php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55169 mcrypt_create_iv always fails to gather sufficient random data
Submitted: 2011-07-09 16:23 UTC Modified: 2011-07-23 06:21 UTC
From: nikic@php.net Assigned: pajoye
Status: Closed Package: mcrypt related
PHP Version: 5.4SVN-2011-07-09 (snap) OS: Windows 7
Private report: No CVE-ID:
 [2011-07-09 16:23 UTC] nikic@php.net
Description:
------------
When using the 5.4 snaps calling mcrypt_create_iv with either MCRYPT_DEV_RANDOM or MCRYPT_DEV_URANDOM as source always fails to gather sufficient random data regardless of the specified size.

(Could be related: http://svn.php.net/viewvc?view=revision&revision=312201 )

Test script:
---------------
<?php var_dump(mcrypt_create_iv(1, MCRYPT_DEV_URANDOM));

Expected result:
----------------
string 'm' (length=1)
[or similar]

Actual result:
--------------
Fatal error: mcrypt_create_iv() [<a href='function.mcrypt-create-iv'>function.mcrypt-create-iv</a>]: Could not gather sufficient random data in D:\htdocs\stack\quick.php on line 3

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-07-09 16:26 UTC] nikic@php.net
Some further notes:

The code always fails, not just sometimes.
It fails regardless of the specified size.
It worked on PHP 5.3.1 (haven't tested later versions).
 [2011-07-10 10:36 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313110
Log: - fix bug #55169, mcrypt_create_iv always fails to gather sufficient random data
 [2011-07-10 10:37 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-07-10 10:37 UTC] pajoye@php.net
I apply a fix to all branches (5.3 was possibly affected as well). Please try a 
snapshot with the revision id equal or higher to the commit referred here.
 [2011-07-10 11:09 UTC] nikic@php.net
I just tried snaps for 312169 and 312203. The former still worked, but the latter was already broken:

D:\htdocs\stack>C:\php312169\php.exe -f quick.php
string(1) "ð"

D:\htdocs\stack>C:\php312203\php.exe -f quick.php

Fatal error: mcrypt_create_iv(): Could not gather sufficient random data in D:\h
tdocs\stack\quick.php on line 3
 [2011-07-10 11:12 UTC] nikic@php.net
Just tried the snap for 312201, too, and it seems to work there too. Does that mean that either 312202 or 312203 broke it?

D:\htdocs\stack>C:\php312201\php.exe -f quick.php
string(1) "B"
 [2011-07-10 11:19 UTC] nikic@php.net
Oi, I didn't see your comment, I'm sorry. I will try as soon as a binary is available ;)
 [2011-07-10 11:32 UTC] pajoye@php.net
yes, 313110 or higher is what you have to test (see the commit in this report, the 
commits tab).
 [2011-07-10 14:32 UTC] nikic@php.net
I'm still seeing the issue in 313114:

D:\htdocs\stack>C:\php313114\php.exe -f quick.php

Warning: mcrypt_create_iv(): Could not gather sufficient random data in D:\htdoc
s\stack\quick.php on line 3
bool(false)
 [2011-07-10 14:53 UTC] nikic@php.net
I just tried using an nts instead of a ts build, and it worked there. So it's seems to be some thread safety related problem.
 [2011-07-10 16:58 UTC] pajoye@php.net
I can't reproduce the problem, are you sure you used the right binaries?


c:\test\php540r313114>php -d extension_dir=ext -d extension=php_openssl.dll -r 
"var_dump(mcrypt_create_iv(1, MCRYPT_DEV_URANDOM));"
string(1) "☺"

and using NTS:

c:\test\php540ntsr313114>php -d extension_dir=ext -d extension=php_openssl.dll -
r "var_dump(mcrypt_create_iv(1, MCRYPT_DEV_URANDOM));"
string(1) "║"
 [2011-07-10 17:38 UTC] nikic@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: nikic
 [2011-07-10 17:38 UTC] nikic@php.net
Hm, seems like I indeed used some wrong binary. I have just downloaded 313114ts again and it worked :)

Thanks for the quick fix and sorry for the confusion ^^

Closing this then ;)
 [2011-07-10 17:41 UTC] nikic@php.net
-Assigned To: nikic +Assigned To: pajoye
 [2011-07-10 17:41 UTC] nikic@php.net
Argh, I just can't handle this bugtracker :( Seems like it assignes the bug to me if I leave the "Assign to" field empty.
 [2011-07-11 11:06 UTC] aharvey@php.net
-Status: Closed +Status: Bogus -Assigned To: pajoye +Assigned To:
 [2011-07-11 11:08 UTC] nikic@php.net
Why is this Bogus now?
 [2011-07-11 12:41 UTC] pajoye@php.net
-Status: Bogus +Status: Open
 [2011-07-11 12:41 UTC] pajoye@php.net
No idea, who made that change?
 [2011-07-11 12:50 UTC] aharvey@php.net
I did. Sorry, misread the bug. The lesson is that I need to do one thing at once, 
rather than ten. :)
 [2011-07-11 14:20 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2011-07-11 14:20 UTC] nikic@php.net
Okay, closing it again then ;)
 [2011-07-11 14:23 UTC] pajoye@php.net
-Status: Closed +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-07-11 14:23 UTC] pajoye@php.net
just assigning it to me, needs some more testing under apache and IIS, Seldaek is 
still having this problem
 [2011-07-12 07:46 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313175
Log: - Bug #55169, improve fix, allow non interactive user, hash-like ops only usage
 [2011-07-18 13:10 UTC] pajoye@php.net
Quick update, issue fixed in svn (5.3+), keep it open until Ryan applies the new 
tests.
 [2011-07-20 14:59 UTC] yaauie@php.net
Automatic comment from SVN on behalf of yaauie
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313485
Log: tests for bug #55169 (mcrypt and openssl)
 [2011-07-20 16:57 UTC] yaauie@php.net
Automatic comment from SVN on behalf of yaauie
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313487
Log: update test for bug #55169, don't require the extension in INI
 [2011-07-20 17:12 UTC] yaauie@php.net
Automatic comment from SVN on behalf of yaauie
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313488
Log: update test for bug #55169, fix skipif
 [2011-07-20 17:25 UTC] yaauie@php.net
Automatic comment from SVN on behalf of yaauie
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=313489
Log: removing openssl test for bug #55169 per Scott MacVicar's request; duplicate coverage of opensssl_random_pseudo_bytes.phpt
 [2011-07-23 06:21 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2011-07-23 06:21 UTC] pajoye@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04432e7dd85d774a3eac6f3effca9f4e7cfb42d6
Log: - fix bug #55169, mcrypt_create_iv always fails to gather sufficient random data
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04432e7dd85d774a3eac6f3effca9f4e7cfb42d6
Log: - fix bug #55169, mcrypt_create_iv always fails to gather sufficient random data
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=04432e7dd85d774a3eac6f3effca9f4e7cfb42d6
Log: - fix bug #55169, mcrypt_create_iv always fails to gather sufficient random data
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 16:02:23 2014 UTC