The docs claim that openssl_random_pseudo_bytes() returns a "cryptographically strong" result as long as the $crypto_strong parameter is true, but I checked the source and that does not appear to be the case. The openssl_random_pseudo_bytes() PHP function calls the RAND_pseudo_bytes() OpenSSL function (https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408), which the OpenSSL docs (https://www.openssl.org/docs/crypto/RAND_bytes.html) say should only be used for non-cryptographic purposes:
RAND_pseudo_bytes() has been deprecated. Users should use RAND_bytes() instead. RAND_pseudo_bytes() puts num pseudo-random bytes into buf. Pseudo-random byte sequences generated by RAND_pseudo_bytes() will be unique if they are of sufficient length, but are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc.
Here's a patch: https://gist.github.com/MasonM/05b4e425d55c6d6d1b23
(I couldn't attach the patch since this bug is private)
The patch changes openssl_random_pseudo_bytes() to call RAND_bytes() instead, as recommended in the OpenSSL docs. I made the patch against the "php-5.6.10" tag in the Git repo and ran all the tests. I got a few "EXPECTED FAIL" errors, but they appear unrelated.
There's one additional issue with https://github.com/php/php-src/blob/php-5.6.10/ext/openssl/openssl.c#L5408 that I forgot to mention before: it only checks if the return value of RAND_pseudo_bytes() is less than zero. However, RAND_pseudo_bytes() can return 0 if the result is not "cryptographically strong" (which seems to contradict the earlier statement in the OpenSSL docs that I posted). This means $crypto_strong isn't being set correctly. My patch fixes this issue.
Sorry, disregard my previous comment. I misread the code there.
Automatic comment on behalf of stas
Log: Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Is PHP 5.4 affected?
If yes, will this patch be backported?
If no, on which release was it backported?
Please check the changelog first: http://php.net/ChangeLog-5.php#5.4.44
Sorry, thanks for your reply.
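A caller-side check for the $crypto_strong flag and failure return discussed in this report, as an added example that is not part of the original thread or of php-src. The helper name secure_random_bytes() is hypothetical; the code fails closed instead of returning bytes the extension did not mark as strong, and prefers random_bytes() where the runtime provides it.

```php
<?php
// Added example: not code from php-src or from the bug report.
// secure_random_bytes() is a hypothetical helper name.

/**
 * Return $length random bytes suitable for keys and tokens, or throw.
 * Never hands back output that was not reported as cryptographically strong.
 */
function secure_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // PHP 7.0+ provides random_bytes(), which throws on failure
    // instead of signalling weakness through an out-parameter.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // Older runtimes: fall back to the OpenSSL extension and inspect
    // both the return value and the by-reference strength flag.
    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('no CSPRNG available');
    }

    $strong = false;
    $bytes  = openssl_random_pseudo_bytes($length, $strong);

    // Reject every outcome except "right length AND flagged strong".
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new RuntimeException('OpenSSL did not return cryptographically strong bytes');
    }

    return $bytes;
}

// Usage: a 128-bit session token, hex encoded.
try {
    $token = bin2hex(secure_random_bytes(16));
    echo $token, PHP_EOL;
} catch (Exception $e) {
    // Fail closed: do not substitute mt_rand() or uniqid() here.
    error_log('token generation failed: ' . $e->getMessage());
    exit(1);
}
```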