min + * @param int $max + * + * @throws Exception + * + * @return int */ - $attempts = $bits = $bytes = $mask = $valueShift = 0; - - /** - * At this point, $range is a positive number greater than 0. It might - * overflow, however, if $max - $min > PHP_INT_MAX. PHP will cast it to - * a float and we will lose some precision. - */ - $range = $max - $min; - - /** - * Test for integer overflow: - */ - if (!is_int($range)) { - + function random_int($min, $max) + { /** - * Still safely calculate wider ranges. - * Provided by @CodesInChaos, @oittaa - * - * @ref https://gist.github.com/CodesInChaos/03f9ea0b58e8b2b8d435 - * - * We use ~0 as a mask in this case because it generates all 1s - * - * @ref https://eval.in/400356 (32-bit) - * @ref http://3v4l.org/XX9r5 (64-bit) + * Type and input logic checks + * + * If you pass it a float in the range (~PHP_INT_MAX, PHP_INT_MAX) + * (non-inclusive), it will sanely cast it to an int. If you it's equal to + * ~PHP_INT_MAX or PHP_INT_MAX, we let it fail as not an integer. Floats + * lose precision, so the <= and => operators might accidentally let a float + * through. */ - $bytes = PHP_INT_SIZE; - $mask = ~0; - } else { + try { + $min = RandomCompat_intval($min); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $min must be an integer' + ); + } - /** - * $bits is effectively ceil(log($range, 2)) without dealing with - * type juggling - */ - while ($range > 0) { - if ($bits % 8 === 0) { - ++$bytes; - } - ++$bits; - $range >>= 1; - $mask = $mask << 1 | 1; + try { + $max = RandomCompat_intval($max); + } catch (TypeError $ex) { + throw new TypeError( + 'random_int(): $max must be an integer' + ); } - $valueShift = $min; - } - /** - * Now that we have our parameters set up, let's begin generating - * random integers until one falls between $min and $max - */ - do { /** - * The rejection probability is at most 0.5, so this corresponds - * to a failure probability of 2^-128 for a working RNG + * Now that we've verified our weak typing system has given us an integer, + * let's validate the logic then we can move forward with generating random + * integers along a given range. */ - if ($attempts > 128) { - throw new Exception( - 'random_int: RNG is broken - too many rejections' + if ($min > $max) { + throw new Error( + 'Minimum value must be less than or equal to the maximum value' ); } + if ($max === $min) { + return (int) $min; + } + /** - * Let's grab the necessary number of random bytes + * Initialize variables to 0 + * + * We want to store: + * $bytes => the number of random bytes we need + * $mask => an integer bitmask (for use with the &) operator + * so we can minimize the number of discards */ - $randomByteString = random_bytes($bytes); - if ($randomByteString === false) { - throw new Exception( - 'Random number generator failure' - ); - } + $attempts = $bits = $bytes = $mask = $valueShift = 0; /** - * Let's turn $randomByteString into an integer - * - * This uses bitwise operators (<< and |) to build an integer - * out of the values extracted from ord() - * - * Example: [9F] | [6D] | [32] | [0C] => - * 159 + 27904 + 3276800 + 201326592 => - * 204631455 + * At this point, $range is a positive number greater than 0. It might + * overflow, however, if $max - $min > PHP_INT_MAX. PHP will cast it to + * a float and we will lose some precision. */ - $val = 0; - for ($i = 0; $i < $bytes; ++$i) { - $val |= ord($randomByteString[$i]) << ($i * 8); - } + $range = $max - $min; /** - * Apply mask + * Test for integer overflow: */ - $val &= $mask; - $val += $valueShift; + if (!is_int($range)) { + + /** + * Still safely calculate wider ranges. + * Provided by @CodesInChaos, @oittaa + * + * @ref https://gist.github.com/CodesInChaos/03f9ea0b58e8b2b8d435 + * + * We use ~0 as a mask in this case because it generates all 1s + * + * @ref https://eval.in/400356 (32-bit) + * @ref http://3v4l.org/XX9r5 (64-bit) + */ + $bytes = PHP_INT_SIZE; + $mask = ~0; - ++$attempts; + } else { + + /** + * $bits is effectively ceil(log($range, 2)) without dealing with + * type juggling + */ + while ($range > 0) { + if ($bits % 8 === 0) { + ++$bytes; + } + ++$bits; + $range >>= 1; + $mask = $mask << 1 | 1; + } + $valueShift = $min; + } + + $val = 0; /** - * If $val overflows to a floating point number, - * ... or is larger than $max, - * ... or smaller than $min, - * then try again. + * Now that we have our parameters set up, let's begin generating + * random integers until one falls between $min and $max */ - } while (!is_int($val) || $val > $max || $val < $min); + do { + /** + * The rejection probability is at most 0.5, so this corresponds + * to a failure probability of 2^-128 for a working RNG + */ + if ($attempts > 128) { + throw new Exception( + 'random_int: RNG is broken - too many rejections' + ); + } + + /** + * Let's grab the necessary number of random bytes + */ + $randomByteString = random_bytes($bytes); - return (int) $val; + /** + * Let's turn $randomByteString into an integer + * + * This uses bitwise operators (<< and |) to build an integer + * out of the values extracted from ord() + * + * Example: [9F] | [6D] | [32] | [0C] => + * 159 + 27904 + 3276800 + 201326592 => + * 204631455 + */ + $val &= 0; + for ($i = 0; $i < $bytes; ++$i) { + $val |= ord($randomByteString[$i]) << ($i * 8); + } + + /** + * Apply mask + */ + $val &= $mask; + $val += $valueShift; + + ++$attempts; + /** + * If $val overflows to a floating point number, + * ... or is larger than $max, + * ... or smaller than $min, + * then try again. + */ + } while (!is_int($val) || $val > $max || $val < $min); + + return (int) $val; + } } diff --git a/vendor/paragonie/random_compat/psalm-autoload.php b/vendor/paragonie/random_compat/psalm-autoload.php new file mode 100644 index 00000000..d71d1b81 --- /dev/null +++ b/vendor/paragonie/random_compat/psalm-autoload.php @@ -0,0 +1,9 @@ +<?php + +require_once 'lib/byte_safe_strings.php'; +require_once 'lib/cast_to_int.php'; +require_once 'lib/error_polyfill.php'; +require_once 'other/ide_stubs/libsodium.php'; +require_once 'lib/random.php'; + +$int = random_int(0, 65536); diff --git a/vendor/paragonie/random_compat/psalm.xml b/vendor/paragonie/random_compat/psalm.xml new file mode 100644 index 00000000..1e914098 --- /dev/null +++ b/vendor/paragonie/random_compat/psalm.xml @@ -0,0 +1,16 @@ +<?xml version="1.0"?> +<psalm + autoloader="psalm-autoload.php" + stopOnFirstError="false" + useDocblockTypes="true" +> + <projectFiles> + <directory name="lib" /> + </projectFiles> + <issueHandlers> + <DuplicateClass errorLevel="info" /> + <InvalidOperand errorLevel="info" /> + <UndefinedConstant errorLevel="info" /> + <MissingReturnType errorLevel="info" /> + </issueHandlers> +</psalm> |