[
{
"path": ".gitattributes",
"content": "* text=auto\n\n/tests export-ignore\n/.gitattributes export-ignore\n/.gitignore export-ignore\n/.scrutinizer.yml export-ignore\n/.github export-ignore\n/build-phar.sh export-ignore\n/CHANGELOG.md export-ignore\n/RATIONALE.md export-ignore\n/README.md export-ignore\n/SECURITY.md export-ignore\n/phpunit.sh export-ignore\n/phpunit.xml.dist export-ignore\n/phpunit-autoload.php export-ignore\n/psalm.xml export-ignore\n/psalm-autoload.php export-ignore\n/other/ export-ignore\n"
},
{
"path": ".github/workflows/ci.yml",
"content": "name: CI\n\non:\n - push\n\njobs:\n old:\n name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}\n\n\n runs-on: ${{ matrix.operating-system }}\n\n\n strategy:\n matrix:\n operating-system: [ubuntu-18.04]\n php-versions: ['5.3', '5.4', '5.5', '5.6', '7.0', '8.3', '8.4', '8.5']\n\n\n steps:\n - name: Checkout\n uses: actions/checkout@v4\n\n\n - name: Setup PHP\n uses: shivammathur/setup-php@v2\n with:\n php-version: ${{ matrix.php-versions }}\n extensions: mbstring, intl\n ini-values: error_reporting=-1, display_errors=On\n coverage: none\n\n\n - name: Use Composer 1.x\n run: composer self-update --1\n\n\n - name: Install Composer dependencies\n uses: ramsey/composer-install@v3\n\n\n - name: PHPUnit tests\n run: vendor/bin/phpunit\n\n moderate-modern:\n name: PHP ${{ matrix.php-versions }} Test on ${{ matrix.operating-system }}\n\n\n runs-on: ${{ matrix.operating-system }}\n\n\n strategy:\n matrix:\n operating-system: [ubuntu-latest]\n php-versions: ['7.1', '7.2', '7.3', '7.4', '8.0', '8.1', '8.2', '8.3', '8.4']\n\n continue-on-error: ${{ matrix.php-versions == '8.4' }}\n\n\n steps:\n - name: Checkout\n uses: actions/checkout@v4\n\n\n - name: Setup PHP\n uses: shivammathur/setup-php@v2\n with:\n php-version: ${{ matrix.php-versions }}\n extensions: mbstring, intl, sodium\n ini-values: error_reporting=-1, display_errors=On\n coverage: none\n\n\n - name: Modernize dependencies\n run: composer require --dev --no-update \"phpunit/phpunit:>=4\"\n\n\n - name: Install Composer dependencies (PHP < 8.4)\n if: \"${{ matrix.php-versions != '8.4' }}\"\n uses: ramsey/composer-install@v3\n\n\n - name: Install Composer dependencies - ignore-platform-reqs (PHP 8.4)\n if: \"${{ matrix.php-versions == '8.4' }}\"\n uses: ramsey/composer-install@v3\n with:\n composer-options: --ignore-platform-reqs\n\n\n - name: PHPUnit tests\n run: vendor/bin/phpunit\n"
},
{
"path": ".github/workflows/psalm.yml",
"content": "name: Psalm\n\non:\n - push\n\njobs:\n psalm:\n name: Psalm on PHP ${{ matrix.php-versions }}\n\n runs-on: ${{ matrix.operating-system }}\n\n strategy:\n matrix:\n operating-system: [ubuntu-latest]\n php-versions: ['7.4', '8.3', '8.4', '8.5']\n\n steps:\n - name: Checkout\n uses: actions/checkout@v4\n\n - name: Setup PHP\n uses: shivammathur/setup-php@v2\n with:\n php-version: ${{ matrix.php-versions }}\n tools: psalm:4\n coverage: none\n\n - name: Install Composer dependencies\n uses: ramsey/composer-install@v3\n with:\n composer-options: --no-dev\n\n - name: Static Analysis\n run: psalm\n"
},
{
"path": ".gitignore",
"content": "composer.lock\n/vendor/\n/tests/phpunit.phar\n/tests/phpunit.phar.asc"
},
{
"path": ".scrutinizer.yml",
"content": "checks:\n php:\n code_rating: true\n duplication: false"
},
{
"path": "CHANGELOG.md",
"content": "### Version 2.0.18 - 2019-01-03\n\n* If `/dev/urandom` cannot be read on Unix-based operating systems,\n a Exception with a specific error message will be thrown.\n* Fixed Psalm nits.\n* Updated the README to include a reference to the support contract\n offering by Paragon Initiative Enterprises.\n\n### Version 2.0.17 - 2018-07-04\n\n* Version 2.0.16 failed Psalm checks on PHP v5.6 with Psalm v1.\n We could not reproduce this failure locally, so we've suppressed the\n `MissingReturnType` check (that is to say, demoted it to \"info\").\n\n### Version 2.0.16 - 2018-07-04\n\n* Fixed type-checking consistencies that forced us to use Psalm in\n non-strict mode (i.e. `totallyTyped=\"false\"`).\n* README cleanup, added a header to the Version 9.99.99 section.\n * If you're confused by `v9.99.99` and it's causing stuff to break, see\n [this section of the README](https://github.com/paragonie/random_compat#version-99999)\n for the solution to your problem.\n* Trimmed down and annotated our `psalm.xml` file with explanations\n for why each assertion is suppressed.\n\n### Version 2.0.15 - 2018-06-08\n\n* A reported, but difficult to reproduce, problem with file inclusion on\n [some Windows machines](https://github.com/paragonie/random_compat/issues/136)\n was fixed by [replacing `/` with `DIRECTORY_SEPARATOR`](https://github.com/paragonie/random_compat/pull/141).\n For most users (i.e. not running Windows) this change should be of zero\n consequence. For everyone else, it should mean random_compat magically\n works when it didn't before.\n\n### Version 2.0.14 - 2018-06-06\n\n* Update version information.\n* Updated README with better instructions, including new information\n about the `v9.99.99` tag.\n\n### Version 2.0.13 - 2018-06-06\n* #139 - Add `polyfill` keyword to composer.json\n* Ensure the docblocks are consistent to aid static analysis efforts in\n other libraries; see https://github.com/paragonie/random_compat/commit/cbe0b11b78140bc62a921fec33a730fdaa6540d6\n\n### Version 2.0.12 - 2018-04-04\n\n* Minor docblock issue that's breaking Psalm downstream.\n\n### Version 2.0.11 - 2017-09-27\n\n* Minor docblock corrections.\n* Re-issuing a PHP Archive to attempt to address an issue with the Phar provided.\n See [#134](https://github.com/paragonie/random_compat/issues/134).\n\n### Version 2.0.10 - 2017-03-13\n\n* Mcrypt can now be used on PHP < 5.3.7 if you're not on Windows.\n* Minor boyscouting changes.\n\n### Version 2.0.9 - 2017-03-03\n\n* More Psalm integration fixes.\n\n### Version 2.0.8 - 2017-03-03\n\n* Prevent function already declared error for `random_int()` caused by misusing\n the library (really you should only ever include `lib/random.php` and never any \n of the other files). See [#125](https://github.com/paragonie/random_compat/issues/125).\n\n### Version 2.0.6, 2.0.7 - 2017-02-27\n\n* Just updates to psalm.xml to silence false positives.\n\n### Version 2.0.5 - 2017-02-27\n\n* Run random_compat through the static analysis tool, [psalm](https://github.com/vimeo/psalm),\n as part of our continuous integration process.\n* Minor readability enhancements ([#122](https://github.com/paragonie/random_compat/issues/122)\n and several docblock changes).\n\n### Version 2.0.4 - 2016-11-07\n\n* Don't unnecessarily prevent `mcrypt_create_iv()` from being used.\n See [#111](https://github.com/paragonie/random_compat/issues/111).\n\n### Version 2.0.3 - 2016-10-17\n\n* Updated `lib/error_polyfill.php` [to resolve corner cases](https://github.com/paragonie/random_compat/issues/104).\n* The README was updated to help users troubleshoot and fix insecure environments.\n* Tags will now be signed by [the GnuPG key used by the security team at Paragon Initiative Enterprises, LLC](https://paragonie.com/static/gpg-public-key.txt).\n\n### Version 2.0.2 - 2016-04-03\n\nAdded a consistency check (discovered by Taylor Hornby in his \n[PHP encryption library](https://github.com/defuse/php-encryption)). It\nwasn't likely causing any trouble for us.\n\n### Version 2.0.1 - 2016-03-18\n\nUpdate comment in random.php\n\n### Version 2.0.0 - 2016-03-18\n\nDue to downstream errors, the OpenSSL removal now belongs in version \n2.0.0.\n\n### Version 1.3.1 - 2016-03-18\n\n* Add more possible values to `open_basedir` check.\n\n### Version 1.3.0 - 2016-03-17\n\n* Removed `openssl_random_pseudo_bytes()` entirely. If you are using\n random_compat in PHP on a Unix-like OS but cannot access\n `/dev/urandom`, version 1.3+ will throw an `Exception`. If you want to\n trust OpenSSL, feel free to write your own fallback code. e.g.\n \n ```php\n try {\n $bytes = random_bytes(32);\n } catch (Exception $ex) {\n $strong = false;\n $bytes = openssl_random_pseudo_bytes(32, $strong);\n if (!$strong) {\n throw $ex;\n }\n }\n ```\n\n### Version 1.2.2 - 2016-03-11\n\n* To prevent applications from hanging, if `/dev/urandom` is not\n accessible to PHP, skip mcrypt (which just fails before giving OpenSSL\n a chance and was morally equivalent to not offering OpenSSL at all).\n\n### Version 1.2.1 - 2016-02-29\n\n* PHP 5.6.10 - 5.6.12 will hang when mcrypt is used on Unix-based operating \n systems ([PHP bug 69833](https://bugs.php.net/bug.php?id=69833)). If you are\n running one of these versions, please upgrade (or make sure `/dev/urandom` is\n readable) otherwise you're relying on OpenSSL.