rfc:rng_fixes
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision | ||
rfc:rng_fixes [2016/07/06 11:45] – leigh | rfc:rng_fixes [2016/08/08 15:37] – this RFC has already been implemented cmb | ||
---|---|---|---|
Line 3: | Line 3: | ||
* Date: 2016-05-03 | * Date: 2016-05-03 | ||
* Author: Leigh T < | * Author: Leigh T < | ||
- | * Status: | + | * Status: |
* First Published at: https:// | * First Published at: https:// | ||
Line 34: | Line 34: | ||
As < | As < | ||
- | The legacy implementation will be preserved and be selectable with a new `mt_rand_mode(int $mode)` | + | The legacy implementation will be preserved and be selectable with a new `mt_srand(int $seed [, int $mode])` parameter, along with new constants representing the two modes. |
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
== Alias rand() to mt_rand() == | == Alias rand() to mt_rand() == | ||
Line 41: | Line 46: | ||
Aliasing it to < | Aliasing it to < | ||
- | == Replace | + | <doodle title="Alias rand() to mt_rand()" |
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
+ | |||
+ | == Fix RAND_RANGE() == | ||
The macro used to scale the output of an RNG between two bounds is insufficient for large ranges. ([[https:// | The macro used to scale the output of an RNG between two bounds is insufficient for large ranges. ([[https:// | ||
The proposed fix is to concatenate multiple outputs for ranges exceeding 32 bits, and use rejection sampling (the same as used in < | The proposed fix is to concatenate multiple outputs for ranges exceeding 32 bits, and use rejection sampling (the same as used in < | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
== Replace insecure uses of php_rand() with php_random_bytes() == | == Replace insecure uses of php_rand() with php_random_bytes() == | ||
Line 51: | Line 66: | ||
* < | * < | ||
* SOAP HTTP auth nonce generation | * SOAP HTTP auth nonce generation | ||
- | * < | ||
These instances should all be fixed to use the secure random number generator (even mcrypt which is deprecated) | These instances should all be fixed to use the secure random number generator (even mcrypt which is deprecated) | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
== Make array_rand() more efficient == | == Make array_rand() more efficient == | ||
It has been noted that ([[http:// | It has been noted that ([[http:// | ||
+ | |||
+ | <doodle title=" | ||
+ | * Yes | ||
+ | * No | ||
+ | </ | ||
===== Backward Incompatible Changes ===== | ===== Backward Incompatible Changes ===== | ||
Line 67: | Line 91: | ||
* < | * < | ||
* < | * < | ||
- | * < | ||
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== | ||
Line 97: | Line 120: | ||
===== Implementation ===== | ===== Implementation ===== | ||
+ | https:// | ||
===== References ===== | ===== References ===== |
rfc/rng_fixes.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1