Hi Sammy,

On Wed, Jul 15, 2015 at 6:04 AM, Sammy Kaye Powers <m...@sammyk.me> wrote:

> There are two open PRs for PHP7 to modify the behavior of the CSPRNGs:
>
> https://github.com/php/php-src/pull/1397 (main discussion)
> https://github.com/php/php-src/pull/1398
>
> Currently the random_*() functions will issue a warning and return false if
> a good source of random cannot be found. This is a potential security hole
> in the event the RNG fails and returns false which gets evaluated as 0 in a
> cryptographic context.
>
> To prevent this exploit the proposed behavior will throw an Exception when
> the RNG fails or certain argument validation fails. This also gives the
> developer a graceful way to fall back to an alternate CSPRNG.
>
> Since the core functions in PHP don't throw Exceptions, there is debate on
> whether or not this change should be implemented. Some say the CSPRNGs
> should get a special pass since they will be relied on for cryptography. If
> we can't throw Exceptions, there were suggestions of raising a fatal error
> if the RNG fails.
>
> I think the argument can be boiled down to consistency vs security. We'd
> love to hear your feedback to decide what we should do in this context. :)
>

I prefer exception rather than error.

However, I would not like to see exceptions in only "some" functions.
It's a question of whether we use exceptions for builtin functions or not.

I understand the risk, but users should handle all errors properly
to be secure anyway.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
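An added illustration of the failure mode Sammy describes, not code from the thread or from either PR: unsafe_rng() is a hypothetical stand-in for the pre-proposal warning-and-return-false behaviour, and the fallback to openssl_random_pseudo_bytes() is just one possible alternate CSPRNG a caller could try once the failure is signalled by an exception.

```php
<?php
// Hypothetical stand-in for the current (pre-PR) behaviour: on RNG failure it
// issues a warning and returns false instead of bytes.
function unsafe_rng(int $length, bool $fail = false)
{
    if ($fail) {
        trigger_error('no reliable source of randomness', E_USER_WARNING);
        return false;
    }
    return random_bytes($length);
}

// Naive caller built on the return-false contract. When the RNG fails, false is
// coerced to "" (or to 0 in an integer context such as random_int()), so the
// "key" silently degenerates to an empty, constant value and nothing stops.
function weak_key(bool $fail): string
{
    $raw = unsafe_rng(32, $fail);
    return bin2hex((string) $raw);
}

// Caller built on the proposed contract: random_bytes() throws on failure, so the
// failure cannot be confused with data, and the catch block is the natural place
// to attempt an alternate CSPRNG before giving up.
function safe_key(): string
{
    try {
        $raw = random_bytes(32);
    } catch (Exception $e) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes(32, $strong);
        if ($raw === false || !$strong) {
            // No trustworthy randomness anywhere: refuse to produce a key.
            throw new RuntimeException('no CSPRNG available', 0, $e);
        }
    }
    return bin2hex($raw);
}

// Two healthy calls yield distinct 64-hex-char keys.
var_dump(weak_key(false) !== weak_key(false));
// A failed RNG under the old contract: the caller gets an empty string and,
// with the warning suppressed, no indication that anything went wrong.
var_dump(@weak_key(true));
// Under the exception contract a key is either 32 real bytes or an exception.
var_dump(strlen(safe_key()));
```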
