PHP :: Bug #40999 :: mcrypt_create_iv() not using random seed.

Bug #40999	mcrypt_create_iv() not using random seed.
Submitted:	2007-04-04 23:57 UTC	Modified:	2007-04-08 15:06 UTC
From:	john dot hargrove at sellingsource dot com	Assigned:	iliaa (profile)
Status:	Closed	Package:	mcrypt related
PHP Version:	5.2.1	OS:	All
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-04-04 23:57 UTC] john dot hargrove at sellingsource dot com

Description:
------------
This bug is only for mcrypt_create_iv() when passing MCRYPT_RAND as the source. 

I believe this is a bug that has been re-introduced to PHP at some point after 5.1.4.  This bug is not in 5.1.4, but is currently in PHP 5.2.1, and it was reported previously in 5.0.X.  So it seems fixed, then unfixed.  

mcrypt_create_iv() is making a call to php_rand_r(), but is passing an uninitialized unsigned int as the random seed.

I believe it should be calling php_rand() with no argument (which would invoke the auto-seeding feature of the php function rand()), or simply rand().   In 5.1.4, it was rand().

Here is a patch: http://www.fortheloot.com/public/mcrypt.patch

That should fix it.  Additionally, the "expected output" below is from a version after applying the patch above.

Sorry for the Wall-O-Text, just wanted to make sure this was considered legit.






Reproduce code:
---------------
srand((double) microtime(true) * 1000000);

$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, NULL, MCRYPT_MODE_CFB, NULL);

echo "iv1: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";
echo "iv2: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";
echo "iv3: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";

Expected result:
----------------
3 random hex strings. e.g.,
iv1: 3e280c689f08c1a6e7993e41040eec1b
iv2: caa3b8ae0241995d36a346904b7672bf
iv3: a4d25fe39436d72b96cf68efe7ceb1a5



Actual result:
--------------
iv1: a67ed3dd28eb59be57bbfee36f75df52
iv2: a67ed3dd28eb59be57bbfee36f75df52
iv3: a67ed3dd28eb59be57bbfee36f75df52

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-04-05 01:49 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2007-04-07 11:15 UTC] derick@php.net

Was not committed to HEAD.

[2007-04-08 15:06 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 22 17:01:28 2025 UTC