Thanks Damien and Daniel for the info. I am not concerned about running out of entropy. I am concerned about userspace RNGs such as OpenSSL http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
On 2/8/15, 12:04 PM, "Damien Tournoud" <d...@damz.org> wrote: >On Sun, Feb 8, 2015 at 5:15 PM, Daniel Lowrey <rdlow...@php.net> wrote: > >> Currently PHP's openssl_random_pseudo_bytes() uses the latter function >>and >> allows users to pass a by-reference $crypto_strong out parameter to >> determine if the result is cryptographically strong. This is fine if you >> know all of the above and have read the manual for this function. >>However, >> it may be desirable to add a new openssl_rand_bytes() function that uses >> RAND_bytes() under the hood to make it less likely for someone to >> accidentally use insufficiently random output. > > >Hi Daniel, > >Just to clarify: OpenSSL automatically seeds its random pool from >crypto-safe system-specific sources (/dev/[u]random on Linux): it is just >*impossible* on modern systems to end up in the case of not having enough >entropy. > >Damien -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
