Security changes in PHP 7

10 years ago by Tom Worster — view source — reply

unread

I've been trying to catch up on the plans in PHP 7 for changes in security
features and APIs and I got confused. Questions on my mind at the moment
include:

Will there be a portable API for getting random bytes from the
platform's CSPRNG?

https://wiki.php.net/ideas/php6 lists as an addition: "Reliable,
userfriendly RNG APIs: Provide a userfriendly and reliable RNG APIs,
available by default, on all supported platforms and for all usages
(from weak to crypto safe)."

What's going to happen to mcrypt?

I see the vote to excise it did not pass. Does this mean that (i.e.
imply that) PHP's plan is to keep a security lib that hasn't been
maintained for 8 years for the next 5+ years?

Will the OpenSSL ext remain as it currently stands?

There have been a few discussions about this but I'm not clear if any
decisions have been made about changing it or providing a new API.

What does openssl_random_pseudo_bytes() really do in PHP?

Where does it get random bytes from in the various different platforms?
Is it going to change in PHP 7?

Is the weird Linux /dev/random[1] still supported? If so, is used
by default in any PHP API?

I noticed some work on constant-time functions. Is this for security
purposes, i.e. defeating remote timing attacks? Is there an RFC?

"Feature Freeze" for PHP 7 is coming soon. I, for one, would value a
summary of what's happening in PHP 7 with respect to security topics
like but not limited to these. Some kinda of document detailing the
plan, if there is one, would be real swell.

Tom

[1] http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

10 years ago by Yasuo Ohgaki — view source — reply

unread

Hi Tom,

Will there be a portable API for getting random bytes from the
platform's CSPRNG?

https://wiki.php.net/ideas/php6 lists as an addition: "Reliable,
userfriendly RNG APIs: Provide a userfriendly and reliable RNG APIs,
available by default, on all supported platforms and for all usages
(from weak to crypto safe)."

Pierre,

What the status?

What's going to happen to mcrypt?

I see the vote to excise it did not pass. Does this mean that (i.e.
imply that) PHP's plan is to keep a security lib that hasn't been
maintained for 8 years for the next 5+ years?

Removed.
Available as PECL module.
Probably.

Will the OpenSSL ext remain as it currently stands?

There have been a few discussions about this but I'm not clear if any
decisions have been made about changing it or providing a new API.

Not sure on this

What does openssl_random_pseudo_bytes() really do in PHP?

Where does it get random bytes from in the various different platforms?
Is it going to change in PHP 7?

It's depend on openssl. What openssl does is what it does.

Is the weird Linux /dev/random[1] still supported? If so, is used
by default in any PHP API?

Session module use it.
/dev/urandom or /dev/arundom

I noticed some work on constant-time functions. Is this for security
purposes, i.e. defeating remote timing attacks? Is there an RFC?

No, but there is patch.
Status?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

10 years ago by Pierre Joye — view source — reply

unread

What's going to happen to mcrypt?

I see the vote to excise it did not pass. Does this mean that (i.e.
imply that) PHP's plan is to keep a security lib that hasn't been
maintained for 8 years for the next 5+ years?

Removed.
Available as PECL module.
Probably.

Please check the RFC.

It is not removed and unless some people changed their mind the horrible
scenario described here will happen. And it will be longer than 5 years.

10 years ago by Yasuo Ohgaki — view source — reply

unread

Hi Pierre,

What's going to happen to mcrypt?

I see the vote to excise it did not pass. Does this mean that (i.e.
imply that) PHP's plan is to keep a security lib that hasn't been
maintained for 8 years for the next 5+ years?

Removed.
Available as PECL module.
Probably.

Please check the RFC.

It is not removed and unless some people changed their mind the horrible
scenario described here will happen. And it will be longer than 5 years.

https://wiki.php.net/start#extmcrypt

Voted +1

--
Yasuo Ohgaki
yohgaki@ohgaki.net

10 years ago by Pierre Joye — view source — reply

unread

Hi Pierre,

What's going to happen to mcrypt?

I see the vote to excise it did not pass. Does this mean that (i.e.
imply that) PHP's plan is to keep a security lib that hasn't been
maintained for 8 years for the next 5+ years?

Removed.
Available as PECL module.
Probably.

Please check the RFC.

It is not removed and unless some people changed their mind the horrible
scenario described here will happen. And it will be longer than 5 years.

https://wiki.php.net/start#extmcrypt

Voted +1

Not sure what this RFC is (did not dig the list as the link is wrong).
However the latest on the topic is here and it is does not look
remotely close to a approval:

https://wiki.php.net/rfc/removal_of_dead_sapis_and_exts

10 years ago by Yasuo Ohgaki — view source — reply

unread

Hi Pierre,

Not sure what this RFC is (did not dig the list as the link is wrong).
However the latest on the topic is here and it is does not look
remotely close to a approval:

https://wiki.php.net/rfc/removal_of_dead_sapis_and_exts

Sorry my copy buffer had wrong URL...
I voted +1 for mcrypt. It's 12 vs. 13 now.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

10 years ago by Tom Worster — view source — reply

unread

Hi Yasuo, Pierre,

Thank you both for the updates.

I expect the vote to remove mcrypt can be shifted towards "yes" if some
campaigning effort is made. I made a start in another thread.

Assuming that mcrypt goes, as it should, we are left with a problem. The
PHP user doesn't have a platform-independent way to get pseudo-random
bytes for crypto. OpenSSL's RNG is not to be trusted. If the user knows
this (I wouldn't bet on it) then she has to resort to accessing the
platform RNG directly.

On Unix-like system's it is technically easy but much confusion is caused
by the Linux man page with its myth that urandom is unsafe for crypto.

On Windows I just have no idea how the user might proceed.

So I really think the "Reliable, userfriendly RNG APIs" idea in the wiki
is very important.

Tom

10 years ago by Pierre Joye — view source — reply

unread

Hi Yasuo, Pierre,

Thank you both for the updates.

I expect the vote to remove mcrypt can be shifted towards "yes" if some
campaigning effort is made. I made a start in another thread.

Assuming that mcrypt goes, as it should, we are left with a problem.

I agree with Derick about wrapping ext/mcrypt around OpenSSL or other to
keep it around for BC. I simply do not have the resources to make that
happen so someone has to jump on it (Derick?)

Cheers
Pierre

10 years ago by Leigh — view source — reply

unread

I agree with Derick about wrapping ext/mcrypt around OpenSSL or other to
keep it around for BC. I simply do not have the resources to make that
happen so someone has to jump on it (Derick?)

Are we happy to accept that we'll lose access to some of mcrypts
ciphers if we do this? I'd suspect most real world usage of php-mcrypt
is to implement AES anyway, so most users would be covered.

10 years ago by Tom Worster — view source — reply

unread

Hi Leigh,

Are we happy to accept that we'll lose access to some of mcrypts
ciphers if we do this? I'd suspect most real world usage of php-mcrypt
is to implement AES anyway, so most users would be covered.

I hope your suspicion is right.

I'd be happy to lose all but AES and Blowfish cyphers and CBC and CTR
modes.

Tom