On 12/11/2014 3:10 AM, Derick Rethans wrote:
On Wed, 10 Dec 2014, Andrea Faulds wrote:
On 10 Dec 2014, at 06:33, Remi Collet <r...@fedoraproject.org> wrote:
Having a dead upstream for crypto API is a critical issue :(
FYI some downstream (ex RHEL) don't even provide this library.
Already too much crypto libraries, and it will be a mess to provide
a dead project in an Enterprise distribution.
So php/mcrypt also not available.
But most applications. which use it, usually have alternative, and
make it optional (ex phpMyAdmin 4.3 now even use openssl as first
choice).
We probably have enough crypto API in PHP, and we probably should
mark this one as deprecated / unmaintained in 5.x, and move it to
PECL (7.x).
It’s my understanding that ext/mcrypt is quite widely used. Would it
not be possible to update the lib to use OpenSSL or something on the
backend, so existing applications would not need changing?
I think you're going to find this difficult, as the mcrypt
implementations can have some odd quircks in them. As the "maintainer"
of this extension I'd say to just drop it in PHP 7. I wouldn't even
bother trying to make it compile for it.
cheers,
Derick
To date, there still isn't a way to access CryptGenRandom() from
userland without an extension. Access to that Windows function depends
on an extension to expose php_win32_get_random_bytes() to userland.
mcrypt_create_iv() and openssl_random_pseudo_bytes() are the two
userland functions that do that and mcrypt is compiled into the Windows
builds by default. There's nothing in core for getting entropy in
userland on Windows despite the fact that two extensions use a function
already in the core.
If mcrypt is removed and no suitable replacement function for
mcrypt_create_iv() is put in place on Windows, the user will be forced
to load a library that may not even get used. This is possible because
openssl_random_pseudo_bytes() does not actually depend on OpenSSL under
Windows as it calls the php_win32_get_random_bytes() function instead -
but the 1MB OpenSSL library will get loaded anyway.
php_win32_get_random_bytes() should be consistently accessible on
Windows via an ext/standard userland function that gets random bytes of
data. Other than mcrypt_create_iv(), I don't care about the rest of mcrypt.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
http://cubiclesoft.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
