protected static method

Returns the best available random number generator source.

The source of randomness used are as follows:

  1. random_bytes(), available in PHP >=7.0
  2. mcrypt_create_iv(), available if the mcrypt extensions is installed
  3. /dev/urandom, available on *nix
  4. GetRandom() through COM, available on Windows

Note: Users restricting path access through the open_basedir INI setting, will need to include /dev/urandom into the list of allowed paths, as this method might read from it.

The openssl_random_pseudo_bytes() function is not used, as it is not clear under which circumstances it will not have a strong source available to it.



Returns a closure containing a random number generator.


	protected static function _source() {
		if (function_exists('random_bytes')) {
			return function($bytes) {
				return random_bytes($bytes);
		if (function_exists('mcrypt_create_iv')) {
			return function($bytes) {
				return mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);
		if (is_readable('/dev/urandom')) {
			return function($bytes) {
				$stream = fopen('/dev/urandom', 'rb');
				$result = fread($stream, $bytes);

				return $result;
		if (class_exists('COM', false)) {
			$com = new COM('CAPICOM.Utilities.1');

			return function($bytes) use ($com) {
				return base64_decode($com->GetRandom($bytes, 0));
		throw new LogicException('No suitable strong random number generator source found.');