PHP RFC: Unify crypt source INI settings
- Version: 0.1
- Date: 2014-02-24
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/unified-crypt-source
Introduction
A crypt source such as /dev/urandom is mandatory for secure programs. Nonetheless, PHP core has no way to specify the crypt source. This RFC proposes 2 new INI settings for it.
Proposal
Introduce 2 new INI settings for UNIX-like OSes.
Pseudo RNG - non-blocking
random.entropy_strong_source= (/dev/(u|a)random etc. Default: /dev/urandom)
RNG - may block
random.entropy_crypto_source= (/dev/random etc. Default: /dev/random)
Under Windows, the Windows-provided API wrapper php_win32_get_random_bytes() will be used as both sources.
Backward Incompatible Changes
session.entropy_file is deprecated in favor of random.entropy_strong_source.
Proposed PHP Version(s)
Next PHP 5.x
Impact to Existing Extensions
session, mcrypt, and any extension that uses /dev/*random. These modules' code is changed to use the new INI settings where possible.
New Constants
None
php.ini Defaults
- hardcoded default values
- php.ini-development values
- php.ini-production values
random.entropy_strong_source=/dev/urandom
random.entropy_crypto_source=/dev/random
Under Windows, these are ignored.
Open Issues
Use OpenSSL RNG/PRNG?
Unaffected PHP Functionality
Although this RFC affects some modules, it does not affect existing features. All functions should remain as they are now.
Future Scope
TBD
Proposed Voting Choices
Yes/No
Patches and Tests
TBD
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
Links to external references, discussions or RFCs
Rejected Features
Keep this updated with features that were discussed on the mail lists.