Newsgroups: php.internals
From: narf@devilix.net (Andrey Andreev)
Date: Tue, 24 Feb 2015 11:51:52 +0200
To: Sammy Kaye Powers
Cc: PHP Internals
Subject: Re: [PHP-DEV] [RFC] [DISCUSSION] Reliable user-land CSPRNG

Hi,

On Tue, Feb 24, 2015 at 8:36 AM, Sammy Kaye Powers wrote:
> The RFC to add a user-land API for an easy-to-use and reliable CSPRNG in
> PHP is up for discussion: https://wiki.php.net/rfc/easy_userland_csprng
>
> This proposes adding two methods: `random_bytes()` and `random_int()` that
> return cryptographically secure pseudo-random data.
>
> This has been quite a team effort so far and would love to hear your
> feedback! :)

I noticed that the patch checks for /dev/arandom availability first, and I'm pretty sure that on systems that have it, /dev/urandom simply redirects to /dev/urandom, so that might be a bit redundant ... Maybe Leigh can say more about this if I'm missing something.

Also, you don't need 100s of lines of code to write the same thing in userland ... you need ~30 lines, your Facebook SDK example is just over-complicated. I'm sure everybody will agree that this is a feature that PHP needs, so I think you should rather focus on explaining that it's better than leaving it to userland implementations that may screw up a lot of details.

And finally, a suggestion to remove the default $length value of 16 for random_bytes() - it just happens to be what you need for i.e. an AES-128 IV, but other than that it doesn't make sense to have a default length.

Otherwise - great! I'm really looking forward to this, and many others surely do as well. I've got no doubt that the RFC will pass and I intend to write a compat package for use in pre-PHP7 environments, to ease the new API's adoption.

Cheers,
Andrey.
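
Added example, not part of the original message and not code from the RFC patch, the Facebook SDK or any compat package: a sketch of the details a userland CSPRNG wrapper has to get right (failing closed, unbuffered and short reads, no modulo bias, an explicit length). The names `userland_random_bytes()` and `userland_random_int()` are hypothetical, and the code assumes a Unix-like host with /dev/urandom.

```php
<?php
// Added illustration with hypothetical names; assumes /dev/urandom is available.
function userland_random_bytes($length) // no default length: the caller must choose
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer');
    }
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp === false) {
        throw new RuntimeException('Cannot open /dev/urandom'); // no weak fallback
    }
    stream_set_read_buffer($fp, 0); // do not buffer extra random bytes in the process
    $buf = '';
    while (strlen($buf) < $length) {
        $chunk = fread($fp, $length - strlen($buf)); // a read may return fewer bytes
        if ($chunk === false || $chunk === '') {
            fclose($fp);
            throw new RuntimeException('Could not read from /dev/urandom');
        }
        $buf .= $chunk;
    }
    fclose($fp);
    return $buf;
}

function userland_random_int($min, $max)
{
    if (!is_int($min) || !is_int($max) || $min > $max) {
        throw new InvalidArgumentException('Need integers with $min <= $max');
    }
    $range = $max - $min; // becomes a float if the span overflows a PHP integer
    if (!is_int($range)) {
        throw new RangeException('Span between $min and $max is too large');
    }
    if ($range === 0) {
        return $min;
    }
    $bits = strlen(decbin($range)); // bits needed to represent $range
    $mask = ($bits >= PHP_INT_SIZE * 8 - 1) ? PHP_INT_MAX : (1 << $bits) - 1;
    do { // rejection sampling: discard out-of-range draws instead of using modulo
        $val = 0;
        foreach (str_split(userland_random_bytes(($bits + 7) >> 3)) as $c) {
            $val = ($val << 8) | ord($c);
        }
        $val &= $mask;
    } while ($val > $range);
    return $min + $val;
}

echo bin2hex(userland_random_bytes(16)), ' ', userland_random_int(1, 6), "\n";
```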