Merge RNG fixes RFC. PR #1986

* rng-fixes:
  Fix legacy mode RAND_RANGE and 32/64-bit consistency
  Fix crypt salt not being converted to b64
  Make mode selection part of mt_srand()
  Use zend_bitset
  Improve array_rand distribution
  Fix some insecure usages of php_rand
  Alias rand to mt_rand
  Fix RAND_RANGE for mt_rand
  Fix mt_rand impl. Provide legacy impl. access.
  Split rand and mt_rand into separate files

Author: lt

NEWS

@@ -23,6 +23,7 @@ PHP                                                                        NEWS
     phpize on Windows). (Yuji Uchiyama)
   . Fixed bug #29368 (The destructor is called when an exception is thrown from
     the constructor). (Dmitry)
+  . Implemented RFC: RNG Fixes. (Leigh)
 
 - COM:
   . Fixed bug #72569 (DOTNET/COM array parameters broke in PHP7). (Anatol)

UPGRADING

@@ -49,6 +49,16 @@ PHP 7.1 UPGRADE NOTES
     the notice level only.
   . Don't call destructors of incompletely constructed objects, even if they
     are kept referenced. See bug #29368 and Zend/tests/bug29368_1.phpt.
+  . rand() and srand() are now aliases of mt_rand() and mt_srand().
+    Consequently the output of the following functions has changed:
+     . rand()
+     . shuffle()
+     . str_shuffle()
+     . array_rand()
+  . Fixes to random number generators mean that mt_rand() now produces a
+    different sequence of outputs to previous versions. If you relied on
+    mt_srand() to produce a deterministic sequence, it can be called using
+    mt_srand($seed, MT_RAND_PHP) to produce old the sequences.
 
 - JSON:
   . The serialize_precision is used instead of precision when encoding double

ext/soap/php_http.c

@@ -22,7 +22,7 @@
 #include "php_soap.h"
 #include "ext/standard/base64.h"
 #include "ext/standard/md5.h"
-#include "ext/standard/php_rand.h"
+#include "ext/standard/php_random.h"
 
 static char *get_http_header_value(char *headers, char *type);
 static zend_string *get_http_body(php_stream *socketd, int close, char *headers);
@@ -639,11 +639,15 @@ int make_http_soap_request(zval        *this_ptr,
 			if ((digest = zend_hash_str_find(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest")-1)) != NULL) {
 				if (Z_TYPE_P(digest) == IS_ARRAY) {
 					char          HA1[33], HA2[33], response[33], cnonce[33], nc[9];
+					zend_long     nonce;
 					PHP_MD5_CTX   md5ctx;
 					unsigned char hash[16];
 
+					php_random_bytes_throw(&nonce, sizeof(nonce));
+					nonce &= 0x7fffffff;
+
 					PHP_MD5Init(&md5ctx);
-					snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, php_rand());
+					snprintf(cnonce, sizeof(cnonce), ZEND_LONG_FMT, nonce);
 					PHP_MD5Update(&md5ctx, (unsigned char*)cnonce, strlen(cnonce));
 					PHP_MD5Final(hash, &md5ctx);
 					make_digest(cnonce, hash);

ext/spl/php_spl.c

@@ -39,8 +39,7 @@
 #include "spl_heap.h"
 #include "zend_exceptions.h"
 #include "zend_interfaces.h"
-#include "ext/standard/php_rand.h"
-#include "ext/standard/php_lcg.h"
+#include "ext/standard/php_mt_rand.h"
 #include "main/snprintf.h"
 
 #ifdef COMPILE_DL_SPL
@@ -747,10 +746,6 @@ PHPAPI zend_string *php_spl_object_hash(zval *obj) /* {{{*/
 	intptr_t hash_handle, hash_handlers;
 
 	if (!SPL_G(hash_mask_init)) {
-		if (!BG(mt_rand_is_seeded)) {
-			php_mt_srand((uint32_t)GENERATE_SEED());
-		}
-
 		SPL_G(hash_mask_handle)   = (intptr_t)(php_mt_rand() >> 1);
 		SPL_G(hash_mask_handlers) = (intptr_t)(php_mt_rand() >> 1);
 		SPL_G(hash_mask_init) = 1;

ext/standard/array.c

@@ -46,6 +46,7 @@
 #include "php_string.h"
 #include "php_rand.h"
 #include "zend_smart_str.h"
+#include "zend_bitset.h"
 #include "ext/spl/spl_array.h"
 
