PHP :: Doc Bug #63146 :: Use /dev/urandom as default random pool dev

Doc Bug #63146	Use /dev/urandom as default random pool dev
Submitted:	2012-09-24 04:27 UTC	Modified:	2015-06-14 21:41 UTC
From:	laruence@php.net	Assigned:	cmb (profile)
Status:	Closed	Package:	mcrypt related
PHP Version:	5.4.7	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	laruence@php.net
New email:
PHP Version:		OS:

New/Additional Comment:

[2012-09-24 04:27 UTC] laruence@php.net

Description:
------------
Hey, mcrypt_create_iv use /dev/random as the default random dev, this will cause 
some unexpected issues for new users.

see:

"
nils at nm dot cx 19-Jun-2012 12:26
If you use /dev/random you need a well filled entropy pool or the application will 
block until enough good entropy comes available
"
http://us.php.net/manual/en/function.mcrypt-create-iv.php

Test script:
---------------
none

Expected result:
----------------
none

Actual result:
--------------
none

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-09-24 04:45 UTC] aharvey@php.net

Given it's a cryptographic function, I think we should continue to use /dev/random, but we could document more clearly that the default behaviour may block until more entropy is available.

[2012-09-24 07:32 UTC] pajoye@php.net

hi!

mcrypt extensions is about crypto safe usage. /dev/random is crypto safe, 
/dev/urandom is only good enough for password generations and the like.

However I totally agree that we should document the possible blocking behavior. It 
is already mentioned in the notes, but better if we have a warning/notice on that 
page.

[2012-09-25 02:43 UTC] laruence@php.net

IMO, most users are using mcrypt as a password generator, 

however, I do agree, we can solve this with a well documentation.

change to doc bug

[2012-09-25 02:43 UTC] laruence@php.net

-Type: Feature/Change Request +Type: Documentation Problem

[2015-06-14 21:41 UTC] cmb@php.net

Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=336958
Log: added note about potential blocking of MCRYPT_DEV_RANDOM (fixes #63146)

[2015-06-14 21:41 UTC] cmb@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb

[2015-06-14 21:41 UTC] cmb@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 03:01:28 2024 UTC