authorwebchick <webchick@24967.no-reply.drupal.org>2012-02-14 13:48:20 -0500
committerwebchick <webchick@24967.no-reply.drupal.org>2012-02-14 13:48:20 -0500
commit47c19b8bc695621693927224efc8100642302c61 (patch)
tree2bb0cc62f5adfd22cdb000a6ed684d46f0a215a6
parent476843c25e4da2ac1c6c375b2ee6e2c0f97275ff (diff)
Issue #838800 by kotnik, Damien Tournoud, jromine: Improve random number generation.
-rw-r--r--includes/bootstrap.inc12
1 files changed, 11 insertions, 1 deletions
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 677b216ee..c8280374a 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -1913,7 +1913,7 @@ function drupal_block_denied($ip) {
*/
function drupal_random_bytes($count) {
// $random_state does not use drupal_static as it stores random bytes.
- static $random_state, $bytes;
+ static $random_state, $bytes, $php_compatible;
// Initialize on the first call. The contents of $_SERVER includes a mix of
// user-specific and system information that varies a little with each page.
if (!isset($random_state)) {
@@ -1925,6 +1925,11 @@ function drupal_random_bytes($count) {
$bytes = '';
}
if (strlen($bytes) < $count) {
+ // PHP versions prior 5.3.4 experienced openssl_random_pseudo_bytes()
+ // locking on Windows and rendered it unusable.
+ if (!isset($php_compatible)) {
+ $php_compatible = version_compare(PHP_VERSION, '5.3.4', '>=');
+ }
// /dev/urandom is available on many *nix systems and is considered the
// best commonly available pseudo-random source.
if ($fh = @fopen('/dev/urandom', 'rb')) {
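Review bot: The comment on the added `$php_compatible` check says the locking problem was on Windows, but the `version_compare()` gate itself is not limited to Windows, so on any host running PHP older than 5.3.4 the OpenSSL source is skipped. If that is intended, the comment should say so, for example `// openssl_random_pseudo_bytes() could block on Windows before PHP 5.3.4, so it is skipped on every platform for older versions.` This also fixes the "prior 5.3.4" wording. Where /dev/urandom cannot be opened on such a host, the function presumably drops to the hash-based loop that follows outside this hunk.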
@@ -1934,6 +1939,11 @@ function drupal_random_bytes($count) {
$bytes .= fread($fh, max(4096, $count));
fclose($fh);
}
+ // openssl_random_pseudo_bytes() will find entropy in a system-dependent
+ // way.
+ elseif ($php_compatible && function_exists('openssl_random_pseudo_bytes')) {
+ $bytes .= openssl_random_pseudo_bytes($count - strlen($bytes));
+ }
// If /dev/urandom is not available or returns no bytes, this loop will
// generate a good set of pseudo-random bytes on any system.
// Note that it may be important that our $random_state is passed
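Review bot: The added `openssl_random_pseudo_bytes($count - strlen($bytes))` call discards both the return value check and the optional second by-reference argument, which reports whether a cryptographically strong algorithm produced the bytes. Output that OpenSSL itself flags as weak would be appended to `$bytes` and handed out as if it were as good as /dev/urandom data. I would capture both, `$openssl_bytes = openssl_random_pseudo_bytes($count - strlen($bytes), $crypto_strong);`, and append only on `if ($openssl_bytes !== FALSE && $crypto_strong)`. The fallback loop after this branch, whose body lies outside the hunk, then appears to cover the case where nothing was appended. Because this is an `elseif` on the `fopen()` test, OpenSSL is also never tried when /dev/urandom opens but `fread()` returns too few bytes, which is worth a one-line comment.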