Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-21 Thread Niklas Keller
> > I really don't see any pros for caring about failing CSPRNG and fallback > to weak behavior. > > 1) BC is extremely unlikely. Basically, no BC on healthy hardware/OS. > 2) Then things failed, programs should fail properly. i.e. Shouldn't > fallback to weaker/problematic code. > Failing closed

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-20 Thread Yasuo Ohgaki
Hi Niklas, On Fri, Jan 20, 2017 at 1:07 AM, Niklas Keller wrote: > has this been committed? It's just the same BC issue as seeding mt_rand > with a CSPRNG by default. Not yet. I really don't see any pros for caring about failing CSPRNG and fallback to weak behavior. 1) BC is extremely unlike

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-19 Thread Niklas Keller
2016-12-31 0:20 GMT+01:00 Yasuo Ohgaki : > I'll merge the patch to master (7.2) if there is no comment. > Hi Yasuo, has this been committed? It's just the same BC issue as seeding mt_rand with a CSPRNG by default. Regards, Niklas

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-09 Thread Kazuo Oishi
Lauri Kenttä writes: >> signed 32 bit int range. This version is as fast as php_combined_lcg() >> version on my system. Both versions executes a million uniqid() calls >> about 0.36 sec. >> >> $ php -r '$s = microtime(TRUE);for($i=0;$i<100;$i++) uniqid("", >> TRUE); echo microtime(TRUE) - $s;'

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-09 Thread Lauri Kenttä
On 2017-01-09 08:08, Yasuo Ohgaki wrote: Hi Kazuo, On Mon, Jan 9, 2017 at 9:27 AM, Kazuo Oishi wrote: [original uniqid() using php_combined_lcg] $ time ./php_uniqid_orig -r 'for($i=0; $i<100;$i++) uniqid("",true);' real 0m0.366s user 0m0.350s sys 0m0.010s [your php_random_byt

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Yasuo Ohgaki
Hi Kazuo, On Mon, Jan 9, 2017 at 9:27 AM, Kazuo Oishi wrote: > >>> [original uniqid() using php_combined_lcg] > >>> $ time ./php_uniqid_orig -r 'for($i=0; $i<100;$i++) > uniqid("",true);' > >>> real 0m0.366s > >>> user 0m0.350s > >>> sys 0m0.010s > >>> > >>> [your php_random_bytes_

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Kazuo Oishi
Hi, >>> [original uniqid() using php_combined_lcg] >>> $ time ./php_uniqid_orig -r 'for($i=0; $i<100;$i++) uniqid("",true);' >>> real 0m0.366s >>> user 0m0.350s >>> sys 0m0.010s >>> >>> [your php_random_bytes_throw version (commit >>> 48f1a17886d874dc90867c669481804de90509e8)] >>> $

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Yasuo Ohgaki
On Mon, Jan 9, 2017 at 5:07 AM, Yasuo Ohgaki wrote: > On Mon, Jan 9, 2017 at 2:29 AM, Lauri Kenttä > wrote: > >> On 2017-01-07 03:15, Yasuo Ohgaki wrote: >> >>> + php_random_int(10, 99, &rand, 1); >>> >>> This should be >>> >>> + php_random_int(0,

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Yasuo Ohgaki
On Mon, Jan 9, 2017 at 5:31 AM, Yasuo Ohgaki wrote: > On Mon, Jan 9, 2017 at 3:15 AM, Kazuo Oishi wrote: > >> No. Lauri's version is better. >> >> Your php_random_bytes_throw() version is significantly slow. Lauri's >> version is faster and cleaner. >> >> [original uniqid() using php_combined_

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Yasuo Ohgaki
Hi Kazuo, On Mon, Jan 9, 2017 at 3:15 AM, Kazuo Oishi wrote: > No. Lauri's version is better. > > Your php_random_bytes_throw() version is significantly slow. Lauri's > version is faster and cleaner. > > [original uniqid() using php_combined_lcg] > $ time ./php_uniqid_orig -r 'for($i=0; $i<100

