Improve random number generation

Can't see a reason not to include openssl_random_pseudo_bytes() for a better system agnostic solution

This looks RTBC to me.

It could be good to extend the code comment so it mentions that it is the only reliable source of random numbers on Microsoft Windows.

Note that the patch needs a reroll for core/. If we're doing function_exists(), we can also backport this.

anyone do a real test, I read this from PHP.net

FYI, openssl_random_pseudo_bytes() can be incredibly slow under Windows, to the point of being unusable. It frequently times out (>30 seconds execution time) on several Windows machines of mine.

Apparently, it's a known problem with OpenSSL (not PHP specifically).

See: http://www.google.com/search?q=openssl_random_pseudo_bytes+slow

and seems fixed on latest PHP version..
http://stackoverflow.com/questions/1940168/openssl-random-pseudo-bytes-i...

Since we only require 5.3.2, we might want to do a version check here. Moving back to needs review.

Tagging as novice for

1. Rerolling the patch for the new D8 directory structure.
2. Adding a version check. You can use version_compare() to check the PHP version, and the result can be cached statically because it will not change within a request. Add the version to the condition in elseif (function_exists('openssl_random_pseudo_bytes')). It should be at least 5.3.2 5.3.4.

Here's a patch that does what's been requested in #7.

But, shouldn't it check for PHP 5.3.4 since that version fixed openssl_random_pseudo_bytes locking on Windows?

#8: You're correct, 5.3.4, not 5.3.2. Thanks!

Ok, here's the re-roll.

Patch is doing what was agreed on comment 7 and 9.

Manually tested ??

Maybe bump up PHP version again? PHP 5.3.8 and below has hash collision vulnerability. I think all hosting will bump up their PHP version.

@#13,
yes, unrelated :)

Manually tested ??

Yes, from a PHP 5.3.9
Since I do not have a non *nix platform to test the exact case, I have just commented the /dev/urandom if and only left the elseif as if; and it works fine.

Committed to 8.x. We may be able to remove the version check before we release 8.x. We'll see.

Re-rolled patch for Drupal 7.x.

#17 Works!

Drupal v7.12
PHP v5.3.5
Ubuntu v11.10

Yay for more randomness. :)

Committed and pushed to 7.x. Thanks!