summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-02-05 17:59:55 +0100
committerAndrey Andreev <narf@devilix.net>2014-02-05 17:59:55 +0100
commit8e20216f25624524d7d6e0322e85e6ccb47e3778 (patch)
treed2aeaa22cc9f3323a32e02d700d23109f0704b15
parentf401767c04a24677e11a3b6c4e3590e8b2e06e88 (diff)
More CI_Encryption improvements
- Make OpenSSL the default driver if available (because MCrypt is stupid). - Require MCRYPT_DEV_URANDOM for the MCrypt availability check (because security; also, incidentally - it's faster that way ;)).
-rw-r--r--system/libraries/Encryption.php52
-rw-r--r--user_guide_src/source/installation/upgrade_300.rst7
2 files changed, 10 insertions, 49 deletions
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php
index 51e390c91..fe177fce3 100644
--- a/system/libraries/Encryption.php
+++ b/system/libraries/Encryption.php
@@ -135,7 +135,7 @@ class CI_Encryption {
public function __construct(array $params = array())
{
$this->_drivers = array(
- 'mcrypt' => extension_loaded('mcrypt'),
+ 'mcrypt' => defined('MCRYPT_DEV_URANDOM'),
// While OpenSSL is available for PHP 5.3.0, an IV parameter
// for the encrypt/decrypt functions is only available since 5.3.3
'openssl' => (is_php('5.3.3') && extension_loaded('openssl'))
@@ -188,9 +188,9 @@ class CI_Encryption {
if (empty($this->_driver))
{
- $this->_driver = ($this->_drivers['mcrypt'] === TRUE)
- ? 'mcrypt'
- : 'openssl';
+ $this->_driver = ($this->_drivers['openssl'] === TRUE)
+ ? 'openssl'
+ : 'mcrypt';
log_message('debug', "Encryption: Auto-configured driver '".$this->_driver."'.");
}
@@ -372,7 +372,7 @@ class CI_Encryption {
elseif ( ! isset($params['iv']))
{
$params['iv'] = ($iv_size = mcrypt_enc_get_iv_size($params['handle']))
- ? $this->_mcrypt_get_iv($iv_size)
+ ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM)
: NULL;
}
@@ -438,7 +438,7 @@ class CI_Encryption {
elseif ( ! isset($params['iv']))
{
$params['iv'] = ($iv_size = openssl_cipher_iv_length($params['handle']))
- ? $this->_openssl_get_iv($iv_size)
+ ? openssl_random_pseudo_bytes($iv_size)
: NULL;
}
@@ -614,46 +614,6 @@ class CI_Encryption {
// --------------------------------------------------------------------
/**
- * Get IV via MCrypt
- *
- * @param int $size
- * @return int
- */
- protected function _mcrypt_get_iv($size)
- {
- // If /dev/urandom is available - use it, otherwise there's
- // also /dev/random, but it is highly unlikely that it would
- // be available while /dev/urandom is not and it is known to be
- // blocking anyway.
- if (defined(MCRYPT_DEV_URANDOM))
- {
- $source = MCRYPT_DEV_URANDOM;
- }
- else
- {
- $source = MCRYPT_RAND;
- is_php('5.3') OR srand(microtime(TRUE));
- }
-
- return mcrypt_create_iv($size, $source);
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Get IV via OpenSSL
- *
- * @param int $size IV size
- * @return int
- */
- protected function _openssl_get_iv($size)
- {
- return openssl_random_pseudo_bytes($size);
- }
-
- // --------------------------------------------------------------------
-
- /**
* Get params
*
* @param array $params Input parameters
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 94385978e..a88d34e39 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -340,9 +340,10 @@ Following numerous vulnerability reports, the :doc:`Encrypt Library <../librarie
been deprecated and a new, :doc:`Encryption Library <../libraries/encryption>` is added to take
its place.
-The new library requires either the `MCrypt extension <http://php.net/mcrypt>`_ or PHP 5.3.3 and
-the `OpenSSL extension <http://php.net/openssl>`_. While this might be rather inconvenient, it is
-a requirement that allows us to have properly implemented cryptographic functions.
+The new library requires either the `MCrypt extension <http://php.net/mcrypt>`_ (and /dev/urandom
+availability) or PHP 5.3.3 and the `OpenSSL extension <http://php.net/openssl>`_.
+While this might be rather inconvenient, it is a requirement that allows us to have properly
+implemented cryptographic functions.
.. note:: The :doc:`Encrypt Library <../libraries/encrypt>` is still available for the purpose
of keeping backwards compatibility.