diff options
author | Andrey Andreev <narf@devilix.net> | 2014-02-05 17:59:55 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-02-05 17:59:55 +0100 |
commit | 8e20216f25624524d7d6e0322e85e6ccb47e3778 (patch) | |
tree | d2aeaa22cc9f3323a32e02d700d23109f0704b15 | |
parent | f401767c04a24677e11a3b6c4e3590e8b2e06e88 (diff) |
More CI_Encryption improvements
- Make OpenSSL the default driver if available (because MCrypt is stupid).
- Require MCRYPT_DEV_URANDOM for the MCrypt availability check
(because security; also, incidentally - it's faster that way ;)).
-rw-r--r-- | system/libraries/Encryption.php | 52 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 7 |
2 files changed, 10 insertions, 49 deletions
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index 51e390c91..fe177fce3 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -135,7 +135,7 @@ class CI_Encryption { public function __construct(array $params = array()) { $this->_drivers = array( - 'mcrypt' => extension_loaded('mcrypt'), + 'mcrypt' => defined('MCRYPT_DEV_URANDOM'), // While OpenSSL is available for PHP 5.3.0, an IV parameter // for the encrypt/decrypt functions is only available since 5.3.3 'openssl' => (is_php('5.3.3') && extension_loaded('openssl')) @@ -188,9 +188,9 @@ class CI_Encryption { if (empty($this->_driver)) { - $this->_driver = ($this->_drivers['mcrypt'] === TRUE) - ? 'mcrypt' - : 'openssl'; + $this->_driver = ($this->_drivers['openssl'] === TRUE) + ? 'openssl' + : 'mcrypt'; log_message('debug', "Encryption: Auto-configured driver '".$this->_driver."'."); } @@ -372,7 +372,7 @@ class CI_Encryption { elseif ( ! isset($params['iv'])) { $params['iv'] = ($iv_size = mcrypt_enc_get_iv_size($params['handle'])) - ? $this->_mcrypt_get_iv($iv_size) + ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM) : NULL; } @@ -438,7 +438,7 @@ class CI_Encryption { elseif ( ! isset($params['iv'])) { $params['iv'] = ($iv_size = openssl_cipher_iv_length($params['handle'])) - ? $this->_openssl_get_iv($iv_size) + ? openssl_random_pseudo_bytes($iv_size) : NULL; } @@ -614,46 +614,6 @@ class CI_Encryption { // -------------------------------------------------------------------- /** - * Get IV via MCrypt - * - * @param int $size - * @return int - */ - protected function _mcrypt_get_iv($size) - { - // If /dev/urandom is available - use it, otherwise there's - // also /dev/random, but it is highly unlikely that it would - // be available while /dev/urandom is not and it is known to be - // blocking anyway. - if (defined(MCRYPT_DEV_URANDOM)) - { - $source = MCRYPT_DEV_URANDOM; - } - else - { - $source = MCRYPT_RAND; - is_php('5.3') OR srand(microtime(TRUE)); - } - - return mcrypt_create_iv($size, $source); - } - - // -------------------------------------------------------------------- - - /** - * Get IV via OpenSSL - * - * @param int $size IV size - * @return int - */ - protected function _openssl_get_iv($size) - { - return openssl_random_pseudo_bytes($size); - } - - // -------------------------------------------------------------------- - - /** * Get params * * @param array $params Input parameters diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 94385978e..a88d34e39 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -340,9 +340,10 @@ Following numerous vulnerability reports, the :doc:`Encrypt Library <../librarie been deprecated and a new, :doc:`Encryption Library <../libraries/encryption>` is added to take its place. -The new library requires either the `MCrypt extension <http://php.net/mcrypt>`_ or PHP 5.3.3 and -the `OpenSSL extension <http://php.net/openssl>`_. While this might be rather inconvenient, it is -a requirement that allows us to have properly implemented cryptographic functions. +The new library requires either the `MCrypt extension <http://php.net/mcrypt>`_ (and /dev/urandom +availability) or PHP 5.3.3 and the `OpenSSL extension <http://php.net/openssl>`_. +While this might be rather inconvenient, it is a requirement that allows us to have properly +implemented cryptographic functions. .. note:: The :doc:`Encrypt Library <../libraries/encrypt>` is still available for the purpose of keeping backwards compatibility. |