Newsgroups: php.internals
Date: Tue, 5 Jul 2016 17:37:40 +0200
From: cmbecker69@gmx.de (Christoph Becker)
To: Leigh, Pierre Joye
Cc: Yasuo Ohgaki, danack@php.net, PHP internals, Stanislav Malyshev
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing

On 05.07.2016 at 16:32, Leigh wrote:

> On 5 July 2016 at 04:02, Pierre Joye wrote:
>> We can argue about the provided pnrng being CS but it is not php's job to
>> decide.
>
> I think we need to drop the concerns about exposing "RNG state".
>
> A reminder of what php_random_bytes looks at (in order):
> * CryptGenRandom on Windows
> * arc4random_buf on modern BSD (where ChaCha20 is used)
> * Linux getrandom(2) syscall where available
> * /dev/urandom where available
> * Throws an exception if it cannot access one of the above

Would that imply that in this latter case sessions couldn't be used
anymore? What would be the fallback in that case? From a quick glance
at the current PR there appears to be none!

--
Christoph M. Becker
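The question above turns on what a session-ID generator does when the last entry of the quoted list is reached. As an added example (not part of the original message and not php-src code), this Linux-only C sketch follows the getrandom(2), /dev/urandom, then failure order and returns an error instead of substituting a weaker generator. The names `fill_random` and `make_session_id` and the parameters `try_syscall` and `dev_path` are hypothetical, introduced only so the failure path can be exercised.

```c
/* Added example, not php-src code: getrandom(2), then /dev/urandom, then fail. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper. try_syscall and dev_path exist only so the failure
 * path can be exercised. Returns 0 on success, -1 if no source delivers. */
int fill_random(unsigned char *buf, size_t n, int try_syscall, const char *dev_path) {
    size_t got = 0;
#ifdef SYS_getrandom
    while (try_syscall && got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, 0);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;            /* e.g. ENOSYS: fall through to the device */
        got += (size_t)r;
    }
#endif
    if (got == n) return 0;
    int fd = open(dev_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) break;            /* error or EOF: not enough bytes */
        got += (size_t)r;
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* Hypothetical session-ID builder; hex must hold 2*nbytes+1 chars. On failure
 * it returns -1 with an empty string and never uses time, pid or rand(). */
int make_session_id(char *hex, size_t nbytes, int try_syscall, const char *dev_path) {
    static const char digits[] = "0123456789abcdef";
    unsigned char raw[64];
    hex[0] = '\0';
    if (nbytes == 0 || nbytes > sizeof raw) return -1;
    if (fill_random(raw, nbytes, try_syscall, dev_path) != 0) return -1;
    for (size_t i = 0; i < nbytes; i++) {
        hex[2 * i] = digits[raw[i] >> 4];
        hex[2 * i + 1] = digits[raw[i] & 0x0f];
    }
    hex[2 * nbytes] = '\0';
    return 0;
}
```

A caller that receives -1 has no session ID at all, which is the "no fallback" situation the message asks about: the request has to be refused or served without a session.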