Newsgroups: php.internals
Date: Mon, 23 Sep 2019 11:37:02 -0700
From: mo.mu.wss@gmail.com ("M. W. Moe")
To: Christian Schneider
Cc: Larry Garfield, php internals
Subject: Re: [PHP-DEV] PHP 7.4 BC break with openssl_random_pseudo_bytes()

Hello,

"A little side-node: random_int(0, 0) does not throw an exception which
makes random_bytes and random_int inconsistent by your logic ;-)"

not really; there are still different functions; hence they can differ in their behavior; + that's not a matter of individual logic but an api choice; everything can be argued *; however, I don't see any BC break here but an `addon` instead of failing silently, like it was before; hiding a very wrong state.

Regards.

* the smiley doesn't help.

On Mon, Sep 23, 2019 at 9:34 AM Christian Schneider wrote:

> On 23.09.2019 at 17:16, Larry Garfield wrote:
> > I cannot speak for OpenSSL, but random_bytes() and random_int() were
> > changed very late in the 7.0 cycle to throw exceptions so that they "fail
> > closed". Otherwise if you expect a random value back but get a constant
> > value (false or empty string), if you don't remember to check it yourself
> > every time then you now have a security hole because you're using a
> > constant seed for random-dependent behavior.
>
> I see your point but I'm still not convinced that it is worth the BC.
> But whatever is decided for this specific change, I'm more interested in
> handling this properly for future RFCs, i.e. people should get the full
> picture concerning BC before voting.
>
> A little side-node: random_int(0, 0) does not throw an exception which
> makes random_bytes and random_int inconsistent by your logic ;-)
>
> - Chris
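
The fail-open versus fail-closed behaviour discussed in this thread, shown as an added example that is not part of any message here and is not PHP's own code. `legacy_random_bytes()` and the two token functions are hypothetical names, and the generator failure is simulated with a flag.

```php
<?php
// Added example. legacy_random_bytes() is a hypothetical stand-in for a
// generator that reports failure by returning false; $fail simulates that.
function legacy_random_bytes(int $length, bool $fail)
{
    return $fail ? false : random_bytes($length);
}

// Fail open: the return value is never checked. Without strict_types, false
// is coerced to an empty string, so a failed call still produces a "token".
function reset_token_fail_open(bool $fail): string
{
    return bin2hex(legacy_random_bytes(16, $fail));
}

// Fail closed: a failed or short read becomes an exception, so the caller
// cannot continue with a constant value by forgetting a check.
function reset_token_fail_closed(bool $fail): string
{
    $bytes = legacy_random_bytes(16, $fail);
    if ($bytes === false || strlen($bytes) !== 16) {
        throw new RuntimeException('no secure random bytes available');
    }
    return bin2hex($bytes);
}

// Issue two tokens while the generator is failing and compare them.
$first  = reset_token_fail_open(true);
$second = reset_token_fail_open(true);
var_dump($first === $second, $first);

// The same failure with the fail-closed variant stops token issuance.
try {
    reset_token_fail_closed(true);
} catch (RuntimeException $e) {
    echo 'refused to issue token: ', $e->getMessage(), PHP_EOL;
}

// A healthy generator is unaffected by the extra check.
echo reset_token_fail_closed(false), PHP_EOL;
```

With `declare(strict_types=1)` the fail-open variant would raise a `TypeError` at `bin2hex()`; the silent constant token only appears in the default coercive mode.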