Newsgroups: php.internals
From: fsb@thefsb.org (Tom Worster)
Date: Tue, 5 Jul 2016 13:00:01 -0400
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing
To: Christoph Becker
Cc: Yasuo Ohgaki, PHP internals

On 7/5/16 11:37 AM, Christoph Becker wrote:
> On 05.07.2016 at 16:32, Leigh wrote:
>
>> On 5 July 2016 at 04:02, Pierre Joye wrote:
>>> We can argue about the provided pnrng being CS but it is not php's job to
>>> decide.
>>
>> I think we need to drop the concerns about exposing "RNG state".
>>
>> A reminder of what php_random_bytes looks at (in order):
>> * CryptGenRandom on Windows
>> * arc4random_buf on modern BSD (where ChaCha20 is used)
>> * Linux getrandom(2) syscall where available
>> * /dev/urandom where available
>> * Throws an exception if it cannot access one of the above
>
> Would that imply that in this latter case sessions couldn't be used
> anymore?

I hope so. It's not safe to use sessions if PHP cannot get unpredictable randoms for session IDs. PHP should therefore error so that the sys op can be alerted and fix the problem.

Tom
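The fail-closed behaviour discussed in this message, as an added example that is not part of the original email and is not PHP's own source: a Linux-only sketch of the getrandom(2) then /dev/urandom steps from the quoted list, returning an error instead of a weaker ID when neither source works. The names `csprng_bytes` and `new_session_id` are hypothetical.

```c
/* Added example. csprng_bytes/new_session_id are hypothetical names, not PHP's. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with n bytes from the kernel CSPRNG. Returns 0 on success, -1 if
   no secure source is usable. There is deliberately no weaker fallback. */
int csprng_bytes(unsigned char *buf, size_t n)
{
    size_t got = 0;
#if defined(__linux__) && defined(SYS_getrandom)
    while (got < n) {
        long r = syscall(SYS_getrandom, buf + got, n - got, 0);
        if (r > 0) { got += (size_t)r; continue; }
        if (r < 0 && errno == EINTR) continue;   /* interrupted: retry */
        break;                  /* ENOSYS or other error: try /dev/urandom */
    }
    if (got == n) return 0;
#endif
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) { got += (size_t)r; continue; }
        if (r < 0 && errno == EINTR) continue;   /* interrupted: retry */
        break;                  /* EOF or hard error */
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* Write a hex session ID of 2*nbytes characters plus NUL into out.
   Returns 0 on success. On failure out is empty and the caller must refuse
   to start the session rather than fall back to a predictable ID. */
int new_session_id(char *out, size_t outlen, size_t nbytes)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[64];
    if (outlen) out[0] = '\0';
    if (nbytes == 0 || nbytes > sizeof raw || outlen < 2 * nbytes + 1) return -1;
    if (csprng_bytes(raw, nbytes) != 0) return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return 0;
}
```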