Edit report at http://bugs.php.net/bug.php?id=52523&edit=1

 ID:                 52523
 Updated by:         paj...@php.net
 Reported by:        php-bugs at thequod dot de
 Summary:            mcrypt_create_iv not reliable on win: "Could not
                     gather sufficient random data"
-Status:             Assigned
+Status:             Closed
 Type:               Feature/Change Request
 Package:            mcrypt related
 Operating System:   win32
 PHP Version:        5.3.3
 Assigned To:        pajoye
 Block user comment: N

 New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




Previous Comments:
------------------------------------------------------------------------
[2010-08-09 10:14:16] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=302024
Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin
data)

------------------------------------------------------------------------
[2010-08-03 18:11:15] paj...@php.net

@derick

urandom is not crypto safe (to be more precise).

@thequod

About the patch in typo3, this code is wrong. They use urandom on
non-Windows platforms, then try alternatives on Windows only.

Problem is that they first try COM (very slow), then try with
mcrypt_create_iv and overwrite COM output (regardless if it worked well
or not). MCrypt also always exists on Windows with 5.3+, no need to test
it (statically compiled). The openssl code won't be used either (never
reached this condition).

However even if the openssl code was used, its logic is wrong. It
considers non strong (not crypto safe) output as invalid. But urandom
is not crypto safe anyway. They should test for the openssl function in
the 1st place then use fopen('urandom') and finally mcrypt and other
options. Much better/cleaner.

About your last comment, that fits in the explanation I gave earlier.
Nothing new.

------------------------------------------------------------------------
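The fallback order suggested in the comment above (OpenSSL, then /dev/urandom, then mcrypt), as an added example that is not part of the original comment and is not TYPO3 or PHP source code. The name random_bytes_fallback() and its $source and $strong outputs are assumptions made for illustration; each source returns as soon as it yields the requested length, so a later source cannot overwrite an earlier result.

```php
<?php
// Added illustration, not TYPO3 or PHP source code.
// random_bytes_fallback() and its by-reference outputs are hypothetical names.
function random_bytes_fallback($length, &$source = null, &$strong = null)
{
    $length = (int) $length;
    if ($length < 1) {
        throw new InvalidArgumentException('length must be at least 1');
    }
    $source = $strong = null; // only OpenSSL reports a strength flag

    // 1. OpenSSL first: the same call works on Windows and Unix.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $flag = false;
        $bytes = openssl_random_pseudo_bytes($length, $flag);
        // Compare lengths, never truthiness: the string "0" is falsy in
        // PHP, yet it is valid binary data.
        if (is_string($bytes) && strlen($bytes) === $length) {
            $source = 'openssl';
            $strong = $flag; // handed to the caller, who decides what to accept
            return $bytes;   // return at once so nothing below overwrites it
        }
    }
    // 2. /dev/urandom where it exists (it does not on Windows).
    if (@is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) {
        $bytes = '';
        while (strlen($bytes) < $length) {
            $chunk = fread($fh, $length - strlen($bytes));
            if ($chunk === false || $chunk === '') {
                break; // read error: fall through to the next source
            }
            $bytes .= $chunk;
        }
        fclose($fh);
        if (strlen($bytes) === $length) {
            $source = 'urandom';
            return $bytes;
        }
    }
    // 3. mcrypt as the last option.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if (is_string($bytes) && strlen($bytes) === $length) {
            $source = 'mcrypt';
            return $bytes;
        }
    }
    throw new RuntimeException('no random source produced ' . $length . ' bytes');
}
```

------------------------------------------------------------------------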
[2010-08-03 17:47:07] der...@php.net

This is a bug actually. /dev/random is supposed to wait as long as there
is enough entropy. /dev/urandom cares less (and is a worse source of
entropy). The behaviour on Windows needs to behave the same as on a
Unix.

------------------------------------------------------------------------
[2010-08-03 17:07:27] php-bugs at thequod dot de

Windows:

% while php -r '$s = microtime(true); if( mcrypt_create_iv(16,
MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true);
printf("%.5f\n", $e-$s);'; do true; done
0.00449
0.00454

Fatal error: mcrypt_create_iv(): Could not gather sufficient random data
in Command line code on line 1

Linux:

# while php -r '$s = microtime(true); if( mcrypt_create_iv(16,
MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true);
printf("%.2f\n", $e-$s);'; do true; done
0.00
3.51
3.56
4.03
3.58
4.06
3.71
5.12
4.19
3.41
3.87
3.91
3.74
5.09
4.26
3.71
3.78
4.41
5.48
5.09
6.50
4.14
3.58
3.83
6.02
3.74
3.87
4.68
6.92
4.52
6.01
...

Completely different machines though, of course.

------------------------------------------------------------------------
[2010-08-03 16:59:06] php-bugs at thequod dot de

JFI: it gets used in Typo3 to get random data (via
generateRandomBytes).

Added in
http://github.com/typo3/typo3v4core/commit/00ce0fe45aa46b62e8aa499912c9e36483185737

Also, it appears to be blocking (at least for longer) on Linux; it takes
up to a few seconds for each call, but appears to fail instantly on
Windows.
(not sure though)

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=52523

