Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:87473 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 30768 invoked from network); 1 Aug 2015 00:09:36 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 1 Aug 2015 00:09:36 -0000 Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain paragonie.com from 209.85.192.44 cause and error) X-PHP-List-Original-Sender: scott@paragonie.com X-Host-Fingerprint: 209.85.192.44 mail-qg0-f44.google.com Received: from [209.85.192.44] ([209.85.192.44:35288] helo=mail-qg0-f44.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 49/82-17913-E3E0CB55 for ; Fri, 31 Jul 2015 20:09:35 -0400 Received: by qgii95 with SMTP id i95so56715067qgi.2 for ; Fri, 31 Jul 2015 17:09:31 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type:content-transfer-encoding; bh=JO9RvrKoZDhjpfzIZkjuQCjTXvZVq73etgBXNZX60zc=; b=Ep4ALnBqJ2lphLaWXVMeKXJfa6yz4kXcvClJelO1aDgbOsXcwAWWADv2B08BnSMhBE wZEa+NZmEyxdMUTTGwoZqTWe5id36tGV3USLi355FytstpkGFg3GMoWAMJM9F/n8F1XS b1bg5xOhLWjI6VmasjRnYXeSPC1TvKKVIlDq1TcCaA3MEIoSqxlprf2+fc4YvwWLIt5F GaTJCr6oY2cgao1VjhhQFcuITUa3lNOxFh+oxi2RlV6+303Oz/lNvt3jn+C8mON2k0Sc kIpsYUHLAZDFG/+3WnaiFxPVyw9BwiSKVrPSGfAwwqqeCaMvoOLIZW3xYb4qtMO0lUh7 Egtw== X-Gm-Message-State: ALoCoQk5V9Ztciz5+iubC14iG2P95urxzUaSCOsTfUr8RZXy1qcFD+MY0HG96PzR37ZT9Nx4Cs+3 MIME-Version: 1.0 X-Received: by 10.140.108.6 with SMTP id i6mr8928142qgf.73.1438387771803; Fri, 31 Jul 2015 17:09:31 -0700 (PDT) Received: by 10.96.83.102 with HTTP; Fri, 31 Jul 2015 17:09:31 -0700 (PDT) In-Reply-To: References: Date: Fri, 31 Jul 2015 20:09:31 -0400 Message-ID: To: PHP Internals Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Core functions throwing exceptions in PHP7 From: scott@paragonie.com (Scott Arciszewski) On Fri, Jul 31, 2015 at 6:34 PM, Ferenc Kovacs wrote: > > On Tue, Jul 14, 2015 at 11:04 PM, Sammy Kaye Powers wrote: > > > Hello lovely PHP nerds, > > > > There are two open PR's for PHP7 to modify the behavior of the CSPRNG's= : > > > > https://github.com/php/php-src/pull/1397 (main discussion) > > https://github.com/php/php-src/pull/1398 > > > > Currently the random_*() functions will issue a warning and return fals= e if > > a good source of random cannot be found. This is a potential security h= ole > > in the event the RNG fails and returns false which gets evaluated as 0 = in a > > cryptographic context. > > > > To prevent this exploit the proposed behavior will throw an Exception w= hen > > the RNG fails or certain argument validation fails. This also gives the > > developer a graceful way to fall back to an alternate CSPRNG. > > > > Since the core functions in PHP don't throw Exceptions, there is debate= on > > whether or not this change should be implemented. Some say the CSPRNG's > > should get a special pass since they will be relied on for cryptography= . If > > we can't throw Exceptions, there were suggestions of raising a fatal er= ror > > if the RNG fails. > > > > I think the argument can be boiled down to consistency vs security. We'= d > > love to hear your feedback to decide what we should do in this context.= :) > > > > Thanks, > > Sammy Kaye Powers > > sammyk.me > > > > Chicago, IL 60604 > > > > I would vote for E_WARNING and return false. > This can be wrapped in an oop wrapper in userland if somebody prefers and > exception but would still keep the procedural style as first class citize= n. > Plus this would be consistent with other security/crypto related errors > like mcrypt_encrypt() getting an invalid key/iv > Nikita, Anthony what do you think? > > -- > Ferenc Kov=C3=A1cs > @Tyr43l - http://tyrael.hu Your vote is for apps to be insecure by default. > This can be wrapped in an oop wrapper in userland if somebody prefers and > exception but would still keep the procedural style as first class citize= n. Nobody's going to do that though. The end result is going to be less security because of a cargo cult devotion to consistency. This should be secure by default. The most secure way for an RNG to fail is to interrupt the application. This means: * E_ERROR * throw new Exception (or a subclass) * throw new Error (or a subclass) Exceptions and Errors have the advantage that a developer who wants to go out of their way to handle them can simply do this: function randomPassword($length, $alphabet =3D 'abcdefghijklmnopqrstuvw= xyz') { $sizeOfAlphabetMinusOne =3D strlen($alphabet) - 1; try { for ($i =3D 0; $i < $length; ++$i) { $password .=3D $alphabet[random_int(0, $sizeOfAlphabetMinus= One)]; } } catch (Error $e) { return $this->framework->stylizedErrorMessage("RNG failure message here"); } return $password; } Care to guess what returning false will do for $password? Any cryptography-related implementation needs to fail closed, not fail open= . By raising E_WARNING and returning false, you are placing an extra responsibility on the developer. Or as Daniel J. Bernstein would put it, YOU ARE BLAMING THE IMPLEMENTOR. Ask any competent application security expert, they'll back me up. Don't enforce insecure defaults just because it's more "consistent". Consistency is important, sure, but security is MORE important. Also, death to libmcrypt: https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-c= ode-you-re-doing-it-wrong Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises