[BUGFIX] Always use MCRYPT_DEV_URANDOM if using mcrypt 51/40251/4
authorHelmut Hummel <helmut.hummel@typo3.org>
Mon, 15 Jun 2015 14:00:27 +0000 (16:00 +0200)
committerHelmut Hummel <helmut.hummel@typo3.org>
Mon, 15 Jun 2015 16:22:32 +0000 (18:22 +0200)
Using MCRYPT_RAND was introduced because of a bug in PHP versions lower
than 5.3.7 on Windows in combination with IIS.

Since we require higher PHP versions in all maintained versions we can
remove this workaround and use MCRYPT_DEV_URANDOM again. By doing so we
fix a bug on Windows caused by not enough randomness.

Releases: 6.2, master
Resolves: #53034
Change-Id: Ibe74eb0277934e9300ffd9b00cc89a5f8bb008fb
Reviewed-on: http://review.typo3.org/40251
Reviewed-by: Stephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/core/Classes/Utility/GeneralUtility.php

index 22b2fe9..c6ce084 100755 (executable)
@@ -1153,13 +1153,12 @@ class GeneralUtility {
                if (!isset($bytes[($bytesToReturn - 1)])) {
                        if (TYPO3_OS === 'WIN') {
                                // Openssl seems to be deadly slow on Windows, so try to use mcrypt
-                               // Windows PHP versions have a bug when using urandom source (see #24410)
-                               $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_RAND);
+                               $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate);
                        } else {
                                // Try to use native PHP functions first, precedence has openssl
                                $bytes .= self::generateRandomBytesOpenSsl($bytesToGenerate);
                                if (!isset($bytes[($bytesToReturn - 1)])) {
-                                       $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_DEV_URANDOM);
+                                       $bytes .= self::generateRandomBytesMcrypt($bytesToGenerate);
                                }
                                // If openssl and mcrypt failed, try /dev/urandom
                                if (!isset($bytes[($bytesToReturn - 1)])) {
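Review bot: On the Windows branch mcrypt is now the only source tried, and `generateRandomBytesMcrypt()` returns an empty string when the extension is not loaded, so `$bytes` can leave this branch still short. What fills it afterwards is outside the hunk; if that is a non-cryptographic fallback, Windows hosts without mcrypt would keep the weak-randomness problem this commit sets out to fix. I would state this at the call, e.g. `// only strong source tried on Windows; yields '' without ext/mcrypt, so the later fallback decides the quality`, and confirm that the fallback logs or fails rather than degrading silently. The enclosing loop starts and ends outside the hunk.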
@@ -1195,14 +1194,13 @@ class GeneralUtility {
         * Generate random bytes using mcrypt if available
         *
         * @param $bytesToGenerate
-        * @param $randomSource
         * @return string
         */
-       static protected function generateRandomBytesMcrypt($bytesToGenerate, $randomSource) {
+       static protected function generateRandomBytesMcrypt($bytesToGenerate) {
                if (!function_exists('mcrypt_create_iv')) {
                        return '';
                }
-               return (string)(@mcrypt_create_iv($bytesToGenerate, $randomSource));
+               return (string)(@mcrypt_create_iv($bytesToGenerate, MCRYPT_DEV_URANDOM));
        }
 
        /**
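Review bot: The docblock of `generateRandomBytesMcrypt()` no longer says which random source is used or what an empty return means, now that `$randomSource` is gone. I would type the parameter and spell out the contract: `@param int $bytesToGenerate` and `@return string Random bytes from MCRYPT_DEV_URANDOM, or '' if mcrypt is unavailable or the call fails`. Because the `@` operator and the `(string)` cast turn a failed `mcrypt_create_iv()` into an empty string with no warning, a short comment above the return should tell callers to check the length of the result, as the first hunk does with `isset($bytes[($bytesToReturn - 1)])`.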