Update to Drupal 8.1.0. For more information, see https://www.drupal.org/drupal-8.1.0-release-notes

core/lib/Drupal/Component/Utility/Crypt.php

@@ -1,10 +1,5 @@
 <?php
 
-/**
- * @file
- * Contains \Drupal\Component\Utility\Crypt.
- */
-
 namespace Drupal\Component\Utility;
 
 /**
@@ -22,6 +17,10 @@ class Crypt {
    * bytes normally from mt_rand()) and uses the best available pseudo-random
    * source.
    *
+   * In PHP 7 and up, this uses the built-in PHP function random_bytes().
+   * In older PHP versions, this uses the random_bytes() function provided by
+   * the random_compat library.
+   *
    * @param int $count
    *   The number of characters (bytes) to return in the string.
    *
@@ -29,65 +28,7 @@ class Crypt {
    *   A randomly generated string.
    */
   public static function randomBytes($count) {
-    // $random_state does not use drupal_static as it stores random bytes.
-    static $random_state, $bytes;
-
-    $missing_bytes = $count - strlen($bytes);
-
-    if ($missing_bytes > 0) {
-      // openssl_random_pseudo_bytes() will find entropy in a system-dependent
-      // way.
-      if (function_exists('openssl_random_pseudo_bytes')) {
-        $bytes .= openssl_random_pseudo_bytes($missing_bytes);
-      }
-
-      // If OpenSSL is not available, we can use mcrypt. On Windows, this will
-      // transparently pull from CryptGenRandom. On Unix-based systems, it will
-      // read from /dev/urandom as expected.
-      elseif (function_exists(('mcrypt_create_iv')) && defined('MCRYPT_DEV_URANDOM')) {
-        $bytes .= mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
-      }
-
-      // Else, read directly from /dev/urandom, which is available on many *nix
-      // systems and is considered cryptographically secure.
-      elseif ($fh = @fopen('/dev/urandom', 'rb')) {
-        // PHP only performs buffered reads, so in reality it will always read
-        // at least 4096 bytes. Thus, it costs nothing extra to read and store
-        // that much so as to speed any additional invocations.
-        $bytes .= fread($fh, max(4096, $missing_bytes));
-        fclose($fh);
-      }
-
-      // If we couldn't get enough entropy, this simple hash-based PRNG will
-      // generate a good set of pseudo-random bytes on any system.
-      // Note that it may be important that our $random_state is passed
-      // through hash() prior to being rolled into $output, that the two hash()
-      // invocations are different, and that the extra input into the first one -
-      // the microtime() - is prepended rather than appended. This is to avoid
-      // directly leaking $random_state via the $output stream, which could
-      // allow for trivial prediction of further "random" numbers.
-      if (strlen($bytes) < $count) {
-        // Initialize on the first call. The contents of $_SERVER includes a mix
-        // of user-specific and system information that varies a little with
-        // each page.
-        if (!isset($random_state)) {
-          $random_state = print_r($_SERVER, TRUE);
-          if (function_exists('getmypid')) {
-            // Further initialize with the somewhat random PHP process ID.
-            $random_state .= getmypid();
-          }
-          $bytes = '';
-        }
-
-        do {
-          $random_state = hash('sha256', microtime() . mt_rand() . $random_state);
-          $bytes .= hash('sha256', mt_rand() . $random_state, TRUE);
-        } while (strlen($bytes) < $count);
-      }
-    }
-    $output = substr($bytes, 0, $count);
-    $bytes = substr($bytes, $count);
-    return $output;
+    return random_bytes($count);
   }
 
   /**
@@ -178,7 +119,7 @@ class Crypt {
   /**
    * Returns a URL-safe, base64 encoded string of highly randomized bytes.
    *
-   * @param $byte_count
+   * @param $count
    *   The number of random bytes to fetch and base64 encode.
    *
    * @return string