Edit report at http://bugs.php.net/bug.php?id=51436&edit=1
ID: 51436
Updated by: paj...@php.net
Reported by: andreas at andreas dot org
Summary: LCG entropy fix insufficient, uniqid leaks entropy,
leads to weak session IDs
Status: Assigned
Type: Bug
Package: *Encryption and hash functions
Operating System: all
PHP Version: 5.3.2
Assigned To: pajoye
New Comment:
RAND_pseudo_bytes does pretty much the same anyway, but I would prefer
to give a possible not to use openssl first.
Also this exact function may not be crypto safe. It is not a problem for
the session but that will then not solve the need of a crypto safe
function.
Previous Comments:
------------------------------------------------------------------------
[2010-04-09 18:41:56] crrodriguez at opensuse dot org
I think trying RAND_pseudo_bytes() if -lcrypto is found in the system
first and
then your_own_function ight be a suitable approach.
------------------------------------------------------------------------
[2010-04-09 18:18:32] paj...@php.net
That's the idea but not using zend's mm which is incomplete.
------------------------------------------------------------------------
[2010-04-09 17:51:14] crrodriguez at opensuse dot org
I think uniqid() should also use zend_mm_random()-like random value when
more_entropy is set to true instead of the LCG ...
------------------------------------------------------------------------
[2010-04-07 17:44:16] paj...@php.net
And assigned to me, almost done with the patch we discussed.
------------------------------------------------------------------------
[2010-04-07 17:43:49] paj...@php.net
Well, the easiest to "backport" something now and here is to use the
given settings. You can do it right now.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=51436
--
Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1