\n\n### Version 1.2.0 - 2016-02-05\n\n* Whitespace and other cosmetic changes\n* Added a changelog.\n* We now ship with a command line utility to build a PHP Archive from the \n command line.\n \n Every time we publish a new release, we will also upload a .phar\n to Github. Our public key is signed by our GPG key.\n\n### Version 1.1.6 - 2016-01-29\n\n* Eliminate `open_basedir` warnings by detecting this configuration setting. \n (Thanks [@oucil](https://github.com/oucil) for reporting this.)\n* Added install instructions to the README.\n* Documentation cleanup (there is, in fact, no `MCRYPT_CREATE_IV` constant, I \n meant to write `MCRYPT_DEV_URANDOM`)\n\n### Version 1.1.5 - 2016-01-06\n\nPrevent fatal errors on platforms with older versions of libsodium.\n\n### Version 1.1.4 - 2015-12-10\n\nThanks [@narfbg](https://github.com/narfbg) for [critiquing the previous patch](https://github.com/paragonie/random_compat/issues/79#issuecomment-163590589)\nand suggesting a fix.\n\n### Version 1.1.3 - 2015-12-09\n\nThe test for COM in disabled_classes is now case-insensitive.\n\n### Version 1.1.2 - 2015-12-09\n\nDon't instantiate COM if it's a disabled class. Removes the E_WARNING on Windows.\n\n### Version 1.1.1 - 2015-11-30\n\nFix a performance issue with `/dev/urandom` buffering.\n\n### Version 1.1.0 - 2015-11-09\n\nFix performance issues with ancient versions of PHP on Windows, but dropped \nsupport for PHP < 5.4.1 without mcrypt on Windows 7+ in the process. Since this\n is a BC break, semver dictates a minor version bump.\n\n### Version 1.0.10 - 2015-10-23\n\n* Avoid a performance killer with OpenSSL on Windows PHP 5.3.0 - 5.3.3 that was \n affecting [WordPress users](https://core.trac.wordpress.org/ticket/34409).\n* Use `$var = null` instead of `unset($var)` to avoid triggering the garbage \n collector and slowing things down.\n\n### Version 1.0.9 - 2015-10-20\n\nThere is an outstanding issue `mcrypt_create_iv()` and PHP 7's `random_bytes()`\non Windows reported by [@nicolas-grekas](https://github.com/nicolas-grekas) caused by `proc_open()` and environment\nvariable handling (discovered by Appveyor when developing Symfony).\n\nSince the break is consistent, it's not our responsibility to fix it, but we \nshould fail the same way PHP 7 will (i.e. throw an `Exception` rather than raise\nan error and then throw an `Exception`).\n\n### Version 1.0.8 - 2015-10-18\n\n* Fix usability issues with Windows (`new COM('CAPICOM.Utilities.1')` is not \n always available).\n* You can now test all the possible drivers by running `phpunit.sh each` in the\n `tests` directory.\n\n### Version 1.0.7 - 2015-10-16\n\nSeveral large integer handling bugfixes were contributed by [@oittaa](https://github.com/oittaa).\n\n### Version 1.0.6 - 2015-10-15\n\nDon't let the version number fool you, this was a pretty significant change.\n\n1. Added support for ext-libsodium, if it exists on the system. This is morally\n equivalent to adding `getrandom(2)` support without having to expose the \n syscall interface in PHP-land.\n2. Relaxed open_basedir restrictions. In previous versions, if open_basedir was \n set, PHP wouldn't even try to read from `/dev/urandom`. Now it will still do \n so if you can.\n3. Fixed integer casting inconsistencies between random_compat and PHP 7.\n4. Handle edge cases where an integer overflow turns one of the parameters into\n a float.\n\nOne change that we discussed was making `random_bytes()` and `random_int()` \nstrict typed; meaning you could *only* pass integers to either function. While \nmost veteran programmers are probably only doing this already (we strongly \nencourage it), it wouldn't be consistent with how these functions behave in PHP\n7. Please use these functions responsibly.\n\nWe've had even more of the PHP community involved in this release; the \ncontributors list has been updated. If I forgot anybody, I promise you it's not\nbecause your contributions (either code or ideas) aren't valued, it's because \nI'm a bit overloaded with information at the moment. Please let me know \nimmediately and I will correct my oversight.\n\nThanks everyone for helping make random_compat better. \n\n### Version 1.0.5 - 2015-10-08\n\nGot rid of the methods in the `Throwable` interface, which was causing problems \non PHP 5.2. While we would normally not care about 5.2 (since [5.4 and earlier are EOL'd](https://secure.php.net/supported-versions.php)),\nwe do want to encourage widespread adoption (e.g. [Wordpress](https://core.trac.wordpress.org/ticket/28633)).\n\n### Version 1.0.4 - 2015-10-02\n\nRemoved redundant `if()` checks, since `lib/random.php` is the entrypoint people\nshould use.\n\n### Version 1.0.3 - 2015-10-02\n\nThis release contains bug fixes contributed by the community.\n\n* Avoid a PHP Notice when PHP is running without the mbstring extension\n* Use a compatible version of PHPUnit for testing on older versions of PHP\n\nAlthough none of these bugs were outright security-affecting, updating ASAP is\nstill strongly encouraged.\n\n### Version 1.0.2 - 2015-09-23\n\nLess strict input validation on `random_int()` parameters. PHP 7's `random_int()`\naccepts strings and floats that look like numbers, so we should too.\n\nThanks [@dd32](https://github.com/@dd32) for correcting this oversight.\n\n### Version 1.0.1 - 2015-09-10\n\nInstead of throwing an Exception immediately on insecure platforms, only do so \nwhen `random_bytes()` is invoked.\n\n### Version 1.0.0 - 2015-09-07\n\nOur API is now stable and forward-compatible with the CSPRNG features in PHP 7\n(as of 7.0.0 RC3).\n\nA lot of great people have contributed their time and expertise to make this \ncompatibility library possible. That this library has reached a stable release \nis more a reflection on the community than it is on PIE.\n\nWe are confident that random_compat will serve as the simplest and most secure\nCSPRNG interface available for PHP5 projects.\n\n### Version 0.9.7 (pre-release) - 2015-09-01\n\nAn attempt to achieve compatibility with Error/TypeError in the RFC.\n\nThis should be identical to 1.0.0 sans any last-minute changes or performance enhancements.\n\n### Version 0.9.6 (pre-release) - 2015-08-06\n\n* Split the implementations into their own file (for ease of auditing)\n* Corrected the file type check after `/dev/urandom` has been opened (thanks\n [@narfbg](https://github.com/narfbg) and [@jedisct1](https://github.com/jedisct1))\n\n### Version 0.9.5 (pre-release) - 2015-07-31\n\n* Validate that `/dev/urandom` is a character device \n * Reported by [@lokdnet](https://twitter.com/lokdnet)\n * Investigated by [@narfbg](https://github.com/narfbg) and [frymaster](http://stackoverflow.com/users/1226810/frymaster) on [StackOverflow](http://stackoverflow.com/q/31631066/2224584)\n* Remove support for `/dev/arandom` which is an old OpenBSD feature, thanks [@jedisct1](https://github.com/jedisct1)\n* Prevent race conditions on the `filetype()` check, thanks [@jedisct1](https://github.com/jedisct1)\n* Buffer file reads to 8 bytes (performance optimization; PHP defaults to 8192 bytes)\n\n### Version 0.9.4 (pre-release) - 2015-07-27\n\n* Add logic to verify that `/dev/arandom` and `/dev/urandom` are actually devices.\n* Some clean-up in the comments\n\n### Version 0.9.3 (pre-release) - 2015-07-22\n\nUnless the Exceptions change to PHP 7 fails, this should be the last pre-release\nversion. If need be, we'll make one more pre-release version with compatible \nbehavior.\n\nChanges since 0.9.2:\n\n* Prioritize `/dev/arandom` and `/dev/urandom` over mcrypt.\n[@oittaa](https://github.com/oittaa) removed the -1 and +1 juggling on `$range` calculations for `random_int()`\n* Whitespace and comment clean-up, plus better variable names\n* Actually put a description in the composer.json file...\n\n### Version 0.9.2 (pre-release) - 2015-07-16\n\n* Consolidated `$range > PHP_INT_MAX` logic with `$range <= PHP_INT_MAX` (thanks\n [@oittaa](https://github.com/oittaa) and [@CodesInChaos](https://github.com/CodesInChaos))\n* `tests/phpunit.sh` now also runs the tests with `mbstring.func_overload` and \n `open_basedir`\n* Style consistency, whitespace cleanup, more meaningful variable names\n\n### Version 0.9.1 (pre-release) - 2015-07-09\n\n* Return random values on integer ranges > `PHP_INT_MAX` (thanks [@CodesInChaos](https://github.com/CodesInChaos))\n* Determined CSPRNG preference:\n 1. `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM`\n 2. `/dev/arandom`\n 3. `/dev/urandom`\n 4. `openssl_random_pseudo_bytes()`\n* Optimized backend selection (thanks [@lt](https://github.com/lt))\n* Fix #3 (thanks [@scottchiefbaker](https://github.com/scottchiefbaker))\n\n### Version 0.9.0 (pre-release) - 2015-07-07\n\nThis should be a sane polyfill for PHP 7's `random_bytes()` and `random_int()`.\nWe hesitate to call it production ready until it has received sufficient third\nparty review.\n"