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Yasuo Ohgaki
On Mon, Jan 9, 2017 at 2:29 AM, Lauri Kenttä wrote: > On 2017-01-07 03:15, Yasuo Ohgaki wrote: > >> + php_random_int(10, 99, &rand, 1); >> >> This should be >> >> + php_random_int(0, 99, &rand, 1); >> > > No, it shouldn't. That fixes none of the

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Kazuo Oishi
Hi, >>> + zend_long rand; >>> + php_random_int(10, 99, &rand, 1); >>> + uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, >>> usec, (double)rand/100); >> >> Your code is broken. It produces 0.1000 - 0. when it should

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-08 Thread Lauri Kenttä
On 2017-01-07 03:15, Yasuo Ohgaki wrote: + php_random_int(10, 99, &rand, 1); This should be + php_random_int(0, 99, &rand, 1); No, it shouldn't. That fixes none of the reported problems. You still have too many numbers (integer overflow) an

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-07 Thread Yasuo Ohgaki
Hi Niklas, On Sun, Jan 8, 2017 at 4:08 AM, Niklas Keller wrote: > 2017-01-07 2:15 GMT+01:00 Yasuo Ohgaki : > >> Hi Lauri, >> >> On Wed, Jan 4, 2017 at 4:56 AM, Lauri Kenttä >> wrote: >> >> > On 2016-12-31 01:20, Yasuo Ohgaki wrote: >> > >> >> + zend_long rand; >> >> +

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-07 Thread Niklas Keller
2017-01-07 2:15 GMT+01:00 Yasuo Ohgaki : > Hi Lauri, > > On Wed, Jan 4, 2017 at 4:56 AM, Lauri Kenttä > wrote: > > > On 2016-12-31 01:20, Yasuo Ohgaki wrote: > > > >> + zend_long rand; > >> + php_random_int(10, 99, &rand, 1); > >> + uniqid

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-06 Thread Yasuo Ohgaki
Hi Kazuo, On Sat, Jan 7, 2017 at 9:54 AM, Yasuo Ohgaki wrote: > You misunderstand the mail. > PHPMailer and uniqid() fix is unrelated, but uniqid() is misused proposed > patch in obvious way. > > >> >> What's your intention? >> > > The point we should learn from the code is, it is clear that use

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-06 Thread Yasuo Ohgaki
Hi Lauri, On Wed, Jan 4, 2017 at 4:56 AM, Lauri Kenttä wrote: > On 2016-12-31 01:20, Yasuo Ohgaki wrote: > >> + zend_long rand; >> + php_random_int(10, 99, &rand, 1); >> + uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, >> usec, (do

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-06 Thread Yasuo Ohgaki
Hi Kazuo, On Mon, Jan 2, 2017 at 3:03 AM, Kazuo Oishi wrote: > > I thought we must fix due to proposed PHPMailer bug fix patch. (See below > > for detail) Previous discussion went wrong because of compatibility > > misunderstanding. There is _no_ additional BC issue. Please keep in mind > > this

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-03 Thread Lauri Kenttä
On 2016-12-31 01:20, Yasuo Ohgaki wrote: + zend_long rand; + php_random_int(10, 99, &rand, 1); + uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, usec, (double)rand/100); Your code is broken. It produces 0.1000 - 0.9

Re: [PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2017-01-01 Thread Kazuo Oishi
Hi, > I'll merge the patch to master (7.2) if there is no comment. > > > Patch: > > $ git diff > diff --git a/ext/standard/uniqid.c b/ext/standard/uniqid.c > index f429e6d..80dacdb 100644 > --- a/ext/standard/uniqid.c > +++ b/ext/standard/uniqid.c > @@ -35,7 +35,7 @@ > #include > #endif > > -#i

[PHP-DEV] Use decent entropy for uniqid($prefix, TRUE)

2016-12-30 Thread Yasuo Ohgaki
Hi all, I thought we must fix due to proposed PHPMailer bug fix patch. (See below for detail) Previous discussion went wrong because of compatibility misunderstanding. There is _no_ additional BC issue. Please keep in mind this. This is simple change proposal replacing weak entropy to string one.