Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93426
Return-Path: <scott@paragonie.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 65010 invoked from network); 21 May 2016 20:46:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 21 May 2016 20:46:17 -0000
Authentication-Results: pb1.pair.com header.from=scott@paragonie.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=scott@paragonie.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain paragonie.com designates 209.85.218.47 as permitted sender)
X-PHP-List-Original-Sender: scott@paragonie.com
X-Host-Fingerprint: 209.85.218.47 mail-oi0-f47.google.com  
Received: from [209.85.218.47] ([209.85.218.47:34449] helo=mail-oi0-f47.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C6/D5-23824-819C0475 for <internals@lists.php.net>; Sat, 21 May 2016 16:46:16 -0400
Received: by mail-oi0-f47.google.com with SMTP id b65so82997402oia.1
        for <internals@lists.php.net>; Sat, 21 May 2016 13:46:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paragonie-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:date:message-id:subject:from:to;
        bh=qEfHxliNkbFETqRRhRdLKhzKzt1IGyearcR35RceKTQ=;
        b=HDUaoVMbV56UhEe2oP1gQW/lIqX8ATEXNvNeOH4LhAFmQbwSJE99TUMO3iPicHd1Fo
         /CqMz0OQtr8YgSrmTLhwR8+A14GofgJw9em+7yX7lIR9/pfXjFl7gHPudw6Eclk83taU
         bw8yiku7Jo4SNLAtnmLDyh+HPRK85vETBMOMQfV275VnJg0D4AXejRZKvqP48cDqaSGu
         Mr7NnnVMKxCdUBnkaJN0Bc24/el7HZ9O7OijI85JJ/9jBRTlb/yoTL0oSdcX8QNKfd5m
         y9BGYmD9tnBNBqnItpAou+WpzPZ9ettyMnsMx90E0852yJ2czkgoWcsfpn9SE656AFF/
         cYOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to;
        bh=qEfHxliNkbFETqRRhRdLKhzKzt1IGyearcR35RceKTQ=;
        b=PAPT79yt1Ec++cRGfVc+LXZlvD+q+zR7q7y6TNIel2nvyWrp0s3/0xL0SNwNfEgEX6
         Gd0oXxXLP+qeWlw8aQyr3LjexV3V5iNwn38otTwf4kMDBc6tmLktYo/cwhs4jhBAbqhP
         61IPrtyHytYMJnEVMJt6knxqDbjb20o+fWQtVYLGfwM0x15oo+pqiHrxa95A5BnnDp+E
         TTbKDpjTpOeubK+kiHPUmbABAG+6VI7r/6sLGL5E7zFAE5yZtV3H2UAkB9nhLlcxJzMa
         gXmWshEazp+iiqKeK9Ukh1lA874qTnJVQ9xNkbIrasyRjxDGdKATrredpt0ya4Zzp7m+
         YsNg==
X-Gm-Message-State: AOPr4FWnYnJQgLW7uKVNM9gMCA87NtnMcLrAXYl6qNVA2lNV0c0naiOGbSG/NkxQHRskruh7V0mSXbcYDjFyFQ==
MIME-Version: 1.0
X-Received: by 10.202.171.13 with SMTP id u13mr4727294oie.77.1463863573799;
 Sat, 21 May 2016 13:46:13 -0700 (PDT)
Received: by 10.157.10.12 with HTTP; Sat, 21 May 2016 13:46:13 -0700 (PDT)
Date: Sat, 21 May 2016 16:46:13 -0400
Message-ID: <CAKws9z2y1_0GUecbJmjzH8cBf32NDq9OUwP_0w8edMiEF+wzBA@mail.gmail.com>
To: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113cdcee5105a40533604ca3
Subject: PHP 7 CSPRNG - block on /dev/random?
From: scott@paragonie.com (Scott Arciszewski)

--001a113cdcee5105a40533604ca3
Content-Type: text/plain; charset=UTF-8

Question: Is there a nonzero chance of a PHP application running at boot
time on an older GNU/Linux machine? If so, should we adopt this "unseeded
CSPRNG" mitigation employed by libsodium for ancient Linux kernels?

https://github.com/jedisct1/libsodium/issues/374
https://github.com/jedisct1/libsodium/commit/c752eb55d9e9992bc38e7790128953427aa0a89f

This could be done as a security patch for PHP 7.0.x if there's any concern
about startup entropy e.g. on embedded devices.

I'm not aware of any such projects being written in PHP, so my intuition is
this is a non-issue for us.

Regards,

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

--001a113cdcee5105a40533604ca3--