
MCrypt Woes

As part of our ever-increasing need to be secure, I started working on universalizing our encryption schemes and coming up with an easy and standard way for all of our applications to handle encryption. The main goal was to wrap mcrypt. For the most part, this worked great. A problem arose, however!

It seems the mcrypt_create_iv() function in PHP's mcrypt module has been broken for some time. Specifically, when creating an initialization vector using the MCRYPT_RAND constant (instead of, say, MCRYPT_DEV_RANDOM, etc.), it will return the same IV every time. After digging in the extension itself, I found the bug, created a patch and submitted it to the PHP bugs site here:

http://bugs.php.net/bug.php?id=40999

The bug should be fixed in the next release. In the meantime, we're using MCRYPT_DEV_URANDOM, which is similar to using /dev/random, but won't block if the system hasn't accumulated enough entropy.
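
A check for the repeated-IV symptom described above, together with the MCRYPT_DEV_URANDOM workaround. This is an added example, not code from the original post or from PHP itself. It assumes a legacy PHP CLI (5.4 to 7.1) with the mcrypt extension loaded; the function names ivs_from_fresh_processes() and new_iv() are hypothetical. Each IV is drawn in a fresh PHP process so that a source which repeats only across runs is caught as well.

```php
<?php
// Added example, not the author's code. Assumes a legacy PHP CLI (5.4 to 7.1)
// with the mcrypt extension loaded.

/**
 * Draw one IV in each of $runs fresh PHP processes and return them as hex.
 * $sourceName is the name of an mcrypt source constant, e.g. 'MCRYPT_RAND'.
 */
function ivs_from_fresh_processes($sourceName, $ivSize, $runs = 5)
{
    // Only a constant name may be spliced into the child's code.
    if (!preg_match('/^MCRYPT_[A-Z_]+$/', $sourceName)) {
        throw new InvalidArgumentException('unexpected source name');
    }
    $code = sprintf('echo bin2hex(mcrypt_create_iv(%d, %s));', $ivSize, $sourceName);
    // display_errors=0 keeps notices out of the hex output we parse.
    $cmd  = escapeshellarg(PHP_BINARY) . ' -d display_errors=0 -r ' . escapeshellarg($code);
    $ivs  = array();
    for ($i = 0; $i < $runs; $i++) {
        $hex = trim((string) shell_exec($cmd));
        if (strlen($hex) !== 2 * $ivSize) {
            throw new RuntimeException("child process returned no IV for $sourceName");
        }
        $ivs[] = $hex;
    }
    return $ivs;
}

/** Hypothetical wrapper helper: IVs always come from /dev/urandom. */
function new_iv($cipher = MCRYPT_RIJNDAEL_128, $mode = MCRYPT_MODE_CBC)
{
    return mcrypt_create_iv(mcrypt_get_iv_size($cipher, $mode), MCRYPT_DEV_URANDOM);
}

// Compare the source from the bug report with the workaround source.
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
foreach (array('MCRYPT_RAND', 'MCRYPT_DEV_URANDOM') as $name) {
    $ivs      = ivs_from_fresh_processes($name, $ivSize);
    $distinct = count(array_unique($ivs));
    printf("%-20s %d distinct IVs in %d runs%s\n", $name, $distinct, count($ivs),
        $distinct < count($ivs) ? '  <-- repeated IV' : '');
}
```

Any line flagged as a repeated IV means ciphertexts produced with that source share an IV and should be treated as needing re-encryption under a fresh one.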