rfc:rng_fixes [2016/07/07 11:01] – leigh | rfc:rng_fixes [2017/09/22 13:28] (current) – external edit 127.0.0.1 |
---|
* Date: 2016-05-03 | * Date: 2016-05-03 |
* Author: Leigh T <leigh@php.net> | * Author: Leigh T <leigh@php.net> |
* Status: Voting | * Status: Implemented (PHP 7.1) |
* First Published at: https://wiki.php.net/rfc/rng_fixes | * First Published at: https://wiki.php.net/rfc/rng_fixes |
| |
As <php>mt_rand()</php> can be seeded for repeatable sequences the current implementation makes it incompatible with other systems that do use correct implementations. However fixing it also means that the sequence generated for a given seed in PHP will also now be different. | As <php>mt_rand()</php> can be seeded for repeatable sequences the current implementation makes it incompatible with other systems that do use correct implementations. However fixing it also means that the sequence generated for a given seed in PHP will also now be different. |
| |
The legacy implementation will be preserved and be selectable with a new `mt_rand_mode(int $mode)` function, along with new constants representing the two modes. The default will be the fixed algorithm. | The legacy implementation will be preserved and be selectable with a new `mt_srand(int $seed [, int $mode])` parameter, along with new constants representing the two modes. The default will be the fixed algorithm. |
| |
<doodle title="Fix mt_rand() implementation" auth="leigh" voteType="single" closed="false"> | <doodle title="Fix mt_rand() implementation" auth="leigh" voteType="single" closed="true"> |
* Yes | * Yes |
* No | * No |
Aliasing it to <php>mt_rand()</php> improves the quality of the output and means the same output can be expected for a given seed regardless of platform. | Aliasing it to <php>mt_rand()</php> improves the quality of the output and means the same output can be expected for a given seed regardless of platform. |
| |
<doodle title="Alias rand() to mt_rand()" auth="leigh" voteType="single" closed="false"> | <doodle title="Alias rand() to mt_rand()" auth="leigh" voteType="single" closed="true"> |
* Yes | * Yes |
* No | * No |
The proposed fix is to concatenate multiple outputs for ranges exceeding 32 bits, and use rejection sampling (the same as used in <php>random_bytes()</php>) to produce unbiased outputs. | The proposed fix is to concatenate multiple outputs for ranges exceeding 32 bits, and use rejection sampling (the same as used in <php>random_bytes()</php>) to produce unbiased outputs. |
| |
<doodle title="Fix RAND_RANGE()" auth="leigh" voteType="single" closed="false"> | <doodle title="Fix RAND_RANGE()" auth="leigh" voteType="single" closed="true"> |
* Yes | * Yes |
* No | * No |
These instances should all be fixed to use the secure random number generator (even mcrypt which is deprecated) | These instances should all be fixed to use the secure random number generator (even mcrypt which is deprecated) |
| |
<doodle title="Replace insecure uses of php_rand() with php_random_bytes()" auth="leigh" voteType="single" closed="false"> | <doodle title="Replace insecure uses of php_rand() with php_random_bytes()" auth="leigh" voteType="single" closed="true"> |
* Yes | * Yes |
* No | * No |
It has been noted that ([[http://php.net/manual/en/function.array-rand.php#117114|array_rand() produces weird and very uneven random distribution]]). As the above proposals change the output of <php>array_rand()</php> anyway, we can fix this at the same time. | It has been noted that ([[http://php.net/manual/en/function.array-rand.php#117114|array_rand() produces weird and very uneven random distribution]]). As the above proposals change the output of <php>array_rand()</php> anyway, we can fix this at the same time. |
| |
<doodle title="Make array_rand() more efficient" auth="leigh" voteType="single" closed="false"> | <doodle title="Make array_rand() more efficient" auth="leigh" voteType="single" closed="true"> |
* Yes | * Yes |
* No | * No |
===== Implementation ===== | ===== Implementation ===== |
| |
| https://github.com/php/php-src/commit/ab834f4 |
| |
===== References ===== | ===== References ===== |
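Review bot: the Implementation link added in the right-hand column points at a seven-character abbreviated hash (ab834f4); use the full commit hash so the reference stays unambiguous. The page holds five separate votes, so the section should also say which of the accepted proposals that commit covers.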