Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"
Edit report at https://bugs.php.net/bug.php?id=52523&edit=1 ID: 52523 Updated by: paj...@php.net Reported by:php-bugs at thequod dot de Summary:mcrypt_create_iv not reliable on win: "Could not gather sufficient random data" Status: Closed Type: Feature/Change Request Package:mcrypt related Operating System: win32 PHP Version:5.3.3 Assigned To:pajoye Block user comment: N Private report: N New Comment: @mah at everybody dot org Again, there is zero difference between the two on Windows. If you can 100% reproduce the problem, then I really need to know your configuration, windows version, php version, etc. Also to test it, you can try using a simple script calling the mcrypt function directly instead of using mediawiki. Previous Comments: [2013-01-19 02:50:08] mah at everybody dot org Just came across this while trying to install the latest MediaWiki on a host with PHP 5.3.5 phpinfo() reports has a system string of "Windows NT A1-WHW-B69 6.0 build 6002 (Windows Server 2008 Web Server Edition Service Pack 2) i586" and a build date of "Jan 5 2011 20:33:43". Since this was on a hosted account, I didn't have the opportunity to upgrade PHP and I couldn't find a way to test for the bug without causing a fatal error. If I had been able to do that, I would have added code to MediaWiki to test for the bug. I was able to work-around the bug by modifying the installer source so that MCRYPT_RAND was used instead of MCRYPT_DEV_URANDOM. For a package like MediaWiki, though, this is less than ideal. [2011-06-14 11:17:03] paj...@php.net There is no difference between the two on Windows. Both called the same function. How do you get the error? Which windows version do you use? [2011-06-14 10:28:23] s...@php.net I'm still experiencing issues with 5.3.6. Calling the method with both MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the first should block, and the second should just return non-crypto-safe data, but it should return *something*, and ideally do it fast. [2010-08-09 10:14:52] paj...@php.net This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. [2010-08-09 10:14:16] paj...@php.net Automatic comment from SVN on behalf of pajoye Revision: http://svn.php.net/viewvc/?view=revision&revision=302024 Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data) The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=52523 -- Edit this bug report at https://bugs.php.net/bug.php?id=52523&edit=1
Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"
Edit report at http://bugs.php.net/bug.php?id=52523&edit=1 ID: 52523 Updated by: paj...@php.net Reported by:php-bugs at thequod dot de Summary:mcrypt_create_iv not reliable on win: "Could not gather sufficient random data" Status: Closed Type: Feature/Change Request Package:mcrypt related Operating System: win32 PHP Version:5.3.3 Assigned To:pajoye Block user comment: N Private report: N New Comment: There is no difference between the two on Windows. Both called the same function. How do you get the error? Which windows version do you use? Previous Comments: [2011-06-14 10:28:23] s...@php.net I'm still experiencing issues with 5.3.6. Calling the method with both MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the first should block, and the second should just return non-crypto-safe data, but it should return *something*, and ideally do it fast. [2010-08-09 10:14:52] paj...@php.net This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. [2010-08-09 10:14:16] paj...@php.net Automatic comment from SVN on behalf of pajoye Revision: http://svn.php.net/viewvc/?view=revision&revision=302024 Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data) [2010-08-03 18:11:15] paj...@php.net @derick urandom is not crypto safe (to be more precised). @thequod About the patch in typo3, this code is wrong. They use urandom on non windows platform, then try alternatives on windows only. Problem is that they first try COM (very slow), then try with mcrypt_create_iv and overwrite COM output (regardless if it worked well or not). MCrypt also always exists on windows with 5.3+, no need to test it (statically compiled). The openssl code won't be used either (never reached this condition). However even if the openssl code was used, its logic is wrong. It considers non strong (not crypto safe) output as invalid. But urandom is not crypto safe anyway. They should test for the openssl function in the 1st place then use fopen('urandom') and finally mcrypt and other options. Much better/cleaner. About your last comment, that fits in the explanation I gave earlier. Nothing new. [2010-08-03 17:47:07] der...@php.net This is a bug actually. /dev/random is supposed to wait as long as there is enough entropy. /dev/urandom cares less (and is a worse source of entropy). The behaviour on Windows needs to behave the same as on a Unix. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=52523 -- Edit this bug report at http://bugs.php.net/bug.php?id=52523&edit=1
Req #52523 [Csd]: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"
Edit report at http://bugs.php.net/bug.php?id=52523&edit=1 ID: 52523 Updated by: s...@php.net Reported by:php-bugs at thequod dot de Summary:mcrypt_create_iv not reliable on win: "Could not gather sufficient random data" Status: Closed Type: Feature/Change Request Package:mcrypt related Operating System: win32 PHP Version:5.3.3 Assigned To:pajoye Block user comment: N Private report: N New Comment: I'm still experiencing issues with 5.3.6. Calling the method with both MCRYPT_DEV_RANDOM and MCRYPT_DEV_URANDOM results in the fatal error. IMO the first should block, and the second should just return non-crypto-safe data, but it should return *something*, and ideally do it fast. Previous Comments: [2010-08-09 10:14:52] paj...@php.net This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. [2010-08-09 10:14:16] paj...@php.net Automatic comment from SVN on behalf of pajoye Revision: http://svn.php.net/viewvc/?view=revision&revision=302024 Log: - #52523, fix logic (0 is perfectly valid as part of the data, bin data) [2010-08-03 18:11:15] paj...@php.net @derick urandom is not crypto safe (to be more precised). @thequod About the patch in typo3, this code is wrong. They use urandom on non windows platform, then try alternatives on windows only. Problem is that they first try COM (very slow), then try with mcrypt_create_iv and overwrite COM output (regardless if it worked well or not). MCrypt also always exists on windows with 5.3+, no need to test it (statically compiled). The openssl code won't be used either (never reached this condition). However even if the openssl code was used, its logic is wrong. It considers non strong (not crypto safe) output as invalid. But urandom is not crypto safe anyway. They should test for the openssl function in the 1st place then use fopen('urandom') and finally mcrypt and other options. Much better/cleaner. About your last comment, that fits in the explanation I gave earlier. Nothing new. [2010-08-03 17:47:07] der...@php.net This is a bug actually. /dev/random is supposed to wait as long as there is enough entropy. /dev/urandom cares less (and is a worse source of entropy). The behaviour on Windows needs to behave the same as on a Unix. [2010-08-03 17:07:27] php-bugs at thequod dot de Windows: % while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.5f\n", $e-$s);'; do true; done 0.00449 0.00454 Fatal error: mcrypt_create_iv(): Could not gather sufficient random data in Command line code on line 1 Linux: # while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.2f\n", $e-$s);'; do true; done 0.00 3.51 3.56 4.03 3.58 4.06 3.71 5.12 4.19 3.41 3.87 3.91 3.74 5.09 4.26 3.71 3.78 4.41 5.48 5.09 6.50 4.14 3.58 3.83 6.02 3.74 3.87 4.68 6.92 4.52 6.01 ... Completely different machines though, of course. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=52523 -- Edit this bug report at http://bugs.php.net/bug.php?id=52523&edit=1