Yubico / php-u2flib-server

(OBSOLETE) U2F library in PHP
https://developers.yubico.com/php-u2flib-server/
BSD 2-Clause "Simplified" License

Improve U2F::createChallenge reliability #66

Closed MKodde closed 6 years ago

MKodde commented 6 years ago

By also testing the outcome of openssl_random_pseudo_bytes, which is caught in the $challenge variable, we can prevent a possible unexpected error down the line.

Admittedly a minor improvement, but it could prove useful someday.

See https://github.com/Yubico/php-u2flib-server/issues/65

francislavoie commented 6 years ago

I think ultimately, #64 would preclude this change. Using random_bytes is better.

MKodde commented 6 years ago

Great, did not see that PR, but using random_bytes in favor of the openssl_random_pseudo_bytes indeed is preferable in my opinion. This, however, is a BC breaking change for legacy users stuck to PHP 5.

francislavoie commented 6 years ago

Not if the polyfill is also installed (check the PR again, it's included in the composer.json)

On Wed., Aug. 8, 2018, 2:47 a.m. Michiel Kodde, notifications@github.com wrote:

Great, did not see that PR, but using random_bytes in favor of the openssl_random_pseudo_bytes indeed is preferable in my opinion. This, however, is a BC breaking change for legacy users stuck to PHP 5.
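The two ways of generating a challenge discussed in this thread, side by side, as an added example that is not code from this pull request, from #64 or from php-u2flib-server. The function names, the 32-byte length and the base64url encoding are assumptions made for illustration.

```php
<?php
// Added illustration; all function names here are hypothetical.

/** URL-safe base64 without padding (assumed challenge encoding). */
function base64url_encode($data)
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/**
 * openssl_random_pseudo_bytes() path: failure is reported through the
 * return value (false before PHP 8.0) and the by-reference $strong flag,
 * so the caller has to test both before using the bytes.
 */
function challenge_openssl($length = 32)
{
    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        // Fail closed: never hand out a challenge built from a bad result.
        throw new RuntimeException('No strong randomness for U2F challenge');
    }
    return base64url_encode($bytes);
}

/**
 * random_bytes() path (PHP 7+, or PHP 5 with a polyfill installed):
 * failure is an exception, so there is no return value to forget to check.
 */
function challenge_random_bytes($length = 32)
{
    return base64url_encode(random_bytes($length));
}

// Generate one challenge with each approach and show its length.
foreach (array('challenge_openssl', 'challenge_random_bytes') as $fn) {
    $challenge = $fn();
    printf("%-24s %s (%d chars)\n", $fn, $challenge, strlen($challenge));
}
```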