On 11 December 2014 at 15:38, Thomas Hruska <thru...@cubiclesoft.com> wrote:
>
> To date, there still isn't a way to access CryptGenRandom() from userland
> without an extension. Access to that Windows function depends on an
> extension to expose php_win32_get_random_bytes() to userland.
> mcrypt_create_iv() and openssl_random_pseudo_bytes() are the two userland
> functions that do that and mcrypt is compiled into the Windows builds by
> default. There's nothing in core for getting entropy in userland on Windows
> despite the fact that two extensions use a function already in the core.
>
> If mcrypt is removed and no suitable replacement function for
> mcrypt_create_iv() is put in place on Windows, the user will be forced to
> load a library that may not even get used. This is possible because
> openssl_random_pseudo_bytes() does not actually depend on OpenSSL under
> Windows as it calls the php_win32_get_random_bytes() function instead - but
> the 1MB OpenSSL library will get loaded anyway.
>
> php_win32_get_random_bytes() should be consistently accessible on Windows
> via an ext/standard userland function that gets random bytes of data. Other
> than mcrypt_create_iv(), I don't care about the rest of mcrypt.
>

I actually think a generic random bytes function outside of any cryptographic
extensions would be a good idea. Even mcrypt seems like overkill if all you
want is random strings.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
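
An added example, not code from either poster or from php-src: a userland wrapper that picks whichever of the two extension functions named in the thread is loaded and refuses to return anything if neither yields strong bytes. The helper name secure_random_bytes() is hypothetical, and the first branch assumes random_bytes(), a core function that only exists from PHP 7.0 and so postdates this thread.

```php
<?php
// Added example. secure_random_bytes() is a hypothetical helper name.
function secure_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // PHP 7.0+ only: core CSPRNG, no extension required.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // ext/mcrypt: one of the two functions the thread names as reaching
    // php_win32_get_random_bytes() on Windows.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if (is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // ext/openssl: the other function the thread names. The second
    // argument is set by reference; reject output not flagged as strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Fail closed: never fall back to rand(), mt_rand() or uniqid()
    // for tokens, salts or IVs.
    throw new RuntimeException('no cryptographically secure random source available');
}

// Usage: a 128-bit token, hex encoded (value differs on every run).
$token = bin2hex(secure_random_bytes(16));
echo $token, "\n";
```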