Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:40227 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 63452 invoked from network); 3 Sep 2008 02:46:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Sep 2008 02:46:16 -0000 Authentication-Results: pb1.pair.com smtp.mail=scott@macvicar.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=scott@macvicar.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain macvicar.net from 193.227.246.108 cause and error) X-PHP-List-Original-Sender: scott@macvicar.net X-Host-Fingerprint: 193.227.246.108 ip246-108-v193.static.x-ip.net Received: from [193.227.246.108] ([193.227.246.108:52756] helo=lovelace.midden.org.uk) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id A7/73-33714-679FDB84 for ; Tue, 02 Sep 2008 22:42:23 -0400 Received: from macvicar.demon.co.uk ([80.177.111.173] helo=[192.168.1.100]) by lovelace.midden.org.uk with esmtpsa (TLS-1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from ) id 1KaiJD-0000zO-5P; Wed, 03 Sep 2008 03:41:29 +0100 Cc: "PHP Developers Mailing List" Message-ID: <175FE3A6-DF48-42A2-B206-9D2C42D9EAC5@macvicar.net> To: "David Coallier" In-Reply-To: Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v926) Date: Wed, 3 Sep 2008 03:41:21 +0100 References: X-Mailer: Apple Mail (2.926) X-Spam-Score: -4.1 X-Spam_Report: Spam detection software, running on the system "lovelace.midden.org.uk", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: On 3 Sep 2008, at 03:33, David Coallier wrote: > 2008/9/2 Scott MacVicar : >> Hi All, >> >> Attached and uploaded [1] is a patch to add the OpenSSL random >> pseudo byte >> function, at the moment it will return FALSE if the bytes aren't >> considered >> cryptographically strong, I am however considering making this >> parameter >> controlled. >> >> Any objections to me applying this to 5.3? > > I'd say that 5.3 should be a rather "stable" version and that if we > add features we should make sure they are rock solid now. [...] Content analysis details: (-4.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.8 ALL_TRUSTED Passed through trusted hosts only via SMTP -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.0000] 0.3 AWL AWL: From: address is in the auto white-list Subject: Re: [PHP-DEV] OpenSSL random pseudo bytes From: scott@macvicar.net (Scott MacVicar) On 3 Sep 2008, at 03:33, David Coallier wrote: > 2008/9/2 Scott MacVicar : >> Hi All, >> >> Attached and uploaded [1] is a patch to add the OpenSSL random >> pseudo byte >> function, at the moment it will return FALSE if the bytes aren't >> considered >> cryptographically strong, I am however considering making this >> parameter >> controlled. >> >> Any objections to me applying this to 5.3? > > I'd say that 5.3 should be a rather "stable" version and that if we > add features we should make sure they are rock solid now. This function has been in OpenSSL for 8 years and supported by every version since 0.9.5. It's literally just exposing the API, it's safe for inclusion in 5.3 in my opinion. > Perhaps > adding the control (Parameter to control the security/cryptography > level) now would save time and would make it a thing less to look back > in the future. > It's not a cryptography level / control. The problem is that the PRNG can run out of data if there isn't enough entropy available, you can still take the result but it's not strong. I should say this function isn't for key generation but for use in places that you need random data. Scott