},
{
"path": "LICENSE",
"content": "The MIT License (MIT)\n\nCopyright (c) 2015 Paragon Initiative Enterprises\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
},
{
"path": "RATIONALE.md",
"content": "## Rationale (Design Decisions)\n\n### Reasoning Behind the Order of Preferred Random Data Sources\n\nThe order is:\n\n 1. `libsodium if available`\n 2. `fread() /dev/urandom if available`\n 3. `mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)`\n 4. `COM('CAPICOM.Utilities.1')->GetRandom()`\n\nIf libsodium is available, we get random data from it. This is the preferred\nmethod on all OSes, but libsodium is not very widely installed, so other\nfallbacks are available.\n\nNext, we read `/dev/urandom` (if it exists). This is the preferred file to read\nfor random data for cryptographic purposes for BSD and Linux. This step\nis skipped on Windows, because someone could create a `C:\\dev\\urandom`\nfile and PHP would helpfully (but insecurely) return bytes from it.\n\nDespite [strongly urging people not to use mcrypt in their projects](https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong)\n(because libmcrypt is abandonware and the API puts too much responsibility on the\nimplementor) we prioritize `mcrypt_create_iv()` with `MCRYPT_DEV_URANDOM` above\nthe remaining implementations.\n\nThe reason is simple: `mcrypt_create_iv()` is part of PHP's `ext/mcrypt` code,\nand is not part `libmcrypt`. It actually does the right thing:\n\n * On Unix-based operating systems, it reads from `/dev/urandom` which\n (unlike `/dev/random`) is the sane and correct thing to do.\n * On Windows, it reads from `CryptGenRandom`, which is an exclusively Windows\n way to get random bytes.\n\nIf we're on Windows and don't have access to `mcrypt`, we use `CAPICOM.Utilities.1`.\n\nAs of random_compat 2.0, we no longer fall through to OpenSSL. \n"
},
{
"path": "README.md",
"content": "# random_compat\n\n[](https://github.com/paragonie/random_compat/actions)\n[](https://scrutinizer-ci.com/g/paragonie/random_compat)\n[](https://packagist.org/packages/paragonie/random_compat)\n[](https://packagist.org/packages/paragonie/random_compat)\n[](https://packagist.org/packages/paragonie/random_compat)\n[](https://packagist.org/packages/paragonie/random_compat)\n\nPHP 5.x polyfill for `random_bytes()` and `random_int()` created and maintained\nby [Paragon Initiative Enterprises](https://paragonie.com).\n\nAlthough this library *should* function in earlier versions of PHP, we will only\nconsider issues relevant to [supported PHP versions](https://secure.php.net/supported-versions.php).\n**If you are using an unsupported version of PHP, please upgrade as soon as possible.**\n\n## Important\n\nAlthough this library has been examined by some security experts in the PHP \ncommunity, there will always be a chance that we overlooked something. Please \nask your favorite trusted hackers to hammer it for implementation errors and\nbugs before even thinking about deploying it in production.\n\n**Do not use the master branch, use a [stable release](https://github.com/paragonie/random_compat/releases/latest).**\n\nFor the background of this library, please refer to our blog post on \n[Generating Random Integers and Strings in PHP](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php).\n\n### Usability Notice\n\nIf PHP cannot safely generate random data, this library will throw an `Exception`.\nIt will never fall back to insecure random data. If this keeps happening, upgrade\nto a newer version of PHP immediately.\n\n## Installing\n\n**With [Composer](https://getcomposer.org):**\n\n # For libraries and frameworks that support PHP 5 but may be used by\n # other software that only supports PHP 7:\n composer require paragonie/random_compat:\\>=2\n\n # For software that explicitly needs PHP 5 support:\n composer require paragonie/random_compat:\\<9.99\n\n**Signed PHP Archive:**\n\nAs of version 1.2.0, we also ship an ECDSA-signed PHP Archive with each stable \nrelease on Github.\n\n1. Download [the `.phar`, `.phar.pubkey`, and `.phar.pubkey.asc`](https://github.com/paragonie/random_compat/releases/latest) files.\n2. (**Recommended** but not required) Verify the PGP signature of `.phar.pubkey` \n (contained within the `.asc` file) using the [PGP public key for Paragon Initiative Enterprises](https://paragonie.com/static/gpg-public-key.txt).\n3. Extract both `.phar` and `.phar.pubkey` files to the same directory.\n4. `require_once \"/path/to/random_compat.phar\";`\n5. When a new version is released, you only need to replace the `.phar` file;\n the `.pubkey` will not change (unless our signing key is ever compromised).\n\n**Manual Installation:**\n\n1. Download [a stable release](https://github.com/paragonie/random_compat/releases/latest).\n2. Extract the files into your project.\n3. `require_once \"/path/to/random_compat/lib/random.php\";`\n\nThe entrypoint should be **`lib/random.php`** directly, not any of the other files in `/lib`.\n\n## Usage\n\nThis library exposes the [CSPRNG functions added in PHP 7](https://secure.php.net/manual/en/ref.csprng.php)\nfor use in PHP 5 projects. Their behavior should be identical.\n\n### Generate a string of random bytes\n\n```php\ntry {\n $string = random_bytes(32);\n} catch (TypeError $e) {\n // Well, it's an integer, so this IS unexpected.\n die(\"An unexpected error has occurred\"); \n} catch (Error $e) {\n // This is also unexpected because 32 is a reasonable integer.\n die(\"An unexpected error has occurred\");\n} catch (Exception $e) {\n // If you get this message, the CSPRNG failed hard.\n die(\"Could not generate a random string. Is our OS secure?\");\n}\n\nvar_dump(bin2hex($string));\n// string(64) \"5787c41ae124b3b9363b7825104f8bc8cf27c4c3036573e5f0d4a91ad2eeac6f\"\n```\n\n### Generate a random integer between two given integers (inclusive)\n\n```php\ntry {\n $int = random_int(0, 255);\n} catch (TypeError $e) {\n // Well, it's an integer, so this IS unexpected.\n die(\"An unexpected error has occurred\"); \n} catch (Error $e) {\n // This is also unexpected because 0 and 255 are both reasonable integers.\n die(\"An unexpected error has occurred\");\n} catch (Exception $e) {\n // If you get this message, the CSPRNG failed hard.\n die(\"Could not generate a random int. Is our OS secure?\");\n}\n\nvar_dump($int);\n// int(47)\n```\n\n### Exception handling\n\nWhen handling exceptions and errors you must account for differences between\nPHP 5 and PHP7.\n\nThe differences:\n\n* Catching `Error` works, so long as it is caught before `Exception`.\n* Catching `Exception` has different behavior, without previously catching `Error`.\n* There is *no* portable way to catch all errors/exceptions.\n\n#### Our recommendation\n\n**Always** catch `Error` before `Exception`.\n\n#### Example\n\n```php\ntry {\n return random_int(1, $userInput);\n} catch (TypeError $e) {\n // This is okay, so long as `Error` is caught before `Exception`.\n throw new Exception('Please enter a number!');\n} catch (Error $e) {\n // This is required, if you do not need to do anything just rethrow.\n throw $e;\n} catch (Exception $e) {\n // This is optional and maybe omitted if you do not want to handle errors\n // during generation.\n throw new InternalServerErrorException(\n 'Oops, our server is bust and cannot generate any random data.',\n 500,\n $e\n );\n}\n```\n\n### Troubleshooting\n\n#### Exception: \"Could not gather sufficient random data\"\n\nIf an Exception is thrown, then your operating system is not secure.\n\n1. If you're on Windows, make sure you enable mcrypt.\n2. If you're on any other OS, make sure `/dev/urandom` is readable.\n * FreeBSD jails need to expose `/dev/urandom` from the host OS\n * If you use `open_basedir`, make sure `/dev/urandom` is allowed\n\nThis library does not (and will not accept any patches to) fall back to\nan insecure random number generator.\n\n#### Version Conflict with [Other PHP Project]\n\nIf you're using a project that has a line like this in its composer.json\n\n \"require\" {\n ...