Pierre,

1. The proposal in the RFC is explicit: "The function should neither block nor return a failure status in the case that the systems entropy pool is depleted. However, it should allow the caller to discover if this is the case. etc..."

2. The current code implements that by setting the $is_strong_result flag if it has to resort to urandom on Linux.

So, afaict, what has been done _so_far_ is in alignment with your preferences. Correct?

As I said in the email discussing implementation, setting $is_strong_result requires different code for each OS and this has not been implemented yet.

Tom

On 1/9/12 9:33 AM, "Pierre Joye" <pierre....@gmail.com> wrote:

>hi,
>
>Some comments, same as I did before:
>
>cs means crypto safe. In your implementation, it is by no means crypto
>safe as it relies on urandom for the cases where /dev/random did not
>return enough data (some OS are non blocking here), while linux is.
>
>It should detect which entropy sources are available. Be /dev/random
>or other like entropy daemon or similar systems providing a device.
>Doing so will make this function work fine on almost all systems.
>
>Cheers,
>
>On Mon, Jan 9, 2012 at 2:00 PM, Tom Worster <f...@thefsb.org> wrote:
>> I added it at the top, I hope that's ok.
>>
>> the URL is https://github.com/tom--/php-cs_random_bytes
>>
>> Thanks for pointing that out
>> Tom
>>
>> On 1/9/12 7:54 AM, "Pierre Joye" <pierre....@gmail.com> wrote:
>>
>>>pls add it to the RFC, the right one as this one is a 404.
>>>
>>>On Mon, Jan 9, 2012 at 2:58 AM, Tom Worster <f...@thefsb.org> wrote:
>>>> I forgot the URL: https://github.com/tom--/php-cs_random_bytesemo
>>>>
>>>> :X
>>>>
>>>> tom
>>>>
>>>> On 1/8/12 8:56 PM, "Tom Worster" <f...@thefsb.org> wrote:
>>>>
>>>>>I have also set up a github repo with 4 files in it. It is a first
>>>>>hack of a function that does part of what I described in the RFC.
>>>>>It's based on the interface of openssl_random_pseudo_bytes() and the
>>>>>guts of mcrypt_create_iv(). It is provisionally named
>>>>>cs_random_bytes().
>>>>>
>>>>>For now it builds and works at least this much:
>>>>>
>>>>>$ sapi/cli/php -r 'echo bin2hex(cs_random_bytes(8)) . PHP_EOL;'
>>>>>4cd0965922470560
>>>>>
>>>>>The hard work will be implementing the $is_strong_result flag in a
>>>>>platform independent way. You need to read the status of the entropy
>>>>>pool. The current code does that for Linux (maybe?). On FreeBSD you
>>>>>use sysctl(3) to read kern.random.sys.seeded. On OS X you ask
>>>>>securityd. Windows is actually easier.
>>>>>
>>>>>And what about other OSs? What is PHP normally tested on and would
>>>>>that be a suitable guide for cs_random_bytes()?
>>>>>
>>>>>In any case, I am no C programmer. I'm just a web dev. I don't even
>>>>>know how to ask if sysctl(3) is present.
>>>>>
>>>>>Tom
>>>>>
>>>>>On 1/8/12 7:42 PM, "Tom Worster" <f...@thefsb.org> wrote:
>>>>>
>>>>>>I added the new RFC https://wiki.php.net/rfc/csrandombytes which is
>>>>>>in its first draft.
>>>>
>>>> --
>>>> PHP Internals - PHP Runtime Development Mailing List
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>--
>>>Pierre
>>>
>>>@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
>
>--
>Pierre
>
>@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
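
The behaviour debated in this thread (never block, never fail just because the pool is depleted, but report whether a fallback was used), as an added C example that is not part of the thread or of the php-cs_random_bytes repository. The names `read_some` and `fill_random` are hypothetical, and the device paths are passed in as parameters on the assumption that the caller decides which source counts as strong on its platform.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Read up to n bytes from path without blocking.
 * Returns the number of bytes obtained (0 if the source cannot be opened). */
static size_t read_some(const char *path, unsigned char *buf, size_t n)
{
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0)
            got += (size_t)r;
        else if (r < 0 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        else
            break;              /* EAGAIN (nothing available now), EOF or error */
    }
    close(fd);
    return got;
}

/* Hypothetical helper: fill buf from the strong source and top up any
 * shortfall from the fallback. *is_strong is 1 only when every byte came
 * from the strong source. Returns 0 on success, -1 if buf was not filled. */
int fill_random(unsigned char *buf, size_t n, const char *strong,
                const char *fallback, int *is_strong)
{
    size_t got = read_some(strong, buf, n);
    *is_strong = (got == n);
    if (got < n)
        got += read_some(fallback, buf + got, n - got);
    return got == n ? 0 : -1;
}

int main(void)
{
    unsigned char buf[8];
    int strong;
    if (fill_random(buf, sizeof buf, "/dev/random", "/dev/urandom", &strong) != 0)
        return 1;
    for (size_t i = 0; i < sizeof buf; i++)
        printf("%02x", buf[i]);
    printf(" is_strong=%d\n", strong);
    return 0;
}
```

A caller that needs key material can check `is_strong` and decide for itself whether to retry later, which is the discovery mechanism the RFC quote asks for.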