Currently only php5.6 has a session patch, and the entropy it generates
isn't added to the session id. The following patch fixes that and adds
the same support for php7.
martijn@
Index: 5.6/patches/patch-ext_session_session_c
===================================================================
RCS file: /cvs/ports/lang/php/5.6/patches/patch-ext_session_session_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-ext_session_session_c
--- 5.6/patches/patch-ext_session_session_c 6 Feb 2016 23:30:25 -0000
1.1
+++ 5.6/patches/patch-ext_session_session_c 1 Jun 2018 07:14:32 -0000
@@ -2,18 +2,74 @@ $OpenBSD: patch-ext_session_session_c,v
Perhaps the whole function can be replaced, but we have to start somewhere.
---- ext/session/session.c.orig.port Mon Feb 1 23:04:02 2016
-+++ ext/session/session.c Mon Feb 1 23:48:25 2016
-@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
+--- ext/session/session.c.orig Thu Jul 6 00:25:00 2017
++++ ext/session/session.c Wed Oct 11 16:43:22 2017
+@@ -346,57 +346,23 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
efree(buf);
if (PS(entropy_length) > 0) {
-#ifdef PHP_WIN32
-+#if defined(__OpenBSD__)
-+ unsigned char rbuf[2048];
-+ size_t toread = PS(entropy_length);
-+ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
-+#elif defined(PHP_WIN32)
unsigned char rbuf[2048];
size_t toread = PS(entropy_length);
++ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
+
+- if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf)))
== SUCCESS){
+-
+- switch (PS(hash_func)) {
+- case PS_HASH_FUNC_MD5:
+- PHP_MD5Update(&md5_context, rbuf,
toread);
+- break;
+- case PS_HASH_FUNC_SHA1:
+- PHP_SHA1Update(&sha1_context, rbuf,
toread);
+- break;
++ switch (PS(hash_func)) {
++ case PS_HASH_FUNC_MD5:
++ PHP_MD5Update(&md5_context, rbuf, toread);
++ break;
++ case PS_HASH_FUNC_SHA1:
++ PHP_SHA1Update(&sha1_context, rbuf, toread);
++ break;
+ # if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+- case PS_HASH_FUNC_OTHER:
+- PS(hash_ops)->hash_update(hash_context,
rbuf, toread);
+- break;
++ case PS_HASH_FUNC_OTHER:
++ PS(hash_ops)->hash_update(hash_context, rbuf,
toread);
++ break;
+ # endif /* HAVE_HASH_EXT */
+- }
+ }
+-#else
+- int fd;
+-
+- fd = VCWD_OPEN(PS(entropy_file), O_RDONLY);
+- if (fd >= 0) {
+- unsigned char rbuf[2048];
+- int n;
+- int to_read = PS(entropy_length);
+-
+- while (to_read > 0) {
+- n = read(fd, rbuf, MIN(to_read, sizeof(rbuf)));
+- if (n <= 0) break;
+-
+- switch (PS(hash_func)) {
+- case PS_HASH_FUNC_MD5:
+- PHP_MD5Update(&md5_context,
rbuf, n);
+- break;
+- case PS_HASH_FUNC_SHA1:
+- PHP_SHA1Update(&sha1_context,
rbuf, n);
+- break;
+-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+- case PS_HASH_FUNC_OTHER:
+-
PS(hash_ops)->hash_update(hash_context, rbuf, n);
+- break;
+-#endif /* HAVE_HASH_EXT */
+- }
+- to_read -= n;
+- }
+- close(fd);
+- }
+-#endif
+ }
+ digest = emalloc(digest_len + 1);
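Review bot: The hash update calls in the new 5.6 patch still pass `toread` as the length, although `arc4random_buf()` fills only `MIN(toread, sizeof(rbuf))` bytes. A configured `session.entropy_length` above 2048 would therefore make `PHP_MD5Update`, `PHP_SHA1Update` or `hash_update` read past the end of the stack buffer `rbuf`. Clamp once with `size_t toread = MIN((size_t)PS(entropy_length), sizeof(rbuf));` and use `toread` for both the fill and the updates. The 7.0 patch below has the same pattern, with `php_random_bytes_silent(rbuf, MIN(toread, sizeof(rbuf)))` followed by updates of length `toread`. The body of php_session_create_id starts and ends outside the hunk, so any earlier bound on `entropy_length` is not visible here.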
Index: 5.6/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/5.6/Makefile,v
retrieving revision 1.72
diff -u -p -r1.72 Makefile
--- 5.6/Makefile 27 May 2018 22:05:50 -0000 1.72
+++ 5.6/Makefile 1 Jun 2018 07:14:32 -0000
@@ -4,7 +4,7 @@ BROKEN-alpha= pcre_jit_compile.c:65:2: e
PV= 5.6
V= ${PV}.36
-REVISION= 4
+REVISION= 5
MASTER_SITES0= https://download.suhosin.org/
Index: 7.0/patches/patch-ext_session_session_c
===================================================================
RCS file: 7.0/patches/patch-ext_session_session_c
diff -N 7.0/patches/patch-ext_session_session_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 7.0/patches/patch-ext_session_session_c 1 Jun 2018 07:14:32 -0000
@@ -0,0 +1,64 @@
+$OpenBSD$
+Index: ext/session/session.c
+--- ext/session/session.c.orig Tue Sep 26 10:56:02 2017
++++ ext/session/session.c Tue Oct 10 15:06:52 2017
+@@ -47,6 +47,7 @@
+ #include "ext/standard/php_lcg.h"
+ #include "ext/standard/url_scanner_ex.h"
+ #include "ext/standard/php_rand.h" /* for RAND_MAX */
++#include "ext/standard/php_random.h"
+ #include "ext/standard/info.h"
+ #include "zend_smart_str.h"
+ #include "ext/standard/url.h"
+@@ -360,12 +361,9 @@ PHPAPI zend_string *php_session_create_id(PS_CREATE_SI
+ efree(buf);
+
+ if (PS(entropy_length) > 0) {
+-#ifdef PHP_WIN32
+ unsigned char rbuf[2048];
+ size_t toread = PS(entropy_length);
+-
+- if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf)))
== SUCCESS){
+-
++ if (php_random_bytes_silent(rbuf, MIN(toread, sizeof(rbuf))) ==
SUCCESS) {
+ switch (PS(hash_func)) {
+ case PS_HASH_FUNC_MD5:
+ PHP_MD5Update(&md5_context, rbuf,
toread);
+@@ -380,37 +378,6 @@ PHPAPI zend_string *php_session_create_id(PS_CREATE_SI
+ # endif /* HAVE_HASH_EXT */
+ }
+ }
+-#else
+- int fd;
+-
+- fd = VCWD_OPEN(PS(entropy_file), O_RDONLY);
+- if (fd >= 0) {
+- unsigned char rbuf[2048];
+- int n;
+- int to_read = PS(entropy_length);
+-
+- while (to_read > 0) {
+- n = read(fd, rbuf, MIN(to_read, sizeof(rbuf)));
+- if (n <= 0) break;
+-
+- switch (PS(hash_func)) {
+- case PS_HASH_FUNC_MD5:
+- PHP_MD5Update(&md5_context,
rbuf, n);
+- break;
+- case PS_HASH_FUNC_SHA1:
+- PHP_SHA1Update(&sha1_context,
rbuf, n);
+- break;
+-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+- case PS_HASH_FUNC_OTHER:
+-
PS(hash_ops)->hash_update(hash_context, rbuf, n);
+- break;
+-#endif /* HAVE_HASH_EXT */
+- }
+- to_read -= n;
+- }
+- close(fd);
+- }
+-#endif
+ }
+
+ digest = emalloc(digest_len + 1);
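Review bot: The new 7.0 patch file has no description under `$OpenBSD$`, whereas the 5.6 patch keeps an explanatory line. Nothing records that the `#else` branch reading `PS(entropy_file)` is dropped, so, as far as this hunk shows, `session.entropy_file` is no longer consulted and only `session.entropy_length` gates the extra entropy. A line after the tag such as `Use php_random_bytes_silent() for session entropy instead of reading session.entropy_file.` would document that for whoever next updates the port. It may also be worth noting there that a failed `php_random_bytes_silent()` call skips the extra entropy without any diagnostic.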
Index: 7.0/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/7.0/Makefile,v
retrieving revision 1.55
diff -u -p -r1.55 Makefile
--- 7.0/Makefile 27 May 2018 22:05:50 -0000 1.55
+++ 7.0/Makefile 1 Jun 2018 07:14:32 -0000
@@ -2,7 +2,7 @@
PV= 7.0
V= ${PV}.30
-REVISION= 4
+REVISION= 5
BUILD_DEPENDS+= devel/bison