Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:82150 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 6585 invoked from network); 8 Feb 2015 17:04:23 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Feb 2015 17:04:23 -0000 Authentication-Results: pb1.pair.com header.from=damz@damz.org; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=damz@damz.org; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain damz.org designates 209.85.218.54 as permitted sender) X-PHP-List-Original-Sender: damz@damz.org X-Host-Fingerprint: 209.85.218.54 mail-oi0-f54.google.com Received: from [209.85.218.54] ([209.85.218.54:64529] helo=mail-oi0-f54.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 08/94-15550-51797D45 for ; Sun, 08 Feb 2015 12:04:21 -0500 Received: by mail-oi0-f54.google.com with SMTP id v63so13884005oia.13 for ; Sun, 08 Feb 2015 09:04:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=damz.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=u+klHICNmamzSY03uSarb6cEJAu4fHH07nQjX3afVSM=; b=MRihgJWFLHPceV0ebTp+v1zoLxMJHeeh3EvRIgwkRYvSdeypZ38cCiRyEQ7p9dTN6C MA4Vz8l5/sGCFQfVuglUMe4mPr/qPAypOn7Hh2rCFyJaKxT+1HueEFSBvjMm9q/4GAZM f8XTegTHgKzfK1knmyCr9KyJw0NIkF2Wd6uHw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=u+klHICNmamzSY03uSarb6cEJAu4fHH07nQjX3afVSM=; b=LpgRV1kUxjbngCVJpRpccBgQ20DvTcTr7pUpw7O/1ScggBi4v7wgf75BjgN/e/r1Rx WCuGH0UiZ665mDYD2bsz5qXmxipYrPwMldPvg9K8q5SXu9qWiW6PqBscFBRr6Y1gTqKs LrSWJLC//+z7aY0hvzlHHcBlwmRlx9QVh61Kb/fEP1tlNxpxEDeD+qRawEsvEexl2x0I VmwPQaPM89ltzRIvl/vndYc4sPtvmDlT2yGIiOZRoPUvQ53V9ukkB54O880PCcAnmgn8 6qtncaqQFCV4GMCeI9cxQU61s6DATy0RERsdnDRKHPg0MsFjjARxMxY/LfxHesQCeeAl 7F8g== X-Gm-Message-State: ALoCoQnkLR84RABWckEUWOiSy8SOGZzhQtzXvh1CgYu++y/AVb31Z5TaJlpq5lTcUvT62vBKDb6u MIME-Version: 1.0 X-Received: by 10.182.22.137 with SMTP id d9mr9107329obf.67.1423415058633; Sun, 08 Feb 2015 09:04:18 -0800 (PST) Received: by 10.60.45.174 with HTTP; Sun, 8 Feb 2015 09:04:18 -0800 (PST) X-Originating-IP: [80.119.108.245] In-Reply-To: References: Date: Sun, 8 Feb 2015 18:04:18 +0100 Message-ID: To: Daniel Lowrey Cc: "internals@lists.php.net" , fsb@thefsb.dot.org Content-Type: multipart/alternative; boundary=001a11c2e558f030b4050e96a4d6 Subject: Re: [PHP-DEV] Re: Security changes in PHP 7 From: damz@damz.org (Damien Tournoud) --001a11c2e558f030b4050e96a4d6 Content-Type: text/plain; charset=UTF-8 On Sun, Feb 8, 2015 at 5:15 PM, Daniel Lowrey wrote: > Currently PHP's openssl_random_pseudo_bytes() uses the latter function and > allows users to pass a by-reference $crypto_strong out parameter to > determine if the result is cryptographically strong. This is fine if you > know all of the above and have read the manual for this function. However, > it may be desirable to add a new openssl_rand_bytes() function that uses > RAND_bytes() under the hood to make it less likely for someone to > accidentally use insufficiently random output. Hi Daniel, Just to clarify: OpenSSL automatically seeds its random pool from crypto-safe system-specific sources (/dev/[u]random on Linux): it is just *impossible* on modern systems to end up in the case of not having enough entropy. Damien --001a11c2e558f030b4050e96a4d6--