View Issue Details

ID: 0022708
Project: mantisbt
Category: code cleanup
View Status: public
Last Update: 2017-04-11 06:46
Reporter: atrol
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0022708: Remove usage of deprecated function mcrypt_create_iv
Description

Remove usage of deprecated function mcrypt_create_iv

mcrypt_create_iv is deprecated in PHP 7.1 [1]
We use it in function crypto_generate_random_string

Warnings are generated, depending on operating system and setting error_reporting.

e.g. it seems that our first choice to use openssl_random_pseudo_bytes is typically not available on Windows [2]

[1] http://php.net/manual/en/function.mcrypt-create-iv.php
[2] https://www.mantisbt.org/forums/viewtopic.php?f=3&t=24586

Tags: No tags attached.

Activities

dregad

2017-04-11 06:46

developer   ~0056493

I did some quick research on this, and it appears that the use of openssl_random_pseudo_bytes() for crypto purposes is no longer recommended [1][2], and it's also worth mentioning that there's been a security issue with this function [3] (fixed in 5.6.12, 5.5.28, 5.4.44).

I would suggest that we change crypto_generate_random_string() to

We could also decide to bundle https://github.com/paragonie/random_compat for older PHP versions; this way we could further simplify the code in crypto_generate_random_string().
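
An added example, not part of the comment above and not MantisBT's own code: a generator that relies only on random_bytes(), which is native from PHP 7.0 and is supplied by random_compat on older versions, and that raises an error instead of falling back to a weaker source. The function names example_generate_random_bytes() and example_generate_token() are hypothetical.

```php
<?php
// Added illustration, not MantisBT code; function names are hypothetical.
// Assumes PHP >= 7.0, or an older PHP with paragonie/random_compat loaded,
// so that random_bytes() is defined.

/**
 * Return $p_bytes bytes from the system CSPRNG, or throw.
 * There is deliberately no fallback to mcrypt_create_iv(),
 * openssl_random_pseudo_bytes(), mt_rand() or uniqid(): a predictable
 * token is worse than a visible failure.
 */
function example_generate_random_bytes( $p_bytes ) {
	if( !is_int( $p_bytes ) || $p_bytes < 1 ) {
		throw new InvalidArgumentException( 'Byte count must be a positive integer' );
	}
	if( !function_exists( 'random_bytes' ) ) {
		throw new RuntimeException( 'random_bytes() unavailable: load random_compat on PHP < 7.0' );
	}
	// random_bytes() itself throws an Exception when no suitable
	// randomness source can be found, so failures are never silent.
	return random_bytes( $p_bytes );
}

/**
 * Encode the random bytes as a URL-safe token (base64url, no padding),
 * suitable for values such as form or password-reset tokens.
 */
function example_generate_token( $p_bytes = 32 ) {
	$t_raw = example_generate_random_bytes( $p_bytes );
	return rtrim( strtr( base64_encode( $t_raw ), '+/', '-_' ), '=' );
}

try {
	echo example_generate_token( 32 ), PHP_EOL;
} catch( Exception $e ) {
	// Fail closed: log the reason and stop rather than issue a weak token.
	error_log( 'Token generation failed: ' . $e->getMessage() );
	exit( 1 );
}
```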