|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43143 Warning about empty IV with MCRYPT_MODE_ECB.
Submitted: 2007-10-30 14:21 UTC Modified: 2007-12-01 17:20 UTC
Avg. Score:3.7 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: dylan at wedefy dot com Assigned: derick (profile)
Status: Closed Package: mcrypt related
PHP Version: 5.2.4 OS: Windows XP
Private report: No CVE-ID: None
 [2007-10-30 14:21 UTC] dylan at wedefy dot com
This warning makes sense for the other block cipher modes, but when using MCRYPT_MODE_ECB the initialization vector is not used at all, so it is misleading to recommend using one.  In fact there should be a notice/warning when an IV is supplied with mode MCRYPT_MODE_ECB to alert that the IV is ignored.

Reproduce code:
$input = 'to be encrypted';
$mkey = hash('sha256', 'secret key', TRUE);
$data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $mkey, $input, MCRYPT_MODE_ECB);

Expected result:
no warning

Actual result:
PHP Warning:  mcrypt_encrypt(): Attempt to use an empty IV, which is NOT recommend


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2007-11-12 10:05 UTC]
Assigned to the maintainer.
 [2007-12-01 17:20 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Jul 06 22:05:44 2022 UTC