Bug #23355
closedSpeed up / restructure of random byte generator to address e.g. WIN OS specifics
100%
Description
The current implementation of TYPO3's random byte generator mixes up methods that retrieve crypto-safe/non-crypto safe bytes.
Crypto-safe methods usually mean a blocking/time-consuming execution and should be used only for cryptographic use-cases like encryption/decryption.
Furthermore, the implementation does not take care of errors using mcrypt method.
This RFC is about a restructure/separation of crypto safe/non-crypto safe methods to speed up execution/prevent blocks and improvements in error handling.
http://bugs.php.net/bug.php?id=52523
http://www.php-security.org/2010/05/09/mops-submission-04-generating-unpredictable-session-ids-and-hashes/index.html
(issue imported from #M15359)
Files
Updated by Marcus Krause over 14 years ago
I've attached a PoC patch for TYPO3 4.3 branch.
Introduces a further optional parameter that allows to skip blocking/slow method that return crypto-safe random bytes.
In addition the code is reordered, commenting improved and errors handled in mcrypt code part.
Updated by Steffen Gebert almost 14 years ago
Marcus, I would really appreciate a restructuring..
/dev/urandom can be inaccessible due to open_basedir restriction, so I would not only call mycrypt function on windows.
According to the PHP bug, we should decrease the priority of COM.
You only use the openssl method, when $cryptoSafe is required. Why not always use it first and set the $cryptoStrong parameter to the value of $cryptoSafe. If no strong randomness was used but required, throw the result away.
Updated by Helmut Hummel almost 14 years ago
We do not need crypto safe randomness, thus define the method to return not crypto safe random bytes (which it does in some cases anyways).
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 2 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 3 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I42eea55dcbcd8d8f5b1a6e9493993e9ccd967dfa has been pushed to the review server.
It is available at http://review.typo3.org/4555
Updated by Anonymous about 13 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset f7e9b0bc71906acc6bed19ab12fbb3dcbb1b592a.
Updated by Steffen Gebert about 13 years ago
- Status changed from Resolved to Under Review
- Target version deleted (
0) - TYPO3 Version set to 4.6
Was set to resolved, as it was pushed to a sandbox..
Updated by Mr. Hudson about 13 years ago
Patch set 4 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Steffen Gebert about 13 years ago
- Priority changed from Should have to Must have
- Target version set to 4.6.0
Updated by Mr. Hudson about 13 years ago
Patch set 5 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 6 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Mr. Hudson about 13 years ago
Patch set 7 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/4537
Updated by Xavier Perseguers about 13 years ago
- Target version changed from 4.6.0 to 4.5.8
Updated by Anonymous about 13 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3580129688d0eae327e383d704dda822f3a0e4f5.
Updated by Steffen Gebert about 13 years ago
- Status changed from Resolved to Under Review
Keeping it open, as it still needs to go to older branches, but needs code adjustments for that!
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I6bad300842f3da40c620b3d79b8116345a2749a0 has been pushed to the review server.
It is available at http://review.typo3.org/6460
Updated by Gerrit Code Review almost 13 years ago
Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/4555
Updated by Anonymous almost 13 years ago
- Status changed from Under Review to Resolved
Applied in changeset 98c2451df6e62dc809107b1e6ae2cba487f7fa69.
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed