Newsgroups: php.internals
Date: Tue, 14 Jun 2016 17:20:03 -0400
Subject: Re: [PHP-DEV] [RFC] RNG fixes
From: scott@paragonie.com (Scott Arciszewski)
To: Davey Shafik
Cc: Christoph Becker, Leigh, PHP Internals

On Tue, Jun 14, 2016 at 3:56 PM, Davey Shafik wrote:

> On Tue, Jun 14, 2016 at 20:13 Fleshgrinder wrote:
>
> > On 6/14/2016 8:56 PM, Christoph Becker wrote:
> > > Yes, I'm aware of that, and that change isn't an issue for me (except
> > > maybe that it might happen in a minor version). I was responding to
> > > Richard (Fleshgrinder) who suggested to remove rand() and mt_rand()
> > > altogether, because there is random_int().
> > >
> >
> > I understood how you mean it. :)
> >
> > Call me ignorant but is this required in typical web applications?
> > Couldn't we move this functionality to PECL? I mean, it is required in
> > games but other than that.
> >
> > Please correct me if that is wrong!
> >
> > --
> > Richard "Fleshgrinder" Fussenegger
> >
> >
> I think as this is a BC break it should require the 2/3 majority. I do
> support fixing the RNGs though.
>
> Have you done any checks on GitHub etc to see how widespread this usage is?
> I'd like to get some data on that too.
>

I don't have data, but a word of caution: Don't grep legacy crypto libraries for use of rand() or mt_rand() for key/IV generation if you want to feel any sense of optimism. Speaking from experience here! ;)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
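
An added example (not part of the original message and not code from PHP or any participant): a small Python audit script that flags rand()/mt_rand() calls and their seeders in PHP source, and raises the severity when a neighbouring line mentions key, IV, salt, token or similar. The keyword list, the one-line context window and the sample PHP snippet are assumptions constructed for illustration.

```python
import re

# Calls to PHP's non-cryptographic generators and their seeders. The
# lookbehind skips array_rand(), $obj->rand(), Foo::rand() and $rand().
WEAK_CALL = re.compile(r"(?<![\w>:$])(mt_rand|rand|mt_srand|srand)\s*\(")
# Assumed heuristic: identifiers that suggest secret material.
SECRET_HINT = re.compile(
    r"key|(?<![a-z])iv(?![a-z])|salt|token|nonce|secret|passw", re.I)


def strip_comments(line):
    """Drop // and # line comments (heuristic: ignores string literals)."""
    return re.split(r"//|#", line, maxsplit=1)[0]


def audit(php_source, context=1):
    """Return (line_no, function, severity) for every weak RNG call.

    Severity is "high" when the call's line or `context` lines around it
    hint at key/IV/token generation, otherwise "review".
    """
    lines = [strip_comments(l) for l in php_source.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        for m in WEAK_CALL.finditer(line):
            window = " ".join(lines[max(0, i - context): i + context + 1])
            sev = "high" if SECRET_HINT.search(window) else "review"
            findings.append((i + 1, m.group(1), sev))
    return findings


# Constructed sample resembling the legacy pattern described above.
SAMPLE = r'''<?php
// constructed sample resembling legacy crypto code
function make_iv($size) {
    $iv = '';
    for ($i = 0; $i < $size; $i++) {
        $iv .= chr(mt_rand(0, 255));
    }
    return $iv;
}
$dice = rand(1, 6);
$pick = array_rand($colours);
$key = random_bytes(32); // CSPRNG, not flagged
'''

if __name__ == "__main__":
    for line_no, func, severity in audit(SAMPLE):
        print(f"line {line_no}: {func}() [{severity}]")
```

Findings marked "high" are the ones to replace with random_bytes() or random_int() first; "review" findings need a human to decide whether the value is security-relevant.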