On Sun, Feb 8, 2015 at 2:18 PM, Tom Worster <f...@thefsb.org> wrote:
>
> On 2/8/15, 12:52 PM, "Daniel Lowrey" <rdlow...@php.net> wrote:
>
> >On Sun, Feb 8, 2015 at 12:11 PM, Tom Worster <f...@thefsb.org> wrote:
> >>
> >> Thanks Damien and Daniel for the info.
> >>
> >> I am not concerned about running out of entropy. I am concerned about
> >> userspace RNGs such as OpenSSL
> >> http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
> >
> >Just to be clear (as Damien also mentioned): openssl is not a userspace
> >RNG.
>
> OpenSSL has an RNG that is not in the kernel memory space. Software that
> is in memory but not in the kernel space is in the user space.
>
You're right, my mistake. I don't claim to be a crypto expert in any sense of the word -- I simply implement APIs that real crypto experts create.

I don't believe it makes any sense for us to implement this in php-src directly. If you haven't compiled openssl with a different RNG engine it's going to default to use RAND_SSLeay(). The explanation here explains the logic involved:

https://www.openssl.org/docs/crypto/rand.html#internals

Dr. Henson is far smarter than I am; I'll take his word for it. The only outstanding issue noted in the linked discussion is "An initial source of random 'state'" which, as you can see by reading the subsequent RAND_add() documentation, is transparently retrieved from /dev/urandom for us:

> On systems that provide /dev/urandom, the randomness device is used to
> seed the PRNG transparently. However, on all other systems, the
> application is responsible for seeding the PRNG by calling RAND_add()

If you're in Windows this is handled by a different API. And if not, I tend to trust the openssl PRNG since it pulls its initial random state from /dev/urandom.

I honestly don't see the problem here. I'm happy to be wrong if someone says, "no, we should come up with a different way to do this," and can provide logic to back that up. Personally, I have no reason to believe the openssl implementation is inadequate. We could add the ability to pass in your own initialization data but the only good option there is pulling it from `fread()` on /dev/urandom anyway ... a somewhat pointless exercise as openssl already does this.
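The concern behind Tom's link (the sockpuppet.org post) is not seed quality but where the generator's state lives: state held in process memory is cloned by fork(), so two processes can emit the same "random" bytes even when the seed came from /dev/urandom. The following Python is an added example, not code from this thread, from OpenSSL or from php-src. It uses a constructed toy hash-based generator (`UserspacePrng`, hypothetical and deliberately simplistic) to show the duplicate output after fork, that reading the kernel device directly does not share the problem, and that mixing fresh kernel entropy into the state after fork (the job RAND_add() does in the discussion above) removes the duplication.

```python
import hashlib
import os


class UserspacePrng:
    """Toy deterministic generator whose entire state lives in process
    memory (constructed for this example; it is not OpenSSL's design and
    must not be used as a real CSPRNG)."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0

    def reseed(self, fresh: bytes) -> None:
        """Mix new entropy into the state, the role RAND_add() plays for OpenSSL."""
        self.state = hashlib.sha256(self.state + fresh).digest()
        self.counter = 0

    def bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
        return out[:n]


def draw_in_parent_and_child(draw):
    """fork(), call draw() once in the child and once in the parent, and
    return (parent_output, child_output). The child's output crosses a
    pipe because after fork it has its own copy of memory."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child process
        os.close(rfd)
        os.write(wfd, draw())
        os.close(wfd)
        os._exit(0)
    os.close(wfd)                      # parent process
    child_out = b""
    while True:
        chunk = os.read(rfd, 4096)
        if not chunk:
            break
        child_out += chunk
    os.close(rfd)
    os.waitpid(pid, 0)
    return draw(), child_out


def userspace_prng_collides() -> bool:
    """Seeded from the kernel, yet parent and child emit identical bytes:
    the seed was fine, the cloned state is the problem."""
    prng = UserspacePrng(os.urandom(32))
    parent_out, child_out = draw_in_parent_and_child(lambda: prng.bytes(32))
    return parent_out == child_out        # True


def kernel_urandom_collides() -> bool:
    """Reading the kernel device directly: no process-local state to clone."""
    parent_out, child_out = draw_in_parent_and_child(lambda: os.urandom(32))
    return parent_out == child_out        # False


def reseeded_prng_collides() -> bool:
    """Mixing fresh kernel entropy into the userspace state after fork and
    before any output breaks the duplication."""
    prng = UserspacePrng(os.urandom(32))

    def draw() -> bytes:
        prng.reseed(os.urandom(32))
        return prng.bytes(32)

    parent_out, child_out = draw_in_parent_and_child(draw)
    return parent_out == child_out        # False


if __name__ == "__main__":
    print("userspace PRNG, identical after fork:", userspace_prng_collides())
    print("kernel urandom, identical after fork:", kernel_urandom_collides())
    print("reseeded PRNG, identical after fork: ", reseeded_prng_collides())
```

The example needs a Unix fork(); the pipe is only there to get the child's bytes back to the parent for comparison. The point for the thread is that "seeded transparently from /dev/urandom" and "safe to use from every process" are different properties, and only the second one answers the linked post's objection.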