On 10/30/15 2:36 PM, Anatol Belski wrote:
Hi Anthony,
-Original Message-
From: Anthony Ferrara [mailto:ircmax...@gmail.com]
Sent: Friday, October 30, 2015 11:58 AM
All,
On Tue, Oct 20, 2015 at 11:35 PM, Anatol Belski
wrote:
Could php_random_bytes() be extended
All,
On Tue, Oct 20, 2015 at 11:35 PM, Anatol Belski <anatol@belski.net> wrote:
> Hi Anthony,
>
>> -Original Message-
>> From: Anthony Ferrara [mailto:ircmax...@gmail.com]
>> Sent: Monday, October 19, 2015 1:00 AM
>> To: internals@lists.php.net
>
com]
> >> Sent: Monday, October 19, 2015 1:00 AM
> >> To: internals@lists.php.net
> >> Subject: [PHP-DEV] Password_hash salt generation refactor
> >>
> >> All,
> >>
> >> With PHP 7 comes random_bytes and random_int. This duplicates some of
On 10/19/15, 6:43 PM, "Ángel González" wrote:
>Tom Worster wrote:
>
> I've verified that password_hash() without /dev/urandom can
> produce systematically predictable salts, repeating a sequence of
> just two salts. There's nothing statistical involved.
Hi Anthony,
> -Original Message-
> From: Anthony Ferrara [mailto:ircmax...@gmail.com]
> Sent: Monday, October 19, 2015 1:00 AM
> To: internals@lists.php.net
> Subject: [PHP-DEV] Password_hash salt generation refactor
>
> All,
>
> With PHP 7 comes
On 10/18/15 7:39 PM, Ángel González wrote:
Korvin wrote:
+1 for 7.0.x security patch release, best effort sounds scary.
This is a salt. It doesn't need to be cryptographically secure. Using
php_rand()
there should pose no problem.
I would actually include that into the patch (move old lines
On 10/19/15 3:43 PM, Scott Arciszewski wrote:
On Mon, Oct 19, 2015 at 1:00 PM, Chris Riley wrote:
On 19 October 2015 at 16:22, Tom Worster wrote:
On 10/18/15 7:39 PM, Ángel González wrote:
Korvin wrote:
+1 for 7.0.x security patch release, best
On Mon, Oct 19, 2015 at 1:00 PM, Chris Riley wrote:
> On 19 October 2015 at 16:22, Tom Worster wrote:
>
>> On 10/18/15 7:39 PM, Ángel González wrote:
>>
>>> Korvin wrote:
>>>
+1 for 7.0.x security patch release, best effort sounds scary.
>>> This
On 19 October 2015 at 16:22, Tom Worster wrote:
> On 10/18/15 7:39 PM, Ángel González wrote:
>
>> Korvin wrote:
>>
>>> +1 for 7.0.x security patch release, best effort sounds scary.
>>>
>> This is a salt. It doesn't need to be cryptographically secure. Using
>> php_rand()
>>
All,
With PHP 7 comes random_bytes and random_int. This duplicates some of
the logic internally that password_hash uses to generate its salt.
I would like to refactor this to unify generation. I've opened a PR
against master: https://github.com/php/php-src/pull/1585
I don't feel comfortable
If I'm understanding this correctly, this change doesn't effect actual
behavior, right? It's just taking advantage of reusing code for
random_bytes / random_int ?
If that is true I don't think it much matters whether the change goes
through 7.0 or 7.1 since it has no real end-user impact.
On
+1 for 7.0.x security patch release, best effort sounds scary.
On Sun, Oct 18, 2015 at 4:01 PM Anthony Ferrara wrote:
> All,
>
> With PHP 7 comes random_bytes and random_int. This duplicates some of
> the logic internally that password_hash uses to generate its salt.
>
> I
Hi!
> With PHP 7 comes random_bytes and random_int. This duplicates some of
> the logic internally that password_hash uses to generate its salt.
>
> I would like to refactor this to unify generation. I've opened a PR
> against master: https://github.com/php/php-src/pull/1585
>
> I don't feel
13 matches
Mail list logo