Newsgroups: php.internals
Xref: news.php.net php.internals:97847
Mailing-List: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: Improving mt_rand() seed
From: nikita.ppv@gmail.com (Nikita Popov)
Date: Wed, 18 Jan 2017 02:22:20 +0100
To: Yasuo Ohgaki
Cc: Lauri Kenttä, internals@lists.php.net
References: <71c26cd6df6f59e76dafd31647852c2e@koti.fimnet.fi> <142a3537a99809cf23d78e0eaadc3aef@gmail.com> <7a359bb08b0ad8b046534c15492cec91@gmail.com>

On Wed, Jan 18, 2017 at 1:44 AM, Yasuo Ohgaki wrote:
> Hi Lauri,
>
> On Tue, Jan 17, 2017 at 11:59 PM, Lauri Kenttä wrote:
>
> > On 2017-01-17 16:18, Lauri Kenttä wrote:
> >
> >> On 2017-01-17 02:34, Yasuo Ohgaki wrote:
> >>
> >>> Set state somewhere between MT rand's 2^19937−1 cycle.
> >>
> >> This is exactly what my patch does.
> >
> > Or, to be honest, my patch provides 2^19936 possible states,
> > which should be more than enough.
> >
> > To get all 2^19937−1, you would need to get one more bit of
> > entropy (2^19936 to 2^19937) and then check that the state is
> > not all zeros (which is the −1 in 2^19937−1). That's certainly
> > not worth the trouble, so I just set that one "extra" bit to 1.
> > (MT doesn't work if the state is all zeros.)
> >
>
> Sorry for sloppy patch reading.
> Your patch initializes the whole BG(state) buffer by php_random_bytes().
> This should be good enough.
> I'll merge this patch.
>
> This better automatic initialization should be included in 7.0 and up.
> mt_rand() will be a lot stronger against dictionary attacks.
> Any comments, RMs?

The patch initializes the full MT state vector, approximately 2.5KB of memory, from a CSPRNG. To put this into perspective, 16 bytes are generally considered to be sufficient for cryptographic keying material. Does this seem somewhat disproportionate?

Additionally, the patch has the same concern that has already been mentioned in the uniqid() thread more than once: If a CSPRNG is not available, this will make mt_rand() throw. While this is an unusual situation that should not occur in a well-configured system, this is still not acceptable.

If you wish to introduce this change, please follow the usual procedure of submitting a PR, getting it reviewed by the relevant people and only merging it once it has been approved (or even better, just leave merging to someone else). I recommend doing this for any non-trivial change.

For the record, I am generally in favor of seeding MT rand from CSPRNG. It doesn't really cost us anything and it will make it significantly harder to exploit code that uses mt_rand() inappropriately, especially for cases where mt_rand() is only called rarely within a single request.

Nikita
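The following is an added example, not part of this thread, of Lauri Kenttä's patch, or of php-src. It shows, in a stand-alone MT19937 implementation (following the published mt19937ar algorithm), what the two seeding strategies under discussion look like side by side: the classic single 32-bit seed expansion, and filling the entire 624-word state (2496 bytes, the roughly 2.5KB Nikita mentions) from CSPRNG bytes with one bit pinned to 1 so the unusable all-zero state cannot occur. Which bit is pinned is an assumption; the thread only says "one extra bit". The /dev/urandom reader reports failure to the caller with a return code instead of aborting, so the policy for a missing CSPRNG (the point in dispute above) stays with the caller.

```c
/* Added example: full-state MT19937 seeding from CSPRNG bytes, with the
 * all-zero-state guard. Not php-src code; MT19937 per Matsumoto & Nishimura. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MT_N 624
#define MT_M 397
#define MT_STATE_BYTES (MT_N * 4)   /* 2496 bytes, the ~2.5KB state vector */

struct mt19937 {
    uint32_t s[MT_N];
    int idx;            /* next word to output; MT_N forces a twist first */
};

/* Classic seeding (mt19937ar init_genrand): one 32-bit seed is expanded
 * into the state, so only 2^32 distinct output streams are reachable. */
void mt_seed_classic(struct mt19937 *g, uint32_t seed) {
    g->s[0] = seed;
    for (int i = 1; i < MT_N; i++)
        g->s[i] = 1812433253u * (g->s[i - 1] ^ (g->s[i - 1] >> 30)) + (uint32_t)i;
    g->idx = MT_N;
}

/* 1 if every state word is zero; MT19937 then outputs zeros forever. */
int mt_state_is_zero(const struct mt19937 *g) {
    for (int i = 0; i < MT_N; i++)
        if (g->s[i]) return 0;
    return 1;
}

/* Load the whole state from exactly MT_STATE_BYTES CSPRNG bytes (little-endian
 * words); returns -1 on any other length. The top bit of word 0 is pinned to 1
 * (assumption: the thread does not say which bit). The low 31 bits of word 0
 * are not part of the 19937-bit state and are discarded by the first twist, so
 * this costs exactly the one bit of entropy the thread mentions and rules out
 * the all-zero state. */
int mt_seed_from_bytes(struct mt19937 *g, const uint8_t *buf, size_t len) {
    if (len != MT_STATE_BYTES) return -1;
    for (int i = 0; i < MT_N; i++)
        g->s[i] = (uint32_t)buf[4 * i]
                | ((uint32_t)buf[4 * i + 1] << 8)
                | ((uint32_t)buf[4 * i + 2] << 16)
                | ((uint32_t)buf[4 * i + 3] << 24);
    g->s[0] |= 0x80000000u;
    g->idx = MT_N;
    return 0;
}

/* Fill the state from /dev/urandom. Returns -1 if the device cannot be read
 * in full; nothing here aborts, the caller chooses the fallback policy. */
int mt_seed_from_csprng(struct mt19937 *g) {
    uint8_t buf[MT_STATE_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf) return -1;
    return mt_seed_from_bytes(g, buf, sizeof buf);
}

/* Regenerate all 624 words in place (the "twist" step). */
static void mt_twist(struct mt19937 *g) {
    for (int i = 0; i < MT_N; i++) {
        uint32_t y = (g->s[i] & 0x80000000u) | (g->s[(i + 1) % MT_N] & 0x7fffffffu);
        g->s[i] = g->s[(i + MT_M) % MT_N] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
    }
    g->idx = 0;
}

/* Next 32-bit output: twist when the buffer is exhausted, then temper. */
uint32_t mt_next(struct mt19937 *g) {
    if (g->idx >= MT_N) mt_twist(g);
    uint32_t y = g->s[g->idx++];
    y ^= (y >> 11);
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    y ^= (y >> 18);
    return y;
}

int main(void) {
    struct mt19937 g;
    mt_seed_classic(&g, 5489u);
    printf("classic seed 5489, first output: %u\n", mt_next(&g));
    if (mt_seed_from_csprng(&g) == 0)
        printf("CSPRNG-seeded state, first output: %u\n", mt_next(&g));
    else
        printf("CSPRNG unavailable; caller must pick a fallback\n");
    return 0;
}
```

Feeding the seeder an all-zero buffer (the worst case Lauri's comment describes) still yields a usable generator because of the pinned bit; feeding it 16 bytes, the key-size comparison Nikita makes, is rejected because the function is defined over the whole state rather than a short seed.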