PHP-PasswordLib

Added OpensslRandPseudo random source.

Open derekmarcotte opened this issue 8 years ago • 0 comments

This uses openssl_random_pseudo_bytes. This is suggested for use only with php5-openssl compiled against LibreSSL:

OpenSSL copying RNG state on fork: https://github.com/ramsey/uuid/issues/80#issuecomment-188286637
Fixed in LibreSSL: http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux

Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28, 5.4.44 and above:

https://bugs.php.net/bug.php?id=70014
http://www.php.net/ChangeLog-5.php

CVE-2015-8867 does not affect versions compiled against LibreSSL.

For these reasons, it only is considered a LOW source of randomness, unless it is compiled against LibreSSL.

The reason for this to exist at all is because of problems with the nature of /dev/urandom. For example, if we cannot open or read the file. openssl_random_pseudo_bytes should never fail.

derekmarcotte, Oct 19 '17 10:10
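
The reasoning in the issue above, written out as a runtime check. This is an added example, not code from PHP-PasswordLib or from the issue author. The function names and result keys are hypothetical, the version strings are constructed samples, and it assumes PHP branches after 5.6 already carry the CVE-2015-8867 fix.

```php
<?php
// Added example, not PHP-PasswordLib code; function names are hypothetical.

// True when $phpVersion is at or above the CVE-2015-8867 fix for its branch
// (5.4.44, 5.5.28, 5.6.12, as listed in the issue).
function hasCve20158867Fix($phpVersion)
{
    $fixed = array('5.4' => '5.4.44', '5.5' => '5.5.28', '5.6' => '5.6.12');
    if (!preg_match('/^(\d+)\.(\d+)\.(\d+)/', $phpVersion, $m)) {
        return false; // unparseable version: treat as unfixed
    }
    $branch = $m[1] . '.' . $m[2];
    $release = $branch . '.' . $m[3];
    if (isset($fixed[$branch])) {
        return version_compare($release, $fixed[$branch], '>=');
    }
    // Assumption: branches after 5.6 include the fix; older ones never got it.
    return version_compare($branch, '5.6', '>');
}

// Summarise the issue's reasoning for one runtime.
function assessOpensslRandSource($phpVersion, $opensslVersionText)
{
    $libressl = stripos($opensslVersionText, 'LibreSSL') !== false;
    return array(
        'libressl'          => $libressl,
        // CVE-2015-8867 does not affect LibreSSL builds.
        'cve_exposed'       => !$libressl && !hasCve20158867Fix($phpVersion),
        // RNG state copied on fork: fixed in LibreSSL per the linked post.
        'fork_state_caveat' => !$libressl,
        // Rated LOW unless compiled against LibreSSL.
        'low_strength'      => !$libressl,
    );
}

// Constructed sample runtimes (PHP version, OPENSSL_VERSION_TEXT value).
$runtimes = array(
    array('5.5.27', 'OpenSSL 1.0.1k 8 Jan 2015'),
    array('5.6.12-0+deb8u1', 'OpenSSL 1.0.1k 8 Jan 2015'),
    array('5.4.43', 'LibreSSL 2.2.1'),
);
if (defined('OPENSSL_VERSION_TEXT')) {
    $runtimes[] = array(PHP_VERSION, OPENSSL_VERSION_TEXT); // this interpreter
}
foreach ($runtimes as $r) {
    $a = assessOpensslRandSource($r[0], $r[1]);
    printf("PHP %-16s %-28s cve_exposed=%s low_strength=%s\n", $r[0], $r[1],
        var_export($a['cve_exposed'], true), var_export($a['low_strength'], true));
}
```

Distribution packages sometimes backport fixes without changing the upstream version number, so a `cve_exposed` result on a vendor build should be checked against the vendor's changelog.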