 /* {{{ defines */
@@ -5033,56 +5034,79 @@ PHP_FUNCTION(array_rand)
 {
 	zval *input;
 	zend_long randval, num_req = 1;
-	int num_avail;
 	zend_string *string_key;
 	zend_ulong num_key;
+	int i;
+	int num_avail;
+	zend_bitset bitset;
+	int negative_bitset = 0;
+	uint32_t bitset_len;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "a|l", &input, &num_req) == FAILURE) {
 		return;
 	}
 
 	num_avail = zend_hash_num_elements(Z_ARRVAL_P(input));
 
-	if (ZEND_NUM_ARGS() > 1) {
-		if (num_req <= 0 || num_req > num_avail) {
-			php_error_docref(NULL, E_WARNING, "Second argument has to be between 1 and the number of elements in the array");
-			return;
-		}
+	if (num_avail == 0) {
+		php_error_docref(NULL, E_WARNING, "Array is empty");
+		return;
 	}
 
-	/* Make the return value an array only if we need to pass back more than one result. */
-	if (num_req > 1) {
-		array_init_size(return_value, (uint32_t)num_req);
-	}
+	if (num_req == 1) {
+		randval = php_mt_rand_range(0, num_avail - 1);
 
-	/* We can't use zend_hash_index_find() because the array may have string keys or gaps. */
-	ZEND_HASH_FOREACH_KEY(Z_ARRVAL_P(input), num_key, string_key) {
-		if (!num_req) {
-			break;
-		}
-
-		randval = php_rand();
-
-		if ((double) (randval / (PHP_RAND_MAX + 1.0)) < (double) num_req / (double) num_avail) {
-			/* If we are returning a single result, just do it. */
-			if (Z_TYPE_P(return_value) != IS_ARRAY) {
+		ZEND_HASH_FOREACH_KEY(Z_ARRVAL_P(input), num_key, string_key) {
+			if (randval-- == 0) {
 				if (string_key) {
 					RETURN_STR_COPY(string_key);
 				} else {
 					RETURN_LONG(num_key);
 				}
+			}
+		} ZEND_HASH_FOREACH_END();
+	}
+
+	if (num_req <= 0 || num_req > num_avail) {
+		php_error_docref(NULL, E_WARNING, "Second argument has to be between 1 and the number of elements in the array");
+		return;
+	}
+
+	/* Make the return value an array only if we need to pass back more than one result. */
+	array_init_size(return_value, (uint32_t)num_req);
+	if (num_req > (num_avail >> 1)) {
+		negative_bitset = 1;
+		num_req = num_avail - num_req;
+	}
+
+	ALLOCA_FLAG(use_heap);
+	bitset_len = zend_bitset_len(num_avail);
+	bitset = ZEND_BITSET_ALLOCA(bitset_len, use_heap);
+	zend_bitset_clear(bitset, bitset_len);
+
+	i = num_req;
+	while (i) {
+		randval = php_mt_rand_range(0, num_avail - 1);
+		if (!zend_bitset_in(bitset, randval)) {
+			zend_bitset_incl(bitset, randval);
+			i--;
+		}
+	}
+
+	/* We can't use zend_hash_index_find() because the array may have string keys or gaps. */
+	i = 0;
+	ZEND_HASH_FOREACH_KEY(Z_ARRVAL_P(input), num_key, string_key) {
+		if (zend_bitset_in(bitset, i) ^ negative_bitset) {
+			if (string_key) {
+				add_next_index_str(return_value, zend_string_copy(string_key));
 			} else {
-				/* Append the result to the return value. */
-				if (string_key) {
-					add_next_index_str(return_value, zend_string_copy(string_key));
-				} else {
-					add_next_index_long(return_value, num_key);
-				}
+				add_next_index_long(return_value, num_key);
 			}
-			num_req--;
 		}
-		num_avail--;
+		i++;
 	} ZEND_HASH_FOREACH_END();
+
+	free_alloca(bitset, use_heap);
 }
 /* }}} */
 

ext/standard/basic_functions.c

@@ -35,6 +35,7 @@
 #include "zend_operators.h"
 #include "ext/standard/php_dns.h"
 #include "ext/standard/php_uuencode.h"
+#include "ext/standard/php_mt_rand.h"
 