\n \"paragonie/random_compat\": \"~1.1\",\n ...\n }\n\n...and then you try to add random_compat 2 (or another library that explicitly\nrequires random_compat 2, such as [this secure PHP encryption library](https://github.com/defuse/php-encryption)),\nyou will get a version conflict.\n\nThe solution is to get the project to update its requirement string to allow\nversion 2 and above to be used instead of hard-locking users to version 1.\n\n```diff\n\"require\" {\n ...\n- \"paragonie/random_compat\": \"~1.1\",\n+ \"paragonie/random_compat\": \">=1\",\n ...\n}\n```\n\n#### Version 9.99.99\n\n**Note**: There is a special version called `9.99.99` which makes this\nlibrary do nothing, but is only installable on PHP 7.\n\nIf you're writing software (e.g. a library) that supports PHP 5, but may\nbe used by software that doesn't, you'll want to allow `9.99.99` to be\ninstalled. The above diff is what you want.\n\nConversely, if you're writing software that (in and of itself) supports\nPHP 5, you do not want 9.99.99 to be installed, so you'll want to make\nthis change instead:\n\n```diff\n\"require\" {\n ...\n- \"paragonie/random_compat\": \"~1.1\",\n+ \"paragonie/random_compat\": \">=1 <9.99\",\n ...\n}\n```\n\nTo avoid installing \"empty\" version `9.99.99` you can add `replace` section\nin your root `composer.json`:\n\n \"replace\": {\n \"paragonie/random_compat\": \"9.99.99\"\n },\n\n#### Manifest Read Length Error\n\nIf you're using the PHP Archive (Phar) approach rather than Composer, and\nyou are getting an error message to the effect of \"manifest read length\nwas `{int1}` should be `{int2}`\", the Phar extension may not be enabled.\n\nSee [this comment](https://github.com/paragonie/random_compat/issues/134#issuecomment-365696289)\nfor specific guidance on how to fix this issue.\n\n## Contributors\n\nThis project would not be anywhere near as excellent as it is today if it \nweren't for the contributions of the following individuals:\n\n* [@AndrewCarterUK (Andrew Carter)](https://github.com/AndrewCarterUK)\n* [@asgrim (James Titcumb)](https://github.com/asgrim)\n* [@bcremer (Benjamin Cremer)](https://github.com/bcremer)\n* [@chriscct7 (Chris Christoff)](https://github.com/chriscct7)\n* [@CodesInChaos (Christian Winnerlein)](https://github.com/CodesInChaos)\n* [@ConnorVG (Connor S. Parks)](https://github.com/ConnorVG)\n* [@cs278 (Chris Smith)](https://github.com/cs278)\n* [@cweagans (Cameron Eagans)](https://github.com/cweagans)\n* [@dd32 (Dion Hulse)](https://github.com/dd32)\n* [@geggleto (Glenn Eggleton)](https://github.com/geggleto)\n* [@glensc (Elan Ruusamäe)](https://github.com/glensc)\n* [@GrahamCampbell (Graham Campbell)](https://github.com/GrahamCampbell)\n* [@ircmaxell (Anthony Ferrara)](https://github.com/ircmaxell)\n* [@jdevalk (Joost de Valk)](https://github.com/jdevalk)\n* [@jedisct1 (Frank Denis)](https://github.com/jedisct1)\n* [@juliangut (Julián Gutiérrez)](https://github.com/juliangut)\n* [@kelunik (Niklas Keller)](https://github.com/kelunik)\n* [@lt (Leigh)](https://github.com/lt)\n* [@MasonM (Mason Malone)](https://github.com/MasonM)\n* [@menkaff (Mehran NikNafs)](https://github.com/menkaff)\n* [@mmeyer2k (Michael M)](https://github.com/mmeyer2k)\n* [@narfbg (Andrey Andreev)](https://github.com/narfbg)\n* [@nicolas-grekas (Nicolas Grekas)](https://github.com/nicolas-grekas)\n* [@ocean90 (Dominik Schilling)](https://github.com/ocean90)\n* [@oittaa](https://github.com/oittaa)\n* [@oucil (Kevin Farley)](https://github.com/oucil)\n* [@philios33 (Phil Nicholls)](https://github.com/philios33)\n* [@redragonx (Stephen Chavez)](https://github.com/redragonx)\n* [@relaxnow (Boy Baukema)](https://github.com/relaxnow)\n* [@rchouinard (Ryan Chouinard)](https://github.com/rchouinard)\n* [@rugk](https://github.com/rugk)\n* [@SammyK (Sammy Kaye Powers)](https://github.com/SammyK)\n* [@scottchiefbaker (Scott Baker)](https://github.com/scottchiefbaker)\n* [@skyosev (Stoyan Kyosev)](https://github.com/skyosev)\n* [@sthen (Stuart Henderseon)](https://github.com/sthen)\n* [@stof (Christophe Coevoet)](https://github.com/stof)\n* [@teohhanhui (Teoh Han Hui)](https://github.com/teohhanhui)\n* [@tom-- (Tom Worster)](https://github.com/tom--)\n* [@tsyr2ko](https://github.com/tsyr2ko)\n* [@trowski (Aaron Piotrowski)](https://github.com/trowski)\n* [@twistor (Chris Lepannen)](https://github.com/twistor)\n* [@vinkla (Vincent Klaiber)](https://github.com/vinkla)\n* [@voku (Lars Moelleken)](https://github.com/voku)\n* [@xabbuh (Christian Flothmann)](https://github.com/xabbuh)\n\n## Support Contracts\n\nIf your company uses this library in their products or services, you may be\ninterested in [purchasing a support contract from Paragon Initiative Enterprises](https://paragonie.com/enterprise).\n"
},
{
"path": "SECURITY.md",
"content": "# An Invitation to Security Researchers\n\nEvery company says they take security \"very seriously.\" Rather than bore anyone \nwith banal boilerplate, here are some quick answers followed by detailed\nelaboration. If you have any questions about our policies, please email them to\n`scott@paragonie.com`.\n\n## Quick Answers\n\n* There is no compulsion to disclose vulnerabilities privately, but we \n appreciate a head's up.\n* `security@paragonie.com` will get your reports to the right person. Our GPG \n fingerprint, should you decide to encrypt your report, is \n `7F52 D5C6 1D12 55C7 3136 2E82 6B97 A1C2 8264 04DA`.\n* **YES**, we will reward security researchers who disclose vulnerabilities in\n our software.\n* In most cases, **No Proof-of-Concept Required.**\n* We have a [bug bounty program on HackerOne](https://hackerone.com/paragonie).\n\n## How to Report a Security Bug to Paragon Initiative Enterprises\n\n### There is no compulsion to disclose privately.\n\nWe believe vulnerability disclosure style is a personal choice and enjoy working\nwith a diverse community. We understand and appreciate the importance of Full \nDisclosure in the history and practice of security research.\n\nWe would *like* to know about high-severity bugs before they become public\nknowledge, so we can fix them in a timely manner, but **we do not believe in \nthreatening researchers or trying to enforce vulnerability embargoes**.\n\nUltimately, if you discover a security-affecting vulnerability, what you do with\nit is your choice. We would like to work with people, and to celebrate and \nreward their skill, experience, and dedication. We appreciate being informed of\nour mistakes so we can learn from them and build a better product. Our goal is\nto empower the community.\n\n### Where to Send Security Vulnerabilities\n\nOur security email address is `security@paragonie.com`. Also feel free to open a\nnew issue on Github if you want to disclose publicly.\n\n```\n-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG\n\nmQENBFUgwRUBCADcIpqNwyYc5UmY/tpx1sF/rQ3knR1YNXYZThzFV+Gmqhp1fDH5\nqBs9foh1xwI6O7knWmQngnf/nBumI3x6xj7PuOdEZUh2FwCG/VWnglW8rKmoHzHA\nivjiu9SLnPIPAgHSHeh2XD7q3Ndm3nenbjAiRFNl2iXcwA2cTQp9Mmfw9vVcw0G0\nz1o0G3s8cC8ZS6flFySIervvfSRWj7A1acI5eE3+AH/qXJRdEJ+9J8OB65p1JMfk\n6+fWgOB1XZxMpz70S0rW6IX38WDSRhEK2fXyZJAJjyt+YGuzjZySNSoQR/V6vNYn\nsyrNPCJ2i5CgZQxAkyBBcr7koV9RIhPRzct/ABEBAAG0IVNlY3VyaXR5IDxzZWN1\ncml0eUBwYXJhZ29uaWUuY29tPokBOQQTAQIAIwUCVSDBFQIbAwcLCQgHAwIBBhUI\nAgkKCwQWAgMBAh4BAheAAAoJEGuXocKCZATat2YIAIoejNFEQ2c1iaOEtSuB7Pn/\nWLbsDsHNLDKOV+UnfaCjv/vL7D+5NMChFCi2frde/NQb2TsjqmIH+V+XbnJtlrXD\nVj7yvMVal+Jqjwj7v4eOEWcKVcFZk+9cfUgh7t92T2BMX58RpgZF0IQZ6Z1R3FfC\n9Ub4X6ykW+te1q0/4CoRycniwmlQi6iGSr99LQ5pfJq2Qlmz/luTZ0UX0h575T7d\ncp2T1sX/zFRk/fHeANWSksipdDBjAXR7NMnYZgw2HghEdFk/xRDY7K1NRWNZBf05\nWrMHmh6AIVJiWZvI175URxEe268hh+wThBhXQHMhFNJM1qPIuzb4WogxM3UUD7m5\nAQ0EVSDBFQEIALNkpzSuJsHAHh79sc0AYWztdUe2MzyofQbbOnOCpWZebYsC3EXU\n335fIg59k0m6f+O7GmEZzzIv5v0i99GS1R8CJm6FvhGqtH8ZqmOGbc71WdJSiNVE\n0kpQoJlVzRbig6ZyyjzrggbM1eh5OXOk5pw4+23FFEdw7JWU0HJS2o71r1hwp05Z\nvy21kcUEobz/WWQQyGS0Neo7PJn+9KS6wOxXul/UE0jct/5f7KLMdWMJ1VgniQmm\nhjvkHLPSICteqCI04RfcmMseW9gueHQXeUu1SNIvsWa2MhxjeBej3pDnrZWszKwy\ngF45GO9/v4tkIXNMy5J1AtOyRgQ3IUMqp8EAEQEAAYkBHwQYAQIACQUCVSDBFQIb\nDAAKCRBrl6HCgmQE2jnIB/4/xFz8InpM7eybnBOAir3uGcYfs3DOmaKn7qWVtGzv\nrKpQPYnVtlU2i6Z5UO4c4jDLT/8Xm1UDz3Lxvqt4xCaDwJvBZexU5BMK8l5DvOzH\n6o6P2L1UDu6BvmPXpVZz7/qUhOnyf8VQg/dAtYF4/ax19giNUpI5j5o5mX5w80Rx\nqSXV9NdSL4fdjeG1g/xXv2luhoV53T1bsycI3wjk/x5tV+M2KVhZBvvuOm/zhJje\noLWp0saaESkGXIXqurj6gZoujJvSvzl0n9F9VwqMEizDUfrXgtD1siQGhP0sVC6q\nha+F/SAEJ0jEquM4TfKWWU2S5V5vgPPpIQSYRnhQW4b1\n=xJPW\n-----END PGP PUBLIC KEY BLOCK-----\n```\n\n### We Will Reward Security Researchers\n\n**This process has not been formalized; nor have dollar amounts been \ndiscussed.**\n\nHowever, if you report a valid security-affecting bug, we will compensate you\nfor the time spent finding the vulnerability and reward you for being a good\nneighbor.\n\n#### What does a \"valid\" bug mean?\n\nThere are two sides to this:\n\n1. Some have spammed projects with invalid bug reports hoping to collect\n bounties for pressing a button and running an automated analysis tool. This\n is not cool.\n2. There is a potential for the developers of a project to declare all security\n bug reports as invalid to save money.\n\nOur team members have an established history of reporting vulnerabilities to\nlarge open source projects. **We aren't in the business of ripping people off.**\nWhen in doubt, our policy is to err on the side of generosity.\n\n### No Proof-of-Concept Required\n\nWe might ask for one if we feel we do not understand some of the details \npertaining to a specific vulnerability. We certainly appreciate them if you \ninclude them in your report, but we believe **the burden lies with the developer\nto prove their software *is* secure** rather than with the researcher to prove\nthat it isn't.\n\nIn our experience, most bugs are simpler to fix than they are to exploit.\n\n"
},
{
"path": "build-phar.sh",
"content": "#!/usr/bin/env bash\n\nbasedir=$( dirname $( readlink -f ${BASH_SOURCE[0]} ) )\n\nphp -dphar.readonly=0 \"$basedir/other/build_phar.php\" $*"
},
{
"path": "composer.json",
"content": "{\n \"name\": \"paragonie/random_compat\",\n \"description\": \"PHP 5.x polyfill for random_bytes() and random_int() from PHP 7\",\n \"keywords\": [\n \"csprng\",\n \"random\",\n \"polyfill\",\n \"pseudorandom\"\n ],\n \"license\": \"MIT\",\n \"type\": \"library\",\n \"authors\": [\n {\n \"name\": \"Paragon Initiative Enterprises\",\n \"email\": \"security@paragonie.com\",\n \"homepage\": \"https://paragonie.com\"\n }\n ],\n \"support\": {\n \"issues\": \"https://github.com/paragonie/random_compat/issues\",\n \"email\": \"info@paragonie.com\",\n \"source\": \"https://github.com/paragonie/random_compat\"\n },\n \"require\": {\n \"php\": \">=5.2.0\"\n },\n \"require-dev\": {\n \"phpunit/phpunit\": \"*\"\n },\n \"suggest\": {\n \"ext-libsodium\": \"Provides a modern crypto API that can be used to generate random bytes.\"\n },\n \"autoload\": {\n \"files\": [\n \"lib/random.php\"\n ]\n }\n}\n"
},
{
"path": "dist/random_compat.phar.pubkey",
"content": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEEd+wCqJDrx5B4OldM0dQE0ZMX+lx1ZWm\npui0SUqD4G29L3NGsz9UhJ/0HjBdbnkhIK5xviT0X5vtjacF6ajgcCArbTB+ds+p\n+h7Q084NuSuIpNb6YPfoUFgC/CL9kAoc\n-----END PUBLIC KEY-----\n"
},
{
"path": "dist/random_compat.phar.pubkey.asc",
"content": "-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2.0.22 (MingW32)\n\niQEcBAABAgAGBQJWtW1hAAoJEGuXocKCZATaJf0H+wbZGgskK1dcRTsuVJl9IWip\nQwGw/qIKI280SD6/ckoUMxKDCJiFuPR14zmqnS36k7N5UNPnpdTJTS8T11jttSpg\n1LCmgpbEIpgaTah+cELDqFCav99fS+bEiAL5lWDAHBTE/XPjGVCqeehyPYref4IW\nNDBIEsvnHPHPLsn6X5jq4+Yj5oUixgxaMPiR+bcO4Sh+RzOVB6i2D0upWfRXBFXA\nNNnsg9/zjvoC7ZW73y9uSH+dPJTt/Vgfeiv52/v41XliyzbUyLalf02GNPY+9goV\nJHG1ulEEBJOCiUD9cE1PUIJwHA/HqyhHIvV350YoEFiHl8iSwm7SiZu5kPjaq74=\n=B6+8\n-----END PGP SIGNATURE-----\n"
},
{
"path": "lib/byte_safe_strings.php",
"content": " RandomCompat_strlen($binary_string)) {\n return '';\n }\n\n return (string) mb_substr(\n (string) $binary_string,\n (int) $start,\n (int) $length,\n '8bit'\n );\n }\n\n } else {\n\n /**\n * substr() implementation that isn't brittle to mbstring.func_overload\n *\n * This version just uses the default substr()\n *\n * @param string $binary_string\n * @param int $start\n * @param int|null $length (optional)\n *\n * @throws TypeError\n *\n * @return string\n */\n function RandomCompat_substr($binary_string, $start, $length = null)\n {\n if (!is_string($binary_string)) {\n throw new TypeError(\n 'RandomCompat_substr(): First argument should be a string'\n );\n }\n\n if (!is_int($start)) {\n throw new TypeError(\n 'RandomCompat_substr(): Second argument should be an integer'\n );\n }\n\n if ($length !== null) {\n if (!is_int($length)) {\n throw new TypeError(\n 'RandomCompat_substr(): Third argument should be an integer, or omitted'\n );\n }\n\n return (string) substr(\n (string )$binary_string,\n (int) $start,\n (int) $length\n );\n }\n\n return (string) substr(\n (string) $binary_string,\n (int) $start\n );\n }\n }\n}\n"
},
{
"path": "lib/cast_to_int.php",
"content": " operators might accidentally let a float\n * through.\n *\n * @param int|float $number The number we want to convert to an int\n * @param bool $fail_open Set to true to not throw an exception\n *\n * @return float|int\n * @psalm-suppress InvalidReturnType\n *\n * @throws TypeError\n */\n function RandomCompat_intval($number, $fail_open = false)\n {\n if (is_int($number) || is_float($number)) {\n $number += 0;\n } elseif (is_numeric($number)) {\n /** @psalm-suppress InvalidOperand */\n $number += 0;\n }\n /** @var int|float $number */\n\n if (\n is_float($number)\n &&\n $number > ~PHP_INT_MAX\n &&\n $number < PHP_INT_MAX\n ) {\n $number = (int) $number;\n }\n\n if (is_int($number)) {\n return (int) $number;\n } elseif (!$fail_open) {\n throw new TypeError(\n 'Expected an integer.'\n );\n }\n return $number;\n }\n}\n"
},
{
"path": "lib/error_polyfill.php",
"content": "= 70000) {\n return;\n}\n\nif (!defined('RANDOM_COMPAT_READ_BUFFER')) {\n define('RANDOM_COMPAT_READ_BUFFER', 8);\n}\n\n$RandomCompatDIR = dirname(__FILE__);\n\nrequire_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'byte_safe_strings.php';\nrequire_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'cast_to_int.php';\nrequire_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'error_polyfill.php';\n\nif (!is_callable('random_bytes')) {\n /**\n * PHP 5.2.0 - 5.6.x way to implement random_bytes()\n *\n * We use conditional statements here to define the function in accordance\n * to the operating environment. It's a micro-optimization.\n *\n * In order of preference:\n * 1. Use libsodium if available.\n * 2. fread() /dev/urandom if available (never on Windows)\n * 3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)\n * 4. COM('CAPICOM.Utilities.1')->GetRandom()\n *\n * See RATIONALE.md for our reasoning behind this particular order\n */\n if (extension_loaded('libsodium')) {\n // See random_bytes_libsodium.php\n if (PHP_VERSION_ID >= 50300 && is_callable('\\\\Sodium\\\\randombytes_buf')) {\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_bytes_libsodium.php';\n } elseif (method_exists('Sodium', 'randombytes_buf')) {\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_bytes_libsodium_legacy.php';\n }\n }\n\n /**\n * Reading directly from /dev/urandom:\n */\n if (DIRECTORY_SEPARATOR === '/') {\n // DIRECTORY_SEPARATOR === '/' on Unix-like OSes -- this is a fast\n // way to exclude Windows.\n $RandomCompatUrandom = true;\n $RandomCompat_basedir = ini_get('open_basedir');\n\n if (!empty($RandomCompat_basedir)) {\n $RandomCompat_open_basedir = explode(\n PATH_SEPARATOR,\n strtolower($RandomCompat_basedir)\n );\n $RandomCompatUrandom = (array() !== array_intersect(\n array('/dev', '/dev/', '/dev/urandom'),\n $RandomCompat_open_basedir\n ));\n $RandomCompat_open_basedir = null;\n }\n\n if (\n !is_callable('random_bytes')\n &&\n $RandomCompatUrandom\n &&\n @is_readable('/dev/urandom')\n ) {\n // Error suppression on is_readable() in case of an open_basedir\n // or safe_mode failure. All we care about is whether or not we\n // can read it at this point. If the PHP environment is going to\n // panic over trying to see if the file can be read in the first\n // place, that is not helpful to us here.\n\n // See random_bytes_dev_urandom.php\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_bytes_dev_urandom.php';\n }\n // Unset variables after use\n $RandomCompat_basedir = null;\n } else {\n $RandomCompatUrandom = false;\n }\n\n /**\n * mcrypt_create_iv()\n *\n * We only want to use mcypt_create_iv() if:\n *\n * - random_bytes() hasn't already been defined\n * - the mcrypt extensions is loaded\n * - One of these two conditions is true:\n * - We're on Windows (DIRECTORY_SEPARATOR !== '/')\n * - We're not on Windows and /dev/urandom is readabale\n * (i.e. we're not in a chroot jail)\n * - Special case:\n * - If we're not on Windows, but the PHP version is between\n * 5.6.10 and 5.6.12, we don't want to use mcrypt. It will\n * hang indefinitely. This is bad.