php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40999 mcrypt_create_iv() not using random seed.
Submitted: 2007-04-04 23:57 UTC Modified: 2007-04-08 15:06 UTC
From: john dot hargrove at sellingsource dot com Assigned: iliaa
Status: Closed Package: mcrypt related
PHP Version: 5.2.1 OS: All
Private report: No CVE-ID:
 [2007-04-04 23:57 UTC] john dot hargrove at sellingsource dot com
Description:
------------
This bug is only for mcrypt_create_iv() when passing MCRYPT_RAND as the source. 

I believe this is a bug that has been re-introduced to PHP at some point after 5.1.4.  This bug is not in 5.1.4, but is currently in PHP 5.2.1, and it was reported previously in 5.0.X.  So it seems fixed, then unfixed.  

mcrypt_create_iv() is making a call to php_rand_r(), but is passing an uninitialized unsigned int as the random seed.

I believe it should be calling php_rand() with no argument (which would invoke the auto-seeding feature of the php function rand()), or simply rand().   In 5.1.4, it was rand().

Here is a patch: http://www.fortheloot.com/public/mcrypt.patch

That should fix it.  Additionally, the "expected output" below is from a version after applying the patch above.

Sorry for the Wall-O-Text, just wanted to make sure this was considered legit.






Reproduce code:
---------------
srand((double) microtime(true) * 1000000);

$module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, NULL, MCRYPT_MODE_CFB, NULL);

echo "iv1: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";
echo "iv2: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";
echo "iv3: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n";

Expected result:
----------------
3 random hex strings. e.g.,
iv1: 3e280c689f08c1a6e7993e41040eec1b
iv2: caa3b8ae0241995d36a346904b7672bf
iv3: a4d25fe39436d72b96cf68efe7ceb1a5



Actual result:
--------------
iv1: a67ed3dd28eb59be57bbfee36f75df52
iv2: a67ed3dd28eb59be57bbfee36f75df52
iv3: a67ed3dd28eb59be57bbfee36f75df52


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-04-05 01:49 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-04-07 11:15 UTC] derick@php.net
Was not committed to HEAD.
 [2007-04-08 15:06 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC