Edit report at http://bugs.php.net/bug.php?id=52523&edit=1
ID: 52523
Updated by: paj...@php.net
Reported by: php-bugs at thequod dot de
Summary: mcrypt_create_iv not reliable on win: "Could not gather sufficient random data"
Status: Assigned
Type: Feature/Change Request
Package: mcrypt related
Operating System: win32
PHP Version: 5.3.3
Assigned To: pajoye
Block user comment: N

New Comment:

@derick urandom is not crypto safe (to be more precise).

@thequod About the patch in Typo3, this code is wrong. They use urandom on non-Windows platforms, then try alternatives on Windows only. The problem is that they first try COM (very slow), then try mcrypt_create_iv and overwrite the COM output (regardless of whether it worked well or not). MCrypt also always exists on Windows with 5.3+, so there is no need to test for it (it is statically compiled). The openssl code won't be used either (that condition is never reached). However, even if the openssl code were used, its logic is wrong: it considers non-strong (not crypto safe) output as invalid, but urandom is not crypto safe anyway. They should test for the openssl function in the first place, then use fopen('urandom'), and finally mcrypt and other options. Much better/cleaner.

About your last comment, that fits in the explanation I gave earlier. Nothing new.

Previous Comments:
------------------------------------------------------------------------
[2010-08-03 17:47:07] der...@php.net

This is a bug actually. /dev/random is supposed to wait as long as there is enough entropy. /dev/urandom cares less (and is a worse source of entropy). The behaviour on Windows needs to be the same as on Unix.
------------------------------------------------------------------------
[2010-08-03 17:07:27] php-bugs at thequod dot de

Windows:

    % while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.5f\n", $e-$s);'; do true; done
    0.00449
    0.00454
    Fatal error: mcrypt_create_iv(): Could not gather sufficient random data in Command line code on line 1

Linux:

    # while php -r '$s = microtime(true); if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1); $e = microtime(true); printf("%.2f\n", $e-$s);'; do true; done
    0.00
    3.51
    3.56
    4.03
    3.58
    4.06
    3.71
    5.12
    4.19
    3.41
    3.87
    3.91
    3.74
    5.09
    4.26
    3.71
    3.78
    4.41
    5.48
    5.09
    6.50
    4.14
    3.58
    3.83
    6.02
    3.74
    3.87
    4.68
    6.92
    4.52
    6.01
    ...

Completely different machines though, of course.
------------------------------------------------------------------------
[2010-08-03 16:59:06] php-bugs at thequod dot de

JFI: it gets used in Typo3 to get random data (via generateRandomBytes). Added in http://github.com/typo3/typo3v4core/commit/00ce0fe45aa46b62e8aa499912c9e36483185737

Also, it appears to be blocking (at least for longer) on Linux; it takes up to a few seconds for each call, but appears to fail instantly on Windows. (Not sure though.)
------------------------------------------------------------------------
[2010-08-03 16:16:18] paj...@php.net

Yes, it can, but it is very unlikely. The only case where it fails on the first iteration is when I run such loops in parallel. Hard to fix, and I am not sure it is worth the effort. One argued once about high-traffic sites, but in that exact case the system activity provides enough RNG data (unlike your example).

Changing to a feature request and we will see what can be done (as the timeout request is not Windows specific).
------------------------------------------------------------------------
[2010-08-03 16:05:11] php-bugs at thequod dot de

Yes, I expect it to be blocking, at least for a certain amount of time (why not for the maximum execution time?).

While the endless loop is unrealistic of course, it's only meant for demonstration; it may fail with the first call already, according to the following (cygwin code):

    while php -r "if( mcrypt_create_iv(16, MCRYPT_DEV_RANDOM) === false ) exit(1);"; do :; done

------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=52523
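The source ordering pajoye recommends in the new comment above (openssl first, then /dev/urandom, then mcrypt), written out as an added example. This is not code from the bug report, from PHP, or from Typo3's generateRandomBytes; the function name getRandomBytes is my own. It assumes a PHP 5.3-era build where openssl_random_pseudo_bytes(), fopen() on /dev/urandom and mcrypt_create_iv() may or may not be available, and it makes two choices of its own: output that OpenSSL does not flag as strong is skipped in favour of the next source rather than rejected outright, and mcrypt is called with MCRYPT_DEV_URANDOM so that the call neither blocks on Linux nor hits the "Could not gather sufficient random data" failure shown for MCRYPT_DEV_RANDOM on Windows. On PHP 7 and later, random_bytes() covers all of this and is used first.

```php
<?php
/**
 * Added example (hypothetical helper, not part of PHP or Typo3):
 * return $length cryptographically usable random bytes, trying sources in
 * the order recommended in the comment above: openssl, then /dev/urandom,
 * then mcrypt. Throws if no acceptable source is available.
 */
function getRandomBytes($length)
{
    $length = (int) $length;
    if ($length < 1) {
        throw new InvalidArgumentException('length must be >= 1');
    }

    // PHP 7+: the CSPRNG wrapper that the rest of this chain approximates.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // 1. OpenSSL. Accept the output only when OpenSSL reports it as
    //    cryptographically strong; otherwise fall through to the next
    //    source instead of failing outright.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes  = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && $bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // 2. /dev/urandom on Unix-like systems. Non-blocking; read in a loop
    //    because a single fread() may return fewer bytes than requested,
    //    and verify the final length before trusting the result.
    if (@is_readable('/dev/urandom')) {
        $fh = @fopen('/dev/urandom', 'rb');
        if ($fh !== false) {
            $bytes = '';
            while (strlen($bytes) < $length) {
                $chunk = fread($fh, $length - strlen($bytes));
                if ($chunk === false || $chunk === '') {
                    break;
                }
                $bytes .= $chunk;
            }
            fclose($fh);
            if (strlen($bytes) === $length) {
                return $bytes;
            }
        }
    }

    // 3. mcrypt, last because on PHP 5.3 its "Could not gather sufficient
    //    random data" condition is raised as a fatal error that cannot be
    //    caught. MCRYPT_DEV_URANDOM (not MCRYPT_DEV_RANDOM) avoids the
    //    blocking path that triggers it, as seen in the loops above.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // No acceptable source: fail loudly rather than returning weak data.
    throw new RuntimeException('No cryptographically secure random source available');
}

// Usage: 16 bytes, e.g. for an IV, shown as hex.
echo bin2hex(getRandomBytes(16)), "\n";
```

Every source is length-checked before it is returned, so a short read or a false return falls through to the next source instead of silently producing a truncated IV; the final exception is deliberate, since a caller that needs an IV or a token has no safe way to proceed without random data.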