diff options
-rw-r--r-- | system/libraries/Encrypt.php | 59 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 3 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encrypt.rst | 9 |
3 files changed, 16 insertions, 55 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php index f72bd2302..2541a4467 100644 --- a/system/libraries/Encrypt.php +++ b/system/libraries/Encrypt.php @@ -81,7 +81,11 @@ class CI_Encrypt { */ public function __construct() { - $this->_mcrypt_exists = function_exists('mcrypt_encrypt'); + if (($this->_mcrypt_exists = function_exists('mcrypt_encrypt')) === FALSE) + { + show_error('The Encrypt library requires the Mcrypt extension.'); + } + log_message('debug', 'Encrypt Class Initialized'); } @@ -138,10 +142,10 @@ class CI_Encrypt { * Encodes the message string using bitwise XOR encoding. * The key is combined with a random hash, and then it * too gets converted using XOR. The whole thing is then run - * through mcrypt (if supported) using the randomized key. - * The end result is a double-encrypted message string - * that is randomized with each call to this function, - * even if the supplied message and key are the same. + * through mcrypt using the randomized key. The end result + * is a double-encrypted message string that is randomized + * with each call to this function, even if the supplied + * message and key are the same. * * @param string the string to encode * @param string the key @@ -149,8 +153,7 @@ class CI_Encrypt { */ public function encode($string, $key = '') { - $method = ($this->_mcrypt_exists === TRUE) ? 'mcrypt_encode' : '_xor_encode'; - return base64_encode($this->$method($string, $this->get_key($key))); + return base64_encode($this->mcrypt_encode($string, $this->get_key($key))); } // -------------------------------------------------------------------- @@ -171,8 +174,7 @@ class CI_Encrypt { return FALSE; } - $method = ($this->_mcrypt_exists === TRUE) ? 'mcrypt_decode' : '_xor_decode'; - return $this->$method(base64_decode($string), $this->get_key($key)); + return $this->mcrypt_decode(base64_decode($string), $this->get_key($key)); } // -------------------------------------------------------------------- @@ -194,12 +196,7 @@ class CI_Encrypt { */ public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '') { - if ($this->_mcrypt_exists === FALSE) - { - log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.'); - return FALSE; - } - elseif (preg_match('/[^a-zA-Z0-9\/\+=]/', $string)) + if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string)) { return FALSE; } @@ -230,38 +227,6 @@ class CI_Encrypt { // -------------------------------------------------------------------- /** - * XOR Encode - * - * Takes a plain-text string and key as input and generates an - * encoded bit-string using XOR - * - * @param string - * @param string - * @return string - */ - protected function _xor_encode($string, $key) - { - $rand = ''; - do - { - $rand .= mt_rand(); - } - while (strlen($rand) < 32); - - $rand = $this->hash($rand); - - $enc = ''; - for ($i = 0, $ls = strlen($string), $lr = strlen($rand); $i < $ls; $i++) - { - $enc .= $rand[($i % $lr)].($rand[($i % $lr)] ^ $string[$i]); - } - - return $this->_xor_merge($enc, $key); - } - - // -------------------------------------------------------------------- - - /** * XOR Decode * * Takes an encoded string and key as input and generates the diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index e2b37561a..8492be289 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -726,7 +726,6 @@ Bug fixes for 3.0 - Fixed a bug (#2737) - :doc:`XML-RPC Library <libraries/xmlrpc>` used objects as array keys, which triggered E_NOTICE messages. - Fixed a bug (#2729) - :doc:`Security Library <libraries/security>` internal method ``_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives. - Fixed a bug (#2771) - :doc:`Security Library <libraries/security>` method ``xss_clean()`` didn't take into account HTML5 entities. -- Fixed a bug in the :doc:`Session Library <libraries/sessions>` 'cookie' driver where authentication was not performed for encrypted cookies. - Fixed a bug (#2856) - ODBC method ``affected_rows()`` passed an incorrect value to ``odbc_num_rows()``. - Fixed a bug (#43) :doc:`Image Manipulation Library <libraries/image_lib>` method ``text_watermark()`` didn't properly determine watermark placement. - Fixed a bug where :doc:`HTML Table Library <libraries/table>` ignored its *auto_heading* setting if headings were not already set. @@ -743,6 +742,7 @@ Release Date: June 2, 2014 - General Changes - Security: :doc:`Encrypt Library <libraries/encrypt>` method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. + - Security: The :doc:`Session Library <libraries/sessions>` now uses HMAC authentication instead of a simple MD5 checksum. Bug fixes for 2.2.0 ------------------- @@ -751,6 +751,7 @@ Bug fixes for 2.2.0 - Fixed a bug (#696) - make ``oci_execute()`` calls inside ``num_rows()`` non-committing, since they are only there to reset which row is next in line for oci_fetch calls and thus don't need to be committed. - Fixed a bug (#2689) - :doc:`Database Force <database/forge>` methods ``create_table()``, ``drop_table()`` and ``rename_table()`` produced broken SQL for tge 'sqlsrv' driver. - Fixed a bug (#2427) - PDO :doc:`Database driver <database/index>` didn't properly check for query failures. +- Fixed a bug in the :doc:`Session Library <libraries/sessions>` where authentication was not performed for encrypted cookies. Version 2.1.4 ============= diff --git a/user_guide_src/source/libraries/encrypt.rst b/user_guide_src/source/libraries/encrypt.rst index faff39975..6b65099a6 100644 --- a/user_guide_src/source/libraries/encrypt.rst +++ b/user_guide_src/source/libraries/encrypt.rst @@ -2,13 +2,8 @@ Encrypt Class ############# -The Encrypt Class provides two-way data encryption. It uses a scheme -that either compiles the message using a randomly hashed bitwise XOR -encoding scheme, or is encrypted using the Mcrypt library. If Mcrypt is -not available on your server the encoded message will still provide a -reasonable degree of security for encrypted sessions or other such -"light" purposes. If Mcrypt is available, you'll be provided with a high -degree of security appropriate for storage. +The Encrypt Class provides two-way data encryption. It encrypted using +the Mcrypt PHP extension, which is required for the Encrypt Class to run. .. important:: This library has been DEPRECATED and is only kept for backwards compatibility. Please use the new :doc:`Encryption Library |