My journey to the center of PHP - Midwest PHP 2017

Transcript

1. M A R C H 1 8 T H ,

   2 0 1 7 JOURNEY MY CENTER TO THE OF S A M M Y K A Y E P O W E R S @SammyK #mwphp17 joind.in/talk/01835

2. SCARY! INTERNALS IS http://saint-max.deviantart.com @SammyK #mwphp17 joind.in/talk/01835

3. I don’t know C! Internals is scary! I don’t know

   what I’m doing!

4. BOOKS ON PHP 7 INTERNALS: THIS PAGE INTENTIONALLY LEFT BLANK

   @SammyK #mwphp17 joind.in/talk/01835

5. BUBBLE MY 1998-2013 @SammyK #mwphp17 joind.in/talk/01835

6. LARACON 2014 NEW YORK PHP|TEK CHICAGO @SammyK #mwphp17 joind.in/talk/01835

7. PHP|TEK HACK-A-THON CONTRIBUTE TO PHP @SammyK #mwphp17 joind.in/talk/01835

8. I don’t know what I’m doing! @SammyK #mwphp17 joind.in/talk/01835

9. ELIZABETH SMITH DERICK RETHANS

10. @SammyK #mwphp17 joind.in/talk/01835

11. ANTHONY FERRARA @SammyK #mwphp17 joind.in/talk/01835

12. CONTRIBUTION MY FIRST

13. this is a table… @SammyK #mwphp17 joind.in/talk/01835

14. I love tabs! this is a table… Spaces is where

    it’s at! I’m trying to upgrade bison I added array_column() Have you used Docker? Licensing in FOSS is important Let’s have a PGP key signing party! JavaScript is weird

15. I love tabs! this is a table… Spaces is where

    it’s at! I’m trying to upgrade bison I added array_column() Have you used Docker? Licensing in FOSS is important Let’s have a PGP key signing party! JavaScript is weird

16. TABS SPACES VS

17. CLOSER TO INTERNALS PUSHED ME

18. OPEN SOURCE @SammyK #mwphp17 joind.in/talk/01835

19. PHP SDK FACEBOOK

20. FOSCO MAROTTO @SammyK #mwphp17 joind.in/talk/01835

21. HQ FACEBOOK @SammyK #mwphp17 joind.in/talk/01835

22. None

23. CHANGED IT ALL THE PR THAT @SammyK #mwphp17 joind.in/talk/01835

24. None
25. None

26. SCOTT ARCISZEWSKI (AR - SIZ - ZU - SKI) @SammyK

    #mwphp17 joind.in/talk/01835

27. @SammyK #mwphp17 joind.in/talk/01835

28. @SammyK #mwphp17 joind.in/talk/01835

29. SCOTT’S PR INFOSEC FALLOUT == @SammyK #mwphp17 joind.in/talk/01835

30. I HAD A CHOICE OR @SammyK #mwphp17 joind.in/talk/01835

31. CSPRNG WUT? @SammyK #mwphp17 joind.in/talk/01835

32. CSPRNG WUT? @SammyK #mwphp17 joind.in/talk/01835

33. CSPRNG mt_rand($min, $max); rand($min, $max); @SammyK #mwphp17 joind.in/talk/01835

34. CSPRNG echo mt_rand(0, 42); 11

35. CSPRNG echo mt_rand(0, 42); 7

36. echo mt_rand(0, 42); 39 CSPRNG

37. CSPRNG mt_srand(10); echo mt_rand(0, 42); 21

38. CSPRNG mt_srand(10); echo mt_rand(0, 42); 21

39. mt_srand(10); echo mt_rand(0, 42); 21 CSPRNG

40. rand(); mt_rand(); AUTO SEEDING USING TIMESTAMP + A FEW OTHER

    VARIABLES CSPRNG @SammyK #mwphp17 joind.in/talk/01835
41. None
42. None
43. None
44. None

45. AUTO SEEDING USING TIMESTAMP + A FEW OTHER VARIABLES @SammyK

    #mwphp17 joind.in/talk/01835
46. None

47. CSPRNG’S USE BETTER SEEDS @SammyK #mwphp17 joind.in/talk/01835

48. None

49. CSPRNG OPTIONS IN 5.x openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/*random @SammyK #mwphp17 joind.in/talk/01835

50. CSPRNG OPTIONS IN 5.x openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/*random @SammyK #mwphp17 joind.in/talk/01835

51. openssl_random_pseudo_bytes() https://wiki.openssl.org/index.php/Random_fork-safety Since the UNIX fork() system call duplicates the

    entire process state, a random number generator which does not take this issue into account will produce the same sequence of random numbers in both the parent and the child […], leading to cryptographic disaster… “

52. openssl_random_pseudo_bytes() https://wiki.openssl.org/index.php/Random_fork-safety OpenSSL cannot fix the fork- safety problem because

    its not in a position to do so. However, there are [solutions] available and they are listed below. “

53. openssl_random_pseudo_bytes() https://wiki.openssl.org/index.php/Random_fork-safety Don't use RAND_bytes “

54. openssl_random_pseudo_bytes() https://wiki.openssl.org/index.php/Random_fork-safety Instead, you can read directly from /dev/random, /dev/urandom

    or /dev/srandom; or use CryptGenRandom on Windows systems. “

55. CSPRNG OPTIONS IN 5.x openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/*random @SammyK #mwphp17 joind.in/talk/01835

56. mcrypt_create_iv()

57. mcrypt_create_iv()

58. mcrypt_create_iv()

59. CSPRNG OPTIONS IN 5.x openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/*random @SammyK #mwphp17 joind.in/talk/01835

60. /dev/*random

61. CSPRNG OPTIONS IN 5.x openssl_random_pseudo_bytes() mcrypt_create_iv() /dev/*random @SammyK #mwphp17 joind.in/talk/01835

62. Why is CSPRNG so hard in PHP?

63. SUNSHINE PHP 2015 @SammyK #mwphp17 joind.in/talk/01835

64. Why is CSPRNG so hard in PHP?

65. Because no one’s made it easy.

66. CSPRNG MAKE EASY

67. I have NO idea what I’m doing!

68. Start with user-land implementation

69. github.com/SammyK/php-src-csprng

70. THREE ADD NEW FUNCTIONS random_int($min, $max) random_bytes($bytes) random_hex($bytes) @SammyK #mwphp17

    joind.in/talk/01835

71. Vetted by infosec nerds. including…

72. SCOTT @SammyK #mwphp17 joind.in/talk/01835

73. THREE ADD NEW FUNCTIONS random_bytes($bytes) random_hex($bytes) random_int($min, $max) @SammyK #mwphp17

    joind.in/talk/01835

74. THREE ADD NEW FUNCTIONS random_bytes($bytes) random_hex($bytes) random_int($min, $max) two @SammyK

    #mwphp17 joind.in/talk/01835

75. ADD NEW FUNCTIONS bin2hex(random_bytes($bytes)) === THREE two random_hex($bytes) @SammyK #mwphp17

    joind.in/talk/01835

76. IMPLEMENTATION THE ACTUAL @SammyK #mwphp17 joind.in/talk/01835

77. None

78. google!

