On 12/21/11 12:07 PM, "Kiall Mac Innes" <ki...@managedit.ie> wrote:
>On Wed, Dec 21, 2011 at 3:31 PM, Tom Worster <f...@thefsb.org> wrote:
>>
>> 1. /dev/random and /dev/urandom are unavailable on Windows and
>> cannot be fopen()¹ed in safe mode on *nix/nux
>
>Safe mode has been deprecated for two and a half years.. Adding features
>to work around its limitations is (IMO) a bad idea..
Why do you think so?
>>
>> 2. openssl_random_pseudo_bytes() requires openssl extension
>> installed and enabled. Most of the popular AMP packages for
>> Windows fail on this count. Many shared web hosts don¹t have it
>> either.
>
>As far as I remember, WAMP Server (Arguably the most popular AMP package
>for windows) does include openssl support. Its simply disabled by default
>like everything else! Some quick googling seems to confirm this..
>Some more googling confirms XAMPP also includes OpenSSL out of the box..
Default configs are a big issue. It's hard to overestimate this.
Then, once the user knows to do so, configuring openssl on wamp is
reasonably straight forward. Much less so on xampp.
But all this is often moot since the app developer often has no
way to reconfigure the host other than to switch hosting provider
and often that is not a decision the developer makes.
>
>>3. mcrypt_create_iv() depends on mcrypt extension and so suffers
>> similar problems as openssl
>
>mcrypt again comes with both WAMP and XAMPP servers, but disabled by
>default.
See my responses above.
>
>> 4. Another method is to set runtime config param
>> session.entropy_length followed by @session_start();
>> session_regenerate_id(); after which session_id() will return a
>> CS random string, but this is also foiled by safe mode.
>
>This is obviously not a solution, even if it worked... ;)
It covers the case when mcrypt and openssl are not available but
safe mode is off.
What's wrong with it otherwise?
> 5. On Windows you could try COM('CAPICOM.Utilities.1')->GetRandom
>> but that API is obsolescent and not in many default Windows
>> installs.
>
>I can't speak for windows specific APIs So I'm going to ignore the rest!
>It seems that the two preferable cross platform options (openssl and
>mcrypt) are already both widely available on all platforms, I'm not sure
>I see the need to be honest.
I couldn't find a machine or VM on which I could make these Windows
APIs work.
I disagree with your assessment about availability. In my
experience, safe mode combined with an absence of both mcrypt and
openssl is quite common.
For the sake of argument, assume that the availability problem
is not trivial and someone was hired to write an app for a
customer and you don't know what it will be run on. Your best bet
would be to use something like what Anthony Ferrara wrote that
tries everything and falls back on a non-CS source. 1. this is
way too sophisticated for most people; 2. it's really hard to
test; 3. you don't know if your client is secure or not; 4. it
just seems a bit much for PHP to say "No, you can't have access
to the system's CSPRNG, instead you can do this:
https://github.com/ircmaxell/PHP-CryptLib/tree/master/lib/CryptLib/Random
"
Tom
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
