Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 13 Feb 2014 16:21:07 +0900
Subject: Re: [PHP-DEV] unify entropy source for all php related functions
To: Pierre Joye, julien pauli
Cc: PHP internals

Hi all,

On Fri, Feb 7, 2014 at 8:25 PM, Pierre Joye wrote:

> There are a lot of additions and discussions about entropy source and
> (P)RNG lately.
>
> PHP already has an ini setting to define a strong entropy source for
> the session module, which defaults to urandom or arandom.
>
> I would like to create two settings to unify the entropy source
> across php functions. That includes mcrypt, new password APIs,
> session, LCG, etc.
>
> Something along this line:
>
> random.entropy_strong_source (/dev/(u|a)random etc.)
> random.entropy_crypto_source (/dev/random etc.)
>
> I am not willing to propose new RNG functions or extensions for 5.6 as
> we have way too little time to actually discuss its design and APIs.
> However having these settings unified and documented would be a good
> step forward already.
>
> Thoughts?
>

I would like to have this. This simplifies code that uses /dev/*random.
I may write a patch for this as well as
rand_strong_bytes()/rand_crypto_bytes().

Since it's too late for 5.6, I'll commit only to master.
Does anyone think this change needs an RFC?
Or, if this is mandatory for good security, include it in 5.6?
What do you think, Julien?

Regards

--
Yasuo Ohgaki
yohgaki@ohgaki.net