won't return data when no IV was specified under RC4.

Bug #70625 mcrypt_encrypt() : won't return data when no IV was specified under RC4.
Submitted: 2015-10-02 19:14 UTC Modified: 2015-10-02 20:29 UTC
From: jparedes at gmail dot com Assigned:
Status: Closed Package: mcrypt related
PHP Version: 5.6 OS: Linux
Private report: No CVE-ID: None

 [2015-10-02 19:14 UTC] jparedes at gmail dot com

Description:
------------
Ommiting $iv in mcrypt_encrypt() under MCRYPT_ARCFOUR cipher returns false. But when "null" parameter is specified it work as expected.



Test script:
---------------
<?php

//This works php<7.0 only 
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM);
var_dump($enc_value);


//This work tested under 7.0RC4
$enc_value = mcrypt_encrypt(MCRYPT_ARCFOUR,'secretkey','payload',MCRYPT_MODE_STREAM,null);
var_dump($enc_value);


Expected result:
----------------
The result of $enc_value should be the result of the encryption.

Actual result:
--------------
Function returns false.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2015-10-02 20:12 UTC] nikic@php.net

-PHP Version: 7.0.0RC4 +PHP Version: 5.6

 [2015-10-02 20:12 UTC] nikic@php.net

This is due to the additional IV validation in PHP 5.6: https://3v4l.org/af8oG

Probably some special handling for stream ciphers is missing.

 [2015-10-02 20:13 UTC] jparedes at gmail dot com

-PHP Version: 5.6 +PHP Version: 7.0.0RC4

 [2015-10-02 20:17 UTC] jparedes at gmail dot com

-PHP Version: 7.0.0RC4 +PHP Version: 5.6

 [2015-10-02 20:17 UTC] jparedes at gmail dot com

unintentionally changed affected php version while editing in parallel. Reverting.

 [2015-10-02 20:29 UTC] nikic@php.net

The issue here is that mcrypt_enc_mode_has_iv() reports on a property of the mode only, and reports the stream cipher mode to have an IV, regardless of used cipher. mcrypt_enc_get_iv_size() returns a property of the cipher, in this case 0, which seems to be the signal for "doesn't actually need an IV, even if mode_has_iv() says so". So we should add an additional check for 0 expected IV size.

 [2015-10-03 08:15 UTC] nikic@php.net

-Status: Open +Status: Closed