Bug #70625 mcrypt_encrypt() : won't return data when no IV was specified under RC4.
Submitted: 2015-10-02 19:14 UTC Modified: 2015-10-02 20:29 UTC
From: jparedes at gmail dot com Assigned:
Status: Closed Package: mcrypt related
PHP Version: 5.6 OS: Linux
Private report: No CVE-ID: None
 [2015-10-02 19:14 UTC] jparedes at gmail dot com
Description:
------------
Omitting $iv in mcrypt_encrypt() under the MCRYPT_ARCFOUR cipher returns false. But when a "null" parameter is specified it works as expected.



Test script:
---------------
<?php

// This works on PHP < 7.0 only
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM);
var_dump($enc_value);


// This works; tested under 7.0RC4
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM,null);
var_dump($enc_value);


Expected result:
----------------
The result of $enc_value should be the result of the encryption.

Actual result:
--------------
Function returns false.

History

 [2015-10-02 19:41 UTC] jparedes at gmail dot com
Apparently the introduction of zpp checks [1] is in effect what causes the difference in the desired behaviour. This emerged in php-7.0.0beta3.

[1] https://github.com/php/php-src/commit/d8ed84e4c4d0bd0bac88d2c0ed6e072a7d7ea49d
 [2015-10-02 20:12 UTC] nikic@php.net
-PHP Version: 7.0.0RC4 +PHP Version: 5.6
 [2015-10-02 20:12 UTC] nikic@php.net
This is due to the additional IV validation in PHP 5.6: https://3v4l.org/af8oG

Probably some special handling for stream ciphers is missing.
 [2015-10-02 20:13 UTC] jparedes at gmail dot com
-PHP Version: 5.6 +PHP Version: 7.0.0RC4
 [2015-10-02 20:13 UTC] jparedes at gmail dot com
I correct myself: the issue seems to arise after this commit 25d801f [1], because, if I'm not wrong, it assumes RC4 encmode should have an IV and in fact it should not.

[1] https://github.com/php/php-src/commit/25d801f97ec3f4bcac8977efd50f843eba9b19e1
 [2015-10-02 20:17 UTC] jparedes at gmail dot com
-PHP Version: 7.0.0RC4 +PHP Version: 5.6
 [2015-10-02 20:17 UTC] jparedes at gmail dot com
Unintentionally changed the affected PHP version while editing in parallel. Reverting.
 [2015-10-02 20:29 UTC] nikic@php.net
The issue here is that mcrypt_enc_mode_has_iv() reports on a property of the mode only, and reports the stream cipher mode to have an IV, regardless of used cipher. mcrypt_enc_get_iv_size() returns a property of the cipher, in this case 0, which seems to be the signal for "doesn't actually need an IV, even if mode_has_iv() says so". So we should add an additional check for 0 expected IV size.
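The check described in the comment above, modelled as a small C example added here (not code from php-src or from any participant in this report). The struct, function names, return codes and sample descriptors are assumptions standing in for what mcrypt_enc_mode_has_iv() and mcrypt_enc_get_iv_size() report.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical descriptor holding the two properties discussed above. */
struct enc_desc {
    const char *name;
    int mode_has_iv; /* property of the mode (cf. mcrypt_enc_mode_has_iv) */
    int iv_size;     /* property of the cipher (cf. mcrypt_enc_get_iv_size) */
};

enum { IV_OK = 0, IV_MISSING = -1, IV_BAD_SIZE = -2 };

/* Validation that trusts the mode flag alone: a cipher with expected
 * IV size 0 is still rejected when no IV buffer is supplied. */
int check_iv_before(const struct enc_desc *d, const unsigned char *iv, size_t iv_len)
{
    if (!d->mode_has_iv) return IV_OK;
    if (iv == NULL) return IV_MISSING;
    if (iv_len != (size_t)d->iv_size) return IV_BAD_SIZE;
    return IV_OK;
}

/* Same validation with the additional check: expected IV size 0 means the
 * cipher takes no IV, whatever the mode flag says. Ciphers that do need an
 * IV are still rejected when it is missing or has the wrong length. */
int check_iv_after(const struct enc_desc *d, const unsigned char *iv, size_t iv_len)
{
    if (!d->mode_has_iv) return IV_OK;
    if (d->iv_size == 0) return IV_OK;
    if (iv == NULL) return IV_MISSING;
    if (iv_len != (size_t)d->iv_size) return IV_BAD_SIZE;
    return IV_OK;
}

/* Constructed sample descriptors (values are illustrative). */
const struct enc_desc ARCFOUR_STREAM  = { "arcfour/stream",   1, 0  };
const struct enc_desc RIJNDAEL128_CBC = { "rijndael-128/cbc", 1, 16 };

int main(void)
{
    const struct enc_desc *cases[] = { &ARCFOUR_STREAM, &RIJNDAEL128_CBC };
    for (size_t i = 0; i < 2; i++) {
        printf("%-18s no IV: before=%d after=%d\n", cases[i]->name,
               check_iv_before(cases[i], NULL, 0),
               check_iv_after(cases[i], NULL, 0));
    }
    return 0;
}
```
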
 [2015-10-03 08:14 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe1933aae2185624bd51b1fd46b8d959f88daf4a
Log: Fixed bug #70625
 [2015-10-03 08:15 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe1933aae2185624bd51b1fd46b8d959f88daf4a
Log: Fixed bug #70625
 
Last updated: Sat Dec 21 16:01:28 2024 UTC