2

The PHP documentation for openssl_random_pseudo_bytes says:

Return Values

Returns the generated string of bytes on success, or false on failure.

What would cause openssl_random_pseudo_bytes to fail? Can this be manually triggered for testing purposes? I tried disabling the entire openssl PHP extension, but as expected that raised an error due to the function not being found.

CJ Dennis

1 Answer

0

When PHP cannot quantify the integer in a manner that will encrypt the integer, it will, in fact, return false. It goes without saying that it is ASSUMED PHP uses whole numbers for this function. However, it appears they left room for non-whole numbers (less than 1) and negative integers, just in case.

For example:

<?php

echo test_rando(80);   // Passes
echo test_rando(80.1); // Passes
echo test_rando(.9);   // Fails
echo test_rando(-1);   // Fails

function test_rando($rando_in){
    // The answer relies on a false return value to signal failure
    $rando = openssl_random_pseudo_bytes($rando_in);

    if ($rando === false){
        return "\n\n$rando_in | WAS FALSE\n\n";
    }else{
        return "\n\n$rando_in | $rando\n\n";
    }
}

Output:

80 | ghg'O8I*%&E(Et(wX"vUH$0
t|5|衖y䰆rW+;

80.1 |  &iGkb s`+[byaqvgөrTE݁ᨈ\Ukfb'

0.9 | WAS FALSE

-1 | WAS FALSE

Version of PHP

PHP 8.0.10 (cli) (built: Aug 26 2021 15:50:07) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.10, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.10, Copyright (c), by Zend Technologies

--

PHP 7.0.33-0ubuntu0.16.04.16 (cli) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.33-0ubuntu0.16.04.16, Copyright (c) 1999-2017, by Zend Technologies

Because PHP was not able to quantify .9 or -1 (anything less than 1), even though IT IS an integer, it will fail. Although this isn't expressly denoted in the documentation, one can assume this prevents fatal errors (division by zero and such) and presents error handling possibility for anyone who might be doing arithmetic on said integer before it's passed through the openssl_random_pseudo_bytes function.

Zak
  • For `openssl_random_pseudo_bytes(-42)` I get `Fatal error: Uncaught Error: Length must be greater than 0`, so it crashes and still doesn't return `false`. – CJ Dennis Oct 06 '21 at 23:14
  • I'm using PHP 7.4.24 and I can't get any of your examples to return `false`. They either pass (return a string of the correct length) or crash. – CJ Dennis Oct 06 '21 at 23:17
  • Strange! I am running it on 8.0.10 and it works .. I can also verify on another server (7.0) that it works as well. I do not have access to 7.4 – Zak Oct 06 '21 at 23:27
  • What are your error settings like? Mine are very strict (`E_ALL`). – CJ Dennis Oct 07 '21 at 01:37
  • Ever since PHP 7.4.0 (which includes [this commit](https://github.com/php/php-src/commit/74c0e580efa8feb282d0da9c830c6bd01b08b45e)), `openssl_random_pseudo_bytes` will not return `false` on failure, but will throw an exception. This should be the same regardless of the error reporting level, so for testing you can just provide a value less than 0 (for example) and assert that it fails as expected (return `false` before 7.4.0 and throw exception from 7.4.0). – msbit Oct 07 '21 at 13:05
  • @msbit Thanks for that! I can confirm that on PHP 7.3 a negative number does indeed return false, whereas on PHP 7.4 it throws an exception instead. Does this mean the PHP documentation needs to be updated to reflect this change? – CJ Dennis Oct 07 '21 at 22:49
  • I would say yes. Documentation is at https://github.com/php/doc-en/blob/master/reference/openssl/functions/openssl-random-pseudo-bytes.xml, be the change you wish to see in the world ✌️ – msbit Oct 09 '21 at 05:26
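An added example (not from the question, the answer or its comments) of a wrapper that normalises the two failure behaviours established above, a `false` return before PHP 7.4.0 and a thrown exception from 7.4.0 onwards, into a single `RuntimeException`. The function name `secure_random_bytes` and the sample lengths are my own choices.

```php
<?php
declare(strict_types=1);

/**
 * Request $length random bytes from openssl_random_pseudo_bytes() and report
 * failure the same way on every PHP version:
 *   - PHP < 7.4.0:  the function returns false on failure.
 *   - PHP >= 7.4.0: the function throws (an Error for an invalid length,
 *                   an Exception if strong random bytes are unavailable).
 * No length pre-check is done here on purpose, so that the version-dependent
 * reaction to a length below 1 is visible in the harness below.
 */
function secure_random_bytes(int $length): string
{
    $strong = false;
    try {
        $bytes = openssl_random_pseudo_bytes($length, $strong);
    } catch (Throwable $e) {
        // PHP >= 7.4 path: wrap whatever was thrown in one exception type
        throw new RuntimeException('CSPRNG failure: ' . $e->getMessage(), 0, $e);
    }

    // PHP < 7.4 path: failure is signalled by the return value, not thrown
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('openssl_random_pseudo_bytes() did not return strong random bytes');
    }

    // Never trust the length implicitly; a short buffer would weaken any key or token built from it
    if (strlen($bytes) !== $length) {
        throw new RuntimeException('Unexpected byte count from CSPRNG');
    }

    return $bytes;
}

// Harness: 80 succeeds everywhere; 0 and -1 fail, as false (old) or as an exception (7.4+),
// and both paths surface as the same RuntimeException.
foreach ([80, 0, -1] as $len) {
    try {
        $out = secure_random_bytes($len);
        echo "$len | ok, " . strlen($out) . " bytes, hex prefix " . bin2hex(substr($out, 0, 4)) . "\n";
    } catch (RuntimeException $e) {
        echo "$len | " . $e->getMessage() . "\n";
    }
}
```

Running it under the 7.3 and 7.4 builds mentioned in the comments shows the same two failure lines for 0 and -1, which is the portable assertion the question was asking for.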