Hi Nikita,
On 7 February 2014 12:58, Nikita Popov <[email protected]> wrote:
> On Fri, Feb 7, 2014 at 12:25 PM, Pierre Joye <[email protected]> wrote:
>
>> hi,
>>
>> There are a lot of additions and discussions about entropy source and
>> (P)RNG lately.
>>
>> PHP already has a ini setting to define a strong entropy source for
>> the session module, which defaults to urandom or arandom.
>>
>> I would like to create two settings to unify the entropy source
>> accross php functions. That includes mcrypt, new password APIs,
>> session, LCG, etc.
>>
>> Something along this line:
>>
>> random.entropy_strong_source (/dev/(u|a)random etc.)
>> random.entropy_crypto_source (/dev/random etc.)
>>
>> I am not willing to propose new RNG functions or extensions for 5.6 as
>> we have way too little time to actually discuss its design and APIs.
>> However having these settings unified and documented would be a good
>> step forward already.
>>
>
> To clarify what this proposal does (from otr discussion with Pierre):
>
> * openssl_pseudo_random_bytes - not changed
> * mcrypt_create_iv($n, MCRYPT_DEV_RANDOM) - uses crypto_source instead of
> /dev/random
> * mcrypt_create_iv($n, MCRYPT_DEV_URANDOM) - uses strong_source instead of
> /dev/urandom
> * mcrypt_create_iv($n, MCRYPT_RAND) - not changed
> * password_hash() - uses strong_source
> * session ID - uses strong_source
> * lcg_value, rand, mt_rand - not changed
>
> Hope everything is correct :)
>
> Nikita
Don't forget array_rand() and shuffle()... :P
But yes, that would be the expected outcome as I understand it.
Paddy
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative