On 2016/03/09 15:12, Renaud Allard wrote: > > > On 03/09/2016 03:06 PM, Stuart Henderson wrote: > >On 2016/03/09 14:54, Renaud Allard wrote: > >>Meanwhile, it has been fixed here: > >>https://github.com/paragonie/random_compat/commit/cb4b63fff6313e928556a9865ddaaf8daf0da0ec > > > >Argh - we will have to undo that when we fix mcrypt... > > > > > mcrypt will just be skipped if it's there and urandom is not usable. The > best would be to make owncloud dependent on pecl-libsodium anyway, so > neither urandom nor mcrypt would be used anyway.
The problem with a dependency on a pecl module is that you can't guarantee the user has enabled it, and if the software is doing fallback to other methods this might be invisible. We should add the dep, because that's the best option, but should keep the fallback options as good as possible. And in fact here is the code, https://github.com/paragonie/random_compat/blob/master/lib/random_bytes_mcrypt.php#L58 so it is using mcrypt_create_iv, which is not actually from ports/security/mcrypt, it's just a function in the PHP source tree. Take a look at ports/lang/php/5.6/patch-ext_mcrypt_mcrypt_c, you should be able to call it safely anyway ..
