Red Hat Bugzilla – Bug 1260315
Wrong warning by PHP openssl_encrypt() for missing IV even IV is not required
Last modified: 2016-05-31 21:45:52 EDT
Description of problem: When running e.g. phpMyAdmin 4.4.14 on RHEL 6 this causes a warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended This however is not a bug in phpMyAdmin, but in PHP 5.3.3 as shipped by RHEL 6 and is already fixed at upstream. Finally, something like openssl_encrypt(str_repeat('.', 16), 'aes-256-ecb', str_repeat('a', 32), true); causes the warning while ECB mode doesn't make use of an IV. Note: This requires phpMyAdmin 4.4.x as shipped by upstream, not the EPEL package (which is 4.0.x due to the old MySQL version in RHEL 6). And this also requires a MariaDB (either via SCL or remote). Version-Release number of selected component (if applicable): php-5.3.3-46.el6_6 How reproducible: Everytime, see above and below. Actual results: Wrong warning of openssl_encrypt() for missing IV even IV is not required. Expected results: No warning. Additional info: - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613815 - http://git.php.net/?p=php-src.git;a=commitdiff;h=412d15168192fdd3afafca5cff034bb5b451942f - http://git.php.net/?p=php-src.git;a=commit;h=a4252ab2be8a0231477396fd475397b23a089d0e
Cross-filed case/ticket 01503945 on the Red Hat customer portal.
Low risk patch (same code still used in latest versions) Nice to have especially as we encourage the use of openssl extension for encryption (instead of dead mcrypt). php-phpseclib test suite is a good reproducer.
Both reproducer from description and phpseclib test suite ok with linked patch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0842.html