Commit 57b9b409 authored by Helmut Hummel's avatar Helmut Hummel
Browse files

[BUGFIX] Always use MCRYPT_DEV_URANDOM if using mcrypt

Using MCRYPT_RAND was introduced because of a bug in PHP versions lower
than 5.3.7 on Windows in combination with IIS.

Since we require higher PHP versions in all maintained versions we can
remove this workaround and use MCRYPT_DEV_URANDOM again. By doing so we
fix a bug on Windows caused by not enough randomness.

Releases: 6.2, master
Resolves: #53034
Change-Id: Ibe74eb0277934e9300ffd9b00cc89a5f8bb008fb
Reviewed-on: http://review.typo3.org/40251


Reviewed-by: Stephan Großberndt's avatarStephan Großberndt <stephan@grossberndt.de>
Reviewed-by: Nicole Cordes's avatarNicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes's avatarNicole Cordes <typo3@cordes.co>
Reviewed-by: default avatarHelmut Hummel <helmut.hummel@typo3.org>
Tested-by: default avatarHelmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Wouter Wolters's avatarWouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters's avatarWouter Wolters <typo3@wouterwolters.nl>
parent 436461fb
......@@ -1153,13 +1153,12 @@ class GeneralUtility {
if (!isset($bytes[($bytesToReturn - 1)])) {
if (TYPO3_OS === 'WIN') {
// Openssl seems to be deadly slow on Windows, so try to use mcrypt
// Windows PHP versions have a bug when using urandom source (see #24410)
$bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_RAND);
$bytes .= self::generateRandomBytesMcrypt($bytesToGenerate);
} else {
// Try to use native PHP functions first, precedence has openssl
$bytes .= self::generateRandomBytesOpenSsl($bytesToGenerate);
if (!isset($bytes[($bytesToReturn - 1)])) {
$bytes .= self::generateRandomBytesMcrypt($bytesToGenerate, MCRYPT_DEV_URANDOM);
$bytes .= self::generateRandomBytesMcrypt($bytesToGenerate);
}
// If openssl and mcrypt failed, try /dev/urandom
if (!isset($bytes[($bytesToReturn - 1)])) {
......@@ -1195,14 +1194,13 @@ class GeneralUtility {
* Generate random bytes using mcrypt if available
*
* @param $bytesToGenerate
* @param $randomSource
* @return string
*/
static protected function generateRandomBytesMcrypt($bytesToGenerate, $randomSource) {
static protected function generateRandomBytesMcrypt($bytesToGenerate) {
if (!function_exists('mcrypt_create_iv')) {
return '';
}
return (string)(@mcrypt_create_iv($bytesToGenerate, $randomSource));
return (string)(@mcrypt_create_iv($bytesToGenerate, MCRYPT_DEV_URANDOM));
}
/**
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment