SessionモジュールSHA1パッチ(4.4.2用)
コレに関連する事ですが(主にコレ)。
PHP5からはセッションIDの生成にSHA1を利用できるのですが、PHP4ではMD5だけです。
(なんとなく)PHP4でもSHA1を利用したいので(またしても適当な)タコさんパッチ。
作ったというよりは移植だなぁ。。。かなりコピー&ペースト作業だし。(w
(これまた長いけど)全文貼り付けぢゃっ!事前にこのパッチを当ててから、以下のパッチを当てて下さい。
--- php-4.4.2/ext/session/php_session.h,orig 2006-02-02 18:09:37.000000000 +0900 +++ php-4.4.2/ext/session/php_session.h 2006-03-06 08:48:07.000000000 +0900 @@ -126,6 +126,8 @@ zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */ zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */ + long hash_func; + long hash_bits_per_character; int send_cookie; int define_sid; } php_ps_globals; --- php-4.4.2/ext/session/session.c,orig 2006-02-02 18:09:37.000000000 +0900 +++ php-4.4.2/ext/session/session.c 2006-03-06 08:48:07.000000000 +0900 @@ -38,6 +38,7 @@ #include "SAPI.h" #include "php_session.h" #include "ext/standard/md5.h" +#include "ext/standard/sha1.h" #include "ext/standard/php_var.h" #include "ext/standard/datetime.h" #include "ext/standard/php_lcg.h" @@ -162,6 +163,8 @@ STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateInt, cache_expire, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_trans_sid", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, use_trans_sid, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateInt, hash_func, php_ps_globals, ps_globals) + STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateInt, hash_bits_per_character, php_ps_globals, ps_globals) /* Commented out until future discussion */ /* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */ @@ -571,55 +574,150 @@ } } -static char hexconvtab[] = "0123456789abcdef"; +/* + * Note that we cannot use the BASE64 alphabet here, because + * it contains "/" and "+": both are unacceptable for simple inclusion + * into URLs. + */ + +static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; + +enum { + PS_HASH_FUNC_MD5, + PS_HASH_FUNC_SHA1 +}; + +/* returns a pointer to the byte after the last valid character in out */ +static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) +{ + unsigned char *p, *q; + unsigned short w; + int mask; + int have; + + p = in; + q = in + inlen; + + w = 0; + have = 0; + mask = (1 << nbits) - 1; + + while (1) { + if (have < nbits) { + if (p < q) { + w |= *p++ << have; + have += 8; + } else { + /* consumed everything? */ + if (have == 0) break; + /* No? We need a final round */ + have = nbits; + } + } + + /* consume nbits */ + *out++ = hexconvtab[w & mask]; + w >>= nbits; + have -= nbits; + } + + *out = '\0'; + return out; +} char *php_session_create_id(PS_CREATE_SID_ARGS) { - PHP_MD5_CTX context; - unsigned char digest[16]; - char buf[256]; + PHP_MD5_CTX md5_context; + PHP_SHA1_CTX sha1_context; + unsigned char digest[21]; + int digest_len; + int j; + char *buf; struct timeval tv; - int i; - int j = 0; - unsigned char c; + zval **array; + zval **token; + char *remote_addr = NULL; gettimeofday(&tv, NULL); - PHP_MD5Init(&context); - sprintf(buf, "%ld%ld%0.8f", tv.tv_sec, tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10); - PHP_MD5Update(&context, buf, strlen(buf)); + if (zend_hash_find(&EG(symbol_table), "_SERVER", + sizeof("_SERVER"), (void **) &array) == SUCCESS && + Z_TYPE_PP(array) == IS_ARRAY && + zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", + sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS) { + remote_addr = Z_STRVAL_PP(token); + } + + buf = emalloc(100); + + /* maximum 15+19+19+10 bytes */ + sprintf(buf, "%.15s%ld%ld%0.8f", remote_addr ? remote_addr : "", + tv.tv_sec, tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10); + + switch (PS(hash_func)) { + case PS_HASH_FUNC_MD5: + PHP_MD5Init(&md5_context); + PHP_MD5Update(&md5_context, buf, strlen(buf)); + digest_len = 16; + break; + case PS_HASH_FUNC_SHA1: + PHP_SHA1Init(&sha1_context); + PHP_SHA1Update(&sha1_context, buf, strlen(buf)); + digest_len = 20; + break; + default: + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid session hash function"); + efree(buf); + return NULL; + } if (PS(entropy_length) > 0) { int fd; fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); if (fd >= 0) { - unsigned char buf[2048]; + unsigned char rbuf[2048]; int n; int to_read = PS(entropy_length); while (to_read > 0) { - n = read(fd, buf, MIN(to_read, sizeof(buf))); + n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); if (n <= 0) break; - PHP_MD5Update(&context, buf, n); + + switch (PS(hash_func)) { + case PS_HASH_FUNC_MD5: + PHP_MD5Update(&md5_context, rbuf, n); + break; + case PS_HASH_FUNC_SHA1: + PHP_SHA1Update(&sha1_context, rbuf, n); + break; + } to_read -= n; } close(fd); } } - PHP_MD5Final(digest, &context); - - for (i = 0; i < 16; i++) { - c = digest[i]; - buf[j++] = hexconvtab[c >> 4]; - buf[j++] = hexconvtab[c & 15]; + switch (PS(hash_func)) { + case PS_HASH_FUNC_MD5: + PHP_MD5Final(digest, &md5_context); + break; + case PS_HASH_FUNC_SHA1: + PHP_SHA1Final(digest, &sha1_context); + break; + } + + if (PS(hash_bits_per_character) < 4 + || PS(hash_bits_per_character) > 6) { + PS(hash_bits_per_character) = 4; + + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); } - buf[j] = '\0'; + j = (int) (bin_to_readable(digest, digest_len, buf, PS(hash_bits_per_character)) - buf); if (newlen) *newlen = j; - return estrdup(buf); + return buf; } static void php_session_initialize(TSRMLS_D)
「php.ini」ファイルにに「session.hash_function = 1」のエントリを追加する事をお忘れなく。