Edit report at http://bugs.php.net/bug.php?id=51436&edit=1
ID: 51436 Updated by: paj...@php.net Reported by: andreas at andreas dot org Summary: LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs Status: Assigned Type: Bug Package: *Encryption and hash functions Operating System: all PHP Version: 5.3.2 Assigned To: pajoye New Comment: I added support for the entropy source to 5.3 and trunk. See http://svn.php.net/viewvc?view=revision&revision=300273 and http://svn.php.net/viewvc?view=revision&revision=300278 Will close the bug once we also have defined the default hash (would like to make it a default in trunk as well). Previous Comments: ------------------------------------------------------------------------ [2010-04-09 19:05:46] paj...@php.net RAND_pseudo_bytes does pretty much the same anyway, but I would prefer to give a possible not to use openssl first. Also this exact function may not be crypto safe. It is not a problem for the session but that will then not solve the need of a crypto safe function. ------------------------------------------------------------------------ [2010-04-09 18:41:56] crrodriguez at opensuse dot org I think trying RAND_pseudo_bytes() if -lcrypto is found in the system first and then your_own_function ight be a suitable approach. ------------------------------------------------------------------------ [2010-04-09 18:18:32] paj...@php.net That's the idea but not using zend's mm which is incomplete. ------------------------------------------------------------------------ [2010-04-09 17:51:14] crrodriguez at opensuse dot org I think uniqid() should also use zend_mm_random()-like random value when more_entropy is set to true instead of the LCG ... ------------------------------------------------------------------------ [2010-04-07 17:44:16] paj...@php.net And assigned to me, almost done with the patch we discussed. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=51436 -- Edit this bug report at http://bugs.php.net/bug.php?id=51436&edit=1