Newsgroups: php.internals
From: php@fleshgrinder.com (Fleshgrinder)
To: Leigh, internals@lists.php.net
Date: Tue, 14 Jun 2016 19:45:29 +0200
Subject: Re: [PHP-DEV] [RFC] RNG fixes

On 6/14/2016 6:46 PM, Leigh wrote:
> The issues I want to bring up for discussion are.
>
> * Replacing mt_rand() and rand() to a strong, modern RNG.
> * Alternatively, fixing the current mt_rand() implementation to make it standard
> * Aliasing rand() to mt_rand() to improve output and cross-platform support
> * Fixing RAND_RANGE for large ranges.
> * Replacing insecure uses of php_rand() with php_random_bytes()
> * Making the array_rand() algorithm more efficient
>
> The RFC can be found here: https://wiki.php.net/rfc/rng_fixes
>

Why do we need so many functions to get a random int anyways if we now
have random_int()? I would like to see all of them deprecated and
removed in PHP 8.0.

- crypt() -> password_hash()
- rand() -> random_int()
- mt_getrandmax() -> PHP_INT_MAX
- mt_rand() -> random_int()
- mt_srand() -> -
- shuffle() -> array_shuffle()*
- srand() -> -

Mcrypt is meant to be replaced anyways and OpenSSL might be too if we
can come up with a nicer implementation that actually hides the
underlying library (e.g. sodium).

* Directly fix the name and get rid of the reference:
array_shuffle(array $array, int $num = 1): array

I do not see a problem to change array_rand(), array_shuffle(), nor
str_shuffle() since their output should be random anyways.

--
Richard "Fleshgrinder" Fussenegger