$OpenBSD: patch-ext_session_session_c,v 1.2 2018/09/13 14:15:12 sthen Exp $

use arc4random_buf rather than /dev/urandom to add entropy to session ids

Index: ext/session/session.c
--- ext/session/session.c.orig
+++ ext/session/session.c
@@ -346,7 +346,24 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS)
 	efree(buf);
 
 	if (PS(entropy_length) > 0) {
-#ifdef PHP_WIN32
+#if defined(__OpenBSD__)
+		unsigned char rbuf[2048];
+		size_t toread = PS(entropy_length);
+		arc4random_buf(rbuf, MIN(toread, sizeof(rbuf)));
+		switch (PS(hash_func)) {
+			case PS_HASH_FUNC_MD5:
+				PHP_MD5Update(&md5_context, rbuf, toread);
+				break;
+			case PS_HASH_FUNC_SHA1:
+				PHP_SHA1Update(&sha1_context, rbuf, toread);
+				break;
+# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+			case PS_HASH_FUNC_OTHER:
+				PS(hash_ops)->hash_update(hash_context, rbuf, toread);
+				break;
+# endif /* HAVE_HASH_EXT */
+		}
+#elif defined(PHP_WIN32)
 		unsigned char rbuf[2048];
 		size_t toread = PS(entropy_length);
 
