Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added OpensslRandPseudo random source. #25

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

derekmarcotte
Copy link

This uses openssl_random_pseudo_bytes. This is suggested for use only with
with php5-openssl compiled against LibreSSL:

OpenSSL copying RNG state on fork:
ramsey/uuid#80 (comment)
Fixed in LibreSSL:
http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux

Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28,
5.4.44 and above:

https://bugs.php.net/bug.php?id=70014
http://www.php.net/ChangeLog-5.php

CVE-2015-8867 does not affect versions compiled against LibreSSL.

For these reasons, it only is considered a LOW source of randomness,
unless it is compiled against LibreSSL.

The reason for this to exist at all is because of problems with the
nature of /dev/urandom. For example, if we cannot open or read the
file. openssl_random_pseudo_bytes should never fail.

derekmarcotte and others added 2 commits October 19, 2017 06:29
This uses openssl_random_pseudo_bytes.  This is suggested for use only with
with php5-openssl compiled against LibreSSL:

  OpenSSL copying RNG state on fork:
    ramsey/uuid#80 (comment)
  Fixed in LibreSSL:
    http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux

Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28,
5.4.44 and above:

  https://bugs.php.net/bug.php?id=70014
  http://www.php.net/ChangeLog-5.php

CVE-2015-8867 does not affect versions compiled against LibreSSL.

For these reasons, it only is considered a LOW source of randomness,
unless it is compiled against LibreSSL.

The reason for this to exist at all is because of problems with the
nature of /dev/urandom.  For example, if we cannot open or read the
file.  openssl_random_pseudo_bytes should never fail.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant