Bug #23355
Speed up / restructure of random byte generator to address e.g. WIN OS specifics
Status: Closed
% Done: 100%
Description
The current implementation of TYPO3's random byte generator mixes up methods that retrieve crypto-safe/non-crypto safe bytes.
Crypto-safe methods usually mean a blocking/time-consuming execution and should be used only for cryptographic use-cases like encryption/decryption.
Furthermore, the implementation does not take care of errors using mcrypt method.
This RFC is about a restructure/separation of crypto safe/non-crypto safe methods to speed up execution/prevent blocks and improvements in error handling.
http://bugs.php.net/bug.php?id=52523
http://www.php-security.org/2010/05/09/mops-submission-04-generating-unpredictable-session-ids-and-hashes/index.html
(issue imported from #M15359)
Updated by Marcus Krause over 14 years ago
I've attached a PoC patch for TYPO3 4.3 branch.
It introduces a further optional parameter that allows skipping the blocking/slow methods that return crypto-safe random bytes.
In addition, the code is reordered, the commenting is improved, and errors are handled in the mcrypt code part.
Updated by Steffen Gebert almost 14 years ago
Marcus, I would really appreciate a restructuring.
/dev/urandom can be inaccessible due to an open_basedir restriction, so I would not only call the mcrypt function on Windows.
According to the PHP bug, we should decrease the priority of COM.
You only use the openssl method when $cryptoSafe is required. Why not always use it first and set the $cryptoStrong parameter to the value of $cryptoSafe? If no strong randomness was used but required, throw the result away.
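The source ordering discussed in Marcus's patch description and in the comment above (openssl tried first with its strong-randomness flag checked, /dev/urandom only when readable under open_basedir, mcrypt with its return value checked, and non-crypto callers allowed to fall through to a cheap source) can be written as a single generator. The following is an added example and not TYPO3's own code; the function name generateRandomBytes and the $cryptoSafe parameter are assumptions modelled on the thread, and the fallback chain is the one proposed here rather than the committed implementation.

```php
<?php
/**
 * Added example (not TYPO3's code): a random byte generator that separates
 * crypto-safe from non-crypto-safe sources, following the ordering proposed
 * in this thread.
 *
 * Order: openssl (always first; result discarded if strong bytes were
 * required but not obtained) -> /dev/urandom (only if readable, since
 * open_basedir may hide it) -> mcrypt (return value checked) -> for
 * non-crypto callers only, mt_rand().
 *
 * @param int  $count      Number of bytes wanted
 * @param bool $cryptoSafe Whether the caller needs cryptographically strong bytes
 * @return string Binary string of exactly $count bytes
 * @throws RuntimeException if strong bytes are required but no strong source works
 */
function generateRandomBytes($count, $cryptoSafe = true)
{
    $count = (int) $count;
    if ($count < 1) {
        return '';
    }

    // 1. openssl: tried for every caller. $cryptoStrong reports whether the
    //    bytes came from a strong source; on PHP 8 the function throws on failure.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $cryptoStrong = false;
        try {
            $bytes = openssl_random_pseudo_bytes($count, $cryptoStrong);
        } catch (Exception $e) {
            $bytes = false;
        }
        if ($bytes !== false && strlen($bytes) === $count) {
            if ($cryptoStrong || !$cryptoSafe) {
                return $bytes;
            }
            // Strong bytes required but not obtained: throw the result away.
        }
    }

    // 2. /dev/urandom: check readability first, because open_basedir can
    //    make the device inaccessible and fopen() would only emit a warning.
    if (@is_readable('/dev/urandom')) {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = fread($fh, $count);
            fclose($fh);
            if ($bytes !== false && strlen($bytes) === $count) {
                return $bytes;
            }
        }
    }

    // 3. mcrypt (PHP < 7.2 only): mcrypt_create_iv() returns false on error,
    //    so the result is validated instead of being trusted blindly.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = @mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $count) {
            return $bytes;
        }
    }

    // 4. No crypto-safe source delivered: never silently degrade for a
    //    caller that asked for strong bytes.
    if ($cryptoSafe) {
        throw new RuntimeException('No cryptographically strong random source available');
    }

    // 5. Non-crypto fallback for cache keys, temporary names and the like.
    $bytes = '';
    for ($i = 0; $i < $count; $i++) {
        $bytes .= chr(mt_rand(0, 255));
    }
    return $bytes;
}

// Usage: strong bytes for a token, cheap bytes for a temporary file name.
$token = bin2hex(generateRandomBytes(16, true));
$tmpSuffix = bin2hex(generateRandomBytes(4, false));
```

The essential property is step 4: a caller that asked for strong bytes gets an exception rather than a weaker result, so the non-crypto path is only ever reached when the caller opted into it. On PHP 7 and later, random_bytes() already provides the crypto-safe path and throws when no secure source is available, so in current code the whole chain collapses to a call to random_bytes() for $cryptoSafe callers.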
Updated by Helmut Hummel almost 14 years ago
We do not need crypto-safe randomness, thus define the method to return non-crypto-safe random bytes (which it does in some cases anyway).
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 2 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 3 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I42eea55dcbcd8d8f5b1a6e9493993e9ccd967dfa has been pushed to the review server.
It is available at http://review.typo3.org/4555
Updated by Anonymous about 13 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset f7e9b0bc71906acc6bed19ab12fbb3dcbb1b592a.
Updated by Steffen Gebert about 13 years ago
- Status changed from Resolved to Under Review
- Target version deleted (0)
- TYPO3 Version set to 4.6
Was set to resolved, as it was pushed to a sandbox.
Updated by Mr. Hudson about 13 years ago
Patch set 4 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Steffen Gebert about 13 years ago
- Priority changed from Should have to Must have
- Target version set to 4.6.0
Updated by Mr. Hudson about 13 years ago
Patch set 5 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 6 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 7 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Xavier Perseguers about 13 years ago
- Target version changed from 4.6.0 to 4.5.8
Updated by Anonymous about 13 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3580129688d0eae327e383d704dda822f3a0e4f5.
Updated by Steffen Gebert about 13 years ago
- Status changed from Resolved to Under Review
Keeping it open, as it still needs to go to older branches, but needs code adjustments for that!
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/6460
Updated by Gerrit Code Review almost 13 years ago
Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/4555
Updated by Anonymous almost 13 years ago
- Status changed from Under Review to Resolved
Applied in changeset 98c2451df6e62dc809107b1e6ae2cba487f7fa69.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed