authorDerek Jones <derek.jones@ellislab.com>2008-01-17 20:21:03 +0100
committerDerek Jones <derek.jones@ellislab.com>2008-01-17 20:21:03 +0100
commitd32d45c350ac692db6397648d77b8b0d69ef7923 (patch)
treecbfdcdba46082985b57e57a1f0c04ffd7689e321
parent57211eb60cb5bcb844695746e8cba9aa6c1f9924 (diff)
fixed bug #3003 preventing encryption from working with modes other than MCRYPT_MODE_ECB. Also added some noise to the cipher so the IV can safely be transported along with the encrypted data.
-rw-r--r--system/libraries/Encrypt.php77
-rw-r--r--user_guide/changelog.html6
2 files changed, 79 insertions, 4 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index e5ad78c11..5b2b7c017 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -249,7 +249,7 @@ class CI_Encrypt {
{
$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
- return mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect);
+ return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key);
}
// --------------------------------------------------------------------
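Review bot: The value returned by the changed line carries no integrity tag, because `_add_cipher_noise()` (defined in the next hunk) is only a repeating byte-wise addition of the key hash and nothing visible in mcrypt_decode() rejects input that was altered in transit. If tamper detection is the goal, a keyed MAC computed over `$init_vect` plus the ciphertext should be appended here and compared in mcrypt_decode() before mcrypt_decrypt() is called, ideally with a key derived separately from the encryption key. Until then the docblock on `_add_cipher_noise()` overstates the guarantee; something like `Masks the IV + ciphertext with the key hash; this obscures the IV but does not authenticate the data` would match what the code does. The body of the encoding function starts above this hunk, so only the IV setup and the return are visible here.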
@@ -264,14 +264,87 @@ class CI_Encrypt {
*/
function mcrypt_decode($data, $key)
{
+ $data = $this->_remove_cipher_noise($data, $key);
$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
- $init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
+ $init_vect = substr($data, 0, $init_size);
+ $data = substr($data, $init_size);
return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
}
// --------------------------------------------------------------------
/**
+ * Adds permuted noise to the IV + encrypted data to protect
+ * against Man-in-the-middle attacks on CBC mode ciphers
+ * http://www.ciphersbyritter.com/GLOSSARY.HTM#IV
+ *
+ * Function description
+ *
+ * @access private
+ * @param string
+ * @param string
+ * @return string
+ */
+ function _add_cipher_noise($data, $key)
+ {
+ $keyhash = $this->hash($key);
+ $keylen = strlen($keyhash);
+ $str = '';
+
+ for ($i = 0, $j = 0, $len = strlen($data); $i < $len; ++$i, ++$j)
+ {
+ if ($j >= $keylen)
+ {
+ $j = 0;
+ }
+
+ $str .= chr((ord($data[$i]) + ord($keyhash[$j])) % 256);
+ }
+
+ return $str;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Removes permuted noise from the IV + encrypted data, reversing
+ * _add_cipher_noise()
+ *
+ * Function description
+ *
+ * @access public
+ * @param type
+ * @return type
+ */
+ function _remove_cipher_noise($data, $key)
+ {
+ $keyhash = $this->hash($key);
+ $keylen = strlen($keyhash);
+ $str = '';
+
+ for ($i = 0, $j = 0, $len = strlen($data); $i < $len; ++$i, ++$j)
+ {
+ if ($j >= $keylen)
+ {
+ $j = 0;
+ }
+
+ $temp = ord($data[$i]) - ord($keyhash[$j]);
+
+ if ($temp < 0)
+ {
+ $temp = $temp + 256;
+ }
+
+ $str .= chr($temp);
+ }
+
+ return $str;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* Set the Mcrypt Cipher
*
* @access public
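Review bot: mcrypt_decode() slices the IV off the de-noised input without checking its length, so input shorter than `$init_size` reaches mcrypt_decrypt() with a truncated IV and an empty or false `$data`. A guard placed after the `$init_size` line, such as `if (strlen($data) < $init_size) { return FALSE; }`, would reject truncated or malformed input before any decryption is attempted; the failure value should follow whatever callers of this method already expect, which is not visible in the hunk. Separately, the docblock for `_remove_cipher_noise()` says `@access public` and still has the template lines `@param type` / `@return type` and "Function description"; it should read `@access private`, `@param string` twice and `@return string`, matching `_add_cipher_noise()`. The "Set the Mcrypt Cipher" docblock at the end of the hunk continues outside it.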
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index eec1c2e95..3b6a3220e 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -97,7 +97,8 @@ Change Log
<li>Modified variable names in _ci_load() method of Loader class to avoid conflicts with view variables.</li>
<li>Changed the behaviour of custom callbacks so that they no longer trigger the &quot;required&quot; rule. </li>
<li>Changed the behaviour of variables submitted to the where() clause with no values to auto set &quot;IS NULL&quot;</li>
- <li>Documented <kbd>distinct()</kbd> in <a href="./database/active_record.html">Active Record</a>. </li>
+ <li>Strengthened the Encryption library to help protect against man in the middle attacks when MCRYPT_MODE_CBC mode is used.</li>
+ <li>Documented <kbd>distinct()</kbd> in <a href="./database/active_record.html">Active Record</a>. </li>
<li>Documented the <kbd>timezones()</kbd> function in the <a href="./helpers/date_helper.html">Date Helper</a>.</li>
<li>Documented unset_userdata in the <a href="./libraries/sessions.html">Session class</a>.</li>
<li>Documented 2 config options to the <a href="./database/configuration.html">Database configuration</a> page.</li>
@@ -123,7 +124,8 @@ Change Log
<li>Fixed a bug in the clean_email() method of the Email class to allow for non-numeric / non-sequential array keys.</li>
<li>Fixed a bug in Pagination to scan for non-positive num_links.</li>
<li>Fixed a bug in the typography helper causing extraneous paragraph tags when string contains tags.</li>
- <li>Fixed an example of comma-separated emails in the email library documentation.</li>
+ <li>Fixed a bug in the Encryption Library to support modes other than MCRYPT_MODE_ECB</li>
+ <li>Fixed an example of comma-separated emails in the email library documentation.</li>
<li>Fixed an example in the Calendar library for Showing Next/Previous Month Links.</li>
<li>Fixed a typo in the database language file.</li>
<li>Fixed a typo in the image language file &quot;suppor&quot; to &quot;support&quot;.</li>