Use php_random_bytes() for uniqid() #2123
Conversation
|
|
||
| /* The max value usec can have is 0xF423F, so we use only five hex | ||
| * digits for usecs. | ||
| */ | ||
| if (more_entropy) { | ||
| uniqid = strpprintf(0, "%s%08x%05x%.8F", prefix, sec, usec, php_combined_lcg() * 10); | ||
| uniqid = strpprintf(0, "%s%08x%05x%s", prefix, sec, usec, bytes); |
There was a problem hiding this comment.
I can already see half the world breaking here...
There was a problem hiding this comment.
@Ocramius
Why? It could break code, but almost all code does not care return value from uniqid() at all.
e.g. https://searchcode.com/?q=uniqid&loc=0&loc2=10000&lan=24
|
Why? Manual clearly states it's no crypto-secure. |
|
@smalyshev New code is not crypto secure also. It improves "more_entropy" option. We don't have to keep using poor entropy source now. |
|
Yes, but why improve it? What it makes possible now that wasn't possible before? Why it is important which entropy source does it use, which practical value is in it? |
|
@smalyshev My main objective is to mitigate risk of misuse. Fault tolerance is important security factor. It should not be used for crypto purpose anyways, though. It's faster also :) |
|
@smalyshev Even if user misuses uniqid() and attackers found exploitable code, attackers will never try to exploit vulnerable code with this change, probably. Let's be nicer to user's mistakes. It seems misuse is common still. |
|
I don't understand. You admit it's not secure, so what's the improvement? That if you severely misuse it, such as using it for security context, it provides you a bit more false sense of security? |
|
@smalyshev I agree that we shouldn't give false sense of security. Think of this as improving unserialize(). IMO, users should never unserialize external data (manual states it, too) without validation e.g. hmac (I added this to the manual) , but user uses it so you fixed many unserialize vulnerabilities. I don't think it's a false sense of security as well as this change. |
| @@ -72,12 +74,17 @@ PHP_FUNCTION(uniqid) | |||
| gettimeofday((struct timeval *) &tv, (struct timezone *) NULL); | |||
| sec = (int) tv.tv_sec; | |||
| usec = (int) (tv.tv_usec % 0x100000); | |||
| php_random_bytes(bytes, UNIQID_RAND_CHARS*2, 1); | |||
| for (i = 0; i < UNIQID_RAND_CHARS; i++) { | |||
There was a problem hiding this comment.
I'm by no means knowledgeable on security (in fact I know almost nothing about it). But doesn't building up the uniqid like this (assuming that's what it's doing) open up a user to timing attacks?
There was a problem hiding this comment.
EDIT: In other words shouldn't building up of the uniqid be done in constant time?
There was a problem hiding this comment.
@CarwynNelson
uniqid() produces timestamp based unique ID. This is what it supposed to do. (AFAIK, it was made for SMTP's message ID which uses timestamp based ID)
"more entropy" option should do better job. This RFC improves "more entropy" option by replacing php_combined_lcg() to php_random_bytes().
|
Closing this due to inactivity. Please open a new PR and link to this if active work is being put back into it. |
RFC: https://wiki.php.net/rfc/uniqid
uniqid() uses php_combined_lcg() for more entropy. Use php_random_bytes() as entropy source because it's much better entropy source than php_combined_lcg().
Additionally, this PR enables $more_entropy option by default. This makes default behavior much faster.
Entropy space (php_combined_lcg() is very poor quality also)
More entropy should mean "more randomness".
New code will have much better space and quality.
Although uniqid() should never used for crypto related usage even with this PR, misusage risk is mitigated a lot.
Changed
Not changed.
BC
Performance
Since uniqid() does not call usleep(1) with more entropy, it's 20x faster. php_combined_lcg() is simple arithmetic function, so it's 2x faster than php_random_bytes().
With entropy. (More entropy is TRUE in new code by default)
No entropy.
With entropy by php_combined_lcg()