Newsgroups: php.internals
From: fsb@thefsb.org (Tom Worster)
Date: Sun, 08 Feb 2015 12:11:13 -0500
To: Damien Tournoud, Daniel Lowrey
CC: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: Security changes in PHP 7

Thanks Damien and Daniel for the info.

I am not concerned about running out of entropy. I am concerned about
userspace RNGs such as OpenSSL

http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

On 2/8/15, 12:04 PM, "Damien Tournoud" wrote:

>On Sun, Feb 8, 2015 at 5:15 PM, Daniel Lowrey wrote:
>
>> Currently PHP's openssl_random_pseudo_bytes() uses the latter function and
>> allows users to pass a by-reference $crypto_strong out parameter to
>> determine if the result is cryptographically strong. This is fine if you
>> know all of the above and have read the manual for this function. However,
>> it may be desirable to add a new openssl_rand_bytes() function that uses
>> RAND_bytes() under the hood to make it less likely for someone to
>> accidentally use insufficiently random output.
>
>
>Hi Daniel,
>
>Just to clarify: OpenSSL automatically seeds its random pool from
>crypto-safe system-specific sources (/dev/[u]random on Linux): it is just
>*impossible* on modern systems to end up in the case of not having enough
>entropy.
>
>Damien
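
The two sources discussed in this message, side by side, as an added example that is not part of the original thread or of PHP itself: one function reads the kernel CSPRNG directly, the other wraps openssl_random_pseudo_bytes() and fails closed when $crypto_strong is not true. The function names kernel_random_bytes() and openssl_strong_bytes() are hypothetical, and a Unix-like host exposing /dev/urandom is assumed.

```php
<?php
// Added illustration; function names are hypothetical, not PHP core APIs.

/**
 * Read $length bytes straight from the kernel CSPRNG (assumes a Unix-like
 * host that exposes /dev/urandom). Fails closed on any error.
 */
function kernel_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open /dev/urandom');
    }
    // Turn off PHP's stream read buffer so PHP does not read ahead and
    // keep unused random bytes in a userspace buffer.
    stream_set_read_buffer($fh, 0);
    $out = '';
    while (strlen($out) < $length) {
        $chunk = fread($fh, $length - strlen($out));
        if ($chunk === false || $chunk === '') {
            fclose($fh);
            throw new RuntimeException('short read from /dev/urandom');
        }
        $out .= $chunk;
    }
    fclose($fh);
    return $out;
}

/**
 * Wrapper over openssl_random_pseudo_bytes() that refuses output unless
 * the by-reference $crypto_strong flag came back true.
 */
function openssl_strong_bytes($length)
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new RuntimeException('OpenSSL did not return cryptographically strong bytes');
    }
    return $bytes;
}

// Usage: a 16-byte token from each source, hex-encoded.
echo bin2hex(kernel_random_bytes(16)), "\n";
echo bin2hex(openssl_strong_bytes(16)), "\n";
```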