author | Quinn Chrzan <quinnchrzan@gmail.com> | 2014-05-30 19:25:12 +0200 |
---|---|---|
committer | Quinn Chrzan <quinnchrzan@gmail.com> | 2014-05-30 19:25:12 +0200 |
commit | c77e1933e64e9e93d6318752deb668d96efeb62f (patch) | |
tree | db3074ea63d6701c88bc5519b6a12d60f49bd439 | |
parent | 5800de6835bfa943b7ffca94917f3f85696cc35f (diff) | |
parent | 9eb99bce5e1a62c5df8758eaf82f6edee61c35b1 (diff) |
Merge pull request #3071 from EllisLab/bug/xor_encode
Bug/xor encode
-rw-r--r-- | system/libraries/Encrypt.php | 77 | ||||
-rw-r--r-- | user_guide/libraries/encryption.html | 9 | ||||
-rw-r--r-- | user_guide/libraries/sessions.html | 4 |
3 files changed, 21 insertions, 69 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php
index b30a8cf0b..b6758d98f 100644
--- a/system/libraries/Encrypt.php
+++ b/system/libraries/Encrypt.php
@@ -18,7 +18,7 @@
 /**
 * CodeIgniter Encryption Class
 *
- * Provides two-way keyed encoding using XOR Hashing and Mcrypt
+ * Provides two-way keyed encoding using Mcrypt
 *
 * @package CodeIgniter
 * @subpackage Libraries
@@ -45,6 +45,12 @@ class CI_Encrypt {
 {
 $this->CI =& get_instance();
 $this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;
+
+ if ($this->_mcrypt_exists === FALSE)
+ {
+ show_error('The Encrypt library requires the Mcrypt extension.');
+ }
+
 log_message('debug', "Encrypt Class Initialized");
 }
@@ -103,10 +109,10 @@ class CI_Encrypt {
 * Encodes the message string using bitwise XOR encoding.
 * The key is combined with a random hash, and then it
 * too gets converted using XOR. The whole thing is then run
- * through mcrypt (if supported) using the randomized key.
- * The end result is a double-encrypted message string
- * that is randomized with each call to this function,
- * even if the supplied message and key are the same.
+ * through mcrypt using the randomized key. The end result
+ * is a double-encrypted message string that is randomized
+ * with each call to this function, even if the supplied
+ * message and key are the same.
 *
 * @access public
 * @param string the string to encode
@@ -116,15 +122,7 @@ class CI_Encrypt {
 function encode($string, $key = '')
 {
 $key = $this->get_key($key);
-
- if ($this->_mcrypt_exists === TRUE)
- {
- $enc = $this->mcrypt_encode($string, $key);
- }
- else
- {
- $enc = $this->_xor_encode($string, $key);
- }
+ $enc = $this->mcrypt_encode($string, $key);
 return base64_encode($enc);
 }
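Review bot: In the constructor hunk, `$this->_mcrypt_exists = ( ! function_exists('mcrypt_encrypt')) ? FALSE : TRUE;` is a ternary that only restates the boolean it tests, and the added lines right after it read the property once to decide whether to call show_error(); `$this->_mcrypt_exists = function_exists('mcrypt_encrypt');` says the same thing directly. Whether execution continues after show_error() is not visible in this diff; if it can return, the constructor goes on to log 'Encrypt Class Initialized' for an instance that cannot encrypt, so either a `return;` after the call or a note in the constructor that show_error() terminates the request would keep the failure unambiguous. On the new side of the hunks shown the property is read only at this one place, but mcrypt_encode() and mcrypt_decode() lie outside the diff and may still consult it, so dropping the property should wait for that check.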
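Review bot: The docblock kept on the new side of the encode() comment hunk still opens with `Encodes the message string using bitwise XOR encoding. The key is combined with a random hash, and then it too gets converted using XOR`, but the rewritten encode() body in the following hunk does nothing beyond `$key = $this->get_key($key);`, `$enc = $this->mcrypt_encode($string, $key);` and `return base64_encode($enc);`. Whatever keying and randomisation still happen now live inside mcrypt_encode(), which this diff does not show, so the paragraph documents a construction this method no longer performs itself. I would reduce it to what is visible here — resolve the key via get_key(), encrypt through mcrypt_encode(), return the result base64-encoded — and re-verify the "double-encrypted" and "randomized with each call" claims against mcrypt_encode()'s own docblock before keeping them anywhere.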
@@ -152,16 +150,9 @@ class CI_Encrypt {
 $dec = base64_decode($string);
- if ($this->_mcrypt_exists === TRUE)
- {
- if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
- {
- return FALSE;
- }
- }
- else
+ if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
 {
- $dec = $this->_xor_decode($dec, $key);
+ return FALSE;
 }
 return $dec;
@@ -187,12 +178,6 @@ class CI_Encrypt {
 */
 function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
 {
- if ($this->_mcrypt_exists === FALSE)
- {
- log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.');
- return FALSE;
- }
-
 // decode it first
 // set mode temporarily to what it was when string was encoded with the legacy
 // algorithm - typically MCRYPT_MODE_ECB
@@ -225,38 +210,6 @@ class CI_Encrypt {
 // --------------------------------------------------------------------
 /**
- * XOR Encode
- *
- * Takes a plain-text string and key as input and generates an
- * encoded bit-string using XOR
- *
- * @access private
- * @param string
- * @param string
- * @return string
- */
- function _xor_encode($string, $key)
- {
- $rand = '';
- while (strlen($rand) < 32)
- {
- $rand .= mt_rand(0, mt_getrandmax());
- }
-
- $rand = $this->hash($rand);
-
- $enc = '';
- for ($i = 0; $i < strlen($string); $i++)
- {
- $enc .= substr($rand, ($i % strlen($rand)), 1).(substr($rand, ($i % strlen($rand)), 1) ^ substr($string, $i, 1));
- }
-
- return $this->_xor_merge($enc, $key);
- }
-
- // --------------------------------------------------------------------
-
- /**
 * XOR Decode
 *
 * Takes an encoded string and key as input and generates the
@@ -544,4 +497,4 @@ class CI_Encrypt {
 // END CI_Encrypt class
 /* End of file Encrypt.php */
-/* Location: ./system/libraries/Encrypt.php */
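Review bot: Deleting `_xor_encode()` leaves `_xor_decode()` in place — its docblock is the trailing context of the `@@ -225` hunk — so the class can still decode XOR-encoded strings while no longer producing them, and decode() on the new side of the `@@ -152` hunk reaches only mcrypt_decode(). If the decoder is being kept so that data written by earlier releases can still be read, that intent belongs in its docblock together with the entry point that still calls it; if nothing calls it any more, removing it along with `_xor_merge()` (which only the removed code is seen calling here) would finish the cleanup instead of leaving an unreachable weak-cipher path in the class. Separately, decode() now signals mcrypt failure solely by `return FALSE;`, so callers must test the result with `=== FALSE` rather than by truthiness; a one-line `@return string|false` note on decode()'s docblock would make that explicit.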
\ No newline at end of file
+/* Location: ./system/libraries/Encrypt.php */
diff --git a/user_guide/libraries/encryption.html b/user_guide/libraries/encryption.html
index cd59a6c30..4331372a3 100644
--- a/user_guide/libraries/encryption.html
+++ b/user_guide/libraries/encryption.html
@@ -58,11 +58,8 @@ Encryption Class
 <h1>Encryption Class</h1>
-<p>The Encryption Class provides two-way data encryption. It uses a scheme that either compiles
-the message using a randomly hashed bitwise XOR encoding scheme, or is encrypted using
-the Mcrypt library. If Mcrypt is not available on your server the encoded message will
-still provide a reasonable degree of security for encrypted sessions or other such "light" purposes.
-If Mcrypt is available, you'll be provided with a high degree of security appropriate for storage.</p>
+<p>The Encryption Class provides two-way data encryption. It is encrypted using
+the Mcrypt library. The Encryption Class requires the Mcrypt extension to run.</p>
 <h2>Setting your Key</h2>
@@ -221,4 +218,4 @@ Next Topic: <a href="file_uploading.html">File Uploading Class</a>
 </div>
 </body>
-</html>
\ No newline at end of file
+</html>
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html
index 1b7b73ab9..989170a45 100644
--- a/user_guide/libraries/sessions.html
+++ b/user_guide/libraries/sessions.html
@@ -71,6 +71,8 @@ generates its own session data, offering more flexibility for developers.</p>
 <p class="important"><strong>Note:</strong> Even if you are not using encrypted sessions, you must set an <a href="./encryption.html">encryption key</a> in your config file which is used to aid in preventing session data manipulation.</p>
+<p class="important"><strong>Note:</strong> The Session class relies on the Encryption class, so you must have Mcrypt extension installed</p>
+
 <h2>Initializing a Session</h2>
 <p>Sessions will typically run globally with each page load, so the session class must either be
@@ -338,4 +340,4 @@ Next Topic: <a href="trackback.html">Trackback Class</a>
 </div>
 </body>
-</html>
\ No newline at end of file
+</html> |