ID: 40999 Updated by: [EMAIL PROTECTED] Reported By: john dot hargrove at sellingsource dot com -Status: Closed +Status: Assigned Bug Type: mcrypt related Operating System: All PHP Version: 5.2.1 Assigned To: iliaa New Comment:
Was not committed to HEAD. Previous Comments: ------------------------------------------------------------------------ [2007-04-05 01:49:05] [EMAIL PROTECTED] This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. ------------------------------------------------------------------------ [2007-04-04 23:57:49] john dot hargrove at sellingsource dot com Description: ------------ This bug is only for mcrypt_create_iv() when passing MCRYPT_RAND as the source. I believe this is a bug that has been re-introduced to PHP at some point after 5.1.4. This bug is not in 5.1.4, but is currently in PHP 5.2.1, and it was reported previously in 5.0.X. So it seems fixed, then unfixed. mcrypt_create_iv() is making a call to php_rand_r(), but is passing an uninitialized unsigned int as the random seed. I believe it should be calling php_rand() with no argument (which would invoke the auto-seeding feature of the php function rand()), or simply rand(). In 5.1.4, it was rand(). Here is a patch: http://www.fortheloot.com/public/mcrypt.patch That should fix it. Additionally, the "expected output" below is from a version after applying the patch above. Sorry for the Wall-O-Text, just wanted to make sure this was considered legit. Reproduce code: --------------- srand((double) microtime(true) * 1000000); $module = mcrypt_module_open(MCRYPT_RIJNDAEL_128, NULL, MCRYPT_MODE_CFB, NULL); echo "iv1: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n"; echo "iv2: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n"; echo "iv3: " . bin2hex(mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_RAND)) . "\n"; Expected result: ---------------- 3 random hex strings. e.g., iv1: 3e280c689f08c1a6e7993e41040eec1b iv2: caa3b8ae0241995d36a346904b7672bf iv3: a4d25fe39436d72b96cf68efe7ceb1a5 Actual result: -------------- iv1: a67ed3dd28eb59be57bbfee36f75df52 iv2: a67ed3dd28eb59be57bbfee36f75df52 iv3: a67ed3dd28eb59be57bbfee36f75df52 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40999&edit=1