[WIP] Easy User-land CSPRNG

[SammyK]

Submitting as a PR per @nikic's recommendation.

RFC can be found here.

[lt]

I wonder about the usefulness of this function. This can be easily achieved with random_bytes and bin2hex, so I feel like this is unnecessary duplication of functionality for the sake of one function call.

[lt]

Edit: - Hah, I see you already did this in your second commit :)

With your includes at the top:

#if PHP_WIN32
#include "win32/winutil.h"
#endif

Then use php_win32_get_random_bytes(unsigned char *buf, size_t len)
This already uses the CryptGenRandom windows API call, so we're all good here.

[lt]

This should go back to being zend_string and use bytes->val as your char *.
zend_string_alloc to create it and zend_string_release if you hit an error condition. Don't release and use RETURN_STR if you have success. This saves having to copy the string at the end of the function with RETVAL_STRINGL

[lt]

We need to be careful about uniformity in this function. If you use modulus to bring the number down to your upper bound and the divisor is not a power of 2, you can end up with some bias in the result which we obviously want to avoid with a CSPRNG.

I'll help with the implementation of fixing this.

[lt]

There's a few more options to investigate here. /dev/urandom is going to be "ok", but I also think it should be the last option. Where possible we should try and avoid opening file descriptors.

Off the top of my head, things to investigate (I can do all of this if you like):

• What would be the security impact of having a user space arc4random implementation for Linux.
• Where arc4random exists, and libc is shared amongst all processes, is the arc4random state shared or per process?
• Attempt to use /dev/arandom if it exists and for some odd reason we don't have arc4random
• Linux getrandom syscall (for kernel versions >= 3.17)

[lt]

To get a random number to work on do php_random_bytes(&number, sizeof(number));, so whatever source of random is picked as being the best for the platform is used.

[lt]

@Rican7 - Documentation issue in the RFC. The value in the implementation here is correct. I've let Sammy know.

[lt]

@SammyK I derped in the error message, minimum definitely should not be greater than the maximum :)

[lt]

This needs min putting back in.

[nikic]

Probably that should be RETURN_FALSE as well? Same in random_int.

[SammyK]

Nice catch! I'll fix.

[nikic]

Better would be ssize_t.

[nikic]

The declaration should also be moved into the while loop, otherwise this will likely generate a warning on BSD systems with arc4random.

[laruence]

since you already have LONG_MIN and LONG_MAX, so if only minimum value min is given. then simply assume it means min to LONG_MAX?

[patrickallaert]

@laruence: I thought about the same thing but then I realize that reading:
random_int(10);
might be understood as 10 being the max.

[laruence]

hmm, that could be a doc issue.. but it's not a big deal :)

[SammyK]

Oops - this is a dingleberry left over from when min and max were optional args. They are both required in the current spec that's being voted on. I'll remove this check. :)

[laruence]

maybe something like: 1st arg must be less than 2nd arg is more obvious for user?

[lt]

@sarciszewski This is something we have discussed, but decided to leave for future scope. getrandom (and getentropy on BSD) are typically used to seed RNGs, and are not designed for high throughput themselves.

If you compile against LibreSSL and have a Linux Kernel version > 3.17, you will be using getrandom today.

[ircmaxell]

The vote passed, but was never closed. This should be merged soon ;-)

[nikic]

This needs to be moved into the while look (combined declaration and assignment) to conform with C89.

[SammyK]

Thanks for the push @ircmaxell! :) I'm coordinating with @lt to get this bad boy ready for merge. :)

[lt]

@SammyK Since both parameters are required, we don't need these defaults any more.

[SammyK]

Hokay! @lt updated this PR based on feedback. I normalized the return values when errors happen & updated the tests & merged in the lest from master & fixed conflicts. Phew!

The RFC officially passed unanimously and this PR can be merged into master now. W00t! Not sure if @nikic is the one to do that or who we need to ping.

Thanks again @ircmaxell, @lt, @rdlowrey, and all the other kids who help me along on this one! 🐻 Let's do some more of these! :D

[nikic]

Zpp failures should always return null (what was implemented initially), unless there is some very strong reason to do otherwise. We usually only make exceptions to this for legacy functions.

[nikic]

Merged via #1268. Thanks everyone who worked on this!

[SammyK]

Yay! Thanks @nikic! :)

[CodesInChaos]

1. The documentation for random_int could use some improvements:
   • Clarify the behaviour if min<=max is violated
   • Specify if the bounds are inclusive or exclusive (looking at rand and mt_rand it's probably inclusive)
   • It should mention that the distribution is uniform
2. Why does it return FALSE which can easily treated as 0 instead of something you can't ignore, like an exception when the RNG in unavailable?
3. What about a secure polyfill?

[SammyK]

Why does it return FALSE which can easily treated as 0 instead of something you can't ignore, like an exception when the RNG in unavailable?

Good point. I think a RuntimeException should be thrown when a proper source of random cannot be detected. That way when errors are turned off we won't have people using false/0 as their CSPRNG. :) Thoughts @lt?

[SammyK]

@lt: I just pushed up a branch with this change, can you take a look? :)

[CodesInChaos]

@SammyK What should happen if min > max? Also an exception?

[lt]

I think when we wrote this, exceptions in the engine hadn't yet passed.

I'd be happy with InvalidArgumentException for min>max and len<=0

[CodesInChaos]

Should len === 0 be considered invalid? I'd consider it valid and only throw an exception if len < 0.

[tom--]

When someone tries to generate an empty string using the CSPRNG, I think it's likely a programming error (if it were my project, I'd define it as a programming error). So I think it is safer if PHP treats this case as invalid.

And, from the other point of view, I think PHP can reasonably reject bug reports that you can't generate empty strings with the CSPRNG, especially if the conditions for these exceptions are documented.

[lt]

If it's not a programming error, it's a stupid thing to do. Invalid all the way.

[CodesInChaos]

At least min == max on random_int shouldn't be an error, since that can be useful in practice. For example when picking the last card in a shuffling algorithm.

[tom--]

@CodesInChaos I agree.

[lt]

I'll disagree with practically useful. But I'll agree that it should be allowed, in the "spirit of PHP"

If we're going to allow min == max it should be special cased, no point fetching from the rng for it.

    if (min >= max) {
        if (min == max) {
            RETURN_LONG(min);
        }

        zend_throw_exception(spl_ce_InvalidArgumentException, "Maximum value must not be less than the minimum value", 0);
        return;

    }

@SammyK perhaps do something like this for SPL exceptions:

php-src/ext/mysqli/mysqli.c

Line 606 in ed1b648

#ifdef HAVE_SPL

So it can fall back to a less specific exception if SPL is not included.

[nikic]

Please do the change to exceptions separately from the changing any error conditions.

[SammyK]

Sounds good. I'll submit 2 separate PR's - one for throwing general exceptions and one for new error conditions. Then I'll update the docs when they are merged and post here for another once-over to make sure the docs cover all the bases. :)