Commit 3fd76a6b authored by Jaime Perez Crespo's avatar Jaime Perez Crespo

Reimplement \SimpleSAML\Utils\Crypto::aesDecrypt() and...

Reimplement \SimpleSAML\Utils\Crypto::aesDecrypt() and \SimpleSAML\Utils\Crypto::aesEncrypt() to use openssl instead of mcrypt. This removes the direct dependency on mcrypt and closes #228.
parent d640a086
...@@ -11,14 +11,14 @@ class Crypto ...@@ -11,14 +11,14 @@ class Crypto
{ {
/** /**
* Decrypt data using AES and the system-wide secret salt as key. * Decrypt data using AES-256-CBC and the key provided as a parameter.
* *
* @param string $ciphertext The encrypted data to decrypt. * @param string $ciphertext The IV and the encrypted data, concatenated.
* @param string $secret The secret to use to decrypt the data. * @param string $secret The secret to use to decrypt the data.
* *
* @return string The decrypted data. * @return string The decrypted data.
* @htorws \InvalidArgumentException If $ciphertext is not a string. * @htorws \InvalidArgumentException If $ciphertext is not a string.
* @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded. * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
* *
* @see \SimpleSAML\Utils\Crypto::aesDecrypt() * @see \SimpleSAML\Utils\Crypto::aesDecrypt()
*/ */
...@@ -27,40 +27,29 @@ class Crypto ...@@ -27,40 +27,29 @@ class Crypto
if (!is_string($ciphertext)) { if (!is_string($ciphertext)) {
throw new \InvalidArgumentException('Input parameter "$ciphertext" must be a string.'); throw new \InvalidArgumentException('Input parameter "$ciphertext" must be a string.');
} }
if (!function_exists("mcrypt_encrypt")) { if (!function_exists("openssl_decrypt")) {
throw new \SimpleSAML_Error_Exception("The mcrypt PHP module is not loaded."); throw new \SimpleSAML_Error_Exception("The openssl PHP module is not loaded.");
} }
$enc = MCRYPT_RIJNDAEL_256; $raw = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
$mode = MCRYPT_MODE_CBC; $key = openssl_digest($secret, 'sha256');
$method = 'AES-256-CBC';
$ivSize = 16;
$iv = substr($ciphertext, 0, $ivSize);
$data = substr($ciphertext, $ivSize);
$ivSize = mcrypt_get_iv_size($enc, $mode); return openssl_decrypt($data, $method, $key, $raw, $iv);
$keySize = mcrypt_get_key_size($enc, $mode);
$key = hash('sha256', $secret, true);
$key = substr($key, 0, $keySize);
$iv = substr($ciphertext, 0, $ivSize);
$data = substr($ciphertext, $ivSize);
$clear = mcrypt_decrypt($enc, $key, $data, $mode, $iv);
$len = strlen($clear);
$numpad = ord($clear[$len - 1]);
$clear = substr($clear, 0, $len - $numpad);
return $clear;
} }
/** /**
* Decrypt data using AES and the system-wide secret salt as key. * Decrypt data using AES-256-CBC and the system-wide secret salt as key.
* *
* @param string $ciphertext The encrypted data to decrypt. * @param string $ciphertext The IV used and the encrypted data, concatenated.
* *
* @return string The decrypted data. * @return string The decrypted data.
* @htorws \InvalidArgumentException If $ciphertext is not a string. * @htorws \InvalidArgumentException If $ciphertext is not a string.
* @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded. * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
* *
* @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no> * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
* @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no> * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
...@@ -72,12 +61,14 @@ class Crypto ...@@ -72,12 +61,14 @@ class Crypto
/** /**
* Encrypt data using AES-256-CBC and the key provided as a parameter.
*
* @param string $data The data to encrypt. * @param string $data The data to encrypt.
* @param string $secret The secret to use to encrypt the data. * @param string $secret The secret to use to encrypt the data.
* *
* @return string The encrypted data and IV. * @return string The IV and encrypted data concatenated.
* @throws \InvalidArgumentException If $data is not a string. * @throws \InvalidArgumentException If $data is not a string.
* @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded. * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
* *
* @see \SimpleSAML\Utils\Crypto::aesEncrypt() * @see \SimpleSAML\Utils\Crypto::aesEncrypt()
*/ */
...@@ -87,40 +78,28 @@ class Crypto ...@@ -87,40 +78,28 @@ class Crypto
throw new \InvalidArgumentException('Input parameter "$data" must be a string.'); throw new \InvalidArgumentException('Input parameter "$data" must be a string.');
} }
if (!function_exists("mcrypt_encrypt")) { if (!function_exists("openssl_encrypt")) {
throw new \SimpleSAML_Error_Exception('The mcrypt PHP module is not loaded.'); throw new \SimpleSAML_Error_Exception('The openssl PHP module is not loaded.');
} }
$enc = MCRYPT_RIJNDAEL_256; $raw = defined('OPENSSL_RAW_DATA') ? OPENSSL_RAW_DATA : true;
$mode = MCRYPT_MODE_CBC; $key = openssl_digest($secret, 'sha256');
$method = 'AES-256-CBC';
$blockSize = mcrypt_get_block_size($enc, $mode); $ivSize = 16;
$ivSize = mcrypt_get_iv_size($enc, $mode); $iv = substr($key, 0, $ivSize);
$keySize = mcrypt_get_key_size($enc, $mode);
$key = hash('sha256', $secret, true);
$key = substr($key, 0, $keySize);
$len = strlen($data);
$numpad = $blockSize - ($len % $blockSize);
$data = str_pad($data, $len + $numpad, chr($numpad));
$iv = openssl_random_pseudo_bytes($ivSize);
$data = mcrypt_encrypt($enc, $key, $data, $mode, $iv);
return $iv.$data; return $iv.openssl_encrypt($data, $method, $key, $raw, $iv);
} }
/** /**
* Encrypt data using AES and the system-wide secret salt as key. * Encrypt data using AES-256-CBC and the system-wide secret salt as key.
* *
* @param string $data The data to encrypt. * @param string $data The data to encrypt.
* *
* @return string The encrypted data and IV. * @return string The IV and encrypted data concatenated.
* @throws \InvalidArgumentException If $data is not a string. * @throws \InvalidArgumentException If $data is not a string.
* @throws \SimpleSAML_Error_Exception If the mcrypt module is not loaded. * @throws \SimpleSAML_Error_Exception If the openssl module is not loaded.
* *
* @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no> * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
* @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no> * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
......
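Review bot: In the new encrypt body the IV is no longer random: `$iv = substr($key, 0, $ivSize);` takes it from the key, and the return statement then prepends it to the output, so every message carries the first 16 characters of the key in clear and equal plaintexts encrypt to equal ciphertexts. `openssl_digest($secret, 'sha256')` returns a hex string by default, so the bytes that end up as the AES-256 key are presumably its first 32 hex characters, half of which are that published prefix. I would keep the random IV that, as rendered, appears to be on the removed side, `$iv = openssl_random_pseudo_bytes($ivSize);`, and derive a binary key with `$key = openssl_digest($secret, 'sha256', true);` in both the encrypt and decrypt hunks; the decrypt side already reads the IV from the ciphertext, so it needs only the key change. Separately, the output is unauthenticated CBC and `openssl_decrypt()` returns `false` on failure while the docblock promises a string, which is worth a follow-up.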
...@@ -41,7 +41,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase ...@@ -41,7 +41,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
*/ */
public function testAesDecrypt() public function testAesDecrypt()
{ {
if (!extension_loaded('mcrypt')) { if (!extension_loaded('openssl')) {
$this->setExpectedException('\SimpleSAML_Error_Exception'); $this->setExpectedException('\SimpleSAML_Error_Exception');
} }
...@@ -50,7 +50,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase ...@@ -50,7 +50,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
$m->setAccessible(true); $m->setAccessible(true);
$plaintext = 'SUPER_SECRET_TEXT'; $plaintext = 'SUPER_SECRET_TEXT';
$ciphertext = 'J5/rmhc54DpEbnP4rLD3IUUiSOE28165Gpr8BzNF4bFHjjesCe6mnHRZ6EiRbQE41ZDB/qg3ilWlw1gWzlKKww=='; $ciphertext = 'NmRkODJlZGE2OTA3YTYwMm9En+KAReUk2z7Xi/b3c39kF/c1n6Vdj/zNARQt+UHU';
$this->assertEquals($plaintext, $m->invokeArgs(null, array(base64_decode($ciphertext), $secret))); $this->assertEquals($plaintext, $m->invokeArgs(null, array(base64_decode($ciphertext), $secret)));
} }
...@@ -60,7 +60,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase ...@@ -60,7 +60,7 @@ class CryptoTest extends PHPUnit_Framework_TestCase
*/ */
public function testAesEncrypt() public function testAesEncrypt()
{ {
if (!extension_loaded('mcrypt')) { if (!extension_loaded('openssl')) {
$this->setExpectedException('\SimpleSAML_Error_Exception'); $this->setExpectedException('\SimpleSAML_Error_Exception');
} }
......
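Review bot: `testAesDecrypt` checks only a single known-good vector, so nothing visible here pins what happens with damaged input. `openssl_decrypt()` returns `false` on a padding or length failure, and a case that feeds a truncated or altered ciphertext and asserts the expected outcome would document that contract. The test bodies start and continue outside the visible hunks, so such a case may already exist elsewhere in the file.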