php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43143 Warning about empty IV with MCRYPT_MODE_ECB.
Submitted: 2007-10-30 14:21 UTC Modified: 2007-12-01 17:20 UTC
Votes:3
Avg. Score:3.7 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: dylan at wedefy dot com Assigned: derick (profile)
Status: Closed Package: mcrypt related
PHP Version: 5.2.4 OS: Windows XP
Private report: No CVE-ID: None
 [2007-10-30 14:21 UTC] dylan at wedefy dot com
Description:
------------
This warning makes sense for the other block cipher modes, but when using MCRYPT_MODE_ECB the initialization vector is not used at all, so it is misleading to recommend using one.  In fact there should be a notice/warning when an IV is supplied with mode MCRYPT_MODE_ECB to alert that the IV is ignored.

Reproduce code:
---------------
<?php
$input = 'to be encrypted';
$mkey = hash('sha256', 'secret key', TRUE);
$data = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $mkey, $input, MCRYPT_MODE_ECB);
?>

Expected result:
----------------
no warning

Actual result:
--------------
PHP Warning:  mcrypt_encrypt(): Attempt to use an empty IV, which is NOT recommend

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-11-12 10:05 UTC] tony2001@php.net
Assigned to the maintainer.
 [2007-12-01 17:20 UTC] derick@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC