rasmus                                   Wed, 31 Mar 2010 18:03:17 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=297232

Log:
Set session.entropy_file to /dev/urandom or /dev/arandom by
default if present at compile-time.  Addresses part of bug #51436

Bug: http://bugs.php.net/51436 (Open) LCG entropy fix insufficient, uniqid 
leaks entropy, leads to weak session IDs
      
Changed paths:
    U   php/php-src/trunk/NEWS
    U   php/php-src/trunk/UPGRADING
    U   php/php-src/trunk/Zend/Zend.m4
    U   php/php-src/trunk/ext/session/session.c
    U   php/php-src/trunk/php.ini-development
    U   php/php-src/trunk/php.ini-production

Modified: php/php-src/trunk/NEWS
===================================================================
--- php/php-src/trunk/NEWS      2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/NEWS      2010-03-31 18:03:17 UTC (rev 297232)
@@ -13,7 +13,9 @@
 - Added command line option --rz to CLI. (Johannes)

 - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus)
-
+- default session.entropy_file is now /dev/urandom or /dev/arandom if either
+  is present at compile time. (Rasmus)
+
 ?? ??? 20??, PHP 5.3.3
 - Upgraded bundled PCRE to version 8.01. (Ilia)


Modified: php/php-src/trunk/UPGRADING
===================================================================
--- php/php-src/trunk/UPGRADING 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/UPGRADING 2010-03-31 18:03:17 UTC (rev 297232)
@@ -40,8 +40,20 @@

     default_charset = iso-8859-1

-  to your php.ini to preserve pre-PHPX.Y behavior
+  to your php.ini to preserve pre-PHPX.Y behavior.

+- We now check at compile time if /dev/urandom or /dev/arandom
+  are present to provide non-blocking entropy to session id
+  generation.  If either is present, session.entropy_file
+  now defaults to that file and session.entropy_length defaults
+  to 32.  If you do not want extra entropy for your session ids
+  for some reason, add:
+
+    session.entropy_file=
+    session.entropy_length=0
+
+  to your php.ini to preserve pre-PHPX.Y behavior.
+
 =============================
 2. Reserved words and classes
 =============================

Modified: php/php-src/trunk/Zend/Zend.m4
===================================================================
--- php/php-src/trunk/Zend/Zend.m4      2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/Zend/Zend.m4      2010-03-31 18:03:17 UTC (rev 297232)
@@ -419,4 +419,11 @@
   AC_MSG_RESULT(yes)
 else
   AC_MSG_RESULT(no)
+  AC_MSG_CHECKING(whether /dev/arandom exists)
+  if test -r "/dev/arandom" && test -c "/dev/arandom"; then
+    AC_DEFINE([HAVE_DEV_ARANDOM], 1, [Define if the target system has 
/dev/arandom device])
+    AC_MSG_RESULT(yes)
+  else
+    AC_MSG_RESULT(no)
+  fi
 fi
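Review bot: The `if test -r "/dev/arandom" && test -c "/dev/arandom"` test inspects the build host, so the compiled-in default reflects whatever /dev looked like where configure ran, not where the binary is deployed; a package built in a chroot without a populated /dev, or a cross-compiled build, silently takes the no-entropy-file branch. Since the stated purpose of this change is stronger session IDs, the bare `AC_MSG_RESULT(no)` in the new else-arm deserves an `AC_MSG_WARN([neither /dev/urandom nor /dev/arandom found at configure time; session.entropy_file will default to empty])` so the build log shows that the weaker default was chosen. The AC_DEFINE description could likewise say "on the build host" so readers of php_config.h know the caveat. The enclosing `if`/`else`, presumably the /dev/urandom probe, starts before this hunk.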

Modified: php/php-src/trunk/ext/session/session.c
===================================================================
--- php/php-src/trunk/ext/session/session.c     2010-03-31 17:35:28 UTC (rev 
297231)
+++ php/php-src/trunk/ext/session/session.c     2010-03-31 18:03:17 UTC (rev 
297232)
@@ -781,8 +781,16 @@
        STD_PHP_INI_BOOLEAN("session.use_cookies",      "1",         
PHP_INI_ALL, OnUpdateBool,   use_cookies,        php_ps_globals,    ps_globals)
        STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1",         
PHP_INI_ALL, OnUpdateBool,   use_only_cookies,   php_ps_globals,    ps_globals)
        STD_PHP_INI_ENTRY("session.referer_check",      "",          
PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,    ps_globals)
+#if HAVE_DEV_URANDOM
+       STD_PHP_INI_ENTRY("session.entropy_file",       "/dev/urandom",         
 PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.entropy_length",     "32",         
PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals)
+#elif HAVE_DEV_ARANDOM
+       STD_PHP_INI_ENTRY("session.entropy_file",       "/dev/arandom",         
 PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.entropy_length",     "32",         
PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals)
+#else
        STD_PHP_INI_ENTRY("session.entropy_file",       "",          
PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals)
        STD_PHP_INI_ENTRY("session.entropy_length",     "0",         
PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals)
+#endif
        STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   
PHP_INI_ALL, OnUpdateString, cache_limiter,      php_ps_globals,    ps_globals)
        STD_PHP_INI_ENTRY("session.cache_expire",       "180",       
PHP_INI_ALL, OnUpdateLong,   cache_expire,       php_ps_globals,    ps_globals)
        PHP_INI_ENTRY("session.use_trans_sid",          "0",         
PHP_INI_ALL, OnUpdateTransSid)
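Review bot: The three `#if HAVE_DEV_URANDOM` / `#elif HAVE_DEV_ARANDOM` / `#else` branches repeat the two STD_PHP_INI_ENTRY lines verbatim and differ only in the default strings, so any later change to either entry (handler, globals field, flags) must be made in three places; lifting the defaults into a pair of macros and emitting the entries once keeps the INI table flat. A short comment above the macros should also record that the defaults are fixed at configure time from the build host's /dev, and that an empty entropy_file means no extra entropy is read, since nothing else in this table explains why the value is conditional. The PHP_INI_BEGIN table these lines sit in starts and ends outside the hunk.
```c
/* Defaults chosen at configure time from the build host's /dev; an empty
 * entropy_file means no extra entropy is read for session ids. */
#if HAVE_DEV_URANDOM
# define PS_DEFAULT_ENTROPY_FILE   "/dev/urandom"
# define PS_DEFAULT_ENTROPY_LENGTH "32"
#elif HAVE_DEV_ARANDOM
# define PS_DEFAULT_ENTROPY_FILE   "/dev/arandom"
# define PS_DEFAULT_ENTROPY_LENGTH "32"
#else
# define PS_DEFAULT_ENTROPY_FILE   ""
# define PS_DEFAULT_ENTROPY_LENGTH "0"
#endif
	STD_PHP_INI_ENTRY("session.entropy_file",       PS_DEFAULT_ENTROPY_FILE,   PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals)
	STD_PHP_INI_ENTRY("session.entropy_length",     PS_DEFAULT_ENTROPY_LENGTH, PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals)
	/* … unchanged: cache_limiter, cache_expire, use_trans_sid entries … */
```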

Modified: php/php-src/trunk/php.ini-development
===================================================================
--- php/php-src/trunk/php.ini-development       2010-03-31 17:35:28 UTC (rev 
297231)
+++ php/php-src/trunk/php.ini-development       2010-03-31 18:03:17 UTC (rev 
297232)
@@ -1582,15 +1582,18 @@

 ; How many bytes to read from the file.
 ; http://php.net/session.entropy-length
-session.entropy_length = 0
+;session.entropy_length = 32

 ; Specified here to create the session id.
 ; http://php.net/session.entropy-file
+; Defaults to /dev/urandom
+; On systems that don't have /dev/urandom but do have /dev/arandom, this will 
default to /dev/arandom
+; If neither are found at compile time, the default is no entropy file.
 ;session.entropy_file = /dev/urandom
-session.entropy_file =

 ; http://php.net/session.entropy-length
-;session.entropy_length = 16
+; defaults to 32
+;session.entropy_length = 32

 ; Set to {nocache,private,public,} to determine HTTP caching aspects
 ; or leave this empty to avoid sending anti-caching headers.
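Review bot: After this hunk php.ini-development still carries two entropy_length stanzas — the `; How many bytes to read from the file.` block that now ends in `;session.entropy_length = 32`, and a few lines further the `; defaults to 32` block with the identical commented line — whereas the php.ini-production hunk below removes the first of them; the development file should drop those four lines too so the two shipped ini files stay in step. With every entropy setting now commented out, the effective value is whatever was compiled in at configure time, so the `; Defaults to /dev/urandom` comment (same text in the production hunk) would be clearer as `; The default is fixed when PHP is built and reflects the build host's /dev`, which tells an operator whose binary was built without a populated /dev that session.entropy_file must be set by hand.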

Modified: php/php-src/trunk/php.ini-production
===================================================================
--- php/php-src/trunk/php.ini-production        2010-03-31 17:35:28 UTC (rev 
297231)
+++ php/php-src/trunk/php.ini-production        2010-03-31 18:03:17 UTC (rev 
297232)
@@ -1588,17 +1588,16 @@
 ; http://php.net/session.referer-check
 session.referer_check =

-; How many bytes to read from the file.
-; http://php.net/session.entropy-length
-session.entropy_length = 0
-
 ; Specified here to create the session id.
 ; http://php.net/session.entropy-file
+; Defaults to /dev/urandom
+; On systems that don't have /dev/urandom but do have /dev/arandom, this will 
default to /dev/arandom
+; If neither are found at compile time, the default is no entropy file.
 ;session.entropy_file = /dev/urandom
-session.entropy_file =

 ; http://php.net/session.entropy-length
-;session.entropy_length = 16
+; defaults to 32
+;session.entropy_length = 32

 ; Set to {nocache,private,public,} to determine HTTP caching aspects
 ; or leave this empty to avoid sending anti-caching headers.