 #ifdef PHP_WIN32
 #include "win32/php_win32_globals.h"
@@ -1883,28 +1884,17 @@ ZEND_BEGIN_ARG_INFO(arginfo_quoted_printable_encode, 0)
 	ZEND_ARG_INFO(0, str)
 ZEND_END_ARG_INFO()
 /* }}} */
-/* {{{ rand.c */
-ZEND_BEGIN_ARG_INFO_EX(arginfo_srand, 0, 0, 0)
-	ZEND_ARG_INFO(0, seed)
-ZEND_END_ARG_INFO()
-
+/* {{{ mt_rand.c */
 ZEND_BEGIN_ARG_INFO_EX(arginfo_mt_srand, 0, 0, 0)
 	ZEND_ARG_INFO(0, seed)
-ZEND_END_ARG_INFO()
-
-ZEND_BEGIN_ARG_INFO_EX(arginfo_rand, 0, 0, 0)
-	ZEND_ARG_INFO(0, min)
-	ZEND_ARG_INFO(0, max)
+	ZEND_ARG_INFO(0, mode)
 ZEND_END_ARG_INFO()
 
 ZEND_BEGIN_ARG_INFO_EX(arginfo_mt_rand, 0, 0, 0)
 	ZEND_ARG_INFO(0, min)
 	ZEND_ARG_INFO(0, max)
 ZEND_END_ARG_INFO()
 
-ZEND_BEGIN_ARG_INFO(arginfo_getrandmax, 0)
-ZEND_END_ARG_INFO()
-
 ZEND_BEGIN_ARG_INFO(arginfo_mt_getrandmax, 0)
 ZEND_END_ARG_INFO()
 /* }}} */
@@ -2860,10 +2850,10 @@ const zend_function_entry basic_functions[] = { /* {{{ */
 	PHP_FE(proc_nice,														arginfo_proc_nice)
 #endif
 
-	PHP_FE(rand,															arginfo_rand)
-	PHP_FE(srand,															arginfo_srand)
-	PHP_FE(getrandmax,													arginfo_getrandmax)
-	PHP_FE(mt_rand,														arginfo_mt_rand)
+	PHP_FALIAS(rand, mt_rand,												arginfo_mt_rand)
+	PHP_FALIAS(srand, mt_srand,												arginfo_mt_srand)
+	PHP_FALIAS(getrandmax, mt_getrandmax,									arginfo_mt_getrandmax)
+	PHP_FE(mt_rand,															arginfo_mt_rand)
 	PHP_FE(mt_srand,														arginfo_mt_srand)
 	PHP_FE(mt_getrandmax,													arginfo_mt_getrandmax)
 
@@ -3478,8 +3468,8 @@ static void php_putenv_destructor(zval *zv) /* {{{ */
 
 static void basic_globals_ctor(php_basic_globals *basic_globals_p) /* {{{ */
 {
-	BG(rand_is_seeded) = 0;
 	BG(mt_rand_is_seeded) = 0;
+	BG(mt_rand_mode) = MT_RAND_MT19937;
 	BG(umask) = -1;
 	BG(next) = NULL;
 	BG(left) = -1;
@@ -3661,6 +3651,7 @@ PHP_MINIT_FUNCTION(basic) /* {{{ */
 	BASIC_MINIT_SUBMODULE(standard_filters)
 	BASIC_MINIT_SUBMODULE(user_filters)
 	BASIC_MINIT_SUBMODULE(password)
+	BASIC_MINIT_SUBMODULE(mt_rand)
 
