PHP RFC: Remove MCRYPT_RAND (Formerly: Deprecate MCRYPT_RAND)

• Version: 0.2
• Date: 2014-07-08
• Author: Scott Arciszewski, scott@arciszewski.me
• Status: Obsoleted by mcrypt-viking-funeral
• First Published at: http://wiki.php.net/rfc/deprecate_mcrypt_rand

MCRYPT_RAND should removed from PHP 7.0 so that developers are discouraged from using it in production systems or in frameworks used by other developers. MCRYPT_RAND is a constant that instructs mcrypt_create_iv() to use a non-cryptographically-secure entropy source. While IVs do not have the same secrecy requirements as a private key, they should be unpredictable. Using MCRYPT_RAND is therefore unsuitable for cryptographic applications.

The following changes should be made:

• MCRYPT_RAND should be removed as of PHP 7.0.
• With MCRYPT_RAND gone, mcrypt_create_iv() should transparently fall back to the default (currently MCRYPT_DEV_URANDOM)

The MCRYPT_RAND constant will be removed, and support for it will also be removed.

This proposal should be considered for the PHP 7.0.

Include these so readers know where you are heading and can discuss the proposed voting options.

State whether this project requires a 2/3 or 50%+1 majority (see voting)

The patch (and a relevant discussion) is already on GitHub

• https://github.com/php/php-src/pull/889 - Patch by sarciszewski
• https://github.com/php/php-src/pull/579 - Original patch by yohgaki + discussion