Reimplement \SimpleSAML\Utils\Crypto::aesDecrypt() and...

Reimplement \SimpleSAML\Utils\Crypto::aesDecrypt() and \SimpleSAML\Utils\Crypto::aesEncrypt() to use openssl instead of mcrypt. This removes the direct dependency on mcrypt and closes #228.

lib/SimpleSAML/Utils/Crypto.php

@@ -11,14 +11,14 @@ class Crypto
 {
 
     /**
-     * Decrypt data using AES and the system-wide secret salt as key.
+     * Decrypt data using AES-256-CBC and the key provided as a parameter.
      *
-     * @param string $ciphertext The encrypted data to decrypt.
+     * @param string $ciphertext The IV and the encrypted data, concatenated.
      * @param string $secret The secret to use to decrypt the data.
      *
      * @return string The decrypted data.
      * @htorws \InvalidArgumentException If $ciphertext is not a string.
-     * @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded.
+     * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
      *
      * @see \SimpleSAML\Utils\Crypto::aesDecrypt()
      */
@@ -27,40 +27,29 @@ class Crypto
         if (!is_string($ciphertext)) {
             throw new \InvalidArgumentException('Input parameter "$ciphertext" must be a string.');
         }
-        if (!function_exists("mcrypt_encrypt")) {
-            throw new \SimpleSAML_Error_Exception("The mcrypt PHP module is not loaded.");
+        if (!function_exists("openssl_decrypt")) {
+            throw new \SimpleSAML_Error_Exception("The openssl PHP module is not loaded.");
         }
 
-        $enc = MCRYPT_RIJNDAEL_256;
-        $mode = MCRYPT_MODE_CBC;
+        $raw    = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
+        $key    = openssl_digest($secret, 'sha256');
+        $method = 'AES-256-CBC';
+        $ivSize = 16;
+        $iv     = substr($ciphertext, 0, $ivSize);
+        $data   = substr($ciphertext, $ivSize);
 
-        $ivSize = mcrypt_get_iv_size($enc, $mode);
-        $keySize = mcrypt_get_key_size($enc, $mode);
-
-        $key = hash('sha256', $secret, true);
-        $key = substr($key, 0, $keySize);
-
-        $iv = substr($ciphertext, 0, $ivSize);
-        $data = substr($ciphertext, $ivSize);
-
-        $clear = mcrypt_decrypt($enc, $key, $data, $mode, $iv);
-
-        $len = strlen($clear);
-        $numpad = ord($clear[$len - 1]);
-        $clear = substr($clear, 0, $len - $numpad);
-
-        return $clear;
+        return openssl_decrypt($data, $method, $key, $raw, $iv);
     }
 
 
     /**
-     * Decrypt data using AES and the system-wide secret salt as key.
+     * Decrypt data using AES-256-CBC and the system-wide secret salt as key.
      *
-     * @param string $ciphertext The encrypted data to decrypt.
+     * @param string $ciphertext The IV used and the encrypted data, concatenated.
      *
      * @return string The decrypted data.
      * @htorws \InvalidArgumentException If $ciphertext is not a string.
-     * @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded.
+     * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
      *
      * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
      * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
@@ -72,12 +61,14 @@ class Crypto
 
 
     /**
+     * Encrypt data using AES-256-CBC and the key provided as a parameter.
+     *
      * @param string $data The data to encrypt.
      * @param string $secret The secret to use to encrypt the data.
      *
-     * @return string The encrypted data and IV.
+     * @return string The IV and encrypted data concatenated.
      * @throws \InvalidArgumentException If $data is not a string.
-     * @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded.
+     * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
      *
      * @see \SimpleSAML\Utils\Crypto::aesEncrypt()
      */
@@ -87,40 +78,28 @@ class Crypto
             throw new \InvalidArgumentException('Input parameter "$data" must be a string.');
         }
 
-        if (!function_exists("mcrypt_encrypt")) {
-            throw new \SimpleSAML_Error_Exception('The mcrypt PHP module is not loaded.');
+        if (!function_exists("openssl_encrypt")) {
+            throw new \SimpleSAML_Error_Exception('The openssl PHP module is not loaded.');
         }
 
-        $enc = MCRYPT_RIJNDAEL_256;
-        $mode = MCRYPT_MODE_CBC;
-
-        $blockSize = mcrypt_get_block_size($enc, $mode);
-        $ivSize = mcrypt_get_iv_size($enc, $mode);
-        $keySize = mcrypt_get_key_size($enc, $mode);
-
-        $key = hash('sha256', $secret, true);
-        $key = substr($key, 0, $keySize);
-
-        $len = strlen($data);
-        $numpad = $blockSize - ($len % $blockSize);
-        $data = str_pad($data, $len + $numpad, chr($numpad));
-
-        $iv = openssl_random_pseudo_bytes($ivSize);
-
-        $data = mcrypt_encrypt($enc, $key, $data, $mode, $iv);
+        $raw    = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
+        $key    = openssl_digest($secret, 'sha256');
+        $method = 'AES-256-CBC';
+        $ivSize = 16;
+        $iv     = substr($key, 0, $ivSize);
 
-        return $iv.$data;
+        return $iv.openssl_encrypt($data, $method, $key, $raw, $iv);
     }
 
 
     /**
-     * Encrypt data using AES and the system-wide secret salt as key.
+     * Encrypt data using AES-256-CBC and the system-wide secret salt as key.
      *
      * @param string $data The data to encrypt.
      *
-     * @return string The encrypted data and IV.
+     * @return string The IV and encrypted data concatenated.
      * @throws \InvalidArgumentException If $data is not a string.
-     * @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded.
+     * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
      *
      * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
      * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>

tests/lib/SimpleSAML/Utils/CryptoTest.php

@@ -41,7 +41,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
      */
     public function testAesDecrypt()
     {
-        if (!extension_loaded('mcrypt')) {
+        if (!extension_loaded('openssl')) {
             $this->setExpectedException('\SimpleSAML_Error_Exception');
         }
 
@@ -50,7 +50,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
         $m->setAccessible(true);
 
         $plaintext = 'SUPER_SECRET_TEXT';
-        $ciphertext = 'J5/rmhc54DpEbnP4rLD3IUUiSOE28165Gpr8BzNF4bFHjjesCe6mnHRZ6EiRbQE41ZDB/qg3ilWlw1gWzlKKww==';
+        $ciphertext = 'NmRkODJlZGE2OTA3YTYwMm9En+KAReUk2z7Xi/b3c39kF/c1n6Vdj/zNARQt+UHU';
         $this->assertEquals($plaintext, $m->invokeArgs(null, array(base64_decode($ciphertext), $secret)));
     }
 
@@ -60,7 +60,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
      */
     public function testAesEncrypt()
     {
-        if (!extension_loaded('mcrypt')) {
+        if (!extension_loaded('openssl')) {
             $this->setExpectedException('\SimpleSAML_Error_Exception');
         }