[PHP-DEV] RE: [PHP-CVS] com php-src: Remove arc4random: ext/standard/config.m4 ext/standard/random.c

Mon, 26 Oct 2015 14:59:33 -0700 

Hi,

> -----Original Message-----
> From: Leigh [mailto:le...@php.net]
> Sent: Monday, October 26, 2015 9:40 PM
> To: php-...@lists.php.net
> Subject: [PHP-CVS] com php-src: Remove arc4random: ext/standard/config.m4
> ext/standard/random.c
> 
> Commit:    a53510239f629b36f1fdccc860670872463eeb77
> Author:    Leigh <le...@php.net>         Mon, 26 Oct 2015 20:40:28 +0000
> Parents:   fff11a1e0709fb670012b0fac4fc21cb7fc14291
> Branches:  PHP-7.0
> 
> Link:       http://git.php.net/?p=php-
> src.git;a=commitdiff;h=a53510239f629b36f1fdccc860670872463eeb77
> 
> Log:
> Remove arc4random
> 
> There has been a lot of discussion around whether arc4random should be
> included. Given how many different impementations of it are in the wild, we
> can't guarantee a secure implementation on all platforms.
> 
> Changed paths:
>   M  ext/standard/config.m4
>   M  ext/standard/random.c
> 
> 
> Diff:
> diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 index
> c435f96..f41df7e 100644
> --- a/ext/standard/config.m4
> +++ b/ext/standard/config.m4
> @@ -593,11 +593,6 @@ dnl
>  AC_CHECK_HEADERS([atomic.h])
> 
>  dnl
> -dnl Check for arc4random on BSD systems -dnl
> -AC_CHECK_DECLS([arc4random_buf])
> -
> -dnl
>  dnl Check for getrandom on newer Linux kernels  dnl
>  AC_CHECK_DECLS([getrandom])
> diff --git a/ext/standard/random.c b/ext/standard/random.c index
> f46c4e0..fd730d1 100644
> --- a/ext/standard/random.c
> +++ b/ext/standard/random.c
> @@ -87,8 +87,6 @@ static int php_random_bytes(void *bytes, size_t size)
>               zend_throw_exception(zend_ce_exception, "Could not gather
> sufficient random data", 0);
>               return FAILURE;
>       }
> -#elif HAVE_DECL_ARC4RANDOM_BUF
> -     arc4random_buf(bytes, size);
>  #elif HAVE_DECL_GETRANDOM
>       /* Linux getrandom(2) syscall */
>       size_t read_bytes = 0;
> 
Which discussions do you mean, could you please link to them? The one I 
remember right now is https://github.com/php/php-src/pull/1513 , but there's 
actually no obvious conclusion. Removing arc4random is quite a radical move, 
but OpenBSD and NetBSD could still profit from not using /dev/urandom and it 
would cost just extending the macro condition.

Thanks

Anatol
 



--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to