Deprecated warnings on PHP 7.1

[shadowhand]

When running RandomLib 1.2.0 under PHP 7.1, the following warning appears:

Function mcrypt_module_open() is deprecated

https://wiki.php.net/rfc/mcrypt-viking-funeral

[byrnedo]

Hi, Any idea when this will be fixed?

[shadowhand]

Sounds like never, since random_bytes effectively replaces it.

[byrnedo]

Sorry, how do you mean?

Edit: Ah ok, you mean effectively replaces this lib in 7+?

[shadowhand]

It doesn't generate as much variation, but this works equally well:

$length = 32;
$random = substr(bin2hex(random_bytes($length)), 0, $length);

[it-can]

Please fix this...

[abada]

Please fix it !

[romeritoCL]

+1

[JanisGruzis]

+1

[codeator]

+1

[wernersbacher]

+1

[spidgorny]

I was also stuck with this and had to make it working ASAP. I'm no-way a security specialist - I only have a vague idea of what I'm doing. Improvements are welcome.

OpenSSLMixer.php

[mosiyash]

+1

[Tjab]

Somehow, my error_reporting is set to -1, even though my php.ini shows E_ALL & ~E_DEPRECATED. Might be the issue for other people who can't continue with this...

[ramsey]

In PHP 7.2, the mcrypt library will be removed from core completely. There is a PECL extension for mcrypt, but you cannot install it on PHP 7.1, so you're left with a deprecation warning until 7.2.

We should update this lib to check for the extension and only provide mcrypt if the extension is present.

[ramsey]

I've just opened this request on bugs.php.net to ask that pecl/mcrypt be installable on PHP 7.1. https://bugs.php.net/bug.php?id=74375

[vlyagusha]

Another one warning "Function mcrypt_enc_get_iv_size() is deprecated" in AbstractMcryptMixer.php at line 77

[techi602]

+1

[levelfivehub]

+1000000000

[techi602]

I had to abandon this library and use openssl_random_pseudo_bytes

[SamuelMoraesF]

+1

[jazithedev]

+1

[paragonie-scott]

@techi602 Might not be a good idea. ramsey/uuid#80

See https://packagist.org/packages/paragonie/random_compat instead.

[pavarnos]

If we change https://github.com/ircmaxell/RandomLib/blob/master/lib/RandomLib/AbstractMcryptMixer.php#L67 to

return version_compare(PHP_VERSION, '7.1') < 0 && extension_loaded('mcrypt');

would that fix it?

[tarlepp]

Any progress with this one ?

[the94air]

A lot of people are using this package. It is so sad that it is not working any more.

[paragonie-scott]

I'm debating forking it. It's been nigh impossible to get any feedback from Anthony for... going on a year now... from any venue or channel.

[the94air]

I found an alternative here https://github.com/antonioribeiro/random. He is using random_bytes() and random_int()

[tarlepp]

@ircmaxell any updates with this ?

[paragonie-scott]

In the off-chance that it takes months or years before we hear back from @ircmaxell, I've gone ahead with a fork of this library.

https://github.com/paragonie/RandomLib

It solves this issue, by not loading mcrypt at all on PHP 7.1 and higher. Instead, the kernel's CSPRNG is preferred.

[ramsey]

I have commit/merge access on this library, and I’ll be happy to review and merge in any PR to address this that doesn’t break BC.

[paragonie-scott]

@ramsey I may, after I get my fork stable, send a PR from a branch that undoes the BC breaks to review.

[Lauriy]

composer require paragonie/random-lib

"replace": { "ircmaxell/random-lib":"*" },