\n * - If we're on Windows, we want to use PHP >= 5.3.7 or else\n * we get insufficient entropy errors.\n */\n if (\n !is_callable('random_bytes')\n &&\n // Windows on PHP < 5.3.7 is broken, but non-Windows is not known to be.\n (DIRECTORY_SEPARATOR === '/' || PHP_VERSION_ID >= 50307)\n &&\n // Prevent this code from hanging indefinitely on non-Windows;\n // see https://bugs.php.net/bug.php?id=69833\n (\n DIRECTORY_SEPARATOR !== '/' ||\n (PHP_VERSION_ID <= 50609 || PHP_VERSION_ID >= 50613)\n )\n &&\n extension_loaded('mcrypt')\n ) {\n // See random_bytes_mcrypt.php\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_bytes_mcrypt.php';\n }\n $RandomCompatUrandom = null;\n\n /**\n * This is a Windows-specific fallback, for when the mcrypt extension\n * isn't loaded.\n */\n if (\n !is_callable('random_bytes')\n &&\n extension_loaded('com_dotnet')\n &&\n class_exists('COM')\n ) {\n $RandomCompat_disabled_classes = preg_split(\n '#\\s*,\\s*#',\n strtolower(ini_get('disable_classes'))\n );\n\n if (!in_array('com', $RandomCompat_disabled_classes)) {\n try {\n $RandomCompatCOMtest = new COM('CAPICOM.Utilities.1');\n /** @psalm-suppress TypeDoesNotContainType */\n if (is_callable(array($RandomCompatCOMtest, 'GetRandom'))) {\n // See random_bytes_com_dotnet.php\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_bytes_com_dotnet.php';\n }\n } catch (com_exception $e) {\n // Don't try to use it.\n }\n }\n $RandomCompat_disabled_classes = null;\n $RandomCompatCOMtest = null;\n }\n\n /**\n * throw new Exception\n */\n if (!is_callable('random_bytes')) {\n /**\n * We don't have any more options, so let's throw an exception right now\n * and hope the developer won't let it fail silently.\n *\n * @param mixed $length\n * @psalm-suppress InvalidReturnType\n * @throws Exception\n * @return string\n */\n function random_bytes($length)\n {\n unset($length); // Suppress \"variable not used\" warnings.\n throw new Exception(\n 'There is no suitable CSPRNG installed on your system'\n );\n return '';\n }\n }\n}\n\nif (!is_callable('random_int')) {\n require_once $RandomCompatDIR.DIRECTORY_SEPARATOR.'random_int.php';\n}\n\n$RandomCompatDIR = null;\n"
},
{
"path": "lib/random_bytes_com_dotnet.php",
"content": "GetRandom($bytes, 0));\n if (RandomCompat_strlen($buf) >= $bytes) {\n /**\n * Return our random entropy buffer here:\n */\n return (string) RandomCompat_substr($buf, 0, $bytes);\n }\n ++$execCount;\n } while ($execCount < $bytes);\n\n /**\n * If we reach here, PHP has failed us.\n */\n throw new Exception(\n 'Could not gather sufficient random data'\n );\n }\n}\n"
},
{
"path": "lib/random_bytes_dev_urandom.php",
"content": " $st */\n $st = fstat($fp);\n if (($st['mode'] & 0170000) !== 020000) {\n fclose($fp);\n $fp = false;\n }\n }\n }\n\n if (is_resource($fp)) {\n /**\n * stream_set_read_buffer() does not exist in HHVM\n *\n * If we don't set the stream's read buffer to 0, PHP will\n * internally buffer 8192 bytes, which can waste entropy\n *\n * stream_set_read_buffer returns 0 on success\n */\n if (is_callable('stream_set_read_buffer')) {\n stream_set_read_buffer($fp, RANDOM_COMPAT_READ_BUFFER);\n }\n if (is_callable('stream_set_chunk_size')) {\n stream_set_chunk_size($fp, RANDOM_COMPAT_READ_BUFFER);\n }\n }\n }\n\n try {\n /** @var int $bytes */\n $bytes = RandomCompat_intval($bytes);\n } catch (TypeError $ex) {\n throw new TypeError(\n 'random_bytes(): $bytes must be an integer'\n );\n }\n\n if ($bytes < 1) {\n throw new Error(\n 'Length must be greater than 0'\n );\n }\n\n /**\n * This if() block only runs if we managed to open a file handle\n *\n * It does not belong in an else {} block, because the above\n * if (empty($fp)) line is logic that should only be run once per\n * page load.\n */\n if (is_resource($fp)) {\n /**\n * @var int\n */\n $remaining = $bytes;\n\n /**\n * @var string|bool\n */\n $buf = '';\n\n /**\n * We use fread() in a loop to protect against partial reads\n */\n do {\n /**\n * @var string|bool\n */\n $read = fread($fp, $remaining);\n if (!is_string($read)) {\n /**\n * We cannot safely read from the file. Exit the\n * do-while loop and trigger the exception condition\n *\n * @var string|bool\n */\n $buf = false;\n break;\n }\n /**\n * Decrease the number of bytes returned from remaining\n */\n $remaining -= RandomCompat_strlen($read);\n /**\n * @var string $buf\n */\n $buf .= $read;\n } while ($remaining > 0);\n\n /**\n * Is our result valid?\n * @var string|bool $buf\n */\n if (is_string($buf)) {\n if (RandomCompat_strlen($buf) === $bytes) {\n /**\n * Return our random entropy buffer here:\n */\n return $buf;\n }\n }\n }\n\n /**\n * If we reach here, PHP has failed us.\n */\n throw new Exception(\n 'Error reading from source device'\n );\n }\n}\n"
},
{
"path": "lib/random_bytes_libsodium.php",
"content": " 2147483647) {\n $buf = '';\n for ($i = 0; $i < $bytes; $i += 1073741824) {\n $n = ($bytes - $i) > 1073741824\n ? 1073741824\n : $bytes - $i;\n $buf .= \\Sodium\\randombytes_buf($n);\n }\n } else {\n /** @var string|bool $buf */\n $buf = \\Sodium\\randombytes_buf($bytes);\n }\n\n if (is_string($buf)) {\n if (RandomCompat_strlen($buf) === $bytes) {\n return $buf;\n }\n }\n\n /**\n * If we reach here, PHP has failed us.\n */\n throw new Exception(\n 'Could not gather sufficient random data'\n );\n }\n}\n"
},
{
"path": "lib/random_bytes_libsodium_legacy.php",
"content": " 2147483647) {\n for ($i = 0; $i < $bytes; $i += 1073741824) {\n $n = ($bytes - $i) > 1073741824\n ? 1073741824\n : $bytes - $i;\n $buf .= Sodium::randombytes_buf((int) $n);\n }\n } else {\n $buf .= Sodium::randombytes_buf((int) $bytes);\n }\n\n if (is_string($buf)) {\n if (RandomCompat_strlen($buf) === $bytes) {\n return $buf;\n }\n }\n\n /**\n * If we reach here, PHP has failed us.\n */\n throw new Exception(\n 'Could not gather sufficient random data'\n );\n }\n}\n"
},
{
"path": "lib/random_bytes_mcrypt.php",
"content": " operators might accidentally let a float\n * through.\n */\n\n try {\n /** @var int $min */\n $min = RandomCompat_intval($min);\n } catch (TypeError $ex) {\n throw new TypeError(\n 'random_int(): $min must be an integer'\n );\n }\n\n try {\n /** @var int $max */\n $max = RandomCompat_intval($max);\n } catch (TypeError $ex) {\n throw new TypeError(\n 'random_int(): $max must be an integer'\n );\n }\n\n /**\n * Now that we've verified our weak typing system has given us an integer,\n * let's validate the logic then we can move forward with generating random\n * integers along a given range.\n */\n if ($min > $max) {\n throw new Error(\n 'Minimum value must be less than or equal to the maximum value'\n );\n }\n\n if ($max === $min) {\n return (int) $min;\n }\n\n /**\n * Initialize variables to 0\n *\n * We want to store:\n * $bytes => the number of random bytes we need\n * $mask => an integer bitmask (for use with the &) operator\n * so we can minimize the number of discards\n */\n $attempts = $bits = $bytes = $mask = $valueShift = 0;\n /** @var int $attempts */\n /** @var int $bits */\n /** @var int $bytes */\n /** @var int $mask */\n /** @var int $valueShift */\n\n /**\n * At this point, $range is a positive number greater than 0. It might\n * overflow, however, if $max - $min > PHP_INT_MAX. PHP will cast it to\n * a float and we will lose some precision.\n *\n * @var int|float $range\n */\n $range = $max - $min;\n\n /**\n * Test for integer overflow:\n */\n if (!is_int($range)) {\n\n /**\n * Still safely calculate wider ranges.\n * Provided by @CodesInChaos, @oittaa\n *\n * @ref https://gist.github.com/CodesInChaos/03f9ea0b58e8b2b8d435\n *\n * We use ~0 as a mask in this case because it generates all 1s\n *\n * @ref https://eval.in/400356 (32-bit)\n * @ref http://3v4l.org/XX9r5 (64-bit)\n */\n $bytes = PHP_INT_SIZE;\n /** @var int $mask */\n $mask = ~0;\n\n } else {\n\n /**\n * $bits is effectively ceil(log($range, 2)) without dealing with\n * type juggling\n */\n while ($range > 0) {\n if ($bits % 8 === 0) {\n ++$bytes;\n }\n ++$bits;\n $range >>= 1;\n /** @var int $mask */\n $mask = $mask << 1 | 1;\n }\n $valueShift = $min;\n }\n\n /** @var int $val */\n $val = 0;\n /**\n * Now that we have our parameters set up, let's begin generating\n * random integers until one falls between $min and $max\n */\n /** @psalm-suppress RedundantCondition */\n do {\n /**\n * The rejection probability is at most 0.5, so this corresponds\n * to a failure probability of 2^-128 for a working RNG\n */\n if ($attempts > 128) {\n throw new Exception(\n 'random_int: RNG is broken - too many rejections'\n );\n }\n\n /**\n * Let's grab the necessary number of random bytes\n */\n $randomByteString = random_bytes($bytes);\n\n /**\n * Let's turn $randomByteString into an integer\n *\n * This uses bitwise operators (<< and |) to build an integer\n * out of the values extracted from ord()\n *\n * Example: [9F] | [6D] | [32] | [0C] =>\n * 159 + 27904 + 3276800 + 201326592 =>\n * 204631455\n */\n $val &= 0;\n for ($i = 0; $i < $bytes; ++$i) {\n $val |= ord($randomByteString[$i]) << ($i * 8);\n }\n /** @var int $val */\n\n /**\n * Apply mask\n */\n $val &= $mask;\n $val += $valueShift;\n\n ++$attempts;\n /**\n * If $val overflows to a floating point number,\n * ... or is larger than $max,\n * ... or smaller than $min,\n * then try again.\n */\n } while (!is_int($val) || $val > $max || $val < $min);\n\n return (int) $val;\n }\n}\n"
