[PHP-DEV] Re: Crypt salts not random.. (fwd)
On Fri, 27 Apr 2001, Andi Gutmans wrote: Oh OK now I understand. The problem is that MINIT is called before Apache forks and then all children start from the same number. However, calling it during each request init is also a bit of an overkill and slows down each request. Calling it once should be enough so maybe RINIT should check if this is the first time RINIT is called and if it is then initialize the random number generator. With attached patch I (seem to) get random salts now. Please check it out. --Jani Index: basic_functions.c === RCS file: /repository/php4/ext/standard/basic_functions.c,v retrieving revision 1.325 diff -u -r1.325 basic_functions.c --- basic_functions.c 2001/04/17 17:08:03 1.325 +++ basic_functions.c 2001/04/28 04:02:57 @@ -839,6 +839,10 @@ PHP_RINIT(assert)(INIT_FUNC_ARGS_PASSTHRU); PHP_RINIT(dir)(INIT_FUNC_ARGS_PASSTHRU); +#if HAVE_CRYPT + PHP_RINIT(crypt)(INIT_FUNC_ARGS_PASSTHRU); +#endif + #ifdef TRANS_SID if (BG(use_trans_sid)) { PHP_RINIT(url_scanner)(INIT_FUNC_ARGS_PASSTHRU); Index: crypt.c === RCS file: /repository/php4/ext/standard/crypt.c,v retrieving revision 1.39 diff -u -r1.39 crypt.c --- crypt.c 2001/04/05 18:48:03 1.39 +++ crypt.c 2001/04/28 04:02:57 @@ -89,7 +89,10 @@ #define PHP_CRYPT_RAND php_rand() +/* whether random number generator is feeded or not */ +static int php_rand_is_init=0; + PHP_MINIT_FUNCTION(crypt) { #if PHP_STD_DES_CRYPT @@ -101,11 +104,20 @@ REGISTER_LONG_CONSTANT(CRYPT_EXT_DES, PHP_EXT_DES_CRYPT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(CRYPT_MD5, PHP_MD5_CRYPT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(CRYPT_BLOWFISH, PHP_BLOWFISH_CRYPT, CONST_CS | CONST_PERSISTENT); + + return SUCCESS; +} - php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); +PHP_RINIT_FUNCTION(crypt) +{ + if(!php_rand_is_init) { + php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); + php_rand_is_init=1; + } return SUCCESS; } + static unsigned char itoa64[] = ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz; Index: php_crypt.h === RCS file: /repository/php4/ext/standard/php_crypt.h,v retrieving revision 1.7 diff -u -r1.7 php_crypt.h --- php_crypt.h 2001/02/26 06:07:23 1.7 +++ php_crypt.h 2001/04/28 04:02:57 @@ -26,6 +26,7 @@ PHP_FUNCTION(crypt); #if HAVE_CRYPT extern PHP_MINIT_FUNCTION(crypt); +extern PHP_RINIT_FUNCTION(crypt); #endif #endif -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
How did you arrive to the conclusion that the current crypt() salts are not random? At 11:27 29/4/2001, Jani Taskinen wrote: Well, what's the deal with this? Sascha? --Jani -- Forwarded message -- Date: Sat, 28 Apr 2001 15:05:08 +0200 From: Andi Gutmans [EMAIL PROTECTED] To: Jani Taskinen [EMAIL PROTECTED] Subject: Re: Crypt salts not random.. At 06:17 AM 4/28/2001 +0200, Jani Taskinen wrote: One thing I had in my mind about these random numbers.. Why don't we use the seedMT() and randomMT() funcs everywhere instead of the system provided ones? If I have understood correctly these would give more random numbers and are even faster than any of the system provided ones? Or have I missed some important thing here? :) I really don't know this random stuff too well. It looks to me as if we could use the MT stuff but I'm not sure what the considerations are. Probably Sascha Schumann has a better idea. I also suggest php-dev :) Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
On Sun, 29 Apr 2001, Zeev Suraski wrote: How did you arrive to the conclusion that the current crypt() salts are not random? Uhm..how do you think? :) If I get same salt after 5 page reloads it obviously isn't random? (when I have 5 max apache childs..) --Jani -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
The seed was initialized in MINIT before the children forked. So what happened was that the children started returning the same random numbers. Andi At 12:52 PM 4/29/2001 +0300, Zeev Suraski wrote: How did you arrive to the conclusion that the current crypt() salts are not random? At 11:27 29/4/2001, Jani Taskinen wrote: Well, what's the deal with this? Sascha? --Jani -- Forwarded message -- Date: Sat, 28 Apr 2001 15:05:08 +0200 From: Andi Gutmans [EMAIL PROTECTED] To: Jani Taskinen [EMAIL PROTECTED] Subject: Re: Crypt salts not random.. At 06:17 AM 4/28/2001 +0200, Jani Taskinen wrote: One thing I had in my mind about these random numbers.. Why don't we use the seedMT() and randomMT() funcs everywhere instead of the system provided ones? If I have understood correctly these would give more random numbers and are even faster than any of the system provided ones? Or have I missed some important thing here? :) I really don't know this random stuff too well. It looks to me as if we could use the MT stuff but I'm not sure what the considerations are. Probably Sascha Schumann has a better idea. I also suggest php-dev :) Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 13:58 29/4/2001, Andi Gutmans wrote: The seed was initialized in MINIT before the children forked. So what happened was that the children started returning the same random numbers. It doesn't really matter where it was initialized, but rather, when