Re: [PHP-DEV] Password_hash salt generation refactor

2015-11-01 Thread Tom Worster
On 10/30/15 2:36 PM, Anatol Belski wrote: Hi Anthony, -Original Message- From: Anthony Ferrara [mailto:ircmax...@gmail.com] Sent: Friday, October 30, 2015 11:58 AM All, On Tue, Oct 20, 2015 at 11:35 PM, Anatol Belski wrote: Could php_random_bytes() be extended

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-30 Thread Anthony Ferrara
All, On Tue, Oct 20, 2015 at 11:35 PM, Anatol Belski <anatol@belski.net> wrote: > Hi Anthony, > >> -Original Message- >> From: Anthony Ferrara [mailto:ircmax...@gmail.com] >> Sent: Monday, October 19, 2015 1:00 AM >> To: internals@lists.php.net >

RE: [PHP-DEV] Password_hash salt generation refactor

2015-10-30 Thread Anatol Belski
com] > >> Sent: Monday, October 19, 2015 1:00 AM > >> To: internals@lists.php.net > >> Subject: [PHP-DEV] Password_hash salt generation refactor > >> > >> All, > >> > >> With PHP 7 comes random_bytes and random_int. This duplicates some of

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-20 Thread Tom Worster
On 10/19/15, 6:43 PM, "Ángel González" wrote: >Tom Worster wrote: > > I've verified that password_hash() without /dev/urandom can > produce systematically predictable salts, repeating a sequence of > just two salts. There's nothing statistical involved.

RE: [PHP-DEV] Password_hash salt generation refactor

2015-10-20 Thread Anatol Belski
Hi Anthony, > -Original Message- > From: Anthony Ferrara [mailto:ircmax...@gmail.com] > Sent: Monday, October 19, 2015 1:00 AM > To: internals@lists.php.net > Subject: [PHP-DEV] Password_hash salt generation refactor > > All, > > With PHP 7 comes

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-19 Thread Tom Worster
On 10/18/15 7:39 PM, Ángel González wrote: Korvin wrote: +1 for 7.0.x security patch release, best effort sounds scary. This is a salt. It doesn't need to be cryptographically secure. Using php_rand() there should pose no problem. I would actually include that into the patch (move old lines

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-19 Thread Tom Worster
On 10/19/15 3:43 PM, Scott Arciszewski wrote: On Mon, Oct 19, 2015 at 1:00 PM, Chris Riley wrote: On 19 October 2015 at 16:22, Tom Worster wrote: On 10/18/15 7:39 PM, Ángel González wrote: Korvin wrote: +1 for 7.0.x security patch release, best

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-19 Thread Scott Arciszewski
On Mon, Oct 19, 2015 at 1:00 PM, Chris Riley wrote: > On 19 October 2015 at 16:22, Tom Worster wrote: > >> On 10/18/15 7:39 PM, Ángel González wrote: >> >>> Korvin wrote: >>> +1 for 7.0.x security patch release, best effort sounds scary. >>> This

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-19 Thread Chris Riley
On 19 October 2015 at 16:22, Tom Worster wrote: > On 10/18/15 7:39 PM, Ángel González wrote: > >> Korvin wrote: >> >>> +1 for 7.0.x security patch release, best effort sounds scary. >>> >> This is a salt. It doesn't need to be cryptographically secure. Using >> php_rand() >>

[PHP-DEV] Password_hash salt generation refactor

2015-10-18 Thread Anthony Ferrara
All, With PHP 7 comes random_bytes and random_int. This duplicates some of the logic internally that password_hash uses to generate its salt. I would like to refactor this to unify generation. I've opened a PR against master: https://github.com/php/php-src/pull/1585 I don't feel comfortable

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-18 Thread Sherif Ramadan
If I'm understanding this correctly, this change doesn't affect actual behavior, right? It's just taking advantage of reusing code for random_bytes / random_int? If that is true I don't think it much matters whether the change goes through 7.0 or 7.1 since it has no real end-user impact. On

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-18 Thread Korvin Szanto
+1 for 7.0.x security patch release, best effort sounds scary. On Sun, Oct 18, 2015 at 4:01 PM Anthony Ferrara wrote: > All, > > With PHP 7 comes random_bytes and random_int. This duplicates some of > the logic internally that password_hash uses to generate its salt. > > I

Re: [PHP-DEV] Password_hash salt generation refactor

2015-10-18 Thread Stanislav Malyshev
Hi! > With PHP 7 comes random_bytes and random_int. This duplicates some of > the logic internally that password_hash uses to generate its salt. > > I would like to refactor this to unify generation. I've opened a PR > against master: https://github.com/php/php-src/pull/1585 > > I don't feel