On 2018/06/01 22:07, Stefan Sperling wrote:
> On Fri, Jun 01, 2018 at 09:03:08PM +0100, Stuart Henderson wrote:
> > On 2018/06/01 15:35, Daniel Jakots wrote:
> > > On Fri, 1 Jun 2018 18:46:25 +0100, Stuart Henderson
> > > <stu@spacehopper.org> wrote:
> > >
> > > > Thanks - this is a common problem with many PHP apps rather than being
> > > > specific to nextcloud/owncloud. Rather than repeating it all over the
> > > > place I've just added a section to the pkg-readme for PHP that
> > > > explains this.
> > >
> > > Great! Would you mind documenting the creation of *random devices?
> >
> > Hmm, what uses these? I've not run into anything, and if there is,
> > it really should be using random_bytes / random_int in 7.x, or the
> > random_compat polyfill + one of the other sources (preferably
> > libsodium) for 5.x ...
>
> Nextcloud complains in its admin panel if it cannot find this
> device node... I haven't checked if the device node is actually
> used but adding it on an mfs was an easy quick solution.
>
> If this is not a common issue among PHP apps, adding a hint to
> nextcloud's README file should be sufficient.
>
So from looking at this, nextcloud has two pieces of RNG interaction.
In both cases the default setup for packages is now with php 7 so
will use random_bytes (-> arc4random_buf).
Otherwise (i.e. with php 5):
- one piece is phpseclib, if random_bytes is unavailable, the fallback
is openssl_random_pseudo_bytes (which for us is a couple of layer of
wrapper around arc4random_bytes). /dev/urandom is a subsequent fallback,
but the openssl module is compiled-in so will be available.
- the other is random_compat, if random_bytes is unavailable then
libsodium is preferred (install+activate pecl-libsodium). Subsequent
fallbacks are fread() of /dev/urandom, then mcrypt which also I believe
uses /dev/random, then openssl_random_pseudo_bytes.
If we still used php 5 for this port, I'd suggest adding pecl-libsodium
as a dependency to avoid multiple tests+fallbacks (though eventually to a
source which is sane on OpenBSD).
Unless there's some other reason I didn't spot, it would be nice if
nextcloud didn't complain about this on php 7+.
No comments:
Post a Comment