Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94387 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 12145 invoked from network); 5 Jul 2016 14:32:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Jul 2016 14:32:06 -0000 Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.67 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.215.67 mail-lf0-f67.google.com Received: from [209.85.215.67] ([209.85.215.67:33961] helo=mail-lf0-f67.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 10/E4-14106-5E4CB775 for ; Tue, 05 Jul 2016 10:32:05 -0400 Received: by mail-lf0-f67.google.com with SMTP id l102so7574675lfi.1 for ; Tue, 05 Jul 2016 07:32:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=OMbv+xn4lu0CreELGGXIbpwgxsHdKBNFG0AvNk/l7io=; b=GCS6WjDwg48fkzYXTL8/oMIHss2cS2ShGtGUmiJ4cAIBHFa746XNWeJW5XjFm6lwEm XTy8OHlylXIfZ3R+GlUXr8ZtcMtP6yFxExTZhndHKmlS92a5TcyNPymRgJKZBOOeBarA 9sxEXv8ibsNoytklAHm8/GjJEnRloq0WGBFsCRYsWh9pOsCcFeOdN7vyZrhMc9Q2yysR zxNvnIIf2Z2LwEDA//hGjquprGg3RZk80fMNR04ziuY2yxaMGTgDGoVyk/pq6+/pXOYe UIsHzAmOXnlw9Lqv9eDtJi1Nuw0eCft7igBQOQE2kT3Npz2LaXpQwl/njAbknIefe1/i K8JA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=OMbv+xn4lu0CreELGGXIbpwgxsHdKBNFG0AvNk/l7io=; b=OiiOQZArLmDPu4rAik3dfx5cpPq61yIhvzDaBwENEggNNv/R87oVT9jRE/xYD121GI +Wn/KFEv1CvrJv0jIUUk5JSNm35tTqfxWHjx3PCFqKCo3C1kYtAcWOnYPsscFVfW+nPB omlGaU8fyD/MMtqGzxcERxQ8RXWOh6JRznTLdLhbZrnGOfHgn0w77x1CVytDwt040ehd eHJ9xzDekg3elW4S3GOXBjUg2Eqsj2b+iHMLz7GQRcK7GxsCr9NtxqfyJKXB2MJhgBHh BMxPubU5yVw/EgS9ljK/i4Gw+roRLRZG3/xkFC02cnM5M6S4MKw2/TMyNzNwJAlIXsa4 ynCA== X-Gm-Message-State: ALyK8tIv4AhUP3BrfriBK/gpYiljhI8qpURG9VbRSMepjC4A1htTFhdbQ+EJ1adV9BHH6Yl9x3gSmqJUSURSNg== X-Received: by 10.46.33.193 with SMTP id h62mr4413772lji.41.1467729122363; Tue, 05 Jul 2016 07:32:02 -0700 (PDT) MIME-Version: 1.0 Received: by 10.25.27.77 with HTTP; Tue, 5 Jul 2016 07:32:01 -0700 (PDT) In-Reply-To: References: Date: Tue, 5 Jul 2016 15:32:01 +0100 Message-ID: To: Pierre Joye Cc: Yasuo Ohgaki , danack@php.net, PHP internals , Stanislav Malyshev Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing From: leight@gmail.com (Leigh) On 5 July 2016 at 04:02, Pierre Joye wrote: > We can argue about the provided pnrng being CS but it is not php's job to > decide. I think we need to drop the concerns about exposing "RNG state". A reminder of what php_random_bytes looks at (in order): * CryptGenRandom on Windows * arc4random_buf on modern BSD (where ChaCha20 is used) * Linux getrandom(2) syscall where available * /dev/urandom where available * Throws an exception if it cannot access one of the above If these are weak RNGs on your system, YOUR SYSTEM is broken. They are all designed to be cryptographic quality. If people are unconvinced we can temper the values with a secondary RNG, but there is absolutely no need to generate session IDs using a slow hashing algorithm. For the record, I am +1 on removing hashing, -1 on the _other_ changes in this RFC