rasmus Wed, 31 Mar 2010 18:03:17 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=297232
Log: Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436 Bug: http://bugs.php.net/51436 (Open) LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs Changed paths: U php/php-src/trunk/NEWS U php/php-src/trunk/UPGRADING U php/php-src/trunk/Zend/Zend.m4 U php/php-src/trunk/ext/session/session.c U php/php-src/trunk/php.ini-development U php/php-src/trunk/php.ini-production Modified: php/php-src/trunk/NEWS =================================================================== --- php/php-src/trunk/NEWS 2010-03-31 17:35:28 UTC (rev 297231) +++ php/php-src/trunk/NEWS 2010-03-31 18:03:17 UTC (rev 297232) @@ -13,7 +13,9 @@ - Added command line option --rz to CLI. (Johannes) - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus) - +- default session.entropy_file is now /dev/urandom or /dev/arandom if either + is present at compile time. (Rasmus) + ?? ??? 20??, PHP 5.3.3 - Upgraded bundled PCRE to version 8.01. (Ilia) Modified: php/php-src/trunk/UPGRADING =================================================================== --- php/php-src/trunk/UPGRADING 2010-03-31 17:35:28 UTC (rev 297231) +++ php/php-src/trunk/UPGRADING 2010-03-31 18:03:17 UTC (rev 297232) 
@@ -40,8 +40,20 @@ default_charset = iso-8859-1 - to your php.ini to preserve pre-PHPX.Y behavior + to your php.ini to preserve pre-PHPX.Y behavior. +- We now check at compile time if /dev/urandom or /dev/arandom + are present to provide non-blocking entropy to session id + generation. If either is present, session.entropy_file + now defaults to that file and session.entropy_length defaults + to 32. If you do not want extra entropy for your session ids + for some reason, add: + + session.entropy_file= + session.entropy_length=0 + + to your php.ini to preserve pre-PHPX.Y behavior. + ============================= 2. Reserved words and classes ============================= Modified: php/php-src/trunk/Zend/Zend.m4 =================================================================== --- php/php-src/trunk/Zend/Zend.m4 2010-03-31 17:35:28 UTC (rev 297231) +++ php/php-src/trunk/Zend/Zend.m4 2010-03-31 18:03:17 UTC (rev 297232) @@ -419,4 +419,11 @@ AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) + AC_MSG_CHECKING(whether /dev/arandom exists) + if test -r "/dev/arandom" && test -c "/dev/arandom"; then + AC_DEFINE([HAVE_DEV_ARANDOM], 1, [Define if the target system has /dev/arandom device]) + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + fi fi Modified: php/php-src/trunk/ext/session/session.c =================================================================== --- php/php-src/trunk/ext/session/session.c 2010-03-31 17:35:28 UTC (rev 297231) +++ php/php-src/trunk/ext/session/session.c 2010-03-31 18:03:17 UTC (rev 297232) 
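Review bot: The new `/dev/arandom` probe in the Zend.m4 hunk, like the `/dev/urandom` check whose `else` branch it sits in (that enclosing `if` starts outside the hunk), runs `test -r` and `test -c` on the build host at configure time, so the compiled-in default reflects the machine and user that ran configure rather than the deployment target: a chroot, container or cross build without device nodes bakes in the no-entropy default, while a normal build host bakes in a device path the target may lack. That is an acceptable heuristic for picking a default, but it should be overridable by packagers through an explicit configure argument instead of being purely auto-detected. At minimum the intent belongs in a comment next to the probe, e.g. `dnl Build-host probe only; the result is compiled into the session defaults.`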
@@ -781,8 +781,16 @@
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
+#if HAVE_DEV_URANDOM
+ STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
+ STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
+#elif HAVE_DEV_ARANDOM
+ STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
+ STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
+#else
 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
+#endif
 STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals)
 PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid)
Modified: php/php-src/trunk/php.ini-development
===================================================================
--- php/php-src/trunk/php.ini-development 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/php.ini-development 2010-03-31 18:03:17 UTC (rev 297232)
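Review bot: `#if HAVE_DEV_URANDOM` and `#elif HAVE_DEV_ARANDOM` rely on an undefined macro evaluating to 0, since the Zend.m4 change only `AC_DEFINE`s the symbol when the device is found; that compiles, but it fires `-Wundef` and the conventional form for presence-only feature macros is `#ifdef HAVE_DEV_URANDOM` / `#elif defined(HAVE_DEV_ARANDOM)`. The more important consequence is that the entropy default is now a build-host property compiled into the binary, so a deployment target without the detected device ends up with an `entropy_file` that cannot be opened; what the id generator does in that case is decided in code outside this hunk and, from here, can only be presumed to fall back to the pre-existing weaker source. A short comment above the `#if` such as `/* Defaults come from configure-time probing of the build host; see Zend.m4. An unopenable entropy_file is handled at id-generation time. */` would make that dependency visible to whoever next touches these entries.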
@@ -1582,15 +1582,18 @@ ; How many bytes to read from the file. ; http://php.net/session.entropy-length -session.entropy_length = 0 +;session.entropy_length = 32 ; Specified here to create the session id. ; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. ;session.entropy_file = /dev/urandom -session.entropy_file = ; http://php.net/session.entropy-length -;session.entropy_length = 16 +; defaults to 32 +;session.entropy_length = 32 ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. Modified: php/php-src/trunk/php.ini-production =================================================================== --- php/php-src/trunk/php.ini-production 2010-03-31 17:35:28 UTC (rev 297231) +++ php/php-src/trunk/php.ini-production 2010-03-31 18:03:17 UTC (rev 297232) @@ -1588,17 +1588,16 @@ ; http://php.net/session.referer-check session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -session.entropy_length = 0 - ; Specified here to create the session id. ; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. ;session.entropy_file = /dev/urandom -session.entropy_file = ; http://php.net/session.entropy-length -;session.entropy_length = 16 +; defaults to 32 +;session.entropy_length = 32 ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers.
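Review bot: In the php.ini-development hunk the first `session.entropy_length` block is kept and rewritten to `;session.entropy_length = 32` while the later block also gains `;session.entropy_length = 32`, so the directive is now listed twice; the php.ini-production hunk instead removes the first block, and doing the same in development keeps the two files parallel and avoids an admin uncommenting one copy and missing the other. The new comment `; Defaults to /dev/urandom` states the build-host-dependent default as an unconditional fact before qualifying it two lines later; leading with `; Defaults to /dev/urandom or /dev/arandom when one was found at compile time; otherwise no entropy file` makes the conditional nature visible on the first line in both files.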