Hi, On Tue, Feb 24, 2015 at 8:36 AM, Sammy Kaye Powers <m...@sammyk.me> wrote: > The RFC to add a user-land API for an easy-to-use and reliable CSPRNG in > PHP is up for discussion: https://wiki.php.net/rfc/easy_userland_csprng > > This proposes adding two methods: `random_bytes()` and `random_int()` that > return cryptographically secure pseudo-random data. > > This has been quite a team effort so far and would love to hear your > feedback! :)
I noticed that the patch checks for /dev/arandom availability first, and I'm pretty sure that on systems that have it, /dev/urandom simply redirects to /dev/urandom, so that might be a bit redundant ... Maybe Leigh can say more about this if I'm missing something. Also, you don't need 100s of lines of code to write the same thing in userland ... you need ~30 lines, your Facebook SDK example is just over-complicated. I'm sure everybody will agree that this is a feature that PHP needs, so I think you should rather focus on explaining that it's better than leaving it to userland implementations that may screw up a lot of details. And finally, a suggestion to remove the default $length value of 16 for random_bytes() - it just happens to be what you need for i.e. an AES-128 IV, but other than that it doesn't make sense to have a default length. Otherwise - great! I'm really looking forward to this, and many others surely do as well. I've got no doubt that the RFC will pass and I intend to write a compat package for use in pre-PHP7 environments, to ease the new API's adoption. Cheers, Andrey. -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
