php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70625 mcrypt_encrypt() : won't return data when no IV was specified under RC4.
Submitted: 2015-10-02 19:14 UTC Modified: 2015-10-02 20:29 UTC
From: jparedes at gmail dot com Assigned:
Status: Closed Package: mcrypt related
PHP Version: 5.6 OS: Linux
Private report: No CVE-ID:
 [2015-10-02 19:14 UTC] jparedes at gmail dot com
Description:
------------
Ommiting $iv in mcrypt_encrypt() under MCRYPT_ARCFOUR cipher returns false. But when "null" parameter is specified it work as expected.



Test script:
---------------
<?php

//This works php<7.0 only 
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM);
var_dump($enc_value);


//This work tested under 7.0RC4
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM,null);
var_dump($enc_value);


Expected result:
----------------
The result of $enc_value should be the result of the encryption.

Actual result:
--------------
Function returns false.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-02 19:41 UTC] jparedes at gmail dot com
Apparently the introduction of zpp checks [1]is in effect what causes the difference in the desired behaviour. This emerged in php-7.0.0beta3.

[1] https://github.com/php/php-src/commit/d8ed84e4c4d0bd0bac88d2c0ed6e072a7d7ea49d
 [2015-10-02 20:12 UTC] nikic@php.net
-PHP Version: 7.0.0RC4 +PHP Version: 5.6
 [2015-10-02 20:12 UTC] nikic@php.net
This is due to the additional IV validation in PHP 5.6: https://3v4l.org/af8oG

Probably some special handling for stream ciphers is missing.
 [2015-10-02 20:13 UTC] jparedes at gmail dot com
-PHP Version: 5.6 +PHP Version: 7.0.0RC4
 [2015-10-02 20:13 UTC] jparedes at gmail dot com
I correct myself, issue seems to arise after this commit 25d801f [1], because -if i'm not wrong- it's assumes RC4 encmode should have IV and it fact it should not.

[1] https://github.com/php/php-src/commit/25d801f97ec3f4bcac8977efd50f843eba9b19e1
 [2015-10-02 20:17 UTC] jparedes at gmail dot com
-PHP Version: 7.0.0RC4 +PHP Version: 5.6
 [2015-10-02 20:17 UTC] jparedes at gmail dot com
unintentionally changed affected php version while editing in parallel. Reverting.
 [2015-10-02 20:29 UTC] nikic@php.net
The issue here is that mcrypt_enc_mode_has_iv() reports on a property of the mode only, and reports the stream cipher mode to have an IV, regardless of used cipher. mcrypt_enc_get_iv_size() returns a property of the cipher, in this case 0, which seems to be the signal for "doesn't actually need an IV, even if mode_has_iv() says so". So we should add an additional check for 0 expected IV size.
 [2015-10-03 08:14 UTC] nikic@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe1933aae2185624bd51b1fd46b8d959f88daf4a
Log: Fixed bug #70625
 [2015-10-03 08:15 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net
Automatic comment on behalf of nikic
Revision: http://git.php.net/?p=php-src.git;a=commit;h=fe1933aae2185624bd51b1fd46b8d959f88daf4a
Log: Fixed bug #70625
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Feb 24 01:01:37 2017 UTC