Let's make it a byte

[defuse]

This is wrong. In the fallback random thing.

// Let's make it a byte.
$random .= chr($source % 255);

It should be 256, otherwise the value 255 is never possible. Sorry I am too tired right now to fork it and submit a pull request.

[defuse]

I think it's a lot better to fail hard (fatal error) than to fallback to weak random numbers. If an environment can't provide any of those other methods, then it really shouldn't be doing cryptography.

Anyway, in generateUsingFallback(), it should hash all of the values you can get, and return a prefix of the hash. If you don't hash, but just add, you're missing out on all of the entropy in the higher bytes. For example:

$x = 0; $x += $a; $x += $b; $x += $c; $x = $x % 256

is equivalent to

$x = 0; $x += $a & 0xFF; $x += $b & 0xFF; $x += $c & 0xFF;

[kaisellgren]

Updated. By the way, you can always just press Edit here in Github to edit the file. Github will auto fork it for you.

Yeah I suppose you're right about failing hard.