Newsgroups: php.internals
From: jochem@iamjochem.com (Jochem Maas)
To: Stefan Esser
Cc: internals@lists.php.net
Date: Wed, 16 Nov 2005 11:24:08 +0100
Subject: Re: [PHP-DEV] PHP 5.1.0 - sha256() and sha256_file() support
Message-ID: <437B08C8.20804@iamjochem.com>
In-Reply-To: <20051115221143.GA28082@hardened-php.net>

Stefan Esser wrote:
> Hello,
>
> with MD5 and SHA1 more or less broken, I have hacked together sha256() and sha256_file(),
> because people want a secure hashing function in plain PHP without the need for 3rd party
> libraries like mhash.

assuming this is true then the built-in session handler is pretty vulnerable right now, no?
one only has the choice of md5 or sha1 for the hashing mechanism of the session
handler's id as far as I can see ... if php gets a sha256 in the core it would possibly
be a good thing to make that available as an option for session.hash_function?

>
> Both functions are already available to users of the PHP Hardening-Patch for quite a while.
> Actually it is too late in the release process to add it, although it just adds new files
> and only adds a few things in some tables. It is more or less impossible to break something
> but you never know.
>
> If we for some reason need another 5.1.0 RC, we can maybe add the patch. (It doesn't need
> more than a few compile tests ;)
>
> Patch: http://www.suspekt.org/php-5.1.0-sha256.patch
>
> (So ilia... It is maybe up to your judgement only if I should do a last minute feature commit ;)
>
> Stefan
>