OpenSSL random pseudo bytes

16 years ago by Scott MacVicar — view source

unread

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random pseudo
byte function, at the moment it will return FALSE if the bytes aren't
considered cryptographically strong, I am however considering making
this parameter controlled.

Any objections to me applying this to 5.3?

Scott

[1] - http://whisky.macvicar.net/patches/openssl_prg.patch.txt

16 years ago by David Coallier — view source

unread

2008/9/2 Scott MacVicar scott@macvicar.net:

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random pseudo byte
function, at the moment it will return FALSE if the bytes aren't considered
cryptographically strong, I am however considering making this parameter
controlled.

Any objections to me applying this to 5.3?

I'd say that 5.3 should be a rather "stable" version and that if we
add features we should make sure they are rock solid now. Perhaps
adding the control (Parameter to control the security/cryptography
level) now would save time and would make it a thing less to look back
in the future.

What do you think?

Slan,
David

16 years ago by Scott MacVicar — view source

unread

2008/9/2 Scott MacVicar scott@macvicar.net:

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random
pseudo byte
function, at the moment it will return FALSE if the bytes aren't
considered
cryptographically strong, I am however considering making this
parameter
controlled.

Any objections to me applying this to 5.3?

I'd say that 5.3 should be a rather "stable" version and that if we
add features we should make sure they are rock solid now.

This function has been in OpenSSL for 8 years and supported by every
version since 0.9.5. It's literally just exposing the API, it's safe
for inclusion in 5.3 in my opinion.

Perhaps
adding the control (Parameter to control the security/cryptography
level) now would save time and would make it a thing less to look back
in the future.

It's not a cryptography level / control. The problem is that the PRNG
can run out of data if there isn't enough entropy available, you can
still take the result but it's not strong.

I should say this function isn't for key generation but for use in
places that you need random data.

Scott

16 years ago by David Coallier — view source

unread

This function has been in OpenSSL for 8 years and supported by every version
since 0.9.5. It's literally just exposing the API, it's safe for inclusion
in 5.3 in my opinion.

I didn't express myself very clearly. What I meant is that we should
probably add that switch for the return right now instead of later
(IE: "I am however considering making this parameter controlled.")

I think it's safe to include it but I'll await on the RMs before
saying anything :) Exposing OpenSSL's API is a good idea imo.

--
Slan,
David

16 years ago by Lukas Kahwe Smith — view source

unread

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random
pseudo byte function, at the moment it will return FALSE if the
bytes aren't considered cryptographically strong, I am however
considering making this parameter controlled.

Any objections to me applying this to 5.3?

If we do end up having an alpha3, this patch can be applied along with
the of the other openssl patches. If we move to beta for the next
5.3.0 release, then I would rather prefer to keep this change out
until 5.3.1. Lets wait what happens with the namespace discussion this
week. Johannes and I will then decide if we do alpha3 or beta1 next
over the weekend and publish a schedule next Monday.

regards,
Lukas Kahwe Smith
mls@pooteeweet.org

16 years ago by Pierre Joye — view source

unread

hi Scott,

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random pseudo byte
function, at the moment it will return FALSE if the bytes aren't considered
cryptographically strong, I am however considering making this parameter
controlled.

Any objections to me applying this to 5.3?

As the idea is good and usefull, I have to object to expose this function.

There is already a todo entry for our random functions (mt and normal
rand) as well as a bug report. Two main issues have to be fixed there,
the entropy and the actual randomness. The same underlying API is used
and we can then add a function to return a random buffer directly
(which is basically what is done internally too).

Cheers,

Pierre

http://blog.thepimp.net | http://www.libgd.org

16 years ago by crrodriguez@suse.de — view source

unread

Scott MacVicar escribió:

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random pseudo
byte function, at the moment it will return FALSE if the bytes aren't
considered cryptographically strong, I am however considering making
this parameter controlled.

Any objections to me applying this to 5.3?

Scott

[1] - http://whisky.macvicar.net/patches/openssl_prg.patch.txt

What is the status of this ? I see nothing that can break with this
patch, but I would suggest the function to take the second argument by
value instead of by reference, valid code like

<?php

$activation_code = md5(openssl_random_pseudo_bytes(128, true));

causes a Fatal error: Only variables can be passed by reference...

--
"A computer is like an Old Testament god, with a lot of rules and no
mercy. "

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/

16 years ago by Scott MacVicar — view source

unread

On 25 Sep 2008, at 22:59, Cristian Rodríguez crrodriguez@suse.de
wrote:

Scott MacVicar escribió:

Hi All,

Attached and uploaded [1] is a patch to add the OpenSSL random pseudo
byte function, at the moment it will return FALSE if the bytes aren't
considered cryptographically strong, I am however considering making
this parameter controlled.

Any objections to me applying this to 5.3?

Scott

[1] - http://whisky.macvicar.net/patches/openssl_prg.patch.txt

What is the status of this ? I see nothing that can break with this
patch, but I would suggest the function to take the second argument by
value instead of by reference, valid code like

<?php

$activation_code = md5(openssl_random_pseudo_bytes(128, true));

?>

causes a Fatal error: Only variables can be passed by

The second parameter indicates if the resultant data was strong random
data. It's not an option.

By default it is strong, if it runs out of data it will be weak.

If you don't care don't pass a parameter.

Scott

16 years ago by crrodriguez@suse.de — view source

unread

Scott MacVicar escribió:

If you don't care don't pass a parameter.

ohh.. right, I misinterpreted it .. sorry ;)

--
"A computer is like an Old Testament god, with a lot of rules and no
mercy. "

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/