php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #70014 openssl_random_pseudo_bytes() is not cryptographically secure
Submitted: 2015-07-08 00:50 UTC Modified: 2016-04-26 09:30 UTC
From: masonm at the-jci dot org Assigned: stas (profile)
Status: Closed Package: OpenSSL related
PHP Version: 5.6.10 OS:
Private report: No CVE-ID: 2015-8867
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: masonm at the-jci dot org
New email:
PHP Version: OS:

 

 [2015-07-08 00:50 UTC] masonm at the-jci dot org 
Description:
------------
The docs claim that openssl_random_pseudo_bytes() returns a "cryptographically strong" result as long as the $crypto_strong parameter is true, but I checked the source and that does not appear to be the case. The openssl_random_pseudo_bytes() PHP function calls the RAND_psuedo_bytes() OpenSSL function (https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408), which the OpenSSL docs (https://www.openssl.org/docs/crypto/RAND_bytes.html) say should only be used for non-cryptographic purposes:

    RAND_pseudo_bytes() has been deprecated. Users should use RAND_bytes() instead. RAND_pseudo_bytes() puts num pseudo-random bytes into buf. Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be unique if they are of sufficient length, but are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc.


Test script:
---------------
N/A

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-08 02:58 UTC] masonm at the-jci dot org 
Here's a patch: https://gist.github.com/MasonM/05b4e425d55c6d6d1b23
(I couldn't attach the patch since this bug is private)

The patch changes openssl_random_pseudo_bytes() to call RAND_bytes() instead, as recommended in the OpenSSL docs. I made the patch against the "php-5.6.10" tag in the Git repo and ran all the tests. I got a few "EXPECTED FAIL" errors, but they appear unrelated.
 [2015-07-08 14:43 UTC] masonm at the-jci dot org 
There's one additional issue with https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408 that I forgot to mention before: it only checks if the return value of RAND_pseudo_bytes() is less than zero. However, RAND_pseudo_bytes() can return 0 if the result is not "cryptographically strong" (which seems to contradict the earlier statement in the OpenSSL docs that I posted). This means the $crypto_strong isn't being set correctly. My patch fixes this issue.
 [2015-07-16 06:12 UTC] masonm at the-jci dot org 
Sorry, disregard my previous comment. I misread the code there.
 [2015-08-04 22:22 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
 [2015-08-04 22:22 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-08-04 22:23 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
 [2015-08-04 22:30 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
 [2015-08-05 07:29 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
 [2015-08-05 10:12 UTC] ab@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
 [2016-04-22 21:33 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-04-26 09:30 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2015-8867
 [2016-06-20 08:40 UTC] samuel dot chemla at orange dot com 
Hi guys,

is PHP5.4 affected?
If yes, will this path be backported?
If no, on which release was it backported?

Regards
 [2016-06-20 11:26 UTC] kaplan@php.net 
Please check the changelog first: http://php.net/ChangeLog-5.php#5.4.44
 [2016-06-20 11:45 UTC] samuel dot chemla at orange dot com 
Sorry, thanks for your reply.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 14:01:29 2024 UTC