Re: unify entropy source for all php related functions

Date: Fri, 07 Feb 2014 11:53:00 +0000
Subject: Re: unify entropy source for all php related functions
Groups: php.internals

Hi Pierre,

On 7 February 2014 11:25, Pierre Joye <[email protected]> wrote:
> hi,
>
> There are a lot of additions and discussions about entropy source and
> (P)RNG lately.
>
> PHP already has an ini setting to define a strong entropy source for
> the session module, which defaults to urandom or arandom.
>
> I would like to create two settings to unify the entropy source
> across php functions. That includes mcrypt, new password APIs,
> session, LCG, etc.
>
> Something along this line:
>
> random.entropy_strong_source (/dev/(u|a)random etc.)
> random.entropy_crypto_source (/dev/random etc.)

In principle, that makes a lot of sense. It beats wondering what each
different function is using under the covers and may even simplify
userland code a bit (and reduce some file checking if it can be relied
upon).

> I am not willing to propose new RNG functions or extensions for 5.6 as
> we have way too little time to actually discuss its design and APIs.
> However having these settings unified and documented would be a good
> step forward already.

I think the end goal should be unification with some generalised API.
At the moment we have mt_rand(), lcg_value(),
openssl_random_pseudo_bytes(), mcrypt_create_iv() and then the file
read approaches. They all have uses, but they sit in different places
and extensions and it’s not always clear what each is best at. I agree
that this would take a lot of time to work through.

--
Pádraic Brady

http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative
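
The kind of userland source selection and file checking the reply above says a unified setting could simplify, shown as an added example that is not part of the original message or of PHP itself. It is a PHP 5.x-era fallback chain over the functions named in the message; the function name `userland_random_bytes` is hypothetical.

```php
<?php
// Added example (not from the thread). Hypothetical helper showing the
// per-application fallback chain PHP 5.x code carried because each function
// drew from a different source.
function userland_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // 1. OpenSSL extension: accept output only if it is flagged as strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // 2. mcrypt extension, reading the non-blocking kernel source.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // 3. The "file read approach": this is the file checking that a reliable,
    //    documented ini setting would make unnecessary.
    if (@is_readable('/dev/urandom')) {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            stream_set_read_buffer($fh, 0); // do not pull extra bytes into a buffer
            $bytes = fread($fh, $length);
            fclose($fh);
            if ($bytes !== false && strlen($bytes) === $length) {
                return $bytes; // a short read is treated as failure
            }
        }
    }

    // Fail closed: mt_rand() and lcg_value() are not cryptographically secure,
    // so they are deliberately not used as a last resort for key material.
    throw new RuntimeException('no strong entropy source available');
}

echo bin2hex(userland_random_bytes(16)), "\n";
```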

