Adding a back-port for random_int() & random_bytes() #33
Comments
Well, it should be its own compatibility library that doesn't expose other APIs. I will however port RandomLib and others to use the new APIs internally :-)
@ircmaxell we were thinking that a compat library like you did for
yeah, that's sane. I thought someone was working on one already? I would be happy to do it (and host it). It's up to you.
I was going to mock up a really simple PHP version, but it looks like RandomLib is way more robust. Does it make sense to base the compat library on RandomLib, or do a simple wrapper around: mcrypt > openssl > direct file access
Relevant: my proof of concept for the RFC and the Facebook PHP SDK's CSPRNG. Or a lib that just composer requires RandomLib and provides the functions.. :)
I would base it on https://github.com/ircmaxell/random_compat
Here is a super rough userland implementation: https://gist.github.com/scottchiefbaker/d191f369765eef5ed0cf I didn't implement the min/max in random_int() yet. I'll defer to @ircmaxell's implementation, because https://github.com/ircmaxell/random_compat looks more full featured. I just wanted a proof of concept to see if it was feasible.
Here is some code I've been playing with the past few days. I was also hoping to see a library like password_compat show up :) https://gist.github.com/jrnickell/bd5c3d5b5e6f71bca4b9 I wasn't sure if the new functions take default arguments. @ircmaxell the random_bytes I have is based on how you are generating salts in password_compat. It seemed to be a similar approach to the RFC. I was playing with random_int based on your RandomLib stuff here. It's using pow at the moment, since I was trying to keep the code as compact as possible. I've been reading as much as possible the past few days, and I'm excited about using the new methods for UUIDs and various shuffles, sorts, and data structures. Thank you for the hard work Sammy and Anthony, and let me know if there is anything you guys need help with.
@jrnickell I like it... you had the same idea I had, but took it a couple steps farther. Question though, what is a PHALANGER on line #6?
It is a PHP compiler for .NET. The code is based heavily on Anthony's password-compat salt generator. I've tried to follow his advice, and let the professionals handle cryptography. There is very little deviation from what he wrote in the code I was playing with. I'm not sure, but I recall some crypto functions had flaws and/or performance issues on Windows. I know openssl_random_pseudo_bytes had issues some time ago. I've always thought that check may have been related to one of those Windows issues.
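The source order proposed earlier in the thread (mcrypt > openssl > direct file access), together with the min/max handling the proof-of-concept left open, as an added example in PHP 5-compatible syntax. It is not code from either gist or from random_compat, and the compat_* function names are hypothetical. It assumes a range no wider than PHP_INT_MAX and throws instead of falling back to a non-cryptographic generator.

```php
<?php
// Added illustration; compat_* names are hypothetical. PHP 5.3+ syntax.
function compat_ok($buf, $length) { return is_string($buf) && strlen($buf) === $length; }

function compat_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }
    $buf = false;
    // Source order proposed in the thread: mcrypt > openssl > direct file access.
    if (function_exists('mcrypt_create_iv')) {
        $buf = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
    }
    if (!compat_ok($buf, $length) && function_exists('openssl_random_pseudo_bytes')) {
        $buf = openssl_random_pseudo_bytes($length, $strong);
        $buf = ($strong === true) ? $buf : false; // drop output flagged as weak
    }
    if (!compat_ok($buf, $length) && @is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        stream_set_read_buffer($fh, 0); // read only the bytes requested
        $buf = fread($fh, $length);
        fclose($fh);
    }
    if (!compat_ok($buf, $length)) {
        // Fail closed: never fall back to rand(), mt_rand() or uniqid().
        throw new RuntimeException('no usable CSPRNG source');
    }
    return $buf;
}

function compat_random_int($min, $max)
{
    if (!is_int($min) || !is_int($max) || $min > $max || !is_int($max - $min)) {
        throw new InvalidArgumentException('need ints, min <= max, max - min <= PHP_INT_MAX');
    }
    $range = $max - $min;
    // Smallest mask of the form 2^k - 1 that covers $range, and its bit count.
    for ($mask = 0, $bits = 0; $mask < $range; $bits++) {
        $mask = ($mask << 1) | 1;
    }
    $bytes = max(1, ($bits + 7) >> 3);
    do {
        $val = 0;
        foreach (str_split(compat_random_bytes($bytes)) as $ch) {
            $val = ($val << 8) | ord($ch);
        }
        $val &= $mask; // also clears the sign bit when all 8 bytes are used
    } while ($val > $range); // reject and redraw; reducing with % would bias the result
    return $min + $val;
}
```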
@scottchiefbaker It's impossible to directly mimic I agree with Anthony, it's better in its own library, we'd have to put limiters in this one to prevent it descending into Imho it only needs to check for and use The first two appropriately select
PHP7 is closer to landing now, has anyone made any headway on a userland implementation?
@sarciszewski just posted one.
Should I send a PR adding
Once the Easy User-land CSPRNG gets added to PHP7, what are your thoughts of using RandomLib as a back-port for older PHP versions and adding the random_bytes() and random_int() functions as wrappers? :)