password-hashing
Add tests for behavior when mcrypt isn't installed
It would be good to notify that the PHP implementation requires PHP 7, because it needs the random_bytes function that is only available in PHP 7 (http://php.net/manual/en/function.random-bytes.php). It can be added to the far more common PHP 5.x with a 3rd party plugin though: https://github.com/paragonie/random_compat
But it is very hard to notice that this requires PHP 7 and spend quite a while wondering why it fails silently on PHP 5.x. There are no Exceptions thrown and no other warnings, even with error_reporting(E_ALL);
It definitely shouldn't require PHP 7. It falls back to using mcrypt_create_iv if random_bytes isn't available. See the code here:
https://github.com/defuse/password-hashing/blob/master/PasswordStorage.php#L36-L48
If both random_bytes and mcrypt_create_iv are unavailable then you should be seeing a CannotPerformOperationException thrown.
I'm concerned that you aren't seeing that exception get thrown. Could you double check that that's the case? If the library isn't throwing an exception that's definitely a bug.
@Torniojaws: Is it still broken for you?
I got it working with the "random_compat" library I mentioned in my original post. Basically just unzip them to a subdir and then require the "main" php of the library.
require __DIR__.'/lib/random.php';
class InvalidHashException extends (etc...)
Glad you got it working! That shouldn't have been necessary. Perhaps mcrypt_create_iv is missing and that was failing silently. I'll leave this ticket open for us to test what happens when the mcrypt extension isn't installed.
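One way to exercise the behaviour this ticket asks to test, as an added example that is not the code in PasswordStorage.php: the fallback order described above (random_bytes, then mcrypt_create_iv, else an exception), with the availability check injectable so a missing extension can be simulated. The names NoSecureRandomSource, salt_bytes() and the $has probe are hypothetical.

```php
<?php
// Added example; hypothetical names, not the library's own API.
class NoSecureRandomSource extends Exception {}

/**
 * Return $length bytes from a CSPRNG or throw; never return a weak or
 * empty salt. $has defaults to function_exists and can be replaced in
 * tests to simulate a runtime where a function is missing.
 */
function salt_bytes($length, $has = 'function_exists')
{
    if (call_user_func($has, 'random_bytes')) {
        // Built in on PHP 7+, or provided by random_compat on PHP 5.x.
        $raw = random_bytes($length);
    } elseif (call_user_func($has, 'mcrypt_create_iv')) {
        // Legacy path through ext/mcrypt.
        $raw = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
    } else {
        throw new NoSecureRandomSource(
            'Neither random_bytes() nor mcrypt_create_iv() is available'
        );
    }
    // mcrypt_create_iv() returns false on failure: reject that and short reads.
    if (!is_string($raw) || strlen($raw) !== $length) {
        throw new NoSecureRandomSource('Random source returned too few bytes');
    }
    return $raw;
}

// Constructed probes: pretend both functions, or only mcrypt, are missing.
$neither  = function ($name) { return false; };
$noMcrypt = function ($name) {
    return $name !== 'mcrypt_create_iv' && function_exists($name);
};

try {
    salt_bytes(24, $neither);
    echo "FAIL: no exception although no random source exists\n";
} catch (NoSecureRandomSource $e) {
    echo "ok: ", $e->getMessage(), "\n";
}

try {
    echo "ok: ", strlen(salt_bytes(24, $noMcrypt)), " bytes without mcrypt\n";
} catch (NoSecureRandomSource $e) {
    // Reached on PHP 5.x when random_compat is not loaded.
    echo "ok: ", $e->getMessage(), "\n";
}
```

The same probe technique can be pointed at the real library in a test suite, so the "mcrypt not installed" case runs on a machine that does have the extension.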