Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Anthony Ferrara, "internals@lists.php.net"
Date: Sun, 18 Oct 2015 16:48:54 -0700
Message-ID: <56242FE6.10000@gmail.com>
Subject: Re: [PHP-DEV] Password_hash salt generation refactor

Hi!

> With PHP 7 comes random_bytes and random_int. This duplicates some of
> the logic internally that password_hash uses to generate its salt.
>
> I would like to refactor this to unify generation. I've opened a PR
> against master: https://github.com/php/php-src/pull/1585
>
> I don't feel comfortable pulling against 7 this far into RC status.
> Perhaps wait until after it goes gold? Or should this target 7.1? It's

If functionality does not change and it's just internal refactoring not
breaking BC (both language and binary) then it can go into 7.0.x. From
what I can see, it is pretty unintrusive, so I wouldn't mind too much
even getting it into 7.0 but that's on RM to decide.

In fact, at least making php_random_bytes() public API should be in 7.0
as that makes for much less compatibility problems for extensions later.
Generally speaking, having a public random generating function sounds like
a very prudent thing, even if we end up not merging the rest of the
patch into 7.0.

> not a big deal in either direction. Though it does add a side-effect,
> where if it can't gather enough entropy it will throw an exception and
> return failure (where prior it would simply make a "best effort".

From what I can see, the system that can't return enough random bytes
for what php_random_bytes() wants is deeply fubar, so in this scenario
failing fast is the best option.

--
Stas Malyshev
smalyshev@gmail.com
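
The trade-off discussed in this message, shown as an added example that is not part of the original email or of php-src: a fail-fast salt routine next to a "best effort" one. The function names, the 16-byte salt length, the device-path parameter and the seeded `rand()` fallback are assumptions made for illustration, not the code in the PR.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SALT_LEN 16

/* Read exactly len bytes from the device at path: 0 on success, -1 otherwise. */
static int read_random(const char *path, unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Fail fast: no salt unless the random source delivered every byte. */
int salt_fail_fast(const char *path, unsigned char *salt)
{
    if (read_random(path, salt, SALT_LEN) == 0)
        return 0;
    memset(salt, 0, SALT_LEN); /* never hand back partial data */
    return -1;
}

/* "Best effort": always reports success, silently using a seeded PRNG. */
int salt_best_effort(const char *path, unsigned char *salt, unsigned int seed)
{
    size_t i;
    if (read_random(path, salt, SALT_LEN) == 0)
        return 0;
    srand(seed); /* hypothetical stand-in for a weak fallback */
    for (i = 0; i < SALT_LEN; i++)
        salt[i] = (unsigned char)(rand() & 0xff);
    return 0;
}

int main(void)
{
    unsigned char a[SALT_LEN], b[SALT_LEN];
    const char *broken = "/nonexistent/urandom"; /* constructed failure case */
    printf("fail-fast, /dev/urandom: %d\n", salt_fail_fast("/dev/urandom", a));
    printf("fail-fast, broken:       %d\n", salt_fail_fast(broken, a));
    salt_best_effort(broken, a, 1u);
    salt_best_effort(broken, b, 1u);
    printf("best-effort salts equal: %d\n", memcmp(a, b, SALT_LEN) == 0);
    return 0;
}
```

With the random source broken, the best-effort routine still returns success, and two calls with the same seed produce the same salt, so the caller cannot tell that the salt is predictable. The fail-fast routine surfaces the error instead.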