Update encryption.php #6326

Open
wants to merge 2 commits into
base: master
from

billynoah commented Jan 8, 2018

The current encryption class contains some legacy code and fails to implement an IV in such a way as to satisfy the openssl functions. Because of this, most modern versions of PHP will throw a warning which is visible to the admin user: "Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended"

This is more or less a complete rewrite using all openssl library functions, sha256 digest and (currently) the strongest encryption cipher I know of, 'aes-256-ctr'. Both the cipher and digest are now class properties, which should make this easy to update in the future should these become obsolete.

I've tested this on PHP 5.6, 7.0 and 7.1 with success.

billynoah added some commits Jan 8, 2018

Update encryption.php
The current encryption class contains some legacy code and fails to implement an IV in such a way as to satisfy the openssl functions. Because of this, most modern versions of PHP will throw a warning which is visible to the admin user: "Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended"

This is more or less a complete rewrite using all openssl library functions, sha256 digest and (currently) the strongest encryption cipher I know of, 'aes-256-ctr'. Both the cipher and digest are now class properties, which should make this easy to update in the future should these become obsolete.

I've tested this on PHP 5.6, 7.0 and 7.1 with success.

Update encryption.php
Validate `iv` is the correct length. Avoids warning if invalid encryption string is passed in.
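
The IV handling described in the PR description and the second commit message, as an added example that is not the code from this pull request. The class name `ExampleEncryption`, the key derivation via `openssl_digest`, and the base64 "IV followed by ciphertext" layout are assumptions made for illustration; only the cipher and digest names come from the page.

```php
<?php
// Added example, not the PR's code. Class name, key derivation and the
// token layout base64(IV . ciphertext) are assumptions for illustration.
final class ExampleEncryption
{
    private $cipher = 'aes-256-ctr'; // cipher named in the PR description
    private $digest = 'sha256';      // digest named in the PR description
    private $key;

    public function __construct($secret)
    {
        // Assumption: hash the configured secret into a 32-byte raw key.
        $this->key = openssl_digest($secret, $this->digest, true);
    }

    public function encrypt($plaintext)
    {
        $ivLength = openssl_cipher_iv_length($this->cipher);
        // Fresh random IV per message: reusing an IV under CTR repeats the keystream.
        // openssl_random_pseudo_bytes is used because the PR targets PHP 5.6 as well.
        $iv = openssl_random_pseudo_bytes($ivLength);
        $ciphertext = openssl_encrypt($plaintext, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv);
        if ($ciphertext === false) {
            throw new RuntimeException('openssl_encrypt failed');
        }
        // CTR gives confidentiality only; this sketch adds no integrity check.
        return base64_encode($iv . $ciphertext);
    }

    public function decrypt($encoded)
    {
        $ivLength = openssl_cipher_iv_length($this->cipher);
        $raw = base64_decode($encoded, true);
        // Reject malformed input before calling OpenSSL, so a short or
        // non-base64 string never reaches openssl_decrypt with a bad IV.
        if ($raw === false || strlen($raw) < $ivLength) {
            return false;
        }
        $iv = substr($raw, 0, $ivLength);
        $ciphertext = (string) substr($raw, $ivLength); // cast: substr() may return false on PHP < 8
        return openssl_decrypt($ciphertext, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv);
    }
}

$enc = new ExampleEncryption('constructed-demo-secret'); // constructed sample secret
$token = $enc->encrypt('order #1001');                   // constructed sample input
var_dump($enc->decrypt($token) === 'order #1001');        // round trip
var_dump($enc->decrypt('not-valid') === false);           // invalid string rejected without a warning
var_dump($enc->encrypt('same') !== $enc->encrypt('same')); // per-message IV changes the token
```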

billynoah commented May 4, 2018

Update - tested on PHP 7.2 and no conflicts.

For the sake of anyone still on OC1.5, here's a drop-in replacement of the version provided here that will work on older versions of OpenCart: https://forum.opencart.com/viewtopic.php?f=181&t=199924&p=722688#p722648