it was initialized... Jani - are you getting the same values after 5 reloads? Or any chance you're getting the same value if you're reloading very quickly, at the same second? Zeev -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 01:55 PM 4/29/2001 +0300, Zeev Suraski wrote: At 13:58 29/4/2001, Andi Gutmans wrote: The seed was initialized in MINIT before the children forked. So what happened was that the children started returning the same random numbers. It doesn't really matter where it was initialized, but rather, when it was initialized... Well as it was initialized in MINIT it is initialized *exactly* at the same time for all apache children. Therefore, the numbers returned by each child are the same. Jani - are you getting the same values after 5 reloads? Or any chance you're getting the same value if you're reloading very quickly, at the same second? Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 14:57 29/4/2001, Andi Gutmans wrote: At 01:55 PM 4/29/2001 +0300, Zeev Suraski wrote: At 13:58 29/4/2001, Andi Gutmans wrote: The seed was initialized in MINIT before the children forked. So what happened was that the children started returning the same random numbers. It doesn't really matter where it was initialized, but rather, when it was initialized... Well as it was initialized in MINIT it is initialized *exactly* at the same time for all apache children. Therefore, the numbers returned by each child are the same. In order to avoid this you actually have to call it at completely different times, something you can't really guarantee. We should probably not use the timestamp as the seed (at least not alone), but also take the pid into account. Zeev -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 02:05 PM 4/29/2001 +0300, Zeev Suraski wrote: At 14:57 29/4/2001, Andi Gutmans wrote: At 01:55 PM 4/29/2001 +0300, Zeev Suraski wrote: At 13:58 29/4/2001, Andi Gutmans wrote: The seed was initialized in MINIT before the children forked. So what happened was that the children started returning the same random numbers. It doesn't really matter where it was initialized, but rather, when it was initialized... Well as it was initialized in MINIT it is initialized *exactly* at the same time for all apache children. Therefore, the numbers returned by each child are the same. In order to avoid this you actually have to call it at completely different times, something you can't really guarantee. We should probably not use the timestamp as the seed (at least not alone), but also take the pid into account. Jani has already moved it to RINIT which is a good beginning. Adding the pid is a good idea. Is there a function which gives us the pid for both threaded and un-threaded modes? Or do we need to use #ifdef ZTS and use the tsrm_thread_id() function in threaded mode and getpid() in non-threaded? Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Adding the pid is a good idea. Is there a function which gives us the pid for both threaded and un-threaded modes? Or do we need to use #ifdef ZTS and use the tsrm_thread_id() function in threaded mode and getpid() in non-threaded? I don't think there's such a function right now... Zeev -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 02:35 PM 4/29/2001 +0300, Zeev Suraski wrote: At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Well Jani's patch doesn't do it each time. It just does it the first time RINIT is called. Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
So it's probably not a lot more random than it was before... Zeev At 15:44 29/4/2001, Andi Gutmans wrote: At 02:35 PM 4/29/2001 +0300, Zeev Suraski wrote: At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Well Jani's patch doesn't do it each time. It just does it the first time RINIT is called. Andi -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 02:50 PM 4/29/2001 +0300, Zeev Suraski wrote: So it's probably not a lot more random than it was before... I think it is because the time of the rinit()'s are different now (unless some of them run at exactly the same time). Andi Zeev At 15:44 29/4/2001, Andi Gutmans wrote: At 02:35 PM 4/29/2001 +0300, Zeev Suraski wrote: At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Well Jani's patch doesn't do it each time. It just does it the first time RINIT is called. Andi -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
Since it only occurs on the first time, chances are that (on a reasonably loaded web site), most rinits will happen at the same second. Zeev At 15:54 29/4/2001, Andi Gutmans wrote: At 02:50 PM 4/29/2001 +0300, Zeev Suraski wrote: So it's probably not a lot more random than it was before... I think it is because the time of the rinit()'s are different now (unless some of them run at exactly the same time). Andi Zeev At 15:44 29/4/2001, Andi Gutmans wrote: At 02:35 PM 4/29/2001 +0300, Zeev Suraski wrote: At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Well Jani's patch doesn't do it each time. It just does it the first time RINIT is called. Andi -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
