use arc4random_buf() in php


use arc4random_buf() in php

Stuart Henderson-9
This is just the diff for 5.6.17. I would appreciate some careful
eyes over this, but I think it's good: the current state of
randomness in PHP on a system without a usable /dev/urandom (for
example inside the /var/www chroot, where the device node may be
missing) is... not great. Test reports would be good too.

If this is OK then I'll look at applying it to the other php branches
as well.

This should help at least session id creation, mcrypt IVs (but don't
use that anyway, pecl_sodium is available), and the srand from suhosin.

(I think it would be good to enable ZEND_MM_HEAP_PROTECTION as well,
it's working in light testing with roundcube but I'm not feeling
brave enough to propose that until we move to 6.0-current ;)

Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/php/5.6/Makefile,v
retrieving revision 1.24
diff -u -p -r1.24 Makefile
--- Makefile 1 Feb 2016 21:53:06 -0000 1.24
+++ Makefile 2 Feb 2016 00:12:10 -0000
@@ -3,6 +3,7 @@
 PV= 5.6
 V= ${PV}.17
 REVISION= 0
+REVISION-main= 1
 
 WANTLIB-main+= stdc++ ncurses readline
 
Index: patches/patch-Zend_zend_alloc_c
===================================================================
RCS file: patches/patch-Zend_zend_alloc_c
diff -N patches/patch-Zend_zend_alloc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-Zend_zend_alloc_c 2 Feb 2016 00:12:10 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+Apparently not enabled by default, and currently a bit close to release to
+try doing so, but for something in #ifdef MM_HEAP_PROTECTION, you want more
+than rand()^getpid() when /dev/urandom is inaccessible, right?
+
+--- Zend/zend_alloc.c.orig.port Mon Feb  1 23:04:02 2016
++++ Zend/zend_alloc.c Mon Feb  1 23:34:27 2016
+@@ -976,6 +976,9 @@ static void zend_mm_free_cache(zend_mm_heap *heap)
+ #if ZEND_MM_HEAP_PROTECTION || ZEND_MM_COOKIES
+ static void zend_mm_random(unsigned char *buf, size_t size) /* {{{ */
+ {
++#if defined(__OpenBSD__)
++ arc4random_buf(buf, size);
++#else
+ size_t i = 0;
+ unsigned char t;
+
+@@ -1031,6 +1034,7 @@ static void zend_mm_random(unsigned char *buf, size_t
+ } while (buf[i] == 0);
+ t = buf[i++] << 1;
+     }
++#endif /* openbsd */
+ }
+ /* }}} */
+ #endif
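Review bot: The OpenBSD branch added at `#if defined(__OpenBSD__)` drops an invariant the generic code maintains: the fallback loop in the second inner hunk retries with `do { ... } while (buf[i] == 0);`, so zend_mm_random() never hands back a zero byte, and the skipped middle of the function presumably enforces the same for /dev/urandom output. arc4random_buf() can return zeros anywhere, so if the heap cookie/guard consumers rely on non-zero bytes (not visible here, worth confirming before committing), the branch should post-process: `size_t i; arc4random_buf(buf, size); for (i = 0; i < size; i++) if (buf[i] == 0) buf[i] = 1 + arc4random_uniform(255);` — replacing a zero with a uniform 1..255 value keeps the bytes uniformly distributed over the non-zero range. If the invariant turns out not to matter, a one-line comment saying zeros are acceptable here would stop the next reader from asking the same question. The body of zend_mm_random() between the two inner hunks is not shown.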
Index: patches/patch-ext_mcrypt_mcrypt_c
===================================================================
RCS file: patches/patch-ext_mcrypt_mcrypt_c
diff -N patches/patch-ext_mcrypt_mcrypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ext_mcrypt_mcrypt_c 2 Feb 2016 00:12:10 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+mcrypt IV creation. no /dev/{u,}random? yes, it is using the last hunk.
+
+--- ext/mcrypt/mcrypt.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/mcrypt/mcrypt.c Mon Feb  1 23:42:21 2016
+@@ -1436,6 +1436,11 @@ PHP_FUNCTION(mcrypt_create_iv)
+ }
+
+ iv = ecalloc(size + 1, 1);
++
++#if defined(__OpenBSD__)
++ arc4random_buf(iv, (size_t) size);
++ n = size;
++#else
+
+ if (source == RANDOM || source == URANDOM) {
+ #if PHP_WIN32
+@@ -1481,6 +1486,7 @@ PHP_FUNCTION(mcrypt_create_iv)
+ iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+ RETURN_STRINGL(iv, n, 0);
+ }
+ /* }}} */
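Review bot: The OpenBSD branch ignores the `source` argument that mcrypt_create_iv() parses above the hunk: `MCRYPT_RAND`, which the generic code still serves from the `php_rand()` loop kept in the `#else`, and `MCRYPT_DEV_RANDOM` now silently get arc4random_buf() output. That is the better outcome, but nothing says it is intentional, so a later reader may "restore" the php_rand() path; add a comment at the branch, e.g. `/* source is deliberately ignored: all three sources map to the kernel CSPRNG via arc4random_buf(), which cannot fail or short-read */`. The `(size_t) size` cast and `n = size` rely on the size range check that precedes the allocation (also above the hunk); the comment could note that dependency. The function's opening and argument validation are outside the hunk.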
Index: patches/patch-ext_session_session_c
===================================================================
RCS file: patches/patch-ext_session_session_c
diff -N patches/patch-ext_session_session_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ext_session_session_c 2 Feb 2016 00:12:10 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+Perhaps the whole function can be replaced, but we have to start somewhere.
+
+--- ext/session/session.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/session/session.c Mon Feb  1 23:48:25 2016
+@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
+ efree(buf);
+
+ if (PS(entropy_length) > 0) {
+-#ifdef PHP_WIN32
++#if defined(__OpenBSD__)
++ unsigned char rbuf[2048];
++ size_t toread = PS(entropy_length);
++ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
++#elif defined(PHP_WIN32)
+ unsigned char rbuf[2048];
+ size_t toread = PS(entropy_length);
+
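Review bot: The OpenBSD branch fills `rbuf` and then does nothing with it: the inner hunk header `@@ -346,7 +346,11 @@` and the 19-line patch file show that these five lines are the only change, while the code that feeds `rbuf` into the session hash context lives inside the `PHP_WIN32` branch below the hunk, which the `#elif` now excludes on OpenBSD. As posted, an OpenBSD build would build session IDs from the non-entropy inputs only, which is worse than the /dev/urandom path it replaces whenever that device is present in the chroot. The OpenBSD branch needs its own copy of the hash-update switch that the Windows branch uses, and it should hash exactly the clamped length it generated rather than `toread`, since `entropy_length` may exceed `sizeof(rbuf)`. php_session_create_id() starts before the hunk and continues after it.
```c
#if defined(__OpenBSD__)
		unsigned char rbuf[2048];
		size_t toread = PS(entropy_length);

		if (toread > sizeof(rbuf))
			toread = sizeof(rbuf);
		arc4random_buf(rbuf, toread);
		/* … same hash-update switch as the PHP_WIN32 branch below,
		 * feeding exactly toread bytes of rbuf into the digest context … */
#elif defined(PHP_WIN32)
```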
Index: patches/patch-ext_standard_password_c
===================================================================
RCS file: patches/patch-ext_standard_password_c
diff -N patches/patch-ext_standard_password_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ext_standard_password_c 2 Feb 2016 00:12:10 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- ext/standard/password.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/standard/password.c Mon Feb  1 23:51:51 2016
+@@ -124,6 +124,9 @@ static int php_password_make_salt(size_t length, char
+
+ buffer = (char *) safe_emalloc(raw_length, 1, 1);
+
++#if defined(__OpenBSD__)
++ arc4random_buf(buffer, raw_length);
++#else
+ #if PHP_WIN32
+ {
+ BYTE *iv_b = (BYTE *) buffer;
+@@ -156,6 +159,7 @@ static int php_password_make_salt(size_t length, char
+ buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+
+ result = safe_emalloc(length, 1, 1);
+ if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) {
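Review bot: The OpenBSD branch has no failure path, so the `php_rand()` XOR fallback kept in the `#else` never runs on OpenBSD, and whatever flag the generic branches set to record a successful read (declared above the hunk, not visible) stays at its initial value; if that flag or the loop index is otherwise unreferenced in the OpenBSD build, expect unused-variable warnings, harmless but worth explaining so nobody re-adds the fallback. Suggest `/* arc4random_buf() cannot fail or short-read, so the php_rand() fallback below is not needed here */` above the call. php_password_make_salt()'s signature and the raw_length computation are outside the hunk.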
Index: patches/patch-ext_suhosin_execute_c
===================================================================
RCS file: patches/patch-ext_suhosin_execute_c
diff -N patches/patch-ext_suhosin_execute_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-ext_suhosin_execute_c 2 Feb 2016 00:12:10 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- ext/suhosin/execute.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/suhosin/execute.c Mon Feb  1 23:38:49 2016
+@@ -1312,6 +1312,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
+  */
+ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
+ {
++#if defined(__OpenBSD__)
++    arc4random_buf(entropybuf, 8 * sizeof(php_uint32));
++#else
+     php_uint32 seedbuf[20];
+     /* On a modern OS code, stack and heap base are randomized */
+     unsigned long code_value  = (unsigned long)suhosin_gen_entropy;
+@@ -1335,7 +1338,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+ #endif
+     seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
+
+-#ifndef PHP_WIN32
++#if !defined(PHP_WIN32)
+     fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+     if (fd >= 0) {
+         /* ignore error case - if urandom doesn't give us any/enough random bytes */
+@@ -1354,6 +1357,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+         suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey)));
+     }
+     suhosin_SHA256Final((void *)entropybuf, &context);
++#endif /* openbsd */
+ }
+ /* }}} */
+
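Review bot: The OpenBSD branch silently drops the `SUHOSIN_G(seedingkey)` mixing visible in the last inner hunk, so the seedingkey ini option (name inferred from the global; confirm) becomes a no-op on OpenBSD, and the `8 * sizeof(php_uint32)` literal encodes a caller buffer size that is not visible here. Both deserve a comment at the branch, e.g. `/* 32 bytes, the same size as the SHA-256 digest the generic path writes; seedingkey is not mixed in because arc4random output is already unpredictable */`. The `#ifndef PHP_WIN32` to `#if !defined(PHP_WIN32)` rewrite in the middle hunk is a no-op and could be dropped to keep the patch minimal. suhosin_gen_entropy()'s body between the inner hunks (the seedbuf collection and the /dev/urandom read) is not shown.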

Re: use arc4random_buf() in php

Stuart Henderson-6
Did anyone else try this yet?


On 2016/02/02 00:30, Stuart Henderson wrote:

> This is just the diff for 5.6.17, I would appreciate some careful
> eyes over this but I think it's good, and the current status of
> randomness in PHP on a system without a usable (/var/www)/dev/urandom
> is...not great. Test reports would be good too.
>
> If this is OK then I'll look at applying it to the other php branches
> as well.
>
> This should help at least session id creation, mcrypt IVs (but don't
> use that anyway, pecl_sodium is available), and the srand from suhosin.
>
> (I think it would be good to enable ZEND_MM_HEAP_PROTECTION as well,
> it's working in light testing with roundcube but I'm not feeling
> brave enough to propose that until we move to 6.0-current ;)
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/lang/php/5.6/Makefile,v
> retrieving revision 1.24
> diff -u -p -r1.24 Makefile
> --- Makefile 1 Feb 2016 21:53:06 -0000 1.24
> +++ Makefile 2 Feb 2016 00:12:10 -0000
> @@ -3,6 +3,7 @@
>  PV= 5.6
>  V= ${PV}.17
>  REVISION= 0
> +REVISION-main= 1
>  
>  WANTLIB-main+= stdc++ ncurses readline
>  
> Index: patches/patch-Zend_zend_alloc_c
> ===================================================================
> RCS file: patches/patch-Zend_zend_alloc_c
> diff -N patches/patch-Zend_zend_alloc_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-Zend_zend_alloc_c 2 Feb 2016 00:12:10 -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +Apparently not enabled by default, and currently a bit close to release to
> +try doing so, but for something in #ifdef MM_HEAP_PROTECTION, you want more
> +than rand()^getpid() when /dev/urandom is inaccessible, right?
> +
> +--- Zend/zend_alloc.c.orig.port Mon Feb  1 23:04:02 2016
> ++++ Zend/zend_alloc.c Mon Feb  1 23:34:27 2016
> +@@ -976,6 +976,9 @@ static void zend_mm_free_cache(zend_mm_heap *heap)
> + #if ZEND_MM_HEAP_PROTECTION || ZEND_MM_COOKIES
> + static void zend_mm_random(unsigned char *buf, size_t size) /* {{{ */
> + {
> ++#if defined(__OpenBSD__)
> ++ arc4random_buf(buf, size);
> ++#else
> + size_t i = 0;
> + unsigned char t;
> +
> +@@ -1031,6 +1034,7 @@ static void zend_mm_random(unsigned char *buf, size_t
> + } while (buf[i] == 0);
> + t = buf[i++] << 1;
> +     }
> ++#endif /* openbsd */
> + }
> + /* }}} */
> + #endif
> Index: patches/patch-ext_mcrypt_mcrypt_c
> ===================================================================
> RCS file: patches/patch-ext_mcrypt_mcrypt_c
> diff -N patches/patch-ext_mcrypt_mcrypt_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ext_mcrypt_mcrypt_c 2 Feb 2016 00:12:10 -0000
> @@ -0,0 +1,26 @@
> +$OpenBSD$
> +
> +mcrypt IV creation. no /dev/{u,}random? yes, it is using the last hunk.
> +
> +--- ext/mcrypt/mcrypt.c.orig.port Mon Feb  1 23:04:02 2016
> ++++ ext/mcrypt/mcrypt.c Mon Feb  1 23:42:21 2016
> +@@ -1436,6 +1436,11 @@ PHP_FUNCTION(mcrypt_create_iv)
> + }
> +
> + iv = ecalloc(size + 1, 1);
> ++
> ++#if defined(__OpenBSD__)
> ++ arc4random_buf(iv, (size_t) size);
> ++ n = size;
> ++#else
> +
> + if (source == RANDOM || source == URANDOM) {
> + #if PHP_WIN32
> +@@ -1481,6 +1486,7 @@ PHP_FUNCTION(mcrypt_create_iv)
> + iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
> + }
> + }
> ++#endif /* openbsd */
> + RETURN_STRINGL(iv, n, 0);
> + }
> + /* }}} */
> Index: patches/patch-ext_session_session_c
> ===================================================================
> RCS file: patches/patch-ext_session_session_c
> diff -N patches/patch-ext_session_session_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ext_session_session_c 2 Feb 2016 00:12:10 -0000
> @@ -0,0 +1,19 @@
> +$OpenBSD$
> +
> +Perhaps the whole function can be replaced, but we have to start somewhere.
> +
> +--- ext/session/session.c.orig.port Mon Feb  1 23:04:02 2016
> ++++ ext/session/session.c Mon Feb  1 23:48:25 2016
> +@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
> + efree(buf);
> +
> + if (PS(entropy_length) > 0) {
> +-#ifdef PHP_WIN32
> ++#if defined(__OpenBSD__)
> ++ unsigned char rbuf[2048];
> ++ size_t toread = PS(entropy_length);
> ++ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
> ++#elif defined(PHP_WIN32)
> + unsigned char rbuf[2048];
> + size_t toread = PS(entropy_length);
> +
> Index: patches/patch-ext_standard_password_c
> ===================================================================
> RCS file: patches/patch-ext_standard_password_c
> diff -N patches/patch-ext_standard_password_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ext_standard_password_c 2 Feb 2016 00:12:10 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +--- ext/standard/password.c.orig.port Mon Feb  1 23:04:02 2016
> ++++ ext/standard/password.c Mon Feb  1 23:51:51 2016
> +@@ -124,6 +124,9 @@ static int php_password_make_salt(size_t length, char
> +
> + buffer = (char *) safe_emalloc(raw_length, 1, 1);
> +
> ++#if defined(__OpenBSD__)
> ++ arc4random_buf(buffer, raw_length);
> ++#else
> + #if PHP_WIN32
> + {
> + BYTE *iv_b = (BYTE *) buffer;
> +@@ -156,6 +159,7 @@ static int php_password_make_salt(size_t length, char
> + buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
> + }
> + }
> ++#endif /* openbsd */
> +
> + result = safe_emalloc(length, 1, 1);
> + if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) {
> Index: patches/patch-ext_suhosin_execute_c
> ===================================================================
> RCS file: patches/patch-ext_suhosin_execute_c
> diff -N patches/patch-ext_suhosin_execute_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-ext_suhosin_execute_c 2 Feb 2016 00:12:10 -0000
> @@ -0,0 +1,30 @@
> +$OpenBSD$
> +--- ext/suhosin/execute.c.orig.port Mon Feb  1 23:04:02 2016
> ++++ ext/suhosin/execute.c Mon Feb  1 23:38:49 2016
> +@@ -1312,6 +1312,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
> +  */
> + static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
> + {
> ++#if defined(__OpenBSD__)
> ++    arc4random_buf(entropybuf, 8 * sizeof(php_uint32));
> ++#else
> +     php_uint32 seedbuf[20];
> +     /* On a modern OS code, stack and heap base are randomized */
> +     unsigned long code_value  = (unsigned long)suhosin_gen_entropy;
> +@@ -1335,7 +1338,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
> + #endif
> +     seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
> +
> +-#ifndef PHP_WIN32
> ++#if !defined(PHP_WIN32)
> +     fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
> +     if (fd >= 0) {
> +         /* ignore error case - if urandom doesn't give us any/enough random bytes */
> +@@ -1354,6 +1357,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
> +         suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey)));
> +     }
> +     suhosin_SHA256Final((void *)entropybuf, &context);
> ++#endif /* openbsd */
> + }
> + /* }}} */
> +
>


update: php 5.5, 5.6

Stuart Henderson
Here are updates for the recent security releases 5.5.32 and 5.6.18,
including my arc4random patches for both.

http://php.net/ChangeLog-5.php

ok?

> On 2016/02/02 00:30, Stuart Henderson wrote:
> > This is just the diff for 5.6.17, I would appreciate some careful
> > eyes over this but I think it's good, and the current status of
> > randomness in PHP on a system without a usable (/var/www)/dev/urandom
> > is...not great. Test reports would be good too.
> >
> > If this is OK then I'll look at applying it to the other php branches
> > as well.
> >
> > This should help at least session id creation, mcrypt IVs (but don't
> > use that anyway, pecl_sodium is available), and the srand from suhosin.

positive test report on the arc4random patches from martijn@.

Index: 5.5/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/5.5/Makefile,v
retrieving revision 1.48
diff -u -p -r1.48 Makefile
--- 5.5/Makefile 1 Feb 2016 21:53:06 -0000 1.48
+++ 5.5/Makefile 6 Feb 2016 12:09:34 -0000
@@ -1,7 +1,6 @@
 # $OpenBSD: Makefile,v 1.48 2016/02/01 21:53:06 sthen Exp $
 
 PV= 5.5
-V= ${PV}.31
-REVISION= 0
+V= ${PV}.32
 
 .include <bsd.port.mk>
Index: 5.5/distinfo
===================================================================
RCS file: /cvs/ports/lang/php/5.5/distinfo,v
retrieving revision 1.26
diff -u -p -r1.26 distinfo
--- 5.5/distinfo 11 Jan 2016 16:46:38 -0000 1.26
+++ 5.5/distinfo 6 Feb 2016 12:09:34 -0000
@@ -1,4 +1,4 @@
-SHA256 (php-5.5.31.tar.bz2) = +0o4K5qdzrdJt+8EfYJRMgvI03HIQ3FOW09LcNYbonc=
+SHA256 (php-5.5.32.tar.bz2) = sPLBCNuOBdufY2aqupp1T9DuMfP4buiJVhtgjf1uku4=
 SHA256 (suhosin-0.9.38.tar.gz) = wC12xOfOd3kQo3wYGBy2f9npDv4BB/6rPeMTG1+JvOo=
-SIZE (php-5.5.31.tar.bz2) = 13659002
+SIZE (php-5.5.32.tar.bz2) = 13685561
 SIZE (suhosin-0.9.38.tar.gz) = 122800
Index: 5.5/patches/patch-Zend_zend_alloc_c
===================================================================
RCS file: 5.5/patches/patch-Zend_zend_alloc_c
diff -N 5.5/patches/patch-Zend_zend_alloc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.5/patches/patch-Zend_zend_alloc_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+Apparently not enabled by default, and currently a bit close to release to
+try doing so, but for something in #ifdef MM_HEAP_PROTECTION, you want more
+than rand()^getpid() when /dev/urandom is inaccessible, right?
+
+--- Zend/zend_alloc.c.orig.port Mon Feb  1 23:04:02 2016
++++ Zend/zend_alloc.c Mon Feb  1 23:34:27 2016
+@@ -976,6 +976,9 @@ static void zend_mm_free_cache(zend_mm_heap *heap)
+ #if ZEND_MM_HEAP_PROTECTION || ZEND_MM_COOKIES
+ static void zend_mm_random(unsigned char *buf, size_t size) /* {{{ */
+ {
++#if defined(__OpenBSD__)
++ arc4random_buf(buf, size);
++#else
+ size_t i = 0;
+ unsigned char t;
+
+@@ -1031,6 +1034,7 @@ static void zend_mm_random(unsigned char *buf, size_t
+ } while (buf[i] == 0);
+ t = buf[i++] << 1;
+     }
++#endif /* openbsd */
+ }
+ /* }}} */
+ #endif
Index: 5.5/patches/patch-ext_mcrypt_mcrypt_c
===================================================================
RCS file: 5.5/patches/patch-ext_mcrypt_mcrypt_c
diff -N 5.5/patches/patch-ext_mcrypt_mcrypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.5/patches/patch-ext_mcrypt_mcrypt_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+mcrypt IV creation. no /dev/{u,}random? yes, it is using the last hunk.
+
+--- ext/mcrypt/mcrypt.c.orig.port Tue Feb  2 13:33:56 2016
++++ ext/mcrypt/mcrypt.c Sat Feb  6 11:40:43 2016
+@@ -1402,6 +1402,11 @@ PHP_FUNCTION(mcrypt_create_iv)
+ }
+
+ iv = ecalloc(size + 1, 1);
++
++#if defined(__OpenBSD__)
++ arc4random_buf(iv, (size_t) size);
++ n = size;
++#else
+
+ if (source == RANDOM || source == URANDOM) {
+ #if PHP_WIN32
+@@ -1447,6 +1452,7 @@ PHP_FUNCTION(mcrypt_create_iv)
+ iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+ RETURN_STRINGL(iv, n, 0);
+ }
+ /* }}} */
Index: 5.5/patches/patch-ext_session_session_c
===================================================================
RCS file: 5.5/patches/patch-ext_session_session_c
diff -N 5.5/patches/patch-ext_session_session_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.5/patches/patch-ext_session_session_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+Perhaps the whole function can be replaced, but we have to start somewhere.
+
+--- ext/session/session.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/session/session.c Mon Feb  1 23:48:25 2016
+@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
+ efree(buf);
+
+ if (PS(entropy_length) > 0) {
+-#ifdef PHP_WIN32
++#if defined(__OpenBSD__)
++ unsigned char rbuf[2048];
++ size_t toread = PS(entropy_length);
++ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
++#elif defined(PHP_WIN32)
+ unsigned char rbuf[2048];
+ size_t toread = PS(entropy_length);
+
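Review bot: The OpenBSD branch fills `rbuf` and never uses it: the inner hunk header `@@ -346,7 +346,11 @@` and the 19-line patch file show these five lines are the only change, while the code that feeds `rbuf` into the session hash context sits inside the `PHP_WIN32` branch below the hunk, which the `#elif` now excludes on OpenBSD. As posted, an OpenBSD build would derive session IDs from the non-entropy inputs only, which is weaker than the /dev/urandom path it replaces whenever that device exists in the chroot. The branch needs its own copy of the hash-update switch the Windows branch uses, hashing exactly the clamped length it generated rather than `toread`, since `entropy_length` may exceed `sizeof(rbuf)`. php_session_create_id() starts before the hunk and continues after it.
```c
#if defined(__OpenBSD__)
		unsigned char rbuf[2048];
		size_t toread = PS(entropy_length);

		if (toread > sizeof(rbuf))
			toread = sizeof(rbuf);
		arc4random_buf(rbuf, toread);
		/* … same hash-update switch as the PHP_WIN32 branch below,
		 * feeding exactly toread bytes of rbuf into the digest context … */
#elif defined(PHP_WIN32)
```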
Index: 5.5/patches/patch-ext_standard_password_c
===================================================================
RCS file: 5.5/patches/patch-ext_standard_password_c
diff -N 5.5/patches/patch-ext_standard_password_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.5/patches/patch-ext_standard_password_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- ext/standard/password.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/standard/password.c Mon Feb  1 23:51:51 2016
+@@ -124,6 +124,9 @@ static int php_password_make_salt(size_t length, char
+
+ buffer = (char *) safe_emalloc(raw_length, 1, 1);
+
++#if defined(__OpenBSD__)
++ arc4random_buf(buffer, raw_length);
++#else
+ #if PHP_WIN32
+ {
+ BYTE *iv_b = (BYTE *) buffer;
+@@ -156,6 +159,7 @@ static int php_password_make_salt(size_t length, char
+ buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+
+ result = safe_emalloc(length, 1, 1);
+ if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) {
Index: 5.5/patches/patch-ext_suhosin_execute_c
===================================================================
RCS file: 5.5/patches/patch-ext_suhosin_execute_c
diff -N 5.5/patches/patch-ext_suhosin_execute_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.5/patches/patch-ext_suhosin_execute_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- ext/suhosin/execute.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/suhosin/execute.c Mon Feb  1 23:38:49 2016
+@@ -1312,6 +1312,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
+  */
+ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
+ {
++#if defined(__OpenBSD__)
++    arc4random_buf(entropybuf, 8 * sizeof(php_uint32));
++#else
+     php_uint32 seedbuf[20];
+     /* On a modern OS code, stack and heap base are randomized */
+     unsigned long code_value  = (unsigned long)suhosin_gen_entropy;
+@@ -1335,7 +1338,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+ #endif
+     seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
+
+-#ifndef PHP_WIN32
++#if !defined(PHP_WIN32)
+     fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+     if (fd >= 0) {
+         /* ignore error case - if urandom doesn't give us any/enough random bytes */
+@@ -1354,6 +1357,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+         suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey)));
+     }
+     suhosin_SHA256Final((void *)entropybuf, &context);
++#endif /* openbsd */
+ }
+ /* }}} */
+
Index: 5.5/pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/lang/php/5.5/pkg/PLIST-main,v
retrieving revision 1.9
diff -u -p -r1.9 PLIST-main
--- 5.5/pkg/PLIST-main 1 Feb 2016 21:53:06 -0000 1.9
+++ 5.5/pkg/PLIST-main 6 Feb 2016 12:09:34 -0000
@@ -187,6 +187,7 @@ share/php-${PV}/include/ext/iconv/php_ha
 share/php-${PV}/include/ext/iconv/php_have_libiconv.h
 share/php-${PV}/include/ext/iconv/php_iconv.h
 share/php-${PV}/include/ext/iconv/php_iconv_aliased_libiconv.h
+share/php-${PV}/include/ext/iconv/php_iconv_broken_ignore.h
 share/php-${PV}/include/ext/iconv/php_iconv_supports_errno.h
 share/php-${PV}/include/ext/iconv/php_php_iconv_h_path.h
 share/php-${PV}/include/ext/iconv/php_php_iconv_impl.h
Index: 5.6/Makefile
===================================================================
RCS file: /cvs/ports/lang/php/5.6/Makefile,v
retrieving revision 1.24
diff -u -p -r1.24 Makefile
--- 5.6/Makefile 1 Feb 2016 21:53:06 -0000 1.24
+++ 5.6/Makefile 6 Feb 2016 12:09:34 -0000
@@ -1,8 +1,7 @@
 # $OpenBSD: Makefile,v 1.24 2016/02/01 21:53:06 sthen Exp $
 
 PV= 5.6
-V= ${PV}.17
-REVISION= 0
+V= ${PV}.18
 
 WANTLIB-main+= stdc++ ncurses readline
 
Index: 5.6/distinfo
===================================================================
RCS file: /cvs/ports/lang/php/5.6/distinfo,v
retrieving revision 1.15
diff -u -p -r1.15 distinfo
--- 5.6/distinfo 11 Jan 2016 16:52:18 -0000 1.15
+++ 5.6/distinfo 6 Feb 2016 12:09:34 -0000
@@ -1,4 +1,4 @@
-SHA256 (php-5.6.17.tar.bz2) = d7RfVqHmPnW7IrQs+4tDjsQIPFnOd0tNfBaFVEt63Ts=
+SHA256 (php-5.6.18.tar.bz2) = w81KKalWIwnTbisShAfW6qXH3eWQ0rGkZEVzg+UX9O0=
 SHA256 (suhosin-0.9.38.tar.gz) = wC12xOfOd3kQo3wYGBy2f9npDv4BB/6rPeMTG1+JvOo=
-SIZE (php-5.6.17.tar.bz2) = 14072840
+SIZE (php-5.6.18.tar.bz2) = 14094993
 SIZE (suhosin-0.9.38.tar.gz) = 122800
Index: 5.6/patches/patch-Zend_zend_alloc_c
===================================================================
RCS file: 5.6/patches/patch-Zend_zend_alloc_c
diff -N 5.6/patches/patch-Zend_zend_alloc_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.6/patches/patch-Zend_zend_alloc_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+Apparently not enabled by default, and currently a bit close to release to
+try doing so, but for something in #ifdef MM_HEAP_PROTECTION, you want more
+than rand()^getpid() when /dev/urandom is inaccessible, right?
+
+--- Zend/zend_alloc.c.orig.port Mon Feb  1 23:04:02 2016
++++ Zend/zend_alloc.c Mon Feb  1 23:34:27 2016
+@@ -976,6 +976,9 @@ static void zend_mm_free_cache(zend_mm_heap *heap)
+ #if ZEND_MM_HEAP_PROTECTION || ZEND_MM_COOKIES
+ static void zend_mm_random(unsigned char *buf, size_t size) /* {{{ */
+ {
++#if defined(__OpenBSD__)
++ arc4random_buf(buf, size);
++#else
+ size_t i = 0;
+ unsigned char t;
+
+@@ -1031,6 +1034,7 @@ static void zend_mm_random(unsigned char *buf, size_t
+ } while (buf[i] == 0);
+ t = buf[i++] << 1;
+     }
++#endif /* openbsd */
+ }
+ /* }}} */
+ #endif
Index: 5.6/patches/patch-ext_mcrypt_mcrypt_c
===================================================================
RCS file: 5.6/patches/patch-ext_mcrypt_mcrypt_c
diff -N 5.6/patches/patch-ext_mcrypt_mcrypt_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.6/patches/patch-ext_mcrypt_mcrypt_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,26 @@
+$OpenBSD$
+
+mcrypt IV creation. no /dev/{u,}random? yes, it is using the last hunk.
+
+--- ext/mcrypt/mcrypt.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/mcrypt/mcrypt.c Mon Feb  1 23:42:21 2016
+@@ -1436,6 +1436,11 @@ PHP_FUNCTION(mcrypt_create_iv)
+ }
+
+ iv = ecalloc(size + 1, 1);
++
++#if defined(__OpenBSD__)
++ arc4random_buf(iv, (size_t) size);
++ n = size;
++#else
+
+ if (source == RANDOM || source == URANDOM) {
+ #if PHP_WIN32
+@@ -1481,6 +1486,7 @@ PHP_FUNCTION(mcrypt_create_iv)
+ iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+ RETURN_STRINGL(iv, n, 0);
+ }
+ /* }}} */
Index: 5.6/patches/patch-ext_session_session_c
===================================================================
RCS file: 5.6/patches/patch-ext_session_session_c
diff -N 5.6/patches/patch-ext_session_session_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.6/patches/patch-ext_session_session_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+Perhaps the whole function can be replaced, but we have to start somewhere.
+
+--- ext/session/session.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/session/session.c Mon Feb  1 23:48:25 2016
+@@ -346,7 +346,11 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
+ efree(buf);
+
+ if (PS(entropy_length) > 0) {
+-#ifdef PHP_WIN32
++#if defined(__OpenBSD__)
++ unsigned char rbuf[2048];
++ size_t toread = PS(entropy_length);
++ arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
++#elif defined(PHP_WIN32)
+ unsigned char rbuf[2048];
+ size_t toread = PS(entropy_length);
+
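Review bot: The OpenBSD branch fills `rbuf` and never uses it: the inner hunk header `@@ -346,7 +346,11 @@` and the 19-line patch file show these five lines are the only change, while the code that feeds `rbuf` into the session hash context sits inside the `PHP_WIN32` branch below the hunk, which the `#elif` now excludes on OpenBSD. As posted, an OpenBSD build would derive session IDs from the non-entropy inputs only, which is weaker than the /dev/urandom path it replaces whenever that device exists in the chroot. The branch needs its own copy of the hash-update switch the Windows branch uses, hashing exactly the clamped length it generated rather than `toread`, since `entropy_length` may exceed `sizeof(rbuf)`. php_session_create_id() starts before the hunk and continues after it.
```c
#if defined(__OpenBSD__)
		unsigned char rbuf[2048];
		size_t toread = PS(entropy_length);

		if (toread > sizeof(rbuf))
			toread = sizeof(rbuf);
		arc4random_buf(rbuf, toread);
		/* … same hash-update switch as the PHP_WIN32 branch below,
		 * feeding exactly toread bytes of rbuf into the digest context … */
#elif defined(PHP_WIN32)
```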
Index: 5.6/patches/patch-ext_standard_password_c
===================================================================
RCS file: 5.6/patches/patch-ext_standard_password_c
diff -N 5.6/patches/patch-ext_standard_password_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.6/patches/patch-ext_standard_password_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,21 @@
+$OpenBSD$
+--- ext/standard/password.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/standard/password.c Mon Feb  1 23:51:51 2016
+@@ -124,6 +124,9 @@ static int php_password_make_salt(size_t length, char
+
+ buffer = (char *) safe_emalloc(raw_length, 1, 1);
+
++#if defined(__OpenBSD__)
++ arc4random_buf(buffer, raw_length);
++#else
+ #if PHP_WIN32
+ {
+ BYTE *iv_b = (BYTE *) buffer;
+@@ -156,6 +159,7 @@ static int php_password_make_salt(size_t length, char
+ buffer[i] ^= (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
+ }
+ }
++#endif /* openbsd */
+
+ result = safe_emalloc(length, 1, 1);
+ if (php_password_salt_to64(buffer, raw_length, length, result) == FAILURE) {
Index: 5.6/patches/patch-ext_suhosin_execute_c
===================================================================
RCS file: 5.6/patches/patch-ext_suhosin_execute_c
diff -N 5.6/patches/patch-ext_suhosin_execute_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ 5.6/patches/patch-ext_suhosin_execute_c 6 Feb 2016 12:09:34 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- ext/suhosin/execute.c.orig.port Mon Feb  1 23:04:02 2016
++++ ext/suhosin/execute.c Mon Feb  1 23:38:49 2016
+@@ -1312,6 +1312,9 @@ static php_uint32 suhosin_mt_rand(TSRMLS_D)
+  */
+ static void suhosin_gen_entropy(php_uint32 *entropybuf TSRMLS_DC)
+ {
++#if defined(__OpenBSD__)
++    arc4random_buf(entropybuf, 8 * sizeof(php_uint32));
++#else
+     php_uint32 seedbuf[20];
+     /* On a modern OS code, stack and heap base are randomized */
+     unsigned long code_value  = (unsigned long)suhosin_gen_entropy;
+@@ -1335,7 +1338,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+ #endif
+     seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
+
+-#ifndef PHP_WIN32
++#if !defined(PHP_WIN32)
+     fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+     if (fd >= 0) {
+         /* ignore error case - if urandom doesn't give us any/enough random bytes */
+@@ -1354,6 +1357,7 @@ static void suhosin_gen_entropy(php_uint32 *entropybuf
+         suhosin_SHA256Update(&context, (unsigned char*)SUHOSIN_G(seedingkey), strlen(SUHOSIN_G(seedingkey)));
+     }
+     suhosin_SHA256Final((void *)entropybuf, &context);
++#endif /* openbsd */
+ }
+ /* }}} */
+