From: Rasmus Lerdorf Date: Wed, 31 Mar 2010 18:03:17 +0000 (+0000) Subject: Set session.entropy_file to /dev/urandom or /dev/arandom by X-Git-Tag: php-5.4.0alpha1~191^2~1822 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9692a3619c8def5f558fabb7b89284e199616587;p=php Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436 --- diff --git a/NEWS b/NEWS index f9ab1413c4..8dffac53dc 100644 --- a/NEWS +++ b/NEWS @@ -13,7 +13,9 @@ PHP NEWS - Added command line option --rz to CLI. (Johannes) - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus) - +- default session.entropy_file is now /dev/urandom or /dev/arandom if either + is present at compile time. (Rasmus) + ?? ??? 20??, PHP 5.3.3 - Upgraded bundled PCRE to version 8.01. (Ilia) diff --git a/UPGRADING b/UPGRADING index ae123e53c7..72b81c571c 100755 --- a/UPGRADING +++ b/UPGRADING @@ -40,7 +40,19 @@ UPGRADE NOTES - PHP X.Y default_charset = iso-8859-1 - to your php.ini to preserve pre-PHPX.Y behavior + to your php.ini to preserve pre-PHPX.Y behavior. + +- We now check at compile time if /dev/urandom or /dev/arandom + are present to provide non-blocking entropy to session id + generation. If either is present, session.entropy_file + now defaults to that file and session.entropy_length defaults + to 32. If you do not want extra entropy for your session ids + for some reason, add: + + session.entropy_file= + session.entropy_length=0 + + to your php.ini to preserve pre-PHPX.Y behavior. ============================= 2. Reserved words and classes diff --git a/Zend/Zend.m4 b/Zend/Zend.m4 index 6b1f705bee..c56b769a99 100644 --- a/Zend/Zend.m4 +++ b/Zend/Zend.m4 
@@ -419,4 +419,11 @@ if test -r "/dev/urandom" && test -c "/dev/urandom"; then AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) + AC_MSG_CHECKING(whether /dev/arandom exists) + if test -r "/dev/arandom" && test -c "/dev/arandom"; then + AC_DEFINE([HAVE_DEV_ARANDOM], 1, [Define if the target system has /dev/arandom device]) + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + fi fi diff --git a/ext/session/session.c b/ext/session/session.c index 6456f68163..3455421a7e 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
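Review bot: The added `test -r "/dev/arandom" && test -c "/dev/arandom"` probe inspects the machine running configure, while the AC_DEFINE description says "target system". On a cross-compile, or a package built in a chroot without a populated /dev, neither macro is defined and the session.c `#else` branch in this commit leaves the default at no entropy file, with nothing in the build output to flag it. A notice in the innermost `else` would make that visible, for example `AC_MSG_WARN([no /dev/urandom or /dev/arandom found; session.entropy_file will default to empty])`. The enclosing /dev/urandom `if` begins outside this hunk, and the same build-host caveat applies to that existing check.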
@@ -781,8 +781,16 @@ PHP_INI_BEGIN() STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) +#if HAVE_DEV_URANDOM + STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) +#elif HAVE_DEV_ARANDOM + STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) +#else STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) +#endif STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid) diff --git a/php.ini-development b/php.ini-development index 7e304461c5..123187350d 100644 --- a/php.ini-development +++ b/php.ini-development 
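Review bot: The compiled-in `/dev/urandom` or `/dev/arandom` default only helps if the device can be opened at run time, and the code that reads `entropy_file` is outside this hunk. It is worth confirming that a failed open (chroot, container with a minimal /dev) is reported rather than silently producing a session id without the extra entropy. On style, `#if HAVE_DEV_URANDOM` / `#elif HAVE_DEV_ARANDOM` evaluate the macros as values; `#if defined(HAVE_DEV_URANDOM)` and `#elif defined(HAVE_DEV_ARANDOM)` state the intent and stay quiet under `-Wundef`. The two new branches also repeat an identical `session.entropy_length` entry with `"32"`, so only the device path differs between them. The PHP_INI_BEGIN() table starts and ends outside the hunk.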
@@ -1582,15 +1582,18 @@ session.referer_check = ; How many bytes to read from the file. ; http://php.net/session.entropy-length -session.entropy_length = 0 +;session.entropy_length = 32 ; Specified here to create the session id. ; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. ;session.entropy_file = /dev/urandom -session.entropy_file = ; http://php.net/session.entropy-length -;session.entropy_length = 16 +; defaults to 32 +;session.entropy_length = 32 ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. diff --git a/php.ini-production b/php.ini-production index 793f67ed7a..448be26405 100644 --- a/php.ini-production +++ b/php.ini-production @@ -1588,17 +1588,16 @@ session.bug_compat_warn = Off ; http://php.net/session.referer-check session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -session.entropy_length = 0 - ; Specified here to create the session id. ; http://php.net/session.entropy-file +; Defaults to /dev/urandom +; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom +; If neither are found at compile time, the default is no entropy file. ;session.entropy_file = /dev/urandom -session.entropy_file = ; http://php.net/session.entropy-length -;session.entropy_length = 16 +; defaults to 32 +;session.entropy_length = 32 ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers.
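Review bot: After this hunk the development sample carries `;session.entropy_length = 32` twice, once under "How many bytes to read from the file" and again under "defaults to 32". The php.ini-production hunk in the same commit removes the first block outright. Dropping the first occurrence here as well would keep the two samples in step and avoid a reader uncommenting one entry while the other stays stale.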
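Review bot: The removed lines show that the earlier samples shipped `session.entropy_file =` and `session.entropy_length = 0` uncommented, so a php.ini copied from them sets both explicitly and would presumably override the new compiled-in default after an upgrade. A comment beside the commented-out entries, such as `; An explicit empty session.entropy_file carried over from an older php.ini disables this default`, would prompt administrators to delete the old lines. The UPGRADING text in this commit only describes how to opt out, not this carry-over case. The same applies to the php.ini-development hunk.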