Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Experimental] switch Crypt to use Sodium encryption
NOTE: This requires PHP7.2, the libsodium PECL extension, or the ParagonIE sodium-compat package!
NOTE: This has not been properly tested yet! Upgrade at your own risk!
NOTE: If you have Crypt in use, it will automatically decrypt using the old mechanism, and crypt using the new one, retaining BC. However, since the new encrypted results are quite a bit longer, you may have issues when you store encrypted results in fixed-length fields, for example database columns.
NOTE: There will be gremlins! For those who want to test, feedback is highly appreciated.
59112c9
Can you make this change optional?
59112c9
No. This addresses a huge security issue (the current encryption can be broken in seconds with the correct tools).
What is your use-case?
59112c9
I am using develop on my apps, and this will break it, will check if I use the Crypt class in my apps...
59112c9
It shouldn't. If it detects a string encrypted with the old method, it will automatically use legacy_decode() and convert it to the new encryption when saved again.
The only challenge you may have is a storage problem. Since the new encryption uses longer keys, plus a random salt and a random nonce, the encrypted result is about 120 bytes longer.
We're using develop on our apps too, I'm planning to migrate the first today, so then we'll know.
59112c9
Just updated the first app. Went without a hitch, the encrypted session cookie was converted without the loss of the session, transparent for the end user.
59112c9
Also tested the pecl-libsodium extension (ext-libsodium), works fine too. I don't have PHP 7.2 handy at the moment, which has sodium support built-in, and doesn't need the sodium-compat composer package.
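
The migrate-on-read behaviour discussed in this thread, as an added sketch that is not FuelPHP's Crypt code and not written by anyone in the thread. The `S1:` format tag, the function names, the BLAKE2b key derivation and the base64 stand-in for the old decoder are all assumptions, and the secret is assumed to be 32 random bytes.

```php
<?php
// Added illustration, not FuelPHP's Crypt code. The "S1:" tag, the function names,
// the key derivation and the legacy stand-in are assumptions made for this sketch.
const TAG = 'S1:';
const SALT_LEN = 16;

function message_key(string $secret, string $salt): string
{
    // Keyed BLAKE2b over the salt; $secret is assumed to be 32 random bytes.
    return sodium_crypto_generichash($salt, $secret, SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

function encrypt_new(string $plain, string $secret): string
{
    $salt  = random_bytes(SALT_LEN);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plain, $nonce, message_key($secret, $salt));
    return TAG . base64_encode($salt . $nonce . $box);
}

/** Returns [plaintext or null, true when the value should be re-encrypted on save]. */
function decrypt_any(string $stored, string $secret, callable $legacyDecode): array
{
    if (strncmp($stored, TAG, strlen(TAG)) !== 0) {
        return [$legacyDecode($stored), true];   // untagged: old-format value
    }
    $raw  = base64_decode(substr($stored, strlen(TAG)), true);
    $head = SALT_LEN + SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $head + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return [null, false];                    // malformed or truncated
    }
    $key   = message_key($secret, substr($raw, 0, SALT_LEN));
    $nonce = substr($raw, SALT_LEN, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, $head), $nonce, $key);
    return [$plain === false ? null : $plain, false];  // false = failed authentication
}

// Constructed sample data: base64 stands in for the old decoder, which is not shown on the page.
$secret = random_bytes(32);
$legacy = function (string $s) { $p = base64_decode($s, true); return $p === false ? null : $p; };
$old    = base64_encode('user_id=42;role=editor');

list($plain, $stale) = decrypt_any($old, $secret, $legacy);
$new = ($stale && $plain !== null) ? encrypt_new($plain, $secret) : $old;
printf("old %d bytes, new %d bytes\n", strlen($old), strlen($new)); // size check for fixed-width columns

list($again, $stale2) = decrypt_any($new, $secret, $legacy);
var_dump($again === $plain, $stale2);            // round trip succeeds, no further rewrite needed
```

In this sketch any untagged input falls through to the legacy decoder, so the old path stays reachable until every stored value has been rewritten; remove the fallback once migration is complete.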