Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:93959 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 12834 invoked from network); 14 Jun 2016 16:46:14 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 14 Jun 2016 16:46:14 -0000 Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.46 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.215.46 mail-lf0-f46.google.com Received: from [209.85.215.46] ([209.85.215.46:36594] helo=mail-lf0-f46.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id DE/52-34398-4D430675 for ; Tue, 14 Jun 2016 12:46:13 -0400 Received: by mail-lf0-f46.google.com with SMTP id q132so70426340lfe.3 for ; Tue, 14 Jun 2016 09:46:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=ExwrF2VcTopsIjrWjQLfRnBqCpd0J/KM5/sPGTQ0tZs=; b=FLGSPAJvzMZ/9A3YnwyFLcXiJiSXFoQzY2KbXHSpWfUvLfr2zjmlih7hTH87Atx8fU 3V2OWAFVtUXRdEpbrbyuGIfHiVfrAsKtAqArQHG8ubRf2QmQoIJCrjGBx9ltwY7jMcHX xexOSkQiDMU+DGXVfk9Kiw2X/IjgfsLhuJY7gEqZj8c8mu8BZpd6ZzN9kCaA8cdZkYz/ NZ9KEvT8Mahdh5wPBl1yrfQ96vJWH9uSXj5qdnHSZksXgFzEWOii8dPNOocsT5l86hLQ Jhswbf4F8+FPh5pUCfHjd4sUq4rGnZcWG/ihvR0COP7B7/mz4GayWAt/hq1Mo1CJiXjq pp6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ExwrF2VcTopsIjrWjQLfRnBqCpd0J/KM5/sPGTQ0tZs=; b=Hz0gZg5uKa+UWjaY9Uz6O/vkeBW3hVLLqsegAb6sMOd173tm9SnBPINIUM20FOd+EM JLBERW/Tz4vJjfZFIFKtgTgHaXepmokbNWVo+RlgG36UHCdbETjXrGGkBrq4QZy1H5LC GyHS+cVCvxTOgWonOxPKf+PjAquf6CRhB2uW5u+sNDXdGqv2ffUAlHyXTApd2hZNsZs0 9s9Md1Is4em4KU60Kkgcz66FBPZo+0j6tdQpUpTWzKgkIhI71Yv9afE+LL2RfSIBu/yp XGHHHfvkcG/o9gPTeiOEqMgf6u52RKoLQU0p6EKveKGUdJNJA20VP1cnzWvdDRnRni4t S8ng== X-Gm-Message-State: ALyK8tIQr6PiK/uDaMfhAZ+RNfLB4uP1pXr4jj8b56sHeJ3+ubdwVKQDobSxR/Fbj0imeZMYS/DFERlSYBS9uA== X-Received: by 10.25.210.20 with SMTP id j20mr303612lfg.139.1465922770312; Tue, 14 Jun 2016 09:46:10 -0700 (PDT) MIME-Version: 1.0 Date: Tue, 14 Jun 2016 16:46:00 +0000 Message-ID: To: internals@lists.php.net Content-Type: multipart/alternative; boundary=001a114003c6fe236105353fbde0 Subject: [RFC] RNG fixes From: leight@gmail.com (Leigh) --001a114003c6fe236105353fbde0 Content-Type: text/plain; charset=UTF-8 Hey Internals, I realise I'm cutting it close with this one, but I want to propose some changes to our standard random number generators. The downside of this proposal is that our RNGs (rand() and mt_rand()) are seedable and reproduce identical streams (platform dependant) for any given seed. However their implementations are broken or inconsistent, so we need to weigh up the cost of changing these sequences versus having solid implementations. It is my opinion that if we are going to make any changes to these functions, we should make all of the changes at the same time and avoid any future disruption to their output. The RFC contains a few proposals, some of them depend on each other while others are standalone. Throughout the discussion phase I hope to reduce the number of proposals down to a consensus we can vote on in two weeks time. I will release a patch when I have a better feeling for the direction we want to take. The issues I want to bring up for discussion are. * Replacing mt_rand() and rand() to a strong, modern RNG. * Alternatively, fixing the current mt_rand() implementation to make it standard * Aliasing rand() to mt_rand() to improve output and cross-platform support * Fixing RAND_RANGE for large ranges. * Replacing insecure uses of php_rand() with php_random_bytes() * Making the array_rand() algorithm more efficient The RFC can be found here: https://wiki.php.net/rfc/rng_fixes If anyone knows of other fixes that should be made at the same time but I have overlooked, please let me know so I can get them included. Regards, Leigh. --001a114003c6fe236105353fbde0--