Hi all,
On Mon, Feb 3, 2014 at 3:25 PM, Pierre Joye <[email protected]> wrote:
> On Mon, Feb 3, 2014 at 5:59 AM, Tjerk Meesters <[email protected]>
> wrote:
> > On Mon, Feb 3, 2014 at 9:13 AM, Yasuo Ohgaki <[email protected]> wrote:
> >
> >> Hi Tjerk,
> >>
> >> On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters <
> [email protected]>wrote:
> >>
> >>> I think it would be good enough to have only uuid v4:
> >>>
> >>> function uuidv4()
> >>> {
> >>> $data = openssl_random_pseudo_bytes(16); // or whatever
> >>>
> >>> $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010
> >>> $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10
> >>>
> >>> return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data),
> 4));
> >>> }
> >>>
> >>> It's really just a representation of random data, whereby 6 bits are
> used
> >>> for the actual format.
> >>>
> >>
> >> I agree.
> >> UUID v4 simply generate random ID and it is good for many purposes.
> >>
> >> My concern is portability. OpenSSL(or Mcrypt) is provided as module.
> >> Users tends not to use module functions whenever possible. To address
> >> this issue, OpenSSL could be a module compiled by default.
> >>
> >
> > You could simply choose between php_win32_get_random_bytes() (Windows)
> or
> > reading directly from /dev/xrandom. Ultimately you have to be prepared
> to
> > supplement the data (partially or fully) with calls to php_rand().
>
> I cannot agree more, except for the php_rand part, we should avoid it.
> Both are more than enough for this purpose. As I wrote earlier, it is
> not necessary to have crypto safe RNGs for uuid generations,
> definitively not. It would be good not to suddenly overreact for
> something that should be better documented :)
I think use of RAND is bad idea for creating IVs.
I added E_NOTICE for it.
https://github.com/php/php-src/pull/579/files
E_WARNING might be better.
Regards,
--
Yasuo Ohgaki
[email protected]