Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"

2013-01-19 Thread pajoye
Edit report at https://bugs.php.net/bug.php?id=52523&edit=1

 ID:                 52523
 Updated by:         paj...@php.net
 Reported by:        php-bugs at thequod dot de
 Summary:            mcrypt_create_iv not reliable on win: "Could not
                     gather sufficient random data"
 Status:             Closed
 Type:               Feature/Change Request
 Package:            mcrypt related
 Operating System:   win32
 PHP Version:        5.3.3
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

@mah at everybody dot org

Again, there is zero difference between the two on Windows.

If you can 100% reproduce the problem, then I really need to know your 
configuration, Windows version, PHP version, etc.

Also to test it, you can try using a simple script calling the mcrypt function 
directly instead of using mediawiki.


Previous Comments:

[2013-01-19 02:50:08] mah at everybody dot org

Just came across this while trying to install the latest MediaWiki on a host 
with PHP 5.3.5. phpinfo() reports a system string of "Windows NT A1-WHW-B69 
6.0 build 6002 (Windows Server 2008 Web Server Edition Service Pack 2) i586" 
and a build date of "Jan 5 2011 20:33:43".

Since this was on a hosted account, I didn't have the opportunity to upgrade 
PHP and I couldn't find a way to test for the bug without causing a fatal 
error.  If I had been able to do that, I would have added code to MediaWiki to 
test for the bug.

I was able to work around the bug by modifying the installer source so that 
MCRYPT_RAND was used instead of MCRYPT_DEV_URANDOM.  For a package like 
MediaWiki, though, this is less than ideal.


[2011-06-14 11:17:03] paj...@php.net

There is no difference between the two on Windows. Both call the same 
function.

How do you get the error? Which Windows version do you use?


[2011-06-14 10:28:23] s...@php.net

I'm still experiencing issues with 5.3.6. Calling the method with both  
MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the 
first should block, and the second should just return non-crypto-safe data, but 
it should return *something*, and ideally do it fast.


[2010-08-09 10:14:52] paj...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




[2010-08-09 10:14:16] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=302024
Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data)




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=52523


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=52523&edit=1


Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"

2011-06-14 Thread pajoye
Edit report at http://bugs.php.net/bug.php?id=52523&edit=1

 ID:                 52523
 Updated by:         paj...@php.net
 Reported by:        php-bugs at thequod dot de
 Summary:            mcrypt_create_iv not reliable on win: "Could not
                     gather sufficient random data"
 Status:             Closed
 Type:               Feature/Change Request
 Package:            mcrypt related
 Operating System:   win32
 PHP Version:        5.3.3
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

There is no difference between the two on Windows. Both call the same 
function.

How do you get the error? Which Windows version do you use?


Previous Comments:

[2011-06-14 10:28:23] s...@php.net

I'm still experiencing issues with 5.3.6. Calling the method with both  
MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the 
first should block, and the second should just return non-crypto-safe data, but 
it should return *something*, and ideally do it fast.


[2010-08-09 10:14:52] paj...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




[2010-08-09 10:14:16] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=302024
Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data)


[2010-08-03 18:11:15] paj...@php.net

@derick

urandom is not crypto safe (to be more precise).

@thequod

About the patch in typo3, this code is wrong. They use urandom on non-Windows 
platforms, then try alternatives on Windows only.

Problem is that they first try COM (very slow), then try with mcrypt_create_iv 
and overwrite COM output (regardless if it worked well or not). MCrypt also 
always exists on Windows with 5.3+, no need to test it (statically compiled). 
The openssl code won't be used either (never reached this condition).

However even if the openssl code was used, its logic is wrong. It considers 
non strong (not crypto safe) output as invalid. But urandom is not crypto safe 
anyway. They should test for the openssl function in the 1st place then use 
fopen('urandom') and finally mcrypt and other options. Much better/cleaner.

About your last comment, that fits in the explanation I gave earlier. Nothing 
new.


[2010-08-03 17:47:07] der...@php.net

This is a bug actually. /dev/random is supposed to wait as long as there is 
enough entropy. /dev/urandom cares less (and is a worse source of entropy). The 
behaviour on Windows needs to behave the same as on a Unix.




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

http://bugs.php.net/bug.php?id=52523


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52523&edit=1


Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"

2011-06-14 Thread seld
Edit report at http://bugs.php.net/bug.php?id=52523&edit=1

 ID:                 52523
 Updated by:         s...@php.net
 Reported by:        php-bugs at thequod dot de
 Summary:            mcrypt_create_iv not reliable on win: "Could not
                     gather sufficient random data"
 Status:             Closed
 Type:               Feature/Change Request
 Package:            mcrypt related
 Operating System:   win32
 PHP Version:        5.3.3
 Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

I'm still experiencing issues with 5.3.6. Calling the method with both  
MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the 
first should block, and the second should just return non-crypto-safe data, but 
it should return *something*, and ideally do it fast.


Previous Comments:

[2010-08-09 10:14:52] paj...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.




[2010-08-09 10:14:16] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=302024
Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data)


[2010-08-03 18:11:15] paj...@php.net

@derick

urandom is not crypto safe (to be more precise).

@thequod

About the patch in typo3, this code is wrong. They use urandom on non-Windows 
platforms, then try alternatives on Windows only.

Problem is that they first try COM (very slow), then try with mcrypt_create_iv 
and overwrite COM output (regardless if it worked well or not). MCrypt also 
always exists on Windows with 5.3+, no need to test it (statically compiled). 
The openssl code won't be used either (never reached this condition).

However even if the openssl code was used, its logic is wrong. It considers 
non strong (not crypto safe) output as invalid. But urandom is not crypto safe 
anyway. They should test for the openssl function in the 1st place then use 
fopen('urandom') and finally mcrypt and other options. Much better/cleaner.

About your last comment, that fits in the explanation I gave earlier. Nothing 
new.


[2010-08-03 17:47:07] der...@php.net

This is a bug actually. /dev/random is supposed to wait as long as there is 
enough entropy. /dev/urandom cares less (and is a worse source of entropy). The 
behaviour on Windows needs to behave the same as on a Unix.


[2010-08-03 17:07:27] php-bugs at thequod dot de

Windows:

% while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.5f\n", $e-$s);'; do true; done
0.00449
0.00454

Fatal error: mcrypt_create_iv(): Could not gather sufficient random data in 
Command line code on line 1

Linux:

# while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.2f\n", $e-$s);'; do true; done
0.00
3.51
3.56
4.03
3.58
4.06
3.71
5.12
4.19
3.41
3.87
3.91
3.74
5.09
4.26
3.71
3.78
4.41
5.48
5.09
6.50
4.14
3.58
3.83
6.02
3.74
3.87
4.68
6.92
4.52
6.01
...

Completely different machines though, of course.




The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

http://bugs.php.net/bug.php?id=52523


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52523&edit=1
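
Added example (not part of the bug report, and not code from PHP, TYPO3 or MediaWiki): a fallback chain in the order suggested in the 2010-08-03 comment, where each source is tried only if the previous one failed and a result is judged by type and length, never by its content. The names valid_bytes(), secure_bytes() and $requireStrong are hypothetical; whether to reject output that OpenSSL does not flag as strong is left to the caller.

```php
<?php
// Added example; valid_bytes(), secure_bytes() and $requireStrong are
// hypothetical names, not part of any project discussed in the report.

// Judge a candidate by strict type and length only. Random output may
// contain "\0" bytes, and the one-byte string "0" is falsy in PHP, so a
// truthiness test such as if (!$buf) rejects valid data.
function valid_bytes($buf, $len)
{
    return is_string($buf) && strlen($buf) === $len;
}

function secure_bytes($len, $requireStrong = true)
{
    // 1. OpenSSL first, when the extension is loaded.
    if (function_exists('openssl_random_pseudo_bytes')) {
        try {
            $strong = false;
            $buf = openssl_random_pseudo_bytes($len, $strong);
            if (valid_bytes($buf, $len) && ($strong || !$requireStrong)) {
                return $buf;
            }
        } catch (Exception $e) {
            // PHP 8 throws on failure; fall through to the next source.
        }
    }
    // 2. The kernel device on Unix-like systems.
    if (DIRECTORY_SEPARATOR === '/' && is_readable('/dev/urandom')) {
        $fh = fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $buf = fread($fh, $len);
            fclose($fh);
            if (valid_bytes($buf, $len)) {
                return $buf;   // earlier results are never overwritten
            }
        }
    }
    // 3. mcrypt last, where it still exists (removed from core in PHP 7.2).
    //    On the builds in this report its failure is a fatal error.
    if (function_exists('mcrypt_create_iv')) {
        $buf = mcrypt_create_iv($len, MCRYPT_DEV_URANDOM);
        if (valid_bytes($buf, $len)) {
            return $buf;
        }
    }
    throw new RuntimeException('no random source produced ' . $len . ' bytes');
}

echo bin2hex(secure_bytes(16)), "\n";
```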