Project

General

Profile

Actions

Bug #23355

closed

Speed up / restructure of random byte generator to address e.g. WIN OS specifics

Added by Marcus Krause over 14 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
Start date:
2010-08-05
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.6
PHP Version:
4.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The current implementation of TYPO3's random byte generator mixes up methods that retrieve crypto-safe/non-crypto safe bytes.
Crypto-safe methods usually mean a blocking/time-consuming execution and should be used only for cryptographic use-cases like encryption/decryption.
Furthermore, the implementation does not take care of errors using mcrypt method.

This RFC is about a restructure/separation of crypto safe/non-crypto safe methods to speed up execution/prevent blocks and improvements in error handling.

http://bugs.php.net/bug.php?id=52523
http://www.php-security.org/2010/05/09/mops-submission-04-generating-unpredictable-session-ids-and-hashes/index.html
(issue imported from #M15359)


Files

15359_4-3_POC.diff (3.59 KB) 15359_4-3_POC.diff Administrator Admin, 2010-08-06 10:44

Related issues 5 (0 open5 closed)

Related to TYPO3 Core - Bug #22369: Mitigate PHP's RNG vulnerabilityClosedHelmut Hummel2010-04-01

Actions
Related to TYPO3 Core - Bug #24410: Parameter for function "mcrypt_create_iv" not correctClosed2010-12-24

Actions
Related to TYPO3 Core - Bug #23860: Installation on Windows causes Fatal error: Call to undefined method com::GetRandom() during 1-2-3 installer.ClosedMarcus Krause2010-10-28

Actions
Has duplicate TYPO3 Core - Bug #23496: t3lib_div::generateRandomBytes() is bad and buggyClosed2010-09-03

Actions
Has duplicate TYPO3 Core - Bug #24440: Improve the used random generators on *nix platformsClosedSteffen Gebert2010-12-29

Actions
Actions #1

Updated by Marcus Krause over 14 years ago

I've attached a PoC patch for TYPO3 4.3 branch.

Introduces a further optional parameter that allows to skip blocking/slow method that return crypto-safe random bytes.

In addition the code is reordered, commenting improved and errors handled in mcrypt code part.

Actions #2

Updated by Steffen Gebert almost 14 years ago

Marcus, I would really appreciate a restructuring..
/dev/urandom can be inaccessible due to open_basedir restriction, so I would not only call mycrypt function on windows.

According to the PHP bug, we should decrease the priority of COM.

You only use the openssl method, when $cryptoSafe is required. Why not always use it first and set the $cryptoStrong parameter to the value of $cryptoSafe. If no strong randomness was used but required, throw the result away.

Actions #3

Updated by Helmut Hummel almost 14 years ago

We do not need crypto safe randomness, thus define the method to return not crypto safe random bytes (which it does in some cases anyways).

Actions #4

Updated by Mr. Hudson over 13 years ago

Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #5

Updated by Mr. Hudson about 13 years ago

Patch set 2 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #6

Updated by Mr. Hudson about 13 years ago

Patch set 3 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #7

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I42eea55dcbcd8d8f5b1a6e9493993e9ccd967dfa has been pushed to the review server.
It is available at http://review.typo3.org/4555

Actions #8

Updated by Anonymous about 13 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100
Actions #9

Updated by Steffen Gebert about 13 years ago

  • Status changed from Resolved to Under Review
  • Target version deleted (0)
  • TYPO3 Version set to 4.6

Was set to resolved, as it was pushed to a sandbox..

Actions #10

Updated by Mr. Hudson about 13 years ago

Patch set 4 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #11

Updated by Steffen Gebert about 13 years ago

  • Priority changed from Should have to Must have
  • Target version set to 4.6.0
Actions #12

Updated by Mr. Hudson about 13 years ago

Patch set 5 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #13

Updated by Mr. Hudson about 13 years ago

Patch set 6 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #14

Updated by Mr. Hudson about 13 years ago

Patch set 7 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537

Actions #15

Updated by Xavier Perseguers about 13 years ago

  • Target version changed from 4.6.0 to 4.5.8
Actions #16

Updated by Anonymous about 13 years ago

  • Status changed from Under Review to Resolved
Actions #17

Updated by Steffen Gebert about 13 years ago

  • Status changed from Resolved to Under Review

Keeping it open, as it still needs to go to older branches, but needs code adjustments for that!

Actions #18

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/6460

Actions #19

Updated by Gerrit Code Review almost 13 years ago

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/4555

Actions #20

Updated by Anonymous almost 13 years ago

  • Status changed from Under Review to Resolved
Actions #21

Updated by Riccardo De Contardi about 7 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF