phpseclib/mcrypt_compat

[mcrypt_encrypt] PHP5.4 Despite producing a warning error, mcrypt still produces a result for mcrypt_encrypt; phpseclib_mcrypt_encrypt does not.

evaisse opened this issue · 2 comments

Despite producing a warning error, mcrypt still produces a result for mcrypt_encrypt on PHP 5.4; phpseclib_mcrypt_encrypt does not.

In short, the following code does not produce the same result:

<?php
$input = ""; // empty string
$iv = str_repeat('a', mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_CBC));
$key = "someKeyThatDoesNot"; // 18 bytes, shorter than the 24-byte 3DES key size
mcrypt_encrypt(MCRYPT_3DES, $key, $input, MCRYPT_MODE_CBC, $iv);
phpseclib_mcrypt_encrypt(MCRYPT_3DES, $key, $input, MCRYPT_MODE_CBC, $iv);

Results here: http://sandbox.onlinephpfunctions.com/code/931a527873bfcaca5a1837993cb180c7b6843716

Just saw this lol. I'll try to take a look at it later today.

Thanks!

Quoting https://github.com/phpseclib/mcrypt_compat/blob/master/lib/mcrypt.php#L889,

// PHP 5.6 made mcrypt_encrypt() a lot less tolerant of bad input but it neglected to change
// anything about mcrypt_generic(). and despite the changes insufficiently long plaintext
// is still accepted.
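
The tolerance discussed in this thread, as an added example that is not code from the issue or from phpseclib: it emulates, with ext/openssl, the NUL-padding of short keys and short plaintext that the PHP manual documents for pre-5.6 mcrypt_encrypt(), next to a strict variant that rejects the same input. The function names are hypothetical, and treating empty plaintext as one zero block is an assumption about the legacy behaviour.

```php
<?php
// Added example (PHP 7+, ext/openssl). Function names are hypothetical.
const BLOCK  = 8;   // 3DES block size in bytes
const KEYLEN = 24;  // 3DES key size in bytes

// Lenient path: normalise input the way legacy mcrypt is documented to.
function legacy_3des_cbc_encrypt(string $key, string $data, string $iv): string
{
    if (strlen($key) > KEYLEN || strlen($iv) !== BLOCK) {
        throw new InvalidArgumentException('key too long or IV not one block');
    }
    // Short keys are right-padded with NUL bytes, so part of the effective
    // key is known to anyone who knows the original key length.
    $key = str_pad($key, KEYLEN, "\0");
    // Plaintext is NUL-padded to a whole number of blocks.
    // Assumption: empty input still yields one all-zero block.
    $blocks = max(1, intdiv(strlen($data) + BLOCK - 1, BLOCK));
    $data   = str_pad($data, $blocks * BLOCK, "\0");

    $ct = openssl_encrypt($data, 'des-ede3-cbc', $key,
                          OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $ct;
}

// Strict path: refuse anything that would need silent padding of the key.
function strict_3des_cbc_encrypt(string $key, string $data, string $iv): string
{
    if (strlen($key) !== KEYLEN) {
        throw new InvalidArgumentException('3DES key must be exactly 24 bytes');
    }
    return legacy_3des_cbc_encrypt($key, $data, $iv);
}

$key = 'someKeyThatDoesNot';        // 18-byte key from the report
$iv  = str_repeat('a', BLOCK);      // same IV construction as the report

$ct = legacy_3des_cbc_encrypt($key, '', $iv);
printf("lenient: %d bytes, %s\n", strlen($ct), bin2hex($ct));

try {
    strict_3des_cbc_encrypt($key, '', $iv);
} catch (InvalidArgumentException $e) {
    printf("strict: rejected (%s)\n", $e->getMessage());
}
```

Comparing the lenient output against the result of a real pre-5.6 mcrypt build is a quick way to confirm whether data encrypted by an old deployment depended on this silent padding before migrating it.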