diff options
-rw-r--r-- | system/libraries/Encryption.php | 87 | ||||
-rw-r--r-- | tests/codeigniter/libraries/Encryption_test.php | 9 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encryption.rst | 1 |
3 files changed, 37 insertions, 60 deletions
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php index 810b7bf4a..d6ffc9bfe 100644 --- a/system/libraries/Encryption.php +++ b/system/libraries/Encryption.php @@ -356,16 +356,14 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) - { - // The greater-than-1 comparison is mostly a work-around for a bug, - // where 1 is returned for ARCFour instead of 0. - $params['iv'] = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) - ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM) - : NULL; - } - if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0) + // The greater-than-1 comparison is mostly a work-around for a bug, + // where 1 is returned for ARCFour instead of 0. + $iv = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) + ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM) + : NULL; + + if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0) { if ($params['handle'] !== $this->_handle) { @@ -396,7 +394,7 @@ class CI_Encryption { // but OpenSSL isn't that dumb and we need to make the process // portable, so ... $data = (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') - ? $params['iv'].mcrypt_generic($params['handle'], $data) + ? $iv.mcrypt_generic($params['handle'], $data) : mcrypt_generic($params['handle'], $data); mcrypt_generic_deinit($params['handle']); @@ -423,19 +421,17 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) - { - $params['iv'] = ($iv_size = openssl_cipher_iv_length($params['handle'])) - ? openssl_random_pseudo_bytes($iv_size) - : NULL; - } + + $iv = ($iv_size = openssl_cipher_iv_length($params['handle'])) + ? openssl_random_pseudo_bytes($iv_size) + : NULL; $data = openssl_encrypt( $data, $params['handle'], $params['key'], 1, // DO NOT TOUCH! - $params['iv'] + $iv ); if ($data === FALSE) @@ -443,7 +439,7 @@ class CI_Encryption { return FALSE; } - return $params['iv'].$data; + return $iv.$data; } // -------------------------------------------------------------------- @@ -499,11 +495,6 @@ class CI_Encryption { $data = base64_decode($data); } - if (isset($params['iv']) && strncmp($params['iv'], $data, $iv_size = strlen($params['iv'])) === 0) - { - $data = substr($data, $iv_size); - } - isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, strlen($this->_key), 'encryption'); return $this->{'_'.$this->_driver.'_decrypt'}($data, $params); @@ -524,30 +515,28 @@ class CI_Encryption { { return FALSE; } - elseif ( ! isset($params['iv'])) + + // The greater-than-1 comparison is mostly a work-around for a bug, + // where 1 is returned for ARCFour instead of 0. + if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) { - // The greater-than-1 comparison is mostly a work-around for a bug, - // where 1 is returned for ARCFour instead of 0. - if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1) + if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') { - if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB') - { - $params['iv'] = substr($data, 0, $iv_size); - $data = substr($data, $iv_size); - } - else - { - // MCrypt is dumb and this is ignored, only size matters - $params['iv'] = str_repeat("\x0", $iv_size); - } + $iv = substr($data, 0, $iv_size); + $data = substr($data, $iv_size); } else { - $params['iv'] = NULL; + // MCrypt is dumb and this is ignored, only size matters + $iv = str_repeat("\x0", $iv_size); } } + else + { + $iv = NULL; + } - if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0) + if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0) { if ($params['handle'] !== $this->_handle) { @@ -584,17 +573,14 @@ class CI_Encryption { */ protected function _openssl_decrypt($data, $params) { - if ( ! isset($params['iv'])) + if ($iv_size = openssl_cipher_iv_length($params['handle'])) { - if ($iv_size = openssl_cipher_iv_length($params['handle'])) - { - $params['iv'] = substr($data, 0, $iv_size); - $data = substr($data, $iv_size); - } - else - { - $params['iv'] = NULL; - } + $iv = substr($data, 0, $iv_size); + $data = substr($data, $iv_size); + } + else + { + $iv = NULL; } return empty($params['handle']) @@ -604,7 +590,7 @@ class CI_Encryption { $params['handle'], $params['key'], 1, // DO NOT TOUCH! - $params['iv'] + $iv ); } @@ -679,7 +665,6 @@ class CI_Encryption { 'cipher' => $params['cipher'], 'mode' => $params['mode'], 'key' => $params['key'], - 'iv' => isset($params['iv']) ? $params['iv'] : NULL, 'base64' => isset($params['raw_data']) ? ! $params['raw_data'] : FALSE, 'hmac_digest' => $params['hmac_digest'], 'hmac_key' => $params['hmac_key'] diff --git a/tests/codeigniter/libraries/Encryption_test.php b/tests/codeigniter/libraries/Encryption_test.php index 759d7cdac..f457fe325 100644 --- a/tests/codeigniter/libraries/Encryption_test.php +++ b/tests/codeigniter/libraries/Encryption_test.php @@ -141,7 +141,6 @@ class Encryption_test extends CI_TestCase { $this->assertTrue(is_array($this->encryption->__get_params($params))); - $params['iv'] = NULL; $params['base64'] = TRUE; $params['hmac_digest'] = 'sha512'; @@ -150,7 +149,6 @@ class Encryption_test extends CI_TestCase { 'cipher' => 'aes-128', 'mode' => 'cbc', 'key' => str_repeat("\x0", 16), - 'iv' => str_repeat("\x0", 16), 'raw_data' => TRUE, 'hmac_key' => str_repeat("\x0", 16), 'hmac_digest' => 'sha256' @@ -216,22 +214,17 @@ class Encryption_test extends CI_TestCase { $this->assertFalse($this->encryption->encrypt($message, array('foo'))); $this->assertFalse($this->encryption->decrypt($message, array('foo'))); - // Custom IV (we'll check it), no HMAC, binary output + // No HMAC, binary output $params = array( 'cipher' => 'tripledes', 'mode' => 'cfb', 'key' => str_repeat("\x1", 16), - 'iv' => str_repeat("\x2", 8), 'base64' => FALSE, 'hmac' => FALSE ); $ciphertext = $this->encryption->encrypt($message, $params); - $this->assertEquals(0, strncmp($params['iv'], $ciphertext, 8)); - // IV should be found in the cipher-text, no matter if it was supplied or not - $this->assertEquals($message, $this->encryption->decrypt($ciphertext, $params)); - unset($params['iv']); $this->assertEquals($message, $this->encryption->decrypt($ciphertext, $params)); } diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst index a4415f510..ff41ade78 100644 --- a/user_guide_src/source/libraries/encryption.rst +++ b/user_guide_src/source/libraries/encryption.rst @@ -425,7 +425,6 @@ Option Default value Mandatory / Optional Description cipher N/A Yes Encryption algorithm (see :ref:`ciphers-and-modes`). mode N/A Yes Encryption mode (see :ref:`encryption-modes`). key N/A Yes Encryption key. -iv N/A No Initialization vector (IV). If not provided it will be automatically generated during encryption and looked for during decryption. hmac TRUE No Whether to use a HMAC. |