[TYPO3-core] RFC: #15359: Speed up / restructure of random byte generator

Helmut Hummel helmut.hummel at typo3.org
Mon Feb 14 23:48:39 CET 2011


Hi,

this is a SVN patch request.

Type: Bugfix

BT reference: http://bugs.typo3.org/view.php?id=15359

Branches: trunk, 4_5; optional: 4_4, 4_3

Problem:
The random byte generation method is in heavy use in the backend because
of the CSRF token generation and the code is by far not optimal.

Solution:
Restructure the code to use the most performant methods first if available.
Read/generate more bytes than needed in one call, because it does not
cost (much) more to generate more random bytes, but it's much cheaper
for the next calls, because the bytes are already there.

Note:
I completely removed the COM object call on Windows, because it is known
to be slow, is almost never available, and causes trouble (#16154).

Because of a PHP bug, also the mcrypt_create_iv() method is now not used
on Windows any more (#16837).

Since we do not need crypto safe randomness anywhere in the core, I
removed the attempt to get secure randomness and added a comment that the
method cannot be used for crypto safe stuff (which was also not reliably
the case before anyways).

The new version is (depending on the number of calls and the random
function used depending on the system) between 2 times and 200 times
faster. I attached my test script, so you can play around yourself.

This patch also fixes: #16154, #16837.


Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader

TYPO3 .... inspiring people to share!
Get involved: typo3.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: randombytes-test.php
Type: text/php
Size: 8092 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110214/216160e5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 15359_v2.diff
Type: text/x-patch
Size: 3817 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20110214/216160e5/attachment-0001.bin>
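
The read-ahead idea from the Solution paragraph above, as an added example that is not part of the original mail and is not the code in the scrubbed 15359_v2.diff. The class, constant and counter names are hypothetical, and it assumes PHP 7+ so that it can draw from random_bytes() instead of the sources the patch chooses between.

```php
<?php
// Added example: hypothetical class, not TYPO3 core code.
final class BufferedRandomBytes
{
    /** Bytes fetched per refill; constructed value, tune to the call pattern. */
    const CHUNK_SIZE = 4096;

    /** @var string unread bytes left over from the last refill */
    private static $pool = '';

    /** @var int number of calls made to the underlying source (for measuring) */
    public static $sourceCalls = 0;

    /**
     * Return $length random bytes, refilling the pool only when it runs short.
     */
    public static function get($length)
    {
        $length = (int)$length;
        if ($length < 1) {
            throw new InvalidArgumentException('length must be >= 1');
        }
        if (strlen(self::$pool) < $length) {
            // One larger read instead of many small ones; leftover bytes stay
            // in the pool and are consumed first. Assumes PHP 7+ random_bytes().
            self::$pool .= random_bytes(max(self::CHUNK_SIZE, $length));
            self::$sourceCalls++;
        }
        // Hand out the front of the pool and drop it, so no byte is served twice.
        $out = substr(self::$pool, 0, $length);
        self::$pool = (string)substr(self::$pool, $length);
        return $out;
    }
}

// Constructed workload: 1000 16-byte tokens requested one after another.
$tokens = array();
for ($i = 0; $i < 1000; $i++) {
    $tokens[bin2hex(BufferedRandomBytes::get(16))] = true;
}
printf("%d distinct tokens from %d source calls\n",
    count($tokens), BufferedRandomBytes::$sourceCalls);
```

The pool is a static property, so under PHP's usual per-request execution it is discarded at the end of each request. A long-running script that forks (for example with pcntl_fork()) should empty the pool in the child, because the child inherits the parent's unread bytes.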

