PHP RFC: Unify crypt source INI settings

• Version: 0.1
• Date: 2014-02-24
• Author: Yasuo Ohgaki yohgaki@ohgaki.net
• Status: Under Discussion
• First Published at: http://wiki.php.net/rfc/unified-crypt-source

Crypt source such as /dev/urandom is mandatory for secure programs. None the less, PHP does not have way to specify crypt source as a core. This RFC proposes 2 new INIs for it.

Introduce 2 new INIs for UNIX like OSes.

Pseudo RNG - non-blocking

random.entropy_strong_source=       (/dev/(u|a)random etc. Default: /dev/urandom)

RNG - may block

random.entropy_crypto_source=        (/dev/random etc. Default: /dev/random)

Under windows, Windows provided API wrapper php_win32_get_random_bytes() will be used as both source.

session.entropy_file is deprecated in favor of randon.entropy_strong_source

Next PHP 5.x

session/mcrypt, any extension uses /dev/*random. These module's code is changed to use new INI settings where it is possible.

None

• hardcoded default values
• php.ini-development values
• php.ini-production values

random.entropy_strong_source=/dev/urandom
random.entropy_crypto_source=/dev/random

Under Windows, these are ignored.

Use OpenSSL RNG/PRNG?

Although this RFC affects some modules, it does not affects existing feature. All function should remains as it is now.

TBD

Yes/No

TBD

After the project is implemented, this section should contain

1. the version(s) it was merged to
2. a link to the git commit(s)
3. a link to the PHP manual entry for the feature

Links to external references, discussions or RFCs

Keep this updated with features that were discussed on the mail lists.