On 2018/06/01 22:07, Stefan Sperling wrote:
> On Fri, Jun 01, 2018 at 09:03:08PM +0100, Stuart Henderson wrote:
> > On 2018/06/01 15:35, Daniel Jakots wrote:
> > > On Fri, 1 Jun 2018 18:46:25 +0100, Stuart Henderson
> > > <[email protected]> wrote:
> > >
> > > > Thanks - this is a common problem with many PHP apps rather than being
> > > > specific to nextcloud/owncloud. Rather than repeating it all over the
> > > > place I've just added a section to the pkg-readme for PHP that
> > > > explains this.
> > >
> > > Great! Would you mind documenting the creation of *random devices?
> >
> > Hmm, what uses these? I've not run into anything, and if there is,
> > it really should be using random_bytes / random_int in 7.x, or the
> > random_compat polyfill + one of the other sources (preferably
> > libsodium) for 5.x ...
>
> Nextcloud complains in its admin panel if it cannot find this
> device node... I haven't checked if the device node is actually
> used but adding it on an mfs was an easy quick solution.
>
> If this is not a common issue among PHP apps, adding a hint to
> nextcloud's README file should be sufficient.
>

So from looking at this, nextcloud has two pieces of RNG interaction.
In both cases the default setup for packages is now with php 7 so will
use random_bytes (-> arc4random_buf). Otherwise (i.e. with php 5):

- one piece is phpseclib, if random_bytes is unavailable, the fallback
  is openssl_random_pseudo_bytes (which for us is a couple of layers of
  wrapper around arc4random_bytes). /dev/urandom is a subsequent fallback,
  but the openssl module is compiled-in so will be available.

- the other is random_compat, if random_bytes is unavailable then
  libsodium is preferred (install+activate pecl-libsodium). Subsequent
  fallbacks are fread() of /dev/urandom, then mcrypt which also I believe
  uses /dev/random, then openssl_random_pseudo_bytes.

If we still used php 5 for this port, I'd suggest adding pecl-libsodium
as a dependency to avoid multiple tests+fallbacks (though eventually to
a source which is sane on OpenBSD).

Unless there's some other reason I didn't spot, it would be nice if
nextcloud didn't complain about this on php 7+.
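
The following is an added example, not part of the thread or of nextcloud, random_compat or phpseclib: a diagnostic that probes the random_compat sources in the order listed in the message above and reports which one a PHP app would reach first. The function names `rng_sources` and `dev_is_usable` are hypothetical, and matching the libsodium extension under the names `libsodium` or `sodium` is an assumption about how the installed pecl version registers itself.

```php
<?php
// Added example (not from the thread). Run it under the same SAPI and
// chroot as the web application, e.g. by requesting it through php-fpm.

// True only if $dev can be opened, is a character device, and yields bytes.
function dev_is_usable($dev)
{
    if (!@is_readable($dev)) {
        return false;   // missing inside the chroot, or blocked by open_basedir
    }
    $fp = @fopen($dev, 'rb');
    if ($fp === false) {
        return false;
    }
    $st = fstat($fp);
    // Reject a regular file sitting at this path: require a character device.
    $ok = ($st['mode'] & 0170000) === 0020000
        && strlen((string) fread($fp, 16)) === 16;
    fclose($fp);
    return $ok;
}

// Sources in the fallback order described in the message above.
function rng_sources($dev = '/dev/urandom')
{
    return array(
        // The version check keeps a loaded polyfill from counting as native.
        'random_bytes (native, PHP 7+)' => PHP_VERSION_ID >= 70000 && function_exists('random_bytes'),
        'libsodium extension'           => extension_loaded('libsodium') || extension_loaded('sodium'),
        "fread() of $dev"               => dev_is_usable($dev),
        'mcrypt_create_iv'              => function_exists('mcrypt_create_iv'),
        'openssl_random_pseudo_bytes'   => function_exists('openssl_random_pseudo_bytes'),
    );
}

$first = null;
foreach (rng_sources() as $name => $available) {
    if ($available && $first === null) {
        $first = $name;
    }
    printf("%-32s %s\n", $name, $available ? 'available' : 'missing');
}
echo 'First usable source: ', $first === null ? 'none' : $first, "\n";
```

If the first line reports `available`, the missing device node inside the chroot does not affect where the random bytes come from.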
