php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70150 $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM ); times out
Submitted: 2015-07-27 07:24 UTC Modified: 2015-08-15 15:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: gessel at blackrosetech dot com Assigned:
Status: Duplicate Package: mcrypt related
PHP Version: 5.5.27 OS: FreeBSD 10.1-RELEASE #0 r285883
Private report: No CVE-ID: None
 [2015-07-27 07:24 UTC] gessel at blackrosetech dot com
Description:
------------
---
From manual page: http://www.php.net/function.mcrypt-create-iv
---

MediaWiki's MWCryptRand.php calls  
 $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );
This times out on FreeBSD without returning a value (even with max_execution_time set to 3000).  

modifying the call to 
  $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM|MCRYPT_RAND );
returns as expected, however, the MW dev is concerned that MCRYPT_RAND is not cryptographically secure, and that CC's note at https://secure.php.net/manual/en/function.mcrypt-create-iv.php#117047 is incorrect and that this piped construction will return "3" (rather than 0,1,2 or as Cory states, first attempt 1 and if that isn't available, try 2) and with "3" will always initialize with the crytographically insecure MCRYPT_RAND.

Test script:
---------------
$iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-27 17:03 UTC] cmb@php.net
MCRYPT_DEV_URANDOM|MCRYPT_RAND has the same behavior as
MCRYPT_RAND, i.e. the else clause[1] will be processed. I have
deleted Cory's note.

[1] <https://github.com/php/php-src/blob/php-5.6.11/ext/mcrypt/mcrypt.c#L1426-L1469>
 [2015-08-15 15:46 UTC] ab@php.net
-Status: Open +Status: Duplicate
 [2015-08-15 15:46 UTC] ab@php.net
@gessel, please check the latest 5.6 or 7 branch/snapshot (no release yet). This is likely a duplicate of bug #69833.

Thanks.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Aug 21 07:01:27 2019 UTC