php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70150 $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM ); times out
Submitted: 2015-07-27 07:24 UTC Modified: 2015-08-15 15:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: gessel at blackrosetech dot com Assigned:
Status: Duplicate Package: mcrypt related
PHP Version: 5.5.27 OS: FreeBSD 10.1-RELEASE #0 r285883
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: gessel at blackrosetech dot com
New email:
PHP Version: OS:

 

 [2015-07-27 07:24 UTC] gessel at blackrosetech dot com
Description:
------------
---
From manual page: http://www.php.net/function.mcrypt-create-iv
---

MediaWiki's MWCryptRand.php calls  
 $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );
This times out on FreeBSD without returning a value (even with max_execution_time set to 3000).  

modifying the call to 
  $iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM|MCRYPT_RAND );
returns as expected, however, the MW dev is concerned that MCRYPT_RAND is not cryptographically secure, and that CC's note at https://secure.php.net/manual/en/function.mcrypt-create-iv.php#117047 is incorrect and that this piped construction will return "3" (rather than 0,1,2 or as Cory states, first attempt 1 and if that isn't available, try 2) and with "3" will always initialize with the crytographically insecure MCRYPT_RAND.

Test script:
---------------
$iv = mcrypt_create_iv( $rem, MCRYPT_DEV_URANDOM );


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-27 17:03 UTC] cmb@php.net
MCRYPT_DEV_URANDOM|MCRYPT_RAND has the same behavior as
MCRYPT_RAND, i.e. the else clause[1] will be processed. I have
deleted Cory's note.

[1] <https://github.com/php/php-src/blob/php-5.6.11/ext/mcrypt/mcrypt.c#L1426-L1469>
 [2015-08-15 15:46 UTC] ab@php.net
-Status: Open +Status: Duplicate
 [2015-08-15 15:46 UTC] ab@php.net
@gessel, please check the latest 5.6 or 7 branch/snapshot (no release yet). This is likely a duplicate of bug #69833.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 12:01:32 2024 UTC