79. COPY I DON’T ALWAYS PASTE & BUT WHEN I DO…

80. github.com/php/php-src/pull/191/files

81. /ext/standard/basic_functions.c

82. /ext/standard/base64.c

83. COPY PASTE @SammyK #mwphp17 joind.in/talk/01835

84. COMPILE TEST @SammyK #mwphp17 joind.in/talk/01835

85. random bytes int min max ?? ?? ? ??!! @SammyK

    #mwphp17 joind.in/talk/01835

86. ROOM 11 @SammyK #mwphp17 joind.in/talk/01835

87. segfault @SammyK #mwphp17 joind.in/talk/01835

88. I have NO idea what I’m doing! random bytes int

    min max

89. LEIGH LAST NAME? @SammyK #mwphp17 joind.in/talk/01835

90. @SammyK #mwphp17 joind.in/talk/01835

91. THE P R O C E S S (REQUEST FOR

    COMMENTS) @SammyK #mwphp17 joind.in/talk/01835

92. [email protected] @SammyK #mwphp17 joind.in/talk/01835

93. GET YOU SOME WIKI KARMA @SammyK #mwphp17 joind.in/talk/01835

94. GET YOU SOME WIKI KARMA wiki.php.net @SammyK #mwphp17 joind.in/talk/01835

95. GET YOU SOME WIKI KARMA [email protected] @SammyK #mwphp17 joind.in/talk/01835

96. YOUR RFC CREATE wiki.php.net/rfc/howto @SammyK #mwphp17 joind.in/talk/01835

97. YOUR RFC ANNOUNCE [email protected] @SammyK #mwphp17 joind.in/talk/01835

98. FOR 2 WEEKS WAIT @SammyK #mwphp17 joind.in/talk/01835

99. UNDER DISCUSSION @SammyK #mwphp17 joind.in/talk/01835

100. ANNOUNCE THE VOTING PHASE [email protected] @SammyK #mwphp17 joind.in/talk/01835

101. USUALLY 2 WEEKS @SammyK #mwphp17 joind.in/talk/01835

102. @SammyK #mwphp17 joind.in/talk/01835

103. sammyk.me/how-to-contribute-to-php-documentation @SammyK #mwphp17 joind.in/talk/01835

104. THE PROCESS FIN @SammyK #mwphp17 joind.in/talk/01835

105. RFC WORKING IMPLEMENTATION ANNOUNCE TO INTERNALS CHECKLIST @SammyK #mwphp17 joind.in/talk/01835

106. RFC WORKING IMPLEMENTATION ANNOUNCE TO INTERNALS CHECKLIST ✓ @SammyK #mwphp17

     joind.in/talk/01835

107. RFC WORKING IMPLEMENTATION ANNOUNCE TO INTERNALS CHECKLIST ✓ ✓ @SammyK

     #mwphp17 joind.in/talk/01835

108. RFC WORKING IMPLEMENTATION ANNOUNCE TO INTERNALS CHECKLIST ✓ ✓ x

     @SammyK #mwphp17 joind.in/talk/01835

109. RFC WORKING IMPLEMENTATION ANNOUNCE TO INTERNALS CHECKLIST ✓ ✓ x

     PHP internals is scawy!

110. Everyone is smarter than me - I’ll be a laughingstock!

     Everyone is mean - look at scalar type- hints drama!

111. Let’s do this sh… stuff!

112. None
113. None

114. LATER …TWO WEEKS

115. None
116. None

117. @SammyK #mwphp17 joind.in/talk/01835

118. @SammyK #mwphp17 joind.in/talk/01835

119. JOURNEY MY CENTER TO THE OF IT’S LIKE EATING @SammyK

     #mwphp17 joind.in/talk/01835

120. LEARNED WHAT I I don’t know what I’m doing! HOW

     FEATURES ARE ADDED TO PHP THE CULTURE OF PHP INTERNALS BETTER AT C & C++ DEEPER UNDERSTANDING OF CSPRNG’S BINARY AND HEXADECIMAL NUMBER SYSTEMS HOW TO CONTRIBUTE TO THE PHP DOCS AND TONS MORE!

121. I STILL have no idea what I’m doing!

122. SCARY! INTERNALS IS http://saint-max.deviantart.com @SammyK #mwphp17 joind.in/talk/01835

123. SCARY! INTERNALS IS http://saint-max.deviantart.com not ^ @SammyK #mwphp17 joind.in/talk/01835

124. COMMUNITY LOVING @SammyK #mwphp17 joind.in/talk/01835

125. I N T E R N A L S N

     E E D S YOU SOURCE BUGS WEBSITE TESTS @SammyK #mwphp17 joind.in/talk/01835

126. TABS INTERNALS USES @SammyK #mwphp17 joind.in/talk/01835

127. THANKS! SAMMY KAYE POWERS @SammyK SammyK.me Host of @PHPRoundtable @ChiPHPUG

     West Coast Swing Hire me! :) /talk/01835