},
{
"path": "other/build_phar.php",
"content": "buildFromDirectory(dirname(__DIR__).'/lib');\nrename(\n dirname(__DIR__).'/lib/index.php',\n dirname(__DIR__).'/lib/random.php'\n);\n\n/**\n * If we pass an (optional) path to a private key as a second argument, we will\n * sign the Phar with OpenSSL.\n *\n * If you leave this out, it will produce an unsigned .phar!\n */\nif ($argc > 1) {\n if (!@is_readable($argv[1])) {\n echo 'Could not read the private key file:', $argv[1], \"\\n\";\n exit(255);\n }\n $pkeyFile = file_get_contents($argv[1]);\n\n $private = openssl_get_privatekey($pkeyFile);\n if ($private !== false) {\n $pkey = '';\n openssl_pkey_export($private, $pkey);\n $phar->setSignatureAlgorithm(Phar::OPENSSL, $pkey);\n\n /**\n * Save the corresponding public key to the file\n */\n if (!@is_readable($dist.'/random_compat.phar.pubkey')) {\n $details = openssl_pkey_get_details($private);\n file_put_contents(\n $dist.'/random_compat.phar.pubkey',\n $details['key']\n );\n }\n } else {\n echo 'An error occurred reading the private key from OpenSSL.', \"\\n\";\n exit(255);\n }\n}\n"
},
{
"path": "other/ide_stubs/COM.php",
"content": "= 5.3\n *\n * Class PHPUnit_Framework_TestCase\n */\nif (PHP_VERSION_ID >= 50300) {\n if (!class_exists('PHPUnit_Framework_TestCase')) {\n require_once __DIR__ . '/other/phpunit-shim.php';\n }\n}\n"
},
{
"path": "phpunit.sh",
"content": "#!/usr/bin/env bash\n\nif [ \"$1\" == 'full' ]; then\n fulltest=1\nelif [ \"$1\" == 'each' ]; then\n testeach=1\nelse\n fulltest=0\nfi\n\nPHP_VERSION=$(php -r \"echo PHP_VERSION_ID;\")\n\necho\necho -e \"\\033[33mBegin Unit Testing\\033[0m\"\n# Run the testing suite\necho \"Basic test suite:\"\nphp vendor/bin/phpunit tests/unit\nif [ $? -ne 0 ]; then\n # Test failure\n exit 1\nfi\necho \"With open_basedir enabled:\"\nphp -d open_basedir=`pwd` vendor/bin/phpunit tests/unit_with_basedir\nif [ $? -ne 0 ]; then\n # Test failure\n exit 1\nfi\necho \"With open_basedir enabled, allowing /dev:\"\nphp -d open_basedir=`pwd`:/dev vendor/bin/phpunit tests/unit_with_basedir\nif [ $? -ne 0 ]; then\n # Test failure\n exit 1\nfi\necho \"With mbstring.func_overload enabled:\"\nphp -d mbstring.func_overload=7 vendor/bin/phpunit tests/unit\nif [ $? -ne 0 ]; then\n # Test failure\n exit 1\nfi\n\nif [[ \"$testeach\" == \"1\" ]]; then\n echo \" CAPICOM:\"\n php vendor/bin/phpunit --bootstrap tests/specific/capicom.php tests/unit\n echo \" /dev/urandom:\"\n php vendor/bin/phpunit --bootstrap tests/specific/dev_urandom.php tests/unit\n echo \" libsodium:\"\n php vendor/bin/phpunit --bootstrap tests/specific/libsodium.php tests/unit\n echo \" mcrypt:\"\n php vendor/bin/phpunit --bootstrap tests/specific/mcrypt.php tests/unit\nfi\n\n# Should we perform full statistical analyses?\nif [[ \"$fulltest\" == \"1\" ]]; then\n php vendor/bin/phpunit tests/full\n if [ $? -ne 0 ]; then\n # Test failure\n exit 1\n fi\nfi\n\n"
},
{
"path": "phpunit.xml.dist",
"content": "\n\n \n \n ./lib\n \n \n \n \n ./tests/unit\n \n \n\n"
},
{
"path": "psalm-autoload.php",
"content": "\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n \n \n \n \n \n \n \n \n \n \n \n\n"
},
{
"path": "tests/full/DieHardTest.php",
"content": " $i,\n 'value' => $buckets[$i], \n 'min' => $min, \n 'nums' => $nums_to_generate,\n 'reason' => 'below min'\n ]);\n }\n if ($buckets[$i] >= $max ) {\n var_dump([\n 'bucket' => $i,\n 'value' => $buckets[$i],\n 'maax' => $max,\n 'nums' => $nums_to_generate,\n 'reason' => 'above max'\n ]);\n }\n \n $this->assertTrue($buckets[$i] < $max && $buckets[$i] > $min);\n }\n }\n }\n}"
},
{
"path": "tests/full/StatTest.php",
"content": " 30% but less than 170%\n * \n * This also catches 0 and 1000\n */\n public function testDistribution()\n {\n $integers = array_fill(0, 100, 0);\n for ($i = 0; $i < 10000; ++$i) {\n ++$integers[random_int(0,99)];\n }\n for ($i = 0; $i < 100; ++$i) {\n $this->assertFalse($integers[$i] < 30);\n $this->assertFalse($integers[$i] > 170);\n }\n }\n \n /**\n * This should be between 55% and 75%, always\n */\n public function testCoverage()\n {\n $integers = array_fill(0, 2000, 0);\n for ($i = 0; $i < 2000; ++$i) {\n ++$integers[random_int(0,1999)];\n }\n $coverage = 0;\n for ($i = 0; $i < 2000; ++$i) {\n if ($integers[$i] > 0) {\n ++$coverage;\n }\n }\n $this->assertTrue($coverage >= 1150);\n $this->assertTrue($coverage <= 1350);\n }\n \n public function testCompressionRatios()\n {\n $some_bytes = random_bytes(65536);\n $compressed = gzcompress($some_bytes, 9);\n if (function_exists('mb_strlen')) {\n $length = mb_strlen($compressed, '8bit');\n } else {\n $length = strlen($compressed);\n }\n $this->assertTrue($length >= 65000 && $length <= 67000);\n }\n}"
},
{
"path": "tests/specific/capicom.php",
"content": "assertTrue(function_exists('random_bytes'));\n }\n \n public function testInvalidParams()\n {\n try {\n $bytes = random_bytes('good morning');\n $this->fail(\"random_bytes() should accept only an integer\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n \n try {\n $bytes = random_bytes(array(12));\n $this->fail(\"random_bytes() should accept only an integer\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n \n // This should succeed:\n $bytes = random_bytes('123456');\n }\n \n public function testOutput()\n {\n $bytes = array(\n random_bytes(12),\n random_bytes(64),\n random_bytes(64),\n PHP_VERSION_ID < 80100\n ? random_bytes(1.5)\n : random_bytes(1)\n );\n \n $this->assertTrue(\n strlen(bin2hex($bytes[0])) === 24\n );\n $this->assertTrue(\n strlen(bin2hex($bytes[3])) === 2\n );\n \n // This should never generate identical byte strings\n $this->assertFalse(\n $bytes[1] === $bytes[2]\n );\n \n try {\n $x = random_bytes(~PHP_INT_MAX - 1000000000);\n $this->fail(\"Integer overflow (~PHP_INT_MAX - 1000000000).\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n \n try {\n $x = random_bytes(PHP_INT_MAX + 1000000000);\n $this->fail(\"Requesting too many bytes should fail.\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n }\n}\n"
},
{
"path": "tests/unit/RandomIntTest.php",
"content": "assertTrue(function_exists('random_int'));\n }\n \n public function testOutput()\n {\n $half_neg_max = (~PHP_INT_MAX / 2);\n $integers = array(\n random_int(0, 1000),\n random_int(1001,2000),\n random_int(-100, -10),\n random_int(-1000, 1000),\n random_int(~PHP_INT_MAX, PHP_INT_MAX),\n random_int(\"0\", \"1\"),\n PHP_VERSION_ID < 80100\n ? random_int(0.11111, 0.99999)\n : 0,\n random_int($half_neg_max, PHP_INT_MAX),\n random_int(0.0, 255.0),\n PHP_VERSION_ID < 80100\n ? random_int(-4.5, -4.5)\n : -4,\n random_int(\"1337e3\",\"1337e3\")\n );\n \n $this->assertFalse($integers[0] === $integers[1]);\n $this->assertTrue($integers[0] >= 0 && $integers[0] <= 1000);\n $this->assertTrue($integers[1] >= 1001 && $integers[1] <= 2000);\n $this->assertTrue($integers[2] >= -100 && $integers[2] <= -10);\n $this->assertTrue($integers[3] >= -1000 && $integers[3] <= 1000);\n $this->assertTrue($integers[4] >= ~PHP_INT_MAX && $integers[4] <= PHP_INT_MAX);\n $this->assertTrue($integers[5] >= 0 && $integers[5] <= 1);\n $this->assertTrue($integers[6] === 0);\n $this->assertTrue($integers[7] >= $half_neg_max && $integers[7] <= PHP_INT_MAX);\n $this->assertTrue($integers[8] >= 0 && $integers[8] <= 255);\n $this->assertSame($integers[9], -4);\n $this->assertSame($integers[10], 1337000);\n \n try {\n $h = random_int(\"2147483648\", \"2147483647\");\n $i = random_int(\"9223372036854775808\", \"9223372036854775807\");\n $this->assertFalse(is_int($i));\n $h = random_int(\"-2147483648\", \"2147483647\");\n $i = random_int(\"-9223372036854775808\", \"9223372036854775807\");\n $this->fail(\"One of these options should have thrown an exception.\");\n } catch (Error $ex) {\n $this->assertTrue($ex instanceof Error);\n } catch (Exception $ex) {\n $this->assertTrue($ex instanceof Exception);\n }\n }\n\n public function testRandomRange()\n {\n $try = 64;\n $maxLen = strlen(~PHP_INT_MAX);\n do {\n $rand = random_int(~PHP_INT_MAX, PHP_INT_MAX);\n } while (strlen($rand) !== $maxLen && $try--);\n\n $this->assertGreaterThan(0, $try);\n }\n}\n"
