Deprecate the SecureRandom class

pierredup · pierredup · commit b527c03f8d78 · 2015-09-25T10:33:05.000+02:00
diff --git a/composer.json b/composer.json
@@ -20,7 +20,8 @@
         "doctrine/common": "~2.4",
         "twig/twig": "~1.20|~2.0",
         "psr/log": "~1.0",
-        "symfony/security-acl": "~2.7"
+        "symfony/security-acl": "~2.7",
+        "paragonie/random_compat": "~1.0"
     },
     "replace": {
         "symfony/asset": "self.version",
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.xml b/src/Symfony/Bundle/FrameworkBundle/Resources/config/security_csrf.xml
@@ -12,7 +12,6 @@
 
     <services>
         <service id="security.csrf.token_generator" class="%security.csrf.token_generator.class%" public="false">
-            <argument type="service" id="security.secure_random" />
         </service>
 
         <service id="security.csrf.token_storage" class="%security.csrf.token_storage.class%" public="false">
diff --git a/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
@@ -164,6 +164,6 @@ private function createPasswordQuestion()
 
     private function generateSalt()
     {
-        return base64_encode($this->getContainer()->get('security.secure_random')->nextBytes(30));
+        return base64_encode(random_bytes(30));
     }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.xml
@@ -46,7 +46,6 @@
                  class="%security.authentication.rememberme.services.persistent.class%"
                  parent="security.authentication.rememberme.services.abstract"
                  abstract="true">
-            <argument type="service" id="security.secure_random" />
         </service>
 
         <service id="security.authentication.rememberme.services.simplehash"
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -12,6 +12,7 @@ CHANGELOG
    `Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface` instead
  * deprecated `Symfony\Component\Security\Core\Util\ClassUtils`, use
    `Symfony\Component\Security\Acl\Util\ClassUtils` instead
+ * deprecated `Symfony\Component\Security\Core\Util\SecureRandom` class in favour of the `random_bytes` function
 
 2.7.0
 -----
diff --git a/src/Symfony/Component/Security/Core/Tests/Util/SecureRandomTest.php b/src/Symfony/Component/Security/Core/Tests/Util/SecureRandomTest.php
@@ -13,6 +13,9 @@
 
 use Symfony\Component\Security\Core\Util\SecureRandom;
 
+/**
+ * @group legacy
+ */
 class SecureRandomTest extends \PHPUnit_Framework_TestCase
 {
     /**
diff --git a/src/Symfony/Component/Security/Core/Util/SecureRandom.php b/src/Symfony/Component/Security/Core/Util/SecureRandom.php
@@ -11,13 +11,17 @@
 
 namespace Symfony\Component\Security\Core\Util;
 
+@trigger_error('The '.__NAMESPACE__.'\SecureRandom class is deprecated since version 2.8 and will be removed in 3.0. Use the random_bytes function instead.', E_USER_DEPRECATED);
+
 use Psr\Log\LoggerInterface;
 
 /**
  * A secure random number generator implementation.
  *
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
+ *
+ * @deprecated since version 2.8, to be removed in 3.0. Use the random_bytes function instead
  */
 final class SecureRandom implements SecureRandomInterface
 {
@@ -43,9 +47,9 @@ public function __construct($seedFile = null, LoggerInterface $logger = null)
         $this->logger = $logger;
 
         // determine whether to use OpenSSL
-        if (!function_exists('openssl_random_pseudo_bytes')) {
+        if (!function_exists('random_bytes') || !function_exists('openssl_random_pseudo_bytes')) {
             if (null !== $this->logger) {
-                $this->logger->notice('It is recommended that you enable the "openssl" extension for random number generation.');
+                $this->logger->notice('It is recommended that you install the "paragonie/random_compat" library or enable the "openssl" extension for random number generation.');
             }
             $this->useOpenSsl = false;
         } else {
@@ -58,6 +62,10 @@ public function __construct($seedFile = null, LoggerInterface $logger = null)
      */
     public function nextBytes($nbBytes)
     {
+        if (function_exists('random_bytes')) {
+            return random_bytes($nbBytes);
+        }
+
         // try OpenSSL
         if ($this->useOpenSsl) {
             $bytes = openssl_random_pseudo_bytes($nbBytes, $strong);
diff --git a/src/Symfony/Component/Security/Core/composer.json b/src/Symfony/Component/Security/Core/composer.json
@@ -33,7 +33,8 @@
         "symfony/http-foundation": "",
         "symfony/validator": "For using the user password constraint",
         "symfony/expression-language": "For using the expression voter",
-        "ircmaxell/password-compat": "For using the BCrypt password encoder in PHP <5.5"
+        "ircmaxell/password-compat": "For using the BCrypt password encoder in PHP <5.5",
+        "paragonie/random_compat": "For secure random number generation in PHP 5.x"
     },
     "autoload": {
         "psr-4": { "Symfony\\Component\\Security\\Core\\": "" }
diff --git a/src/Symfony/Component/Security/Csrf/Tests/TokenGenerator/UriSafeTokenGeneratorTest.php b/src/Symfony/Component/Security/Csrf/Tests/TokenGenerator/UriSafeTokenGeneratorTest.php
@@ -44,8 +44,7 @@ public static function setUpBeforeClass()
 
     protected function setUp()
     {
-        $this->random = $this->getMock('Symfony\Component\Security\Core\Util\SecureRandomInterface');
-        $this->generator = new UriSafeTokenGenerator($this->random, self::ENTROPY);
+        $this->generator = new UriSafeTokenGenerator(null, self::ENTROPY);
     }
 
     protected function tearDown()
@@ -56,11 +55,6 @@ protected function tearDown()
 
     public function testGenerateToken()
     {
-        $this->random->expects($this->once())
-            ->method('nextBytes')
-            ->with(self::ENTROPY / 8)
-            ->will($this->returnValue(self::$bytes));
-
         $token = $this->generator->generateToken();
 
         $this->assertTrue(ctype_print($token), 'is printable');
diff --git a/src/Symfony/Component/Security/Csrf/TokenGenerator/UriSafeTokenGenerator.php b/src/Symfony/Component/Security/Csrf/TokenGenerator/UriSafeTokenGenerator.php
@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Csrf\TokenGenerator;
 
 use Symfony\Component\Security\Core\Util\SecureRandomInterface;
-use Symfony\Component\Security\Core\Util\SecureRandom;
 
 /**
  * Generates CSRF tokens.
@@ -23,13 +22,6 @@
  */
 class UriSafeTokenGenerator implements TokenGeneratorInterface
 {
-    /**
-     * The generator for random values.
-     *
-     * @var SecureRandomInterface
-     */
-    private $random;
-
     /**
      * The amount of entropy collected for each token (in bits).
      *
@@ -40,14 +32,15 @@ class UriSafeTokenGenerator implements TokenGeneratorInterface
     /**
      * Generates URI-safe CSRF tokens.
      *
+     * Note: The $random parameter is deprecated since version 2.8 and will be removed in 3.0.
+     *
      * @param SecureRandomInterface|null $random  The random value generator used for
      *                                            generating entropy
      * @param int                        $entropy The amount of entropy collected for
      *                                            each token (in bits)
      */
     public function __construct(SecureRandomInterface $random = null, $entropy = 256)
     {
-        $this->random = $random ?: new SecureRandom();
         $this->entropy = $entropy;
     }
 
@@ -59,7 +52,7 @@ public function generateToken()
         // Generate an URI safe base64 encoded string that does not contain "+",
         // "/" or "=" which need to be URL encoded and make URLs unnecessarily
         // longer.
-        $bytes = $this->random->nextBytes($this->entropy / 8);
+        $bytes = random_bytes($this->entropy / 8);
 
         return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
     }
diff --git a/src/Symfony/Component/Security/Csrf/composer.json b/src/Symfony/Component/Security/Csrf/composer.json
@@ -17,7 +17,8 @@
     ],
     "require": {
         "php": ">=5.3.9",
-        "symfony/security-core": "~2.4|~3.0.0"
+        "symfony/security-core": "~2.4|~3.0.0",
+        "paragonie/random_compat" : "~1.0"
     },
     "require-dev": {
         "symfony/phpunit-bridge": "~2.7|~3.0.0",
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices.php
@@ -32,23 +32,22 @@
 class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
 {
     private $tokenProvider;
-    private $secureRandom;
 
     /**
      * Constructor.
      *
+     * Note: The $secureRandom parameter is deprecated since version 2.8 and will be removed in 3.0.
+     *
      * @param array                 $userProviders
      * @param string                $secret
      * @param string                $providerKey
      * @param array                 $options
      * @param LoggerInterface       $logger
      * @param SecureRandomInterface $secureRandom
      */
-    public function __construct(array $userProviders, $secret, $providerKey, array $options = array(), LoggerInterface $logger = null, SecureRandomInterface $secureRandom)
+    public function __construct(array $userProviders, $secret, $providerKey, array $options = array(), LoggerInterface $logger = null, SecureRandomInterface $secureRandom = null)
     {
         parent::__construct($userProviders, $secret, $providerKey, $options, $logger);
-
-        $this->secureRandom = $secureRandom;
     }
 
     /**
@@ -98,7 +97,7 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
             throw new AuthenticationException('The cookie has expired.');
         }
 
-        $tokenValue = base64_encode($this->secureRandom->nextBytes(64));
+        $tokenValue = base64_encode(random_bytes(64));
         $this->tokenProvider->updateToken($series, $tokenValue, new \DateTime());
         $request->attributes->set(self::COOKIE_ATTR_NAME,
             new Cookie(
@@ -120,8 +119,8 @@ protected function processAutoLoginCookie(array $cookieParts, Request $request)
      */
     protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
     {
-        $series = base64_encode($this->secureRandom->nextBytes(64));
-        $tokenValue = base64_encode($this->secureRandom->nextBytes(64));
+        $series = base64_encode(random_bytes(64));
+        $tokenValue = base64_encode(random_bytes(64));
 
         $this->tokenProvider->createNewToken(
             new PersistentToken(
diff --git a/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php b/src/Symfony/Component/Security/Http/Tests/RememberMe/PersistentTokenBasedRememberMeServicesTest.php
@@ -20,7 +20,6 @@
 use Symfony\Component\Security\Http\RememberMe\PersistentTokenBasedRememberMeServices;
 use Symfony\Component\Security\Core\Exception\TokenNotFoundException;
 use Symfony\Component\Security\Core\Exception\CookieTheftException;
-use Symfony\Component\Security\Core\Util\SecureRandom;
 
 class PersistentTokenBasedRememberMeServicesTest extends \PHPUnit_Framework_TestCase
 {
@@ -311,7 +310,7 @@ protected function getService($userProvider = null, $options = array(), $logger
             $userProvider = $this->getProvider();
         }
 
-        return new PersistentTokenBasedRememberMeServices(array($userProvider), 'foosecret', 'fookey', $options, $logger, new SecureRandom(sys_get_temp_dir().'/_sf2.seed'));
+        return new PersistentTokenBasedRememberMeServices(array($userProvider), 'foosecret', 'fookey', $options, $logger);
     }
 
     protected function getProvider()
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
@@ -20,7 +20,8 @@
         "symfony/security-core": "~2.8",
         "symfony/event-dispatcher": "~2.1|~3.0.0",
         "symfony/http-foundation": "~2.4|~3.0.0",
-        "symfony/http-kernel": "~2.4|~3.0.0"
+        "symfony/http-kernel": "~2.4|~3.0.0",
+        "paragonie/random_compat" : "~1.0"
     },
     "require-dev": {
         "symfony/phpunit-bridge": "~2.7|~3.0.0",
diff --git a/src/Symfony/Component/Security/composer.json b/src/Symfony/Component/Security/composer.json
@@ -20,7 +20,8 @@
         "symfony/security-acl": "~2.7",
         "symfony/event-dispatcher": "~2.2|~3.0.0",
         "symfony/http-foundation": "~2.1|~3.0.0",
-        "symfony/http-kernel": "~2.4|~3.0.0"
+        "symfony/http-kernel": "~2.4|~3.0.0",
+        "paragonie/random_compat" : "~1.0"
     },
     "replace": {
         "symfony/security-core": "self.version",

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,6 @@ private function createPasswordQuestion()`
`164`	`164`
`165`	`165`	`private function generateSalt()`
`166`	`166`	`{`
`167`		`- return base64_encode($this->getContainer()->get('security.secure_random')->nextBytes(30));`
	`167`	`+ return base64_encode(random_bytes(30));`
`168`	`168`	`}`
`169`	`169`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,9 @@`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Core\Util\SecureRandom;`
`15`	`15`
	`16`	`+/**`
	`17`	`+ * @group legacy`
	`18`	`+ */`
`16`	`19`	`class SecureRandomTest extends \PHPUnit_Framework_TestCase`
`17`	`20`	`{`
`18`	`21`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,7 @@ public static function setUpBeforeClass()`
`44`	`44`
`45`	`45`	`protected function setUp()`
`46`	`46`	`{`
`47`		`- $this->random = $this->getMock('Symfony\Component\Security\Core\Util\SecureRandomInterface');`
`48`		`- $this->generator = new UriSafeTokenGenerator($this->random, self::ENTROPY);`
	`47`	`+ $this->generator = new UriSafeTokenGenerator(null, self::ENTROPY);`
`49`	`48`	`}`
`50`	`49`
`51`	`50`	`protected function tearDown()`
`@@ -56,11 +55,6 @@ protected function tearDown()`
`56`	`55`
`57`	`56`	`public function testGenerateToken()`
`58`	`57`	`{`
`59`		`- $this->random->expects($this->once())`
`60`		`- ->method('nextBytes')`
`61`		`- ->with(self::ENTROPY / 8)`
`62`		`- ->will($this->returnValue(self::$bytes));`
`63`		`-`
`64`	`58`	`$token = $this->generator->generateToken();`
`65`	`59`
`66`	`60`	`$this->assertTrue(ctype_print($token), 'is printable');`