 #if defined(HAVE_LOCALECONV) && defined(ZTS)
 	BASIC_MINIT_SUBMODULE(localeconv)

ext/standard/basic_functions.h

@@ -191,15 +191,13 @@ typedef struct _php_basic_globals {
 	char *CurrentStatFile, *CurrentLStatFile;
 	php_stream_statbuf ssb, lssb;
 
-	/* rand.c */
+	/* mt_rand.c */
 	uint32_t state[MT_N+1];  /* state vector + 1 extra to not violate ANSI C */
 	uint32_t *next;       /* next random value is computed from here */
 	int      left;        /* can *next++ this many times before reloading */
 
-	unsigned int rand_seed; /* Seed for rand(), in ts version */
-
-	zend_bool rand_is_seeded; /* Whether rand() has been seeded */
 	zend_bool mt_rand_is_seeded; /* Whether mt_rand() has been seeded */
+	zend_long mt_rand_mode;
 
 	/* syslog.c */
 	char *syslog_device;

ext/standard/config.m4

@@ -557,7 +557,7 @@ PHP_NEW_EXTENSION(standard, array.c base64.c basic_functions.c browscap.c crc32.
                             cyr_convert.c datetime.c dir.c dl.c dns.c exec.c file.c filestat.c \
                             flock_compat.c formatted_print.c fsock.c head.c html.c image.c \
                             info.c iptc.c lcg.c link.c mail.c math.c md5.c metaphone.c \
-                            microtime.c pack.c pageinfo.c quot_print.c rand.c \
+                            microtime.c pack.c pageinfo.c quot_print.c rand.c mt_rand.c \
                             soundex.c string.c scanf.c syslog.c type.c uniqid.c url.c \
                             var.c versioning.c assert.c strnatcmp.c levenshtein.c \
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \

ext/standard/config.w32

@@ -14,7 +14,7 @@ EXTENSION("standard", "array.c base64.c basic_functions.c browscap.c \
 	cyr_convert.c datetime.c dir.c dl.c dns.c dns_win32.c exec.c \
 	file.c filestat.c formatted_print.c fsock.c head.c html.c image.c \
 	info.c iptc.c lcg.c link_win32.c mail.c math.c md5.c metaphone.c microtime.c \
-	pack.c pageinfo.c quot_print.c rand.c soundex.c \
+	pack.c pageinfo.c quot_print.c rand.c mt_rand.c soundex.c \
 	string.c scanf.c syslog.c type.c uniqid.c url.c var.c \
 	versioning.c assert.c strnatcmp.c levenshtein.c incomplete_class.c \
 	url_scanner_ex.c ftp_fopen_wrapper.c http_fopen_wrapper.c \

ext/standard/crypt.c

@@ -54,15 +54,12 @@
 #include <process.h>
 #endif
 
-#include "php_lcg.h"
 #include "php_crypt.h"
-#include "php_rand.h"
+#include "php_random.h"
 
 /* sha512 crypt has the maximal salt length of 123 characters */
 #define PHP_MAX_SALT_LEN 123
 
-#define PHP_CRYPT_RAND php_rand()
-
 /* Used to check DES salts to ensure that they contain only valid characters */
 #define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))
 
@@ -99,11 +96,10 @@ PHP_MSHUTDOWN_FUNCTION(crypt) /* {{{ */
 
 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
-static void php_to64(char *s, zend_long v, int n) /* {{{ */
+static void php_to64(char *s, int n) /* {{{ */
 {
 	while (--n >= 0) {
-		*s++ = itoa64[v&0x3f];
-		v >>= 6;
+		*s++ = itoa64[*s&0x3f];
 	}
 }
 /* }}} */
@@ -266,9 +262,9 @@ PHP_FUNCTION(crypt)
 
 	/* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */
 	if (!*salt) {
-		strncpy(salt, "$1$", PHP_MAX_SALT_LEN);
-		php_to64(&salt[3], PHP_CRYPT_RAND, 4);
-		php_to64(&salt[7], PHP_CRYPT_RAND, 4);
+		strncpy(salt, "$1$", 3);
+		php_random_bytes_throw(&salt[3], 8);
+		php_to64(&salt[3], 8);
 		strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11);
 		salt_in_len = strlen(salt);
 	} else {