On 7/5/16 11:37 AM, Christoph Becker wrote:
On 05.07.2016 at 16:32, Leigh wrote:

On 5 July 2016 at 04:02, Pierre Joye <pierre....@gmail.com> wrote:
We can argue about the provided PRNG being CS but it is not PHP's job to
decide.

I think we need to drop the concerns about exposing "RNG state".

A reminder of what php_random_bytes looks at (in order):
* CryptGenRandom on Windows
* arc4random_buf on modern BSD (where ChaCha20 is used)
* Linux getrandom(2) syscall where available
* /dev/urandom where available
* Throws an exception if it cannot access one of the above

Would that imply that in this latter case sessions couldn't be used
anymore?

I hope so.

It's not safe to use sessions if PHP cannot get unpredictable randoms for session IDs. PHP should therefore error so that the sysop can be alerted and fix the problem.

Tom



--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
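
The source order and fail-closed behaviour discussed in this thread, as an added example that is not part of the original messages and is not PHP's implementation. It covers only the Linux getrandom(2) and /dev/urandom steps; the function names secure_random_bytes and make_session_id are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Hypothetical helper, not PHP's php_random_bytes(): fill buf from the kernel
 * CSPRNG. Returns 0 on success, -1 if no secure source supplied len bytes. */
int secure_random_bytes(unsigned char *buf, size_t len) {
    size_t got = 0;
#ifdef SYS_getrandom
    while (got < len) {                 /* Linux getrandom(2) where available */
        long n = syscall(SYS_getrandom, buf + got, len - got, 0);
        if (n > 0) got += (size_t)n;
        else if (n == 0 || errno != EINTR) break;  /* e.g. ENOSYS: fall through */
    }
    if (got == len) return 0;
#endif
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;              /* no source left: report failure */
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) got += (size_t)n;
        else if (n == 0 || errno != EINTR) break;
    }
    close(fd);
    return got == len ? 0 : -1;
}

/* Hex session ID from nbytes of randomness. Fails closed: on any error returns
 * -1 with out set to "" and never falls back to a weaker generator. */
int make_session_id(char *out, size_t out_len, size_t nbytes) {
    unsigned char raw[64];
    if (out_len == 0) return -1;
    out[0] = '\0';
    if (nbytes == 0 || nbytes > sizeof raw || out_len < 2 * nbytes + 1) return -1;
    if (secure_random_bytes(raw, nbytes) != 0) return -1;
    for (size_t i = 0; i < nbytes; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);   /* writes 2 digits + NUL */
    return 0;
}

int main(void) {
    char id[65];
    if (make_session_id(id, sizeof id, 32) == 0) return puts(id) < 0;
    fputs("no secure random source; refusing to create a session\n", stderr);
    return 1;
}
```
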
