Edit report at https://bugs.php.net/bug.php?id=52523&edit=1
ID: 52523
Comment by: mah at everybody dot org
Reported by: php-bugs at thequod dot de
Summary: mcrypt_create_iv not reliable on win: "Could not
gather sufficient random data"
Status: Closed
Type: Feature/Change Request
Package: mcrypt related
Operating System: win32
PHP Version: 5.3.3
Assigned To: pajoye
Block user comment: N
Private report: N
New Comment:
Just came across this while trying to install the latest MediaWiki on a host
with PHP 5.3.5 phpinfo() reports has a system string of "Windows NT A1-WHW-B69
6.0 build 6002 (Windows Server 2008 Web Server Edition Service Pack 2) i586"
and a build date of "Jan 5 2011 20:33:43".
Since this was on a hosted account, I didn't have the opportunity to upgrade
PHP and I couldn't find a way to test for the bug without causing a fatal
error. If I had been able to do that, I would have added code to MediaWiki to
test for the bug.
I was able to work-around the bug by modifying the installer source so that
MCRYPT_RAND was used instead of MCRYPT_DEV_URANDOM. For a package like
MediaWiki, though, this is less than ideal.
Previous Comments:
------------------------------------------------------------------------
[2011-06-14 11:17:03] [email protected]
There is no difference between the two on Windows. Both called the same
function.
How do you get the error? Which windows version do you use?
------------------------------------------------------------------------
[2011-06-14 10:28:23] [email protected]
I'm still experiencing issues with 5.3.6. Calling the method with both
MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the
first should block, and the second should just return non-crypto-safe data, but
it should return *something*, and ideally do it fast.
------------------------------------------------------------------------
[2010-08-09 10:14:52] [email protected]
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2010-08-09 10:14:16] [email protected]
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=302024
Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data)
------------------------------------------------------------------------
[2010-08-03 18:11:15] [email protected]
@derick
urandom is not crypto safe (to be more precised).
@thequod
About the patch in typo3, this code is wrong. They use urandom on non windows
platform, then try alternatives on windows only.
Problem is that they first try COM (very slow), then try with mcrypt_create_iv
and overwrite COM output (regardless if it worked well or not). MCrypt also
always exists on windows with 5.3+, no need to test it (statically compiled).
The openssl code won't be used either (never reached this condition).
However even if the openssl code was used, its logic is wrong. It considers
non strong (not crypto safe) output as invalid. But urandom is not crypto safe
anyway. They should test for the openssl function in the 1st place then use
fopen('urandom') and finally mcrypt and other options. Much better/cleaner.
About your last comment, that fits in the explanation I gave earlier. Nothing
new.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=52523
--
Edit this bug report at https://bugs.php.net/bug.php?id=52523&edit=1
