[mcrypt_encrypt] PHP5.4 Despite producing warning error, mcrypt still produce a result for mcrypt_encrypt, phpseclib_mcrypt_encrypt does not.
evaisse opened this issue · 2 comments
evaisse commented
Despite producing warning error, mcrypt still produce a result for mcrypt_encrypt on php5.4, phpseclib_mcrypt_encrypt does not.
In short the following code does not produce the same result :
<?php
$input = ""; // empty string
$iv = str_repeat('a', mcrypt_get_iv_size(MCRYPT_3DES, MCRYPT_MODE_CBC));
$key = "someKeyThatDoesNot"; // empty
mcrypt_encrypt(MCRYPT_3DES, $key, $input, MCRYPT_MODE_CBC, $iv);
phpseclib_mcrypt_encrypt(MCRYPT_3DES, $key, $input, MCRYPT_MODE_CBC, $iv);
Results here : http://sandbox.onlinephpfunctions.com/code/931a527873bfcaca5a1837993cb180c7b6843716
terrafrost commented
Just saw this lol. I'll try to take a look at it later today.
Thanks!
terrafrost commented
Quoting https://github.com/phpseclib/mcrypt_compat/blob/master/lib/mcrypt.php#L889,
// PHP 5.6 made mcrypt_encrypt() a lot less tolerant of bad input but it neglected to change
// anything about mcrypt_generic(). and despite the changes insufficiently long plaintext
// is still accepted.