PHP 8.4 and pecl_mcrypt: mcrypt.so: Undefined symbol "php_rand"

R

richardtoohey2

EDIT: Looks like I could have saved myself some time & typing: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290932

Looks like PHP 8.4 does not like pecl_mcrypt 1.0.7.

This is both ports and binary packages, so PHP 8.4.13 (quarterly packages) and PHP 8.4.15 (ports) on FreeBSD 13.5 and 14.3.

One line of code is enough to trigger the error:

Code: 
$iv=mcrypt_create_iv(32,MCRYPT_RAND);

Code: 
ld-elf.so.1: /usr/local/lib/php/20240924/mcrypt.so: Undefined symbol "php_rand"

The ports version is 1.0.7 and there's a specific 1.0.9 version that is PHP 8.4 compatible:

PECL :: Package :: mcrypt 1.0.9

pecl.php.net pecl.php.net

The comment for the new version: "Make changes to how the extension uses random, to make it work with PHP 8.4 (and PHP 8.5)."

1.0.9 has the FreeBSD patch file in it, so that patch file can be removed.

To fix (I've just checked I can stop the error message appearing so far; I'll do a bit more testing for my use case):

In /usr/ports/security/pecl-mcrypt change Makefile to 1.0.9:

Code: 
PORTVERSION= 1.0.9

Then:

Code: 
# make makesum
# rm files/patch-php84
# make install

Is anyone else seeing this? Is the suggested set of changes "good"? And yes, I know I need to move this legacy code to openssl or libsodium (current workaround is phpseclib).
 
…as I never came across mcrypt_create_iv() I thought "well, let's read what it does". And now I'm a little bit confused as the documentation says this command is removed since PHP 7.2 (and suggests to use random_bytes() instead). Also the PECL link you provided says "unmaintained libmcrypt", and leads me to the deprecation notice ("Homepage" link).

So, if it is your PHP code I would simply fix it; If it is code from somewhere else contact the upstream. In any case it is not PHP 8.4 ready.
 
jmos said:
…as I never came across mcrypt_create_iv() I thought "well, let's read what it does". And now I'm a little bit confused as the documentation says this command is removed since PHP 7.2 (and suggests to use random_bytes() instead). Also the PECL link you provided says "unmaintained libmcrypt", and leads me to the deprecation notice ("Homepage" link).

So, if it is your PHP code I would simply fix it; If it is code from somewhere else contact the upstream. In any case it is not PHP 8.4 ready.
Click to expand...
After posting I found the exact issue & patch already reported (not sure how I missed it) - I edited my post but put the edit at the top so that probably wasn't very useful.

mcrypt was removed in PHP 7.2 but moved to a pecl component instead; that works fine with 8.2 (and probably 8.3) but it needs the newer pecl-mcrypt-1.0.9 to work with PHP 8.4.

I've band-aided with phpseclib for now, but will have to move to openssl or libsodium as a long-term fix.

I left my thread here is case of any use to any one else who hits the problem.
 
You must log in or register to reply here.
Back
Top