Re: libmcrypt: abandonware?

From:
Date: Thu, 11 Dec 2014 15:38:57 +0000
Subject: Re: libmcrypt: abandonware?
References: 1 2 3 4
Groups: php.internals

On 12/11/2014 3:10 AM, Derick Rethans wrote:
> On Wed, 10 Dec 2014, Andrea Faulds wrote:
>> On 10 Dec 2014, at 06:33, Remi Collet <[email protected]> wrote:
>>> Having a dead upstream for crypto API is a critical issue :(
>>>
>>> FYI some downstream (ex RHEL) don't even provide this library.
>>> Already too many crypto libraries, and it will be a mess to provide a
>>> dead project in an Enterprise distribution. So php/mcrypt also not
>>> available.
>>>
>>> But most applications, which use it, usually have an alternative, and
>>> make it optional (ex phpMyAdmin 4.3 now even uses openssl as first
>>> choice).
>>>
>>> We probably have enough crypto API in PHP, and we probably should
>>> mark this one as deprecated / unmaintained in 5.x, and move it to
>>> PECL (7.x).
>>
>> It’s my understanding that ext/mcrypt is quite widely used. Would it
>> not be possible to update the lib to use OpenSSL or something on the
>> backend, so existing applications would not need changing?
>
> I think you're going to find this difficult, as the mcrypt
> implementations can have some odd quirks in them. As the "maintainer"
> of this extension I'd say to just drop it in PHP 7. I wouldn't even
> bother trying to make it compile for it.
>
> cheers,
> Derick

To date, there still isn't a way to access CryptGenRandom() from userland without an extension. Access to that Windows function depends on an extension to expose php_win32_get_random_bytes() to userland. mcrypt_create_iv() and openssl_random_pseudo_bytes() are the two userland functions that do that and mcrypt is compiled into the Windows builds by default. There's nothing in core for getting entropy in userland on Windows despite the fact that two extensions use a function already in the core.

If mcrypt is removed and no suitable replacement function for mcrypt_create_iv() is put in place on Windows, the user will be forced to load a library that may not even get used. This is possible because openssl_random_pseudo_bytes() does not actually depend on OpenSSL under Windows as it calls the php_win32_get_random_bytes() function instead - but the 1MB OpenSSL library will get loaded anyway.

php_win32_get_random_bytes() should be consistently accessible on Windows via an ext/standard userland function that gets random bytes of data.

Other than mcrypt_create_iv(), I don't care about the rest of mcrypt.

--
Thomas Hruska
CubicleSoft President

I've got great, time saving software that you will find useful.

http://cubiclesoft.com/
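
The message above names the two extension functions that reach the operating system's random source from userland. The following is an added example, not code from the message or from the PHP project: a wrapper that tries each source in turn and fails closed instead of falling back to a non-cryptographic generator. The helper name `csprng_bytes()` is hypothetical, and `random_bytes()` is a PHP 7 core function that postdates this message.

```php
<?php
// Added illustration; csprng_bytes() is a hypothetical helper name.
function csprng_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive integer');
    }

    // PHP 7+: core function, no extension has to be loaded.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }

    // PHP 5.x with ext/mcrypt: one of the two userland functions the
    // message names. MCRYPT_DEV_URANDOM asks for the non-blocking OS source.
    if (function_exists('mcrypt_create_iv')) {
        $bytes = @mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if (is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // PHP 5.x with ext/openssl: the other function the message names.
    // Accept the output only when the strong flag comes back true.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($strong === true && is_string($bytes) && strlen($bytes) === $length) {
            return $bytes;
        }
    }

    // Fail closed: never substitute rand(), mt_rand() or uniqid().
    throw new RuntimeException('no cryptographically secure random source available');
}

// Usage: a 128-bit token, hex-encoded for transport.
$token = bin2hex(csprng_bytes(16));
echo strlen($token), " hex characters\n";
```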
