Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94402 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 83371 invoked from network); 6 Jul 2016 12:10:39 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 6 Jul 2016 12:10:39 -0000 Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.15.15 as permitted sender) X-PHP-List-Original-Sender: cmbecker69@gmx.de X-Host-Fingerprint: 212.227.15.15 mout.gmx.net Received: from [212.227.15.15] ([212.227.15.15:63444] helo=mout.gmx.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 3E/02-63547-C35FC775 for ; Wed, 06 Jul 2016 08:10:37 -0400 Received: from [192.168.2.103] ([217.82.227.154]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0M6AbC-1bW6Zt09BC-00y6pd; Wed, 06 Jul 2016 14:10:11 +0200 To: Yasuo Ohgaki , Christoph Becker References: Cc: Leigh , Pierre Joye , Dan Ackroyd , PHP internals , Stanislav Malyshev Message-ID: <9e874892-d682-1c0d-77ad-21d5b44ce25b@gmx.de> Date: Wed, 6 Jul 2016 14:10:08 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:QD+RnMZdsZsIps1WpZnqAYH7/1+kCDoYJNSlA84v9JsAbIel4+o TlaYQfTIlGJ08EAvl2zRnb7oTjWcphY45T7uJu3sZSvtT4XaQ3pt7bwSWVJw7Xy3w5D7uBX YmWDSFRWumyY6tO05DLXRkVaQFJ3ZmrV5yPxxq9KuXcvtbXT0vC5t/GXBamJ9auvcLEx72w B1ctvirJlnp+7hGSb27IA== X-UI-Out-Filterresults: notjunk:1;V01:K0:3MR0LS8hz7A=:vOOV0Avts6SJnjzX/3pfP6 olNiCXVBNGJ0EVhXvUNZdzbgZmWrd2uPdrvC7OHoB0pEkfsKz4/kn0yj0EfN5CGAVVlWurLxz o13tHOaOiZPi8vU1mDe39kRasqUUxLDyDEZOZMC5nJ4Z4faK5+2cCpYPsXHY/DvQD6qE6fOkC Law3RF0bWPsQDuabnNxtT4h1iONX7ZITBHeNwF37vRlP7g29zQZCm0xTXBuplo+657nqeNx5P qH6c2Pqcjhc6tflTarsuR1nosmQv6/zXAuZpJnfVHstk4sg526ZJoUJNlLTfGq5PM8BKHTNQ4 eXA5IpYPSb0cb/1oT8IZ9HlnYBsyFxwVl9xxgTcyWH//wWP0sai6d/Ceo7cZsiFrqDz5Zh4xn fGFWwLL8f8Q/qkUdusTBrRJWRIUKKMzcUB5cJfnzbwWFQ7iU+qzq2UwcKfqarw90+6vxxEsBc 9IomhaWzGAtunK60jr0VaXIjEgFWg/oTfYrNqQes3CoheTrHeRkObsnr6Qr2Rmj2IuXPjUXo9 zb+HOXoWT3Nk/epjiEbZmkLC/mctMOW1Fs57cgf2DELm08zXRfg818mIewCdjw2JhMylSGLot d5y3LOCkCd3cnWA2AG/uVXoUKStat672cO7+SGAadi7aob1K5RaZrGIQAY+ciBpe221mA/ILX SU68hrioerQo9MgTtbdgPN8IIUAX7rxUpv3dQZk3XyvzvilH/HnvxWAtlgNdUzRbtVlCf+DMt srdlP/lr4FNmFK485ihjFTzBDC5KS1nidtBz4ehbpKRmQgc+K671eh3yF9/xsGT1B30IHQ2iu SvjuV7r Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing From: cmbecker69@gmx.de (Christoph Becker) Hi Yasuo! On 06.07.2016 at 03:51, Yasuo Ohgaki wrote: > > On Wed, Jul 6, 2016 at 12:37 AM, Christoph Becker wrote: >> On 05.07.2016 at 16:32, Leigh wrote: >> >>> On 5 July 2016 at 04:02, Pierre Joye wrote: >>>> We can argue about the provided pnrng being CS but it is not php's job to >>>> decide. >>> >>> I think we need to drop the concerns about exposing "RNG state". >>> >>> A reminder of what php_random_bytes looks at (in order): >>> * CryptGenRandom on Windows >>> * arc4random_buf on modern BSD (where ChaCha20 is used) >>> * Linux getrandom(2) syscall where available >>> * /dev/urandom where available >>> * Throws an exception if it cannot access one of the above >> >> Would that imply that in this latter case sessions couldn't be used >> anymore? What would be the fallback in that case? From a quick glance >> at the current PR there appears to be none! > > It relies on php_random_bytes() defined in ext/standard/random.c > Current PHP does not build without decent PRNG. The patch uses > php_random_bytes() simply. Yes, I am aware that the patch uses php_random_bytes(), but what happens when it fails, in which case php_session_create_id() returns null[1]? Would it be impossible to use a session in this case? [1] -- Christoph M. Becker