On Sun, 29 Apr 2001, Zeev Suraski wrote: In order to avoid this you actually have to call it at completely different times, something you can't really guarantee. We should probably not use the timestamp as the seed (at least not alone), but also take the pid into account. Zeev That only really works for forking webservers, does it not? Another alternative would be to use microseconds... -- John Donagher Application Engineer Intacct Corp. - Powerful Accounting on the Web 408-395-0989 720 University Ave. Los Gatos CA 95032 www.intacct.com Public key available off http://www.keyserver.net Key fingerprint = 4024 DF50 56EE 19A3 258A D628 22DE AD56 EEBE 8DDD -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP-DEV] Re: Crypt salts not random.. (fwd)
In order to avoid this you actually have to call it at completely different times, something you can't really guarantee. We should probably not use the timestamp as the seed (at least not alone), but also take the pid into account. Zeev That only really works for forking webservers, does it not? Another alternative would be to use microseconds... Yeah we could use microseconds but are they available on all platforms? In any case, on non-forking servers we can use thread id. We have accuracy to milliseconds only on Win32. - James -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP-DEV] Re: Crypt salts not random.. (fwd)
On Sun, 29 Apr 2001, James Moore wrote: In order to avoid this you actually have to call it at completely different times, something you can't really guarantee. We should probably not use the timestamp as the seed (at least not alone), but also take the pid into account. Zeev That only really works for forking webservers, does it not? Another alternative would be to use microseconds... Yeah we could use microseconds but are they available on all platforms? In any case, on non-forking servers we can use thread id. We have accuracy to milliseconds only on Win32. It is enough... We can use gettimeofday or getitimer on linux, gethrtime on Solaris, ftime on windows, etc. There are other ways to insert some more pseudo randomness as well. Hashes of data that changes quickly is enough (environment, all PIDs, ideas?). BTW we do not need so much randomness for the crypt function. It can not be used for cryptography - the salt is just to prevent pregenerated dictionaries. Perhaps we can add another function for the PHP programmer to insert additional entropy while working? The modern linuxes gather some random data from the times between the keystrokes and the time between the network packets arrive - we can use it but it is only available on some linuxes. Or we can add some extension to gather better random data from the times between the page requests? - James -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
This is the line in question: php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); This is now (in my patch) in RINIT and thus it is a different pid it doesn't matter if the RINIT happens the same second.. Or did I misunderstood something? And I know it works now. :) And it didn't work before. As the PID was always the same like Andi said. I attached the patch in case you missed it before.. --Jani On Sun, 29 Apr 2001, Zeev Suraski wrote: Since it only occurs on the first time, chances are that (on a reasonably loaded web site), most rinits will happen at the same second. Zeev At 15:54 29/4/2001, Andi Gutmans wrote: At 02:50 PM 4/29/2001 +0300, Zeev Suraski wrote: So it's probably not a lot more random than it was before... I think it is because the time of the rinit()'s are different now (unless some of them run at exactly the same time). Andi Zeev At 15:44 29/4/2001, Andi Gutmans wrote: At 02:35 PM 4/29/2001 +0300, Zeev Suraski wrote: At 15:27 29/4/2001, Andi Gutmans wrote: Jani has already moved it to RINIT which is a good beginning. It may be a good beginning functionality wise, but it might not be a very good beginning performance-wise. We should probably do it JIT. Well Jani's patch doesn't do it each time. It just does it the first time RINIT is called. Andi -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ -- Zeev Suraski [EMAIL PROTECTED] CTO co-founder, Zend Technologies Ltd. http://www.zend.com/ Index: basic_functions.c === RCS file: /repository/php4/ext/standard/basic_functions.c,v retrieving revision 1.325 diff -u -r1.325 basic_functions.c --- basic_functions.c 2001/04/17 17:08:03 1.325 +++ basic_functions.c 2001/04/28 04:02:57 @@ -839,6 +839,10 @@ PHP_RINIT(assert)(INIT_FUNC_ARGS_PASSTHRU); PHP_RINIT(dir)(INIT_FUNC_ARGS_PASSTHRU); +#if HAVE_CRYPT + PHP_RINIT(crypt)(INIT_FUNC_ARGS_PASSTHRU); +#endif + #ifdef TRANS_SID if (BG(use_trans_sid)) { PHP_RINIT(url_scanner)(INIT_FUNC_ARGS_PASSTHRU); Index: crypt.c === RCS file: /repository/php4/ext/standard/crypt.c,v retrieving revision 1.39 diff -u -r1.39 crypt.c --- crypt.c 2001/04/05 18:48:03 1.39 +++ crypt.c 2001/04/28 04:02:57 @@ -89,7 +89,10 @@ #define PHP_CRYPT_RAND php_rand() +/* whether random number generator is feeded or not */ +static int php_rand_is_init=0; + PHP_MINIT_FUNCTION(crypt) { #if PHP_STD_DES_CRYPT @@ -101,11 +104,20 @@ REGISTER_LONG_CONSTANT(CRYPT_EXT_DES, PHP_EXT_DES_CRYPT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(CRYPT_MD5, PHP_MD5_CRYPT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT(CRYPT_BLOWFISH, PHP_BLOWFISH_CRYPT, CONST_CS | CONST_PERSISTENT); + + return SUCCESS; +} - php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); +PHP_RINIT_FUNCTION(crypt) +{ + if(!php_rand_is_init) { + php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); + php_rand_is_init=1; + } return SUCCESS; } + static unsigned char itoa64[] = ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz; Index: php_crypt.h === RCS file: /repository/php4/ext/standard/php_crypt.h,v retrieving revision 1.7 diff -u -r1.7 php_crypt.h --- php_crypt.h 2001/02/26 06:07:23 1.7 +++ php_crypt.h 2001/04/28 04:02:57 @@ -26,6 +26,7 @@ PHP_FUNCTION(crypt); #if HAVE_CRYPT extern PHP_MINIT_FUNCTION(crypt); +extern PHP_RINIT_FUNCTION(crypt); #endif #endif -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 09:42 PM 4/29/2001 +0200, Jani Taskinen wrote: This is the line in question: php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); This is now (in my patch) in RINIT and thus it is a different pid it doesn't matter if the RINIT happens the same second.. Or did I misunderstood something? And I know it works now. :) And it didn't work before. As the PID was always the same like Andi said. I attached the patch in case you missed it before.. It's OK but in multi-threaded mode it should use (long) tsrm_thread_id() because getpid() will usually be the same. I hope the case is good enough and will work in all multi-threaded environments. Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
On Sun, 29 Apr 2001, Andi Gutmans wrote: At 09:42 PM 4/29/2001 +0200, Jani Taskinen wrote: This is the line in question: php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); This is now (in my patch) in RINIT and thus it is a different pid it doesn't matter if the RINIT happens the same second.. Or did I misunderstood something? And I know it works now. :) And it didn't work before. As the PID was always the same like Andi said. I attached the patch in case you missed it before.. It's OK but in multi-threaded mode it should use (long) tsrm_thread_id() because getpid() will usually be the same. I hope the case is good enough and will work in all multi-threaded environments. hmm..I wonder. That php_srand() line is the same it was before my patch.. It has had that getpid() in it for a long time. How could it have worked on multi-threaded environments?? Something else is different on those? --Jani -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
At 10:01 PM 4/29/2001 +0200, Jani Taskinen wrote: On Sun, 29 Apr 2001, Andi Gutmans wrote: At 09:42 PM 4/29/2001 +0200, Jani Taskinen wrote: This is the line in question: php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); This is now (in my patch) in RINIT and thus it is a different pid it doesn't matter if the RINIT happens the same second.. Or did I misunderstood something? And I know it works now. :) And it didn't work before. As the PID was always the same like Andi said. I attached the patch in case you missed it before.. It's OK but in multi-threaded mode it should use (long) tsrm_thread_id() because getpid() will usually be the same. I hope the case is good enough and will work in all multi-threaded environments. hmm..I wonder. That php_srand() line is the same it was before my patch.. It has had that getpid() in it for a long time. How could it have worked on multi-threaded environments?? Something else is different on those? No reason for it not to have worked. If two threads ran at the same time they would each reinitialize the seed. It's not really a problem. Actually come to think of it we don't need to fix threaded environments :) Andi -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
On Sun, 29 Apr 2001, Andi Gutmans wrote: At 09:42 PM 4/29/2001 +0200, Jani Taskinen wrote: This is the line in question: php_srand(time(0) * getpid() * (php_combined_lcg() * 1.0)); This is now (in my patch) in RINIT and thus it is a different pid it doesn't matter if the RINIT happens the same second.. Or did I misunderstood something? And I know it works now. :) And it didn't work before. As the PID was always the same like Andi said. I attached the patch in case you missed it before.. It's OK but in multi-threaded mode it should use (long) tsrm_thread_id() because getpid() will usually be the same. I hope the case is good enough and will work in all multi-threaded environments. Ehem..answer to my wondering: It's already done in php_combined_lcg() --Jani -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP-DEV] Re: Crypt salts not random.. (fwd)
hi, That only really works for forking webservers, does it not? Another alternative would be to use microseconds... Yeah we could use microseconds but are they available on all platforms? In any case, on non-forking servers we can use thread id. if it is a threading server then why not make crypt's salt seed global... at least there is no wat to generate two equal salts with it. btw, in real life when one needs security he will generate the salt himself b. -- PHP Development Mailing List http://www.php.net/ To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]