On 10/12/15 10:53 PM, Larry Garfield wrote:
> On 10/12/2015 07:29 PM, Tom Worster wrote:
>> Could we regard random_bytes() as a security patch rather than a new
>> feature and therefore port it to PHP 5?
>> Error handling would have to change but that should be feasible. Iirc,
>> earlier commits of random_bytes() had PHP 5-like behavior on error.
>> My motivation: it's easier to defend abandoning OpenSSL's RNG (e.g. in
>> paragonie/random_compat) if we could say to Windows users stuck with
>> nothing else: "Upgrade to the latest point release of PHP 5.x. It has a
>> proper fix."
>> Tom
> Since there's no 5.7 release planned, you're talking about adding it in
> a 5.6.x?
Yes, maybe even 5.5?
> What's wrong with the random_compat library as a solution for
> 5.6 users?
Good question. Vexing answer. I'll try to be brief.
There are real situations that push random_compat into a corner with
only unpleasant options, namely recommending the user install the
unsavory mcrypt ext, which provides mcrypt_create_iv(), or resort to
OpenSSL's RNG, which is just scary.
There are recent discussions of this in a few places; I think you can
find them all starting here:
https://github.com/paragonie/random_compat/issues/5
So I thought another option would be to say "patch your PHP". One
possibility to do that is what I proposed above.
[I hesitate to mention it but, another is to make mcrypt_create_iv()
independent of libmcrypt and present in standard builds of PHP. Maybe
the latter is better because existing scripts that test
function_exists('mcrypt_create_iv') become more secure.]
Tom
--
PHP Internals - PHP Runtime Development Mailing List