Merge pull request #12780 from laravel/revert-12764-5.0-rand

Revert "[5.0] Ensure openssl's vulnerable random generation is not used"

composer.json

@@ -28,7 +28,6 @@
         "monolog/monolog": "~1.11",
         "mtdowling/cron-expression": "~1.0",
         "nesbot/carbon": "~1.0",
-        "paragonie/random_compat": "~1.3",
         "psy/psysh": "0.4.*",
         "swiftmailer/swiftmailer": "~5.1",
         "symfony/console": "2.6.*",

src/Illuminate/Encryption/Encrypter.php

@@ -1,9 +1,9 @@
 <?php namespace Illuminate\Encryption;
 
 use Exception;
-use Illuminate\Support\Str;
 use Illuminate\Contracts\Encryption\DecryptException;
 use Symfony\Component\Security\Core\Util\StringUtils;
+use Symfony\Component\Security\Core\Util\SecureRandom;
 use Illuminate\Contracts\Encryption\Encrypter as EncrypterContract;
 
 class Encrypter implements EncrypterContract {
@@ -160,7 +160,7 @@ class Encrypter implements EncrypterContract {
 	 */
 	protected function validMac(array $payload)
 	{
-		$bytes = Str::randomBytes(16);
+		$bytes = (new SecureRandom)->nextBytes(16);
 
 		$calcMac = hash_hmac('sha256', $this->hash($payload['iv'], $payload['value']), $bytes, true);
 

src/Illuminate/Encryption/composer.json

@@ -18,7 +18,6 @@
         "ext-openssl": "*",
         "illuminate/contracts": "5.0.*",
         "illuminate/support": "5.0.*",
-        "paragonie/random_compat": "~1.3",
         "symfony/security-core": "2.6.*"
     },
     "autoload": {

src/Illuminate/Foundation/Console/Optimize/config.php

@@ -187,6 +187,8 @@ return array_map('realpath', array(
     $basePath.'/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/ResponseHeaderBag.php',
     $basePath.'/vendor/symfony/http-foundation/Symfony/Component/HttpFoundation/Cookie.php',
     $basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/StringUtils.php',
+    $basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/SecureRandomInterface.php',
+    $basePath.'/vendor/symfony/security-core/Symfony/Component/Security/Core/Util/SecureRandom.php',
     $basePath.'/vendor/symfony/finder/Symfony/Component/Finder/SplFileInfo.php',
     $basePath.'/vendor/symfony/finder/Symfony/Component/Finder/Expression/Regex.php',
     $basePath.'/vendor/symfony/finder/Symfony/Component/Finder/Expression/ValueInterface.php',

src/Illuminate/Support/Str.php

@@ -1,5 +1,6 @@
 <?php namespace Illuminate\Support;
 
+use RuntimeException;
 use Stringy\StaticStringy;
 use Illuminate\Support\Traits\Macroable;
 
@@ -207,6 +208,8 @@ class Str {
 	 *
 	 * @param  int  $length
 	 * @return string
+	 *
+	 * @throws \RuntimeException
 	 */
 	public static function random($length = 16)
 	{
@@ -227,10 +230,29 @@ class Str {
 	 *
 	 * @param  int  $length
 	 * @return string
+	 *
+	 * @throws \RuntimeException
 	 */
 	public static function randomBytes($length = 16)
 	{
-		return random_bytes($length);
+		if (function_exists('random_bytes'))
+		{
+			$bytes = random_bytes($length);
+		}
+		elseif (function_exists('openssl_random_pseudo_bytes'))
+		{
+			$bytes = openssl_random_pseudo_bytes($length, $strong);
+			if ($bytes === false || $strong === false)
+			{
+				throw new RuntimeException('Unable to generate random string.');
+			}
+		}
+		else
+		{
+			throw new RuntimeException('OpenSSL extension is required for PHP 5 users.');
+		}
+
+		return $bytes;
 	}
 
 	/**

src/Illuminate/Support/composer.json

@@ -18,8 +18,7 @@
         "ext-mbstring": "*",
         "illuminate/contracts": "5.0.*",
         "doctrine/inflector": "~1.0",
-        "danielstjules/stringy": "~1.8",
-        "paragonie/random_compat": "~1.3"
+        "danielstjules/stringy": "~1.8"
     },
     "autoload": {
         "psr-4": {