},
{
"path": "tests/unit/UtilityTest.php",
"content": "markTestSkipped(\n 'We don\\' need to test this in PHP 7.'\n );\n }\n $this->assertEquals(RandomCompat_strlen(\"\\xF0\\x9D\\x92\\xB3\"), 4);\n }\n \n public function testIntval()\n {\n if (!function_exists('RandomCompat_intval')) {\n return $this->markTestSkipped(\n 'We don\\' need to test this in PHP 7.'\n );\n }\n // Equals\n $this->assertEquals(\n abs(RandomCompat_intval(-4.5)),\n abs(RandomCompat_intval(4.5))\n );\n \n // True\n $this->assertTrue(\n is_int(RandomCompat_intval(PHP_INT_MAX, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(~PHP_INT_MAX, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(~PHP_INT_MAX + 1, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"1337e3\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"1.\", true))\n );\n \n // False\n $this->assertFalse(\n is_int(RandomCompat_intval((float) PHP_INT_MAX, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval((float) ~PHP_INT_MAX, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(PHP_INT_MAX + 1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(~PHP_INT_MAX - 1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(~PHP_INT_MAX - 0.1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(PHP_INT_MAX + 0.1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"hello\", true))\n );\n \n if (PHP_INT_SIZE === 8) {\n $this->assertFalse(\n is_int(RandomCompat_intval(\"-9223372036854775809\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"-9223372036854775808\", true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"9223372036854775808\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"9223372036854775807\", true))\n );\n } else {\n $this->assertFalse(\n is_int(RandomCompat_intval(\"2147483648\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"2147483647\", true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"-2147483649\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"-2147483648\", true))\n );\n }\n }\n}\n"
},
{
"path": "tests/unit_with_basedir/RandomBytesTest.php",
"content": "assertTrue(function_exists('random_bytes'));\n }\n \n public function testInvalidParams()\n {\n try {\n $bytes = random_bytes('good morning');\n $this->fail(\"random_bytes() should accept only an integer\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n if ($ex->getMessage() === self::NO_BASEDIR) {\n return;\n }\n }\n \n try {\n $bytes = random_bytes(array(12));\n $this->fail(\"random_bytes() should accept only an integer\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n \n // This should succeed:\n try {\n $bytes = random_bytes('123456');\n } catch (Exception $ex) {\n $this->assertEquals(\n $ex->getMessage(),\n self::NO_BASEDIR\n );\n }\n }\n \n public function testOutput()\n {\n try {\n $bytes = array(\n random_bytes(12),\n random_bytes(64),\n random_bytes(64),\n random_bytes(1.5)\n );\n } catch (Exception $ex) {\n $this->assertEquals(\n $ex->getMessage(),\n self::NO_BASEDIR\n );\n return;\n }\n \n $this->assertTrue(\n strlen(bin2hex($bytes[0])) === 24\n );\n $this->assertTrue(\n strlen(bin2hex($bytes[3])) === 2\n );\n \n // This should never generate identical byte strings\n $this->assertFalse(\n $bytes[1] === $bytes[2]\n );\n \n try {\n $x = random_bytes(~PHP_INT_MAX - 1000000000);\n $this->fail(\"Integer overflow (~PHP_INT_MAX - 1000000000).\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n \n try {\n $x = random_bytes(PHP_INT_MAX + 1000000000);\n $this->fail(\"Requesting too many bytes should fail.\");\n } catch (TypeError $ex) {\n $this->assertTrue(true);\n } catch (Error $ex) {\n $this->assertTrue(true);\n } catch (Exception $ex) {\n $this->assertTrue(true);\n }\n }\n}\n"
},
{
"path": "tests/unit_with_basedir/RandomIntTest.php",
"content": "assertTrue(function_exists('random_int'));\n }\n \n public function testOutput()\n {\n try {\n $half_neg_max = (~PHP_INT_MAX / 2);\n\n $integers = array(\n random_int(0, 1000),\n random_int(1001,2000),\n random_int(-100, -10),\n random_int(-1000, 1000),\n random_int(~PHP_INT_MAX, PHP_INT_MAX),\n random_int(\"0\", \"1\"),\n random_int(0.11111, 0.99999),\n random_int($half_neg_max, PHP_INT_MAX),\n random_int(0.0, 255.0),\n random_int(-4.5, -4.5),\n random_int(\"1337e3\",\"1337e3\")\n );\n\n $this->assertFalse($integers[0] === $integers[1]);\n $this->assertTrue($integers[0] >= 0 && $integers[0] <= 1000);\n $this->assertTrue($integers[1] >= 1001 && $integers[1] <= 2000);\n $this->assertTrue($integers[2] >= -100 && $integers[2] <= -10);\n $this->assertTrue($integers[3] >= -1000 && $integers[3] <= 1000);\n $this->assertTrue($integers[4] >= ~PHP_INT_MAX && $integers[4] <= PHP_INT_MAX);\n $this->assertTrue($integers[5] >= 0 && $integers[5] <= 1);\n $this->assertTrue($integers[6] === 0);\n $this->assertTrue($integers[7] >= $half_neg_max && $integers[7] <= PHP_INT_MAX);\n $this->assertTrue($integers[8] >= 0 && $integers[8] <= 255);\n $this->assertTrue($integers[9] === -4);\n $this->assertTrue($integers[10] === 1337000);\n } catch (Exception $ex) {\n $this->assertEquals(\n $ex->getMessage(),\n self::NO_BASEDIR\n );\n return;\n }\n \n try {\n $h = random_int(\"2147483648\", \"2147483647\");\n $i = random_int(\"9223372036854775808\", \"9223372036854775807\");\n $this->assertFalse(is_int($i));\n $h = random_int(\"-2147483648\", \"2147483647\");\n $i = random_int(\"-9223372036854775808\", \"9223372036854775807\");\n $this->fail(\"One of these options should have thrown an exception.\");\n } catch (Error $ex) {\n $this->assertTrue($ex instanceof Error);\n } catch (Exception $ex) {\n $this->assertTrue($ex instanceof Exception);\n }\n }\n\n public function testRandomRange()\n {\n try {\n $try = 64;\n $maxLen = strlen(~PHP_INT_MAX);\n do {\n $rand = random_int(~PHP_INT_MAX, PHP_INT_MAX);\n } while (strlen($rand) !== $maxLen && $try--);\n\n $this->assertGreaterThan(0, $try);\n } catch (Exception $ex) {\n $this->assertEquals(\n $ex->getMessage(),\n self::NO_BASEDIR\n );\n return;\n }\n }\n}\n"
},
{
"path": "tests/unit_with_basedir/UtilityTest.php",
"content": "markTestSkipped(\n 'We don\\' need to test this in PHP 7.'\n );\n }\n $this->assertEquals(RandomCompat_strlen(\"\\xF0\\x9D\\x92\\xB3\"), 4);\n }\n \n public function testIntval()\n {\n if (!function_exists('RandomCompat_intval')) {\n return $this->markTestSkipped(\n 'We don\\' need to test this in PHP 7.'\n );\n }\n // Equals\n $this->assertEquals(\n abs(RandomCompat_intval(-4.5)),\n abs(RandomCompat_intval(4.5))\n );\n \n // True\n $this->assertTrue(\n is_int(RandomCompat_intval(PHP_INT_MAX, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(~PHP_INT_MAX, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(~PHP_INT_MAX + 1, true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"1337e3\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"1.\", true))\n );\n \n // False\n $this->assertFalse(\n is_int(RandomCompat_intval((float) PHP_INT_MAX, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval((float) ~PHP_INT_MAX, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(PHP_INT_MAX + 1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(~PHP_INT_MAX - 1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(~PHP_INT_MAX - 0.1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(PHP_INT_MAX + 0.1, true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"hello\", true))\n );\n \n if (PHP_INT_SIZE === 8) {\n $this->assertFalse(\n is_int(RandomCompat_intval(\"-9223372036854775809\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"-9223372036854775808\", true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"9223372036854775808\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"9223372036854775807\", true))\n );\n } else {\n $this->assertFalse(\n is_int(RandomCompat_intval(\"2147483648\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"2147483647\", true))\n );\n $this->assertFalse(\n is_int(RandomCompat_intval(\"-2147483649\", true))\n );\n $this->assertTrue(\n is_int(RandomCompat_intval(\"-2147483648\", true))\n );\n }\n }\n}\n"
}
]