From 8de5200e7e3538fc8ffa1483ec0cffdd41f12c96 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Wed, 6 Apr 2016 14:13:38 +0900 Subject: [PATCH 01/14] Remove hash usage from session ID creation --- ext/session/php_session.h | 9 +- ext/session/session.c | 217 +++--------------- ext/session/tests/bug68063.phpt | 4 +- ext/session/tests/rfc1867_sid_invalid.phpt | 1 + ext/session/tests/session_basic2.phpt | 8 +- .../tests/session_regenerate_id_cookie.phpt | 2 +- .../session_set_save_handler_variation6.phpt | 1 + 7 files changed, 44 insertions(+), 198 deletions(-) diff --git a/ext/session/php_session.h b/ext/session/php_session.h index a3b4de82f0fae..4cf8dc6236429 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -151,9 +151,7 @@ typedef struct _php_ps_globals { char *session_name; zend_string *id; char *extern_referer_chk; - char *entropy_file; char *cache_limiter; - zend_long entropy_length; zend_long cookie_lifetime; char *cookie_path; char *cookie_domain; @@ -191,11 +189,8 @@ typedef struct _php_ps_globals { zend_bool use_only_cookies; zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */ - zend_long hash_func; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - php_hash_ops *hash_ops; -#endif - zend_long hash_bits_per_character; + zend_long sid_length; + zend_long sid_bits_per_character; int send_cookie; int define_sid; diff --git a/ext/session/session.c b/ext/session/session.c index 826929769f230..496245b84f17d 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
@@ -40,13 +40,11 @@ #include "rfc1867.h" #include "php_variables.h" #include "php_session.h" -#include "ext/standard/md5.h" -#include "ext/standard/sha1.h" +#include "ext/standard/php_random.h" #include "ext/standard/php_var.h" #include "ext/date/php_date.h" #include "ext/standard/php_lcg.h" #include "ext/standard/url_scanner_ex.h" -#include "ext/standard/php_rand.h" /* for RAND_MAX */ #include "ext/standard/info.h" #include "zend_smart_str.h" #include "ext/standard/url.h" @@ -81,6 +79,8 @@ zend_class_entry *php_session_update_timestamp_class_entry; /* SessionUpdateTimestampInterface */ zend_class_entry *php_session_update_timestamp_iface_entry; +#define PS_MAX_SID_LENGTH 256 + /* *********** * Helpers * *********** */ @@ -266,10 +266,11 @@ enum { }; /* returns a pointer to the byte after the last valid character in out */ -static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */ +static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */ { unsigned char *p, *q; unsigned short w; + size_t len = inlen; int mask; int have; @@ -280,7 +281,7 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { have = 0; mask = (1 << nbits) - 1; - while (1) { + while (inlen--) { if (have < nbits) { if (p < q) { w |= *p++ << have; 
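Review bot: The comment kept as context above the new signature, `/* returns a pointer to the byte after the last valid character in out */`, is now wrong: bin_to_readable returns a `size_t`, and with the `while (inlen--)` loop of the following hunk it appears to emit exactly `inlen` characters and return that count, so `inlen` now doubles as the output length and the function only consumes roughly ceil(inlen * nbits / 8) bytes of `in`. The same stale comment is still visible as context in PATCH 07's hunk at @@ -259 and is not touched there either. I would replace it with `/* Writes exactly inlen characters of nbits bits each to out, NUL-terminates it and returns inlen; reads at most ceil(inlen*nbits/8) bytes of in, so in must hold at least that many. */`. The remainder of the loop body lies outside the hunk.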
@@ -300,151 +301,21 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { } *out = '\0'; - return out; + return len; } /* }}} */ PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ { - PHP_MD5_CTX md5_context; - PHP_SHA1_CTX sha1_context; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - void *hash_context = NULL; -#endif - unsigned char *digest; - size_t digest_len; - char *buf; - struct timeval tv; - zval *array; - zval *token; + unsigned char rbuf[PS_MAX_SID_LENGTH]; zend_string *outid; - char *remote_addr = NULL; - - gettimeofday(&tv, NULL); - - if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) && - Z_TYPE_P(array) == IS_ARRAY && - (token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) && - Z_TYPE_P(token) == IS_STRING - ) { - remote_addr = Z_STRVAL_P(token); - } - /* maximum 15+19+19+10 bytes */ - spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? 
remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10); - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Init(&md5_context); - PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf)); - digest_len = 16; - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Init(&sha1_context); - PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf)); - digest_len = 20; - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - if (!PS(hash_ops)) { - efree(buf); - php_error_docref(NULL, E_ERROR, "Invalid session hash function"); - return NULL; - } - - hash_context = emalloc(PS(hash_ops)->context_size); - PS(hash_ops)->hash_init(hash_context); - PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf)); - digest_len = PS(hash_ops)->digest_size; - break; -#endif /* HAVE_HASH_EXT */ - default: - efree(buf); - php_error_docref(NULL, E_ERROR, "Invalid session hash function"); - return NULL; + if (php_random_bytes_throw(rbuf, PS(sid_length)) == FAILURE) { + return NULL; } - efree(buf); - - if (PS(entropy_length) > 0) { -#ifdef PHP_WIN32 - unsigned char rbuf[2048]; - size_t toread = PS(entropy_length); - - if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){ - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, toread); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Update(&sha1_context, rbuf, toread); - break; -# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, toread); - break; -# endif /* HAVE_HASH_EXT */ - } - } -#else - int fd; - - fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); - if (fd >= 0) { - unsigned char rbuf[2048]; - int n; - int to_read = PS(entropy_length); - - while (to_read > 0) { - n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); - if (n <= 0) break; - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, n); - 
break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Update(&sha1_context, rbuf, n); - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, n); - break; -#endif /* HAVE_HASH_EXT */ - } - to_read -= n; - } - close(fd); - } -#endif - } - - digest = emalloc(digest_len + 1); - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Final(digest, &md5_context); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Final(digest, &sha1_context); - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_final(digest, hash_context); - efree(hash_context); - break; -#endif /* HAVE_HASH_EXT */ - } - - if (PS(hash_bits_per_character) < 4 - || PS(hash_bits_per_character) > 6) { - PS(hash_bits_per_character) = 4; - - php_error_docref(NULL, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); - } - - outid = zend_string_alloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character) + 0.5)), 0); - ZSTR_LEN(outid) = (size_t)(bin_to_readable((char *)digest, digest_len, ZSTR_VAL(outid), (char)PS(hash_bits_per_character)) - (char *)&ZSTR_VAL(outid)); - efree(digest); + outid = zend_string_alloc(PS(sid_length), 0); + ZSTR_LEN(outid) = bin_to_readable(rbuf, PS(sid_length), ZSTR_VAL(outid), (char)PS(sid_bits_per_character)); return outid; } 
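Review bot: The new `return NULL` after `php_random_bytes_throw` is a recoverable path (an exception is pending), whereas the removed `return NULL` lines were only reachable after an `E_ERROR` that bails out, so callers written against the old code may never have checked for NULL; every caller of php_session_create_id and of a handler's create_sid should be confirmed to handle a NULL result with the exception set. The hunk also drops the old local range check on bits-per-character and now relies entirely on the INI handlers keeping `PS(sid_length)` within PS_MAX_SID_LENGTH and `PS(sid_bits_per_character)` in 4..6 before they are used as the `rbuf` read size, the `zend_string_alloc` size and the `(char)` cast, so that invariant deserves a comment at the top of the function, e.g. `/* sid_length <= PS_MAX_SID_LENGTH and sid_bits_per_character in 4..6 are guaranteed by OnUpdateSidLength/OnUpdateSidBits */`. Note that bin_to_readable appears to consume only about sid_length * sid_bits_per_character / 8 of the sid_length random bytes, so the ID carries sid_length * sid_bits_per_character bits and the rest of `rbuf` is discarded.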
@@ -763,55 +634,43 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */ } /* }}} */ -static PHP_INI_MH(OnUpdateHashFunc) /* {{{ */ +static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ { zend_long val; char *endptr = NULL; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - PS(hash_ops) = NULL; -#endif - val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); - if (endptr && (*endptr == '\0')) { + if (endptr && (*endptr == '\0') + && val >= 32 && val <= PS_MAX_SID_LENGTH) { /* Numeric value */ - PS(hash_func) = val ? 1 : 0; - - return SUCCESS; - } - - if (ZSTR_LEN(new_value) == (sizeof("md5") - 1) && - strncasecmp(ZSTR_VAL(new_value), "md5", sizeof("md5") - 1) == 0) { - PS(hash_func) = PS_HASH_FUNC_MD5; - + PS(sid_length) = val; return SUCCESS; } - if (ZSTR_LEN(new_value) == (sizeof("sha1") - 1) && - strncasecmp(ZSTR_VAL(new_value), "sha1", sizeof("sha1") - 1) == 0) { - PS(hash_func) = PS_HASH_FUNC_SHA1; - - return SUCCESS; - } + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must between 32 and 256."); + return FAILURE; +} +/* }}} */ -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) /* {{{ */ +static PHP_INI_MH(OnUpdateSidBits) /* {{{ */ { - php_hash_ops *ops = (php_hash_ops*)php_hash_fetch_ops(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); - - if (ops) { - PS(hash_func) = PS_HASH_FUNC_OTHER; - PS(hash_ops) = ops; + zend_long val; + char *endptr = NULL; + val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); + if (endptr && (*endptr == '\0') + && val >= 4 && val <=6) { + /* Numeric value */ + PS(sid_bits_per_character) = val; return SUCCESS; } -} -#endif /* HAVE_HASH_EXT }}} */ - php_error_docref(NULL, E_WARNING, "session.configuration 'session.hash_function' must be existing hash function. %s does not exist.", ZSTR_VAL(new_value)); + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must between 4 and 6."); return FAILURE; } /* }}} */ + static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */ { int tmp; 
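Review bot: The warning in OnUpdateSidBits names a directive that does not exist — `'session.sid_bits'` — while the entry registered in the @@ -850 hunk is `session.sid_bits_per_character`, so a user who sets a bad value is pointed at the wrong setting; PATCH 09 later fixes the grammar of this message but keeps the wrong name. I would change it to `php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits_per_character' must be between 4 and 6.");`. Minor style: `val <=6` should read `val <= 6` to match the surrounding comparisons, and since `ZEND_STRTOL` accepts leading whitespace and a sign, inputs such as `" 5"` pass the `*endptr == '\0'` check, which is probably acceptable but worth knowing.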
@@ -850,23 +709,13 @@ PHP_INI_BEGIN() STD_PHP_INI_BOOLEAN("session.cookie_httponly", "", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) - STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) -#if HAVE_DEV_URANDOM - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#elif HAVE_DEV_ARANDOM - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#else - STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#endif STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid) - PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateHashFunc) - 
STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateLong, hash_bits_per_character, php_ps_globals, ps_globals) + PHP_INI_ENTRY("session.sid_length", "48", PHP_INI_ALL, OnUpdateSidLength) + PHP_INI_ENTRY("session.sid_bits_per_character", "5", PHP_INI_ALL, OnUpdateSidBits) STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateBool, lazy_write, php_ps_globals, ps_globals) /* Upload progress */ diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt index ec3a70d156399..d21a877631d99 100644 --- a/ext/session/tests/bug68063.phpt +++ b/ext/session/tests/bug68063.phpt @@ -4,8 +4,8 @@ Bug #68063 (Empty session IDs do still start sessions) --INI-- session.use_strict_mode=0 -session.hash_function=1 -session.hash_bits_per_character=4 +session.sid_length=40 +session.sid_bits_per_character=4 --FILE-- Date: Wed, 6 Apr 2016 18:41:39 +0900 Subject: [PATCH 02/14] Remove unneeded tests --- ext/session/tests/bug71186.phpt | 32 ---------- .../tests/session_hash_function_basic.phpt | 52 ---------------- ext/session/tests/session_id_error4.phpt | 37 ----------- ext/session/tests/session_id_variation1.phpt | 48 --------------- ext/session/tests/session_id_variation2.phpt | 61 ------------------- 5 files changed, 230 deletions(-) delete mode 100644 ext/session/tests/bug71186.phpt delete mode 100644 ext/session/tests/session_hash_function_basic.phpt delete mode 100644 ext/session/tests/session_id_error4.phpt delete mode 100644 ext/session/tests/session_id_variation1.phpt delete mode 100644 ext/session/tests/session_id_variation2.phpt diff --git a/ext/session/tests/bug71186.phpt b/ext/session/tests/bug71186.phpt deleted file mode 100644 index 5eeba6035f43e..0000000000000 --- a/ext/session/tests/bug71186.phpt +++ /dev/null 
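Review bot: The flip of `session.use_strict_mode` from `"0"` to `"1"` is unrelated to removing the hash from ID generation and changes observable behaviour for every deployment (client-supplied uninitialised IDs are rejected), yet the commit subject does not mention it; PATCH 04 in this series reverts it again, which confirms it should not have been bundled here. I'd keep this hunk to the removal of the entropy/hash entries and the two new `PHP_INI_ENTRY` lines for `session.sid_length` and `session.sid_bits_per_character`.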
@@ -1,32 +0,0 @@ ---TEST-- -Bug #71186 session.hash_function - algorithm changes ---SKIPIF-- - ---INI-- -session.hash_function=sha512 -session.save_handler=files ---FILE-- - ---EXPECT-- -int(128) -int(128) -int(40) -int(40) diff --git a/ext/session/tests/session_hash_function_basic.phpt b/ext/session/tests/session_hash_function_basic.phpt deleted file mode 100644 index a9c921581bec3..0000000000000 --- a/ext/session/tests/session_hash_function_basic.phpt +++ /dev/null @@ -1,52 +0,0 @@ ---TEST-- -Test session.hash_function ini setting : basic functionality ---SKIPIF-- - ---INI-- -session.hash_bits_per_character=4 ---FILE-- - ---EXPECTF-- -*** Testing session.hash_function : basic functionality *** -string(1) "0" -bool(true) -bool(true) -string(32) "%s" -bool(true) -string(3) "md5" -bool(true) -bool(true) -string(40) "%s" -bool(true) - -Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. none does not exist. in %s%esession_hash_function_basic.php on line 17 -bool(false) -bool(true) -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_error4.phpt b/ext/session/tests/session_id_error4.phpt deleted file mode 100644 index 6c1fdbcd6b673..0000000000000 --- a/ext/session/tests/session_id_error4.phpt +++ /dev/null @@ -1,37 +0,0 @@ ---TEST-- -Test session_id() function : error functionality ---SKIPIF-- - ---INI-- -session.hash_function=0 -session.hash_bits_per_character=4 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : error functionality *** -string(1) "0" -string(0) "" -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_variation1.phpt b/ext/session/tests/session_id_variation1.phpt deleted file mode 100644 index 983ca29170f29..0000000000000 --- a/ext/session/tests/session_id_variation1.phpt +++ /dev/null 
@@ -1,48 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- - ---INI-- -session.hash_function=0 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : variation *** -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -Done - diff --git a/ext/session/tests/session_id_variation2.phpt b/ext/session/tests/session_id_variation2.phpt deleted file mode 100644 index f69aa44c0d6d1..0000000000000 --- a/ext/session/tests/session_id_variation2.phpt +++ /dev/null @@ -1,61 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- - ---INI-- -session.hash_function=0 -session.entropy_file= -session.entropy_length=0 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : variation *** -string(0) "" -int(12) -string(1) "0" -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -bool(true) -Done - From cc328ff7e02b8f871c74b15cf1676956277875c7 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Sat, 2 Jul 2016 12:54:05 +0900 Subject: [PATCH 03/14] Read extra 60 bytes. Change min sid len --- ext/session/session.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ext/session/session.c b/ext/session/session.c index e27d68740f96a..eded3618a75fa 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -310,7 +310,8 @@ PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ unsigned char rbuf[PS_MAX_SID_LENGTH]; zend_string *outid; - if (php_random_bytes_throw(rbuf, PS(sid_length)) == FAILURE) { + /* Read additiona 60 bytes just in case CSPRNG is not safe enough */ + if (php_random_bytes_throw(rbuf, PS(sid_length) + 60) == FAILURE) { return NULL; } 
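Review bot: `php_random_bytes_throw(rbuf, PS(sid_length) + 60)` writes past the end of `rbuf`, which is still declared as `unsigned char rbuf[PS_MAX_SID_LENGTH]` two lines above, for any `sid_length` greater than PS_MAX_SID_LENGTH - 60 — a stack buffer overflow reachable through an ordinary INI value; PATCH 05 in this series enlarges the array, but this commit is broken on its own. Either size the array for the extra bytes here or drop the `+ 60`. The comment also misspells "additional".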
@@ -651,7 +652,7 @@ static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); if (endptr && (*endptr == '\0') - && val >= 32 && val <= PS_MAX_SID_LENGTH) { + && val >= 22 && val <= PS_MAX_SID_LENGTH) { /* Numeric value */ PS(sid_length) = val; return SUCCESS; From 1c369b726a54278622b0a14890ad74506eb32003 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Sun, 3 Jul 2016 10:12:28 +0900 Subject: [PATCH 04/14] use_strict_mode will be changed by other RFC --- ext/session/session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/session/session.c b/ext/session/session.c index eded3618a75fa..790ec8376c578 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -720,7 +720,7 @@ PHP_INI_BEGIN() STD_PHP_INI_BOOLEAN("session.cookie_httponly", "", PHP_INI_ALL, OnUpdateBool, cookie_httponly, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) - STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) + STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) From 9faf042685cba52db632323e8ebcf8744cf53912 Mon Sep 17 00:00:00 2001 
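Review bot: Lowering the minimum `session.sid_length` to 22 permits IDs of only 22 * 4 = 88 bits at the 4-bits-per-character setting, and nothing in OnUpdateSidLength ties the two settings together, so the lower bound should be documented as a compatibility escape hatch rather than a recommended value, e.g. `/* 22 is the minimum for backward compatibility only; 32 or more characters is recommended */` above the range check. The warning text two lines below still says "between 32 and 256" after this change (PATCH 06 corrects it later).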
From: Yasuo Ohgaki Date: Thu, 7 Jul 2016 06:19:17 +0900 Subject: [PATCH 05/14] Fix possible overflow --- ext/session/session.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ext/session/session.c b/ext/session/session.c index 790ec8376c578..7b97899ce0967 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -305,13 +305,15 @@ static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char n } /* }}} */ +#define PS_EXTRA_RAND_BYTES 60 + PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ { - unsigned char rbuf[PS_MAX_SID_LENGTH]; + unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES]; zend_string *outid; - /* Read additiona 60 bytes just in case CSPRNG is not safe enough */ - if (php_random_bytes_throw(rbuf, PS(sid_length) + 60) == FAILURE) { + /* Read additiona PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ + if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { return NULL; } From c6fb46f0044b51945750be99f32278a04a1aa122 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Tue, 12 Jul 2016 18:08:11 +0900 Subject: [PATCH 06/14] Fix typo and error message --- ext/session/session.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/session/session.c b/ext/session/session.c index 7b97899ce0967..42d80e9e29385 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -312,7 +312,7 @@ PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES]; zend_string *outid; - /* Read additiona PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ + /* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { return NULL; } 
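Review bot: The PS_EXTRA_RAND_BYTES read "just in case CSPRNG is not safe enough" never reaches the ID: as PATCH 01's hunk shows, the call that follows passes only `PS(sid_length)` bytes to bin_to_readable, so the trailing 60 bytes are requested from the CSPRNG and discarded, which adds no strength and only costs a larger stack frame and extra reads from the random source. Either drop the extra read or reword the comment so a reader does not assume the ID is hardened by it, e.g. `/* PS_EXTRA_RAND_BYTES are read but not used by bin_to_readable(); they do not add entropy to the ID */`. Also, `#define PS_EXTRA_RAND_BYTES 60` would sit better next to `PS_MAX_SID_LENGTH` near the top of the file than between two functions.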
@@ -660,7 +660,7 @@ static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ return SUCCESS; } - php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must between 32 and 256."); + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must between 22 and 256."); return FAILURE; } /* }}} */ From 399720ed4f3077e2552aa1e6a04d6e1c8fe315a7 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Tue, 12 Jul 2016 18:14:35 +0900 Subject: [PATCH 07/14] Remove unneeded hash enum --- ext/session/session.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ext/session/session.c b/ext/session/session.c index 42d80e9e29385..5479ee165953e 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -259,12 +259,6 @@ static int php_session_decode(zend_string *data) /* {{{ */ static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; -enum { - PS_HASH_FUNC_MD5, - PS_HASH_FUNC_SHA1, - PS_HASH_FUNC_OTHER -}; - /* returns a pointer to the byte after the last valid character in out */ static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */ { From 79fbe49c89260d39f90ed18d0f63f0994c83e825 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Mon, 18 Jul 2016 11:54:52 +0900 Subject: [PATCH 08/14] Update UPGRADING --- UPGRADING | 21 ++++++++- ext/session/session.c | 103 ------------------------------------------ 2 files changed, 19 insertions(+), 105 deletions(-) diff --git a/UPGRADING b/UPGRADING index adb4741a5b13f..cd16dd37a9777 100644 --- a/UPGRADING +++ b/UPGRADING 
@@ -58,6 +58,24 @@ PHP 7.1 UPGRADE NOTES . When calling json_encode with JSON_UNESCAPED_UNICODE option, U+2028 and U+2029 are escaped. +- Session: + . Session ID is generated from CSPNG directly. As a result, Session ID length + could be any length between 22 and 256. + . New default has much larger bits for session ID (240 bits vs. 128 bits), less + likely to have collisions. (Note: Session module has collision detection) + . Following INIs are removed + . session.hash_function + . session.hash_bits_per_charactor + . session.entropy_file + . session.entropy_length + . New INIs and defaults + . session.sid_length (Number of session ID characters - 22 to 256. Default: 48) + . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 5) + . If you need old INI compatibility, use following settings. + . session.sid_length=32 + . session.sid_bits_per_character=4 + + ======================================== 2. New Features ======================================== @@ -222,8 +240,7 @@ PHP 7.1 UPGRADE NOTES . Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID. - . An invalid setting for session.hash_function will throw an instance of - Error instead of resulting in a fatal error when a session ID is created. + . Only CSPRNG is used to generate session ID. - SimpleXML: . Creating an unnamed or duplicate attribute will throw an instance of Error diff --git a/ext/session/session.c b/ext/session/session.c index 9e8ccc053aa24..aa8d18956b1ce 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
@@ -305,109 +305,6 @@ PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ { unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES]; zend_string *outid; -<<<<<<< HEAD -======= - char *remote_addr = NULL; - - gettimeofday(&tv, NULL); - - if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) && - Z_TYPE_P(array) == IS_ARRAY && - (token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) && - Z_TYPE_P(token) == IS_STRING - ) { - remote_addr = Z_STRVAL_P(token); - } - - /* maximum 15+19+19+10 bytes */ - spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10); - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Init(&md5_context); - PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf)); - digest_len = 16; - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Init(&sha1_context); - PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf)); - digest_len = 20; - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - if (!PS(hash_ops)) { - efree(buf); - zend_throw_error(NULL, "Invalid session hash function"); - return NULL; - } - - hash_context = emalloc(PS(hash_ops)->context_size); - PS(hash_ops)->hash_init(hash_context); - PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf)); - digest_len = PS(hash_ops)->digest_size; - break; -#endif /* HAVE_HASH_EXT */ - default: - efree(buf); - zend_throw_error(NULL, "Invalid session hash function"); - return NULL; - } - efree(buf); - - if (PS(entropy_length) > 0) { -#ifdef PHP_WIN32 - unsigned char rbuf[2048]; - size_t toread = PS(entropy_length); - - if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){ - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, toread); - break; - case PS_HASH_FUNC_SHA1: - 
PHP_SHA1Update(&sha1_context, rbuf, toread); - break; -# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, toread); - break; -# endif /* HAVE_HASH_EXT */ - } - } -#else - int fd; - - fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); - if (fd >= 0) { - unsigned char rbuf[2048]; - int n; - int to_read = PS(entropy_length); - - while (to_read > 0) { - n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); - if (n <= 0) break; - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, n); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Update(&sha1_context, rbuf, n); - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, n); - break; -#endif /* HAVE_HASH_EXT */ - } - to_read -= n; - } - close(fd); - } -#endif - } ->>>>>>> master /* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { From 106ee4d73993123e3fb1e0a3253c5314e6a1bc9f Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Mon, 18 Jul 2016 11:56:16 +0900 Subject: [PATCH 09/14] Fix error message --- ext/session/session.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/session/session.c b/ext/session/session.c index aa8d18956b1ce..f4264ec09bd50 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -654,7 +654,7 @@ static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ return SUCCESS; } - php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must between 22 and 256."); + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256."); return FAILURE; } /* }}} */ 
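Review bot: Leftover merge-conflict markers (`<<<<<<< HEAD` … `>>>>>>> master`) are being deleted from php_session_create_id under a subject line that says only "Update UPGRADING", which means an intermediate commit of this series did not compile and the fix is hidden in an unrelated change; it deserves its own commit or at least a sentence in the message so bisecting is not misled. The removed block references `buf`, `tv`, `array`, `token` and the hash contexts that no longer exist in the function, so nothing from it should be salvaged. The function's remaining body continues past the hunk.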
@@ -672,7 +672,7 @@ static PHP_INI_MH(OnUpdateSidBits) /* {{{ */ return SUCCESS; } - php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must between 4 and 6."); + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must be between 4 and 6."); return FAILURE; } /* }}} */ From 4742cce11d4946e00f6798c084033315e09d0169 Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Mon, 18 Jul 2016 13:45:09 +0900 Subject: [PATCH 10/14] Add test. Relax validtion --- ext/session/session.c | 2 +- ext/session/tests/session_id_basic2.phpt | 38 ++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 ext/session/tests/session_id_basic2.phpt diff --git a/ext/session/session.c b/ext/session/session.c index f4264ec09bd50..0818848bd21fc 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -344,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */ /* Somewhat arbitrary length limit here, but should be way more than anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ - if (len == 0 || len > 128) { + if (len == 0 || len > 256) { ret = FAILURE; } diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt new file mode 100644 index 0000000000000..4421a5391025e --- /dev/null +++ b/ext/session/tests/session_id_basic2.phpt @@ -0,0 +1,38 @@ +--TEST-- +Test session_id() function : basic functionality +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +*** Testing session_id() : basic functionality *** +string(240) "%s" +string(22) "%s" +Done + From 49acf57eba055326905ef06b96d9be96d434caae Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Tue, 26 Jul 2016 04:22:12 +0900 Subject: [PATCH 11/14] Use macro --- ext/session/session.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/session/session.c b/ext/session/session.c index 0818848bd21fc..e58c830189697 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
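Review bot: The context comment above the new limit in php_session_valid_key still justifies it as avoiding "file-level warnings later on if we exceed MAX_PATH", but 256 key characters plus the save-path directory and the files handler's file-name prefix can exceed MAX_PATH (260) on Windows, so that rationale no longer holds; the bound now exists to match the maximum `session.sid_length` and the comment should say so, e.g. `/* Upper bound matches the maximum session.sid_length; save handlers with tighter limits (e.g. file-name length) must enforce their own. */`. PATCH 11 swaps the literal for PS_MAX_SID_LENGTH at the same spot but leaves the comment as is. How the files handler builds its path is not visible here, so the MAX_PATH arithmetic is inferred.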
@@ -344,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */ /* Somewhat arbitrary length limit here, but should be way more than anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ - if (len == 0 || len > 256) { + if (len == 0 || len > PS_MAX_SID_LENGTH) { ret = FAILURE; } From 413ff78f9e72f9178401e9b63b6442ec6cc539bc Mon Sep 17 00:00:00 2001 From: Yasuo Ohgaki Date: Thu, 4 Aug 2016 15:18:51 +0900 Subject: [PATCH 12/14] Change INI defaults according to RFC passed. session.sid_length = 32 session.sid_bits_per_charactor = 4 However, php.ini-development/production had session.hash_func = 0 (MD5 128) session.hash_bits_per_character = 5 <--- This differs from compiled default. I didn't notice this. This config results in shorter session ID length. (26 chars) Anyway, most PHP installation would have session ID length = 32. So normal(?) users who are using php.ini-production as php.ini would get - session.sid_length=32 - session.sid_bits_per_character=5 and bits in session ID is 160 bits. (Older config was 128 bits) --- UPGRADING | 14 ++++----- ext/session/session.c | 4 +-- ext/session/tests/session_basic2.phpt | 8 ++--- .../tests/session_regenerate_id_cookie.phpt | 2 +- php.ini-development | 31 +++++-------------- php.ini-production | 31 +++++-------------- 6 files changed, 28 insertions(+), 62 deletions(-) diff --git a/UPGRADING b/UPGRADING index 41162346274a8..56221f4efe296 100644 --- a/UPGRADING +++ b/UPGRADING 
@@ -73,20 +73,20 @@ PHP 7.1 UPGRADE NOTES - Session: . Session ID is generated from CSPNG directly. As a result, Session ID length - could be any length between 22 and 256. - . New default has much larger bits for session ID (240 bits vs. 128 bits), less - likely to have collisions. (Note: Session module has collision detection) + could be any length between 22 and 256. Note: Max size of session ID depends + on save handler you are using. . Following INIs are removed . session.hash_function . session.hash_bits_per_charactor . session.entropy_file . session.entropy_length . New INIs and defaults - . session.sid_length (Number of session ID characters - 22 to 256. Default: 48) - . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 5) - . If you need old INI compatibility, use following settings. + . session.sid_length (Number of session ID characters - 22 to 256. Default: 32) + . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 4) + . If you were using session.hash_func=1(SHA1) and session.hash_bits_per_charactor=6 + Use following INIs to achive the same or better session ID strength. . session.sid_length=32 - . session.sid_bits_per_character=4 + . session.sid_bits_per_character=6 diff --git a/ext/session/session.c b/ext/session/session.c index 7e4090c64c098..9f7e47144934c 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
@@ -721,8 +721,8 @@ PHP_INI_BEGIN()
 STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals)
 STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals)
 PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid)
- PHP_INI_ENTRY("session.sid_length", "48", PHP_INI_ALL, OnUpdateSidLength)
- PHP_INI_ENTRY("session.sid_bits_per_character", "5", PHP_INI_ALL, OnUpdateSidBits)
+ PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength)
+ PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits)
 STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateBool, lazy_write, php_ps_globals, ps_globals)
 /* Upload progress */
diff --git a/ext/session/tests/session_basic2.phpt b/ext/session/tests/session_basic2.phpt
index 0e38e613394fa..179b82971eacd 100644
--- a/ext/session/tests/session_basic2.phpt
+++ b/ext/session/tests/session_basic2.phpt
@@ -65,15 +65,15 @@ string(6) "testid"
 bool(true)
 bool(true)
 NULL
-string(48) "%s"
+string(32) "%s"
 *** With lazy_write ***
-string(48) "%s"
+string(32) "%s"
 bool(true)
 bool(true)
 NULL
-string(48) "%s"
+string(32) "%s"
 *** Cleanup ***
-string(48) "%s"
+string(32) "%s"
 bool(true)
 bool(true)
 string(0) ""
diff --git a/ext/session/tests/session_regenerate_id_cookie.phpt b/ext/session/tests/session_regenerate_id_cookie.phpt
index 7c9b5f2eccd1a..d366d36e8d349 100644
--- a/ext/session/tests/session_regenerate_id_cookie.phpt
+++ b/ext/session/tests/session_regenerate_id_cookie.phpt
@@ -78,7 +78,7 @@ bool(true)
 Set-Cookie: PHPSESSID=%s; path=/
 bool(true)
 bool(true)
-string(48) "%s"
+string(32) "%s"
 bool(true)
 " Done
diff --git a/php.ini-development b/php.ini-development
index b39689f5db38b..d0a1c5ae0d480 100644
--- a/php.ini-development
+++ b/php.ini-development
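Review bot: The new compiled defaults encode 32 x 4 = 128 bits of CSPRNG output per session ID (down from 48 x 5 = 240 in the removed lines), but nothing at the two PHP_INI_ENTRY lines records that 128 bits is the intended floor, so a later "compatibility" tweak to either value could drop below it unnoticed; add `/* 32 chars x 4 bits = 128 bits of CSPRNG output; keep sid_length * sid_bits_per_character >= 128 */` above the sid_length entry. OnUpdateSidLength and OnUpdateSidBits are not in this hunk; presumably they enforce the documented 22-256 and 4-6 ranges individually, but those minima combine to 22 x 4 = 88 bits, so unless the product is checked there this comment is the only guard. Note also that the UPGRADING hunk later in this series states SHA-1 as 192 bits; SHA-1 output is 160 bits, so old hash_function=1 IDs at 4 bits/char were 40 characters, which matters if these defaults are being compared against them.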
@@ -143,7 +143,7 @@
 ; Development Value: 1000
 ; Production Value: 1000
-; session.hash_bits_per_character
+; session.sid_bits_per_character
 ; Default Value: 4
 ; Development Value: 5
 ; Production Value: 5
@@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440
 ; http://php.net/session.referer-check
 session.referer_check =
-; How many bytes to read from the file.
-; http://php.net/session.entropy-length
-;session.entropy_length = 32
-
-; Specified here to create the session id.
-; http://php.net/session.entropy-file
-; Defaults to /dev/urandom
-; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom
-; If neither are found at compile time, the default is no entropy file.
-; On windows, setting the entropy_length setting will activate the
-; Windows random source (using the CryptoAPI)
-;session.entropy_file = /dev/urandom
-
 ; Set to {nocache,private,public,} to determine HTTP caching aspects
 ; or leave this empty to avoid sending anti-caching headers.
 ; http://php.net/session.cache-limiter
@@ -1437,15 +1424,11 @@ session.cache_expire = 180
 ; http://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Select a hash function for use in generating session ids.
-; Possible Values
-; 0 (MD5 128 bits)
-; 1 (SHA-1 160 bits)
-; This option may also be set to the name of any hash function supported by
-; the hash extension. A list of available hashes is returned by the hash_algos()
-; function.
-; http://php.net/session.hash-function
-session.hash_function = 0
+; Set session ID charactor length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users must use 32 or more chars.
+; http://php.net/session.sid_length
+;session.sid_length = 32
 ; Define how many bits are stored in each character when converting
 ; the binary hash data to something readable.
@@ -1457,7 +1440,7 @@ session.hash_function = 0
 ; Development Value: 5
 ; Production Value: 5
 ; http://php.net/session.hash-bits-per-character
-session.hash_bits_per_character = 5
+session.sid_bits_per_character = 5
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ; form/fieldset are special; if you include them here, the rewriter will
diff --git a/php.ini-production b/php.ini-production
index 3c07f752dd47b..10218d5d07575 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -143,7 +143,7 @@
 ; Development Value: 1000
 ; Production Value: 1000
-; session.hash_bits_per_character
+; session.sid_bits_per_character
 ; Default Value: 4
 ; Development Value: 5
 ; Production Value: 5
@@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440
 ; http://php.net/session.referer-check
 session.referer_check =
-; How many bytes to read from the file.
-; http://php.net/session.entropy-length
-;session.entropy_length = 32
-
-; Specified here to create the session id.
-; http://php.net/session.entropy-file
-; Defaults to /dev/urandom
-; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom
-; If neither are found at compile time, the default is no entropy file.
-; On windows, setting the entropy_length setting will activate the
-; Windows random source (using the CryptoAPI)
-;session.entropy_file = /dev/urandom
-
 ; Set to {nocache,private,public,} to determine HTTP caching aspects
 ; or leave this empty to avoid sending anti-caching headers.
 ; http://php.net/session.cache-limiter
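Review bot: The retained context line `; http://php.net/session.hash-bits-per-character` in the php.ini-development hunk now sits directly above the renamed `session.sid_bits_per_character = 5`, so the shipped ini points users at the removed setting's documentation; change it to `; http://php.net/session.sid-bits-per-character`, following the dashed URL form the file already uses (e.g. session.use-trans-sid). The preceding hunk in the same file also keeps "; Define how many bits are stored in each character when converting the binary hash data", which should now say the ID is raw CSPRNG output rather than hash data. The same stale URL line survives in the php.ini-production hunk below.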
@@ -1437,15 +1424,11 @@ session.cache_expire = 180
 ; http://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Select a hash function for use in generating session ids.
-; Possible Values
-; 0 (MD5 128 bits)
-; 1 (SHA-1 160 bits)
-; This option may also be set to the name of any hash function supported by
-; the hash extension. A list of available hashes is returned by the hash_algos()
-; function.
-; http://php.net/session.hash-function
-session.hash_function = 0
+; Set session ID charactor length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users must use 32 or more chars.
+; http://php.net/session.sid_length
+;session.sid_length = 32
 ; Define how many bits are stored in each character when converting
 ; the binary hash data to something readable.
@@ -1457,7 +1440,7 @@ session.hash_function = 0
 ; Development Value: 5
 ; Production Value: 5
 ; http://php.net/session.hash-bits-per-character
-session.hash_bits_per_character = 5
+session.sid_bits_per_character = 5
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ; form/fieldset are special; if you include them here, the rewriter will
From 13a26e7bb54cfe11a81c4b05a857ed4ae9b69b96 Mon Sep 17 00:00:00 2001
From: Yasuo Ohgaki
Date: Thu, 4 Aug 2016 17:19:38 +0900
Subject: [PATCH 13/14] Use compatible defaults in php.ini-*
---
 php.ini-development | 9 ++++++---
 php.ini-production | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/php.ini-development b/php.ini-development
index d0a1c5ae0d480..eb68260e5cf8d 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -1424,11 +1424,14 @@ session.cache_expire = 180
 ; http://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Set session ID charactor length. This value could be between 22 to 256.
+; Set session ID character length. This value could be between 22 to 256.
 ; Shorter length than default is supported only for compatibility reason.
-; Users must use 32 or more chars.
+; Users should use 32 or more chars.
 ; http://php.net/session.sid_length
-;session.sid_length = 32
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
 ; Define how many bits are stored in each character when converting
 ; the binary hash data to something readable.
diff --git a/php.ini-production b/php.ini-production
index 10218d5d07575..8314bcec2e548 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -1424,11 +1424,14 @@ session.cache_expire = 180
 ; http://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Set session ID charactor length. This value could be between 22 to 256.
+; Set session ID character length. This value could be between 22 to 256.
 ; Shorter length than default is supported only for compatibility reason.
-; Users must use 32 or more chars.
+; Users should use 32 or more chars.
 ; http://php.net/session.sid_length
-;session.sid_length = 32
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
 ; Define how many bits are stored in each character when converting
 ; the binary hash data to something readable.
From ab5b4302433367a96019f19469a346a4e8481676 Mon Sep 17 00:00:00 2001
From: Yasuo Ohgaki
Date: Tue, 9 Aug 2016 19:22:09 +0900
Subject: [PATCH 14/14] Update UPGRADING
---
 UPGRADING | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/UPGRADING b/UPGRADING
index 56221f4efe296..b229a39224a4f 100644
--- a/UPGRADING
+++ b/UPGRADING
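Review bot: Both the php.ini-development and php.ini-production hunks keep `; Users should use 32 or more chars.` and then set `session.sid_length = 26` with no explanation, so the shipped files contradict their own guidance; add a line stating why the shorter value is acceptable, e.g. `; 26 chars x 5 bits (see session.sid_bits_per_character below) = 130 bits; kept to match the old MD5 + 5-bit ID length`. The 130-bit figure depends on the `session.sid_bits_per_character = 5` set further down in these files (visible in the earlier php.ini hunks), yet the two settings are documented in separate blocks, so also warn next to sid_length that lowering sid_bits_per_character to 4 while keeping 26 chars yields only 104 bits. Since the commit subject calls these "compatible defaults", the comment should say compatible with what (26 = ceil(128/5), per the UPGRADING hunk that follows).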
@@ -81,13 +81,23 @@ PHP 7.1 UPGRADE NOTES
 . session.entropy_file
 . session.entropy_length
 . New INIs and defaults
- . session.sid_length (Number of session ID characters - 22 to 256. Default: 32)
- . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 4)
- . If you were using session.hash_func=1(SHA1) and session.hash_bits_per_charactor=6
- Use following INIs to achive the same or better session ID strength.
- . session.sid_length=32
- . session.sid_bits_per_character=6
-
+ . session.sid_length (Number of session ID characters - 22 to 256.
+ (php.ini-* default: 26 Compitled default: 32)
+ . session.sid_bits_per_character (Bits used per character. 4 to 6.
+ php.ini-* default: 5 Compiled default: 4)
+ Length of old session ID string is determined as follows
+ . Used hash function's bits.
+ . session.hash_function=0 - MD5 128 bits (This was default)
+ . session.hash_function=1 - SHA1 192 bits
+ . Bits per character. (4, 5 or 6 bits per character)
+ . Examples
+ MD5 and 4 bits = 32 chars, ceil(128/4)=32
+ MD5 and 5 bits = 26 chars, ceil(128/5)=26
+ MD5 and 6 bits = 22 chars, ceil(128/6)=22
+ SHA1 and 4 bits = 48 chars, ceil(192/4)=48
+ SHA2 and 5 bits = 39 chars, ceil(192/5)=39
+ SHA1 and 6 bits = 32 chars, ceil(192/6)=32
+ and so on.
 ========================================