PHP :: Doc Bug #71365 :: random_bytes(): missing Error causes; may return PRNG

random_bytes(): missing Error causes; may return PRNG

Submitted:

2016-01-14 05:37 UTC

Modified:

2023-01-25 19:55 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	0 of 1 (0.0%)

From:

salsi at icosaedro dot it

Assigned:

timwolla (profile)

Status:

Closed

Package:

Unknown/Other Function

PHP Version:

7.0.2

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2016-01-14 05:37 UTC] salsi at icosaedro dot it

Description:
------------
---
From manual page: http://www.php.net/function.random-bytes
---

Examining the C source code, appears that the Error exception might be thrown also on failed reading from the source of randomness, or no enough entropy is available (whenever an estimation of the available entropy is available).

It might worth to mention also that if not enough entropy data is available, some implementations (notably when reading from /dev/urandom as a last resort) may return values from a PRNG rather than from a CSPRNG, so partially defeating the purpose of this function for CS applications.

The same holds for the companion random_int() function, which relies on the same base function as random_bytes().

Programmers should be advised that abusing of the entropy source may then compromise security, and those entropy sources should be used sparingly.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-01-17 16:01 UTC] public+php dot net at bastelstu dot be

http://www.2uo.de/myths-about-urandom/

[2017-01-28 13:14 UTC] cmb@php.net

-Package: Documentation problem +Package: Unknown/Other Function

[2023-01-25 19:54 UTC] timwolla@php.net

Current versions of PHP preferably use the getrandom(2) syscall if available and thus are not affected by low entropy situations shortly after boot, because the syscall blocks until sufficient entropy has been obtained. Even with older versions or operating systems that use /dev/urandom, it is generally not possible to “exhaust” the CSPRNG, as also explained by the “Myths about urandom” link.

Likewise the CSPRNG is effectively infallible on modern PHP versions and operating systems. I believe the information that the functions relying on the CSPRNG might throw if no source can be found is sufficient, the distinction between a missing source and a failing source does not provide a real value-add for the reader, because it is not actionable.

Please open an issue in the php/doc-en repository if you feel further clarification in the documentation is required: https://github.com/php/doc-en/issues

[2023-01-25 19:55 UTC] timwolla@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: timwolla

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 14:01:34 2025 UTC