Newsgroups: php.internals
From: fsb@thefsb.org (Tom Worster)
To: php-internals
Date: Sat, 07 Feb 2015 14:24:14 -0500
Subject: Security changes in PHP 7

I've been trying to catch up on the plans in PHP 7 for changes in security features and APIs and I got confused.

Questions on my mind at the moment include:

1. Will there be a portable API for getting random bytes from the platform's CSPRNG? https://wiki.php.net/ideas/php6 lists as an addition: "Reliable, userfriendly RNG APIs: Provide a userfriendly and reliable RNG APIs, available by default, on all supported platforms and for all usages (from weak to crypto safe)."

2. What's going to happen to mcrypt? I see the vote to excise it did not pass. Does this mean that (i.e. imply that) PHP's plan is to keep a security lib that hasn't been maintained for 8 years for the next 5+ years?

3. Will the OpenSSL ext remain as it currently stands? There have been a few discussions about this but I'm not clear if any decisions have been made about changing it or providing a new API.

4. What does openssl_random_pseudo_bytes() really do in PHP? Where does it get random bytes from in the various different platforms? Is it going to change in PHP 7?

5. Is the weird Linux /dev/random[1] still supported? If so, is it used by default in any PHP API?

6. I noticed some work on constant-time functions. Is this for security purposes, i.e. defeating remote timing attacks? Is there an RFC?

"Feature Freeze" for PHP 7 is coming soon. I, for one, would value a summary of what's happening in PHP 7 with respect to security topics like but not limited to these. Some kind of document detailing the plan, if there is one, would be real swell.

Tom

---
[1] http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/