mcrypt library is long ago abandoned #7215
Comments
I confirm that everything said about mcrypt not being maintained is true. It's good to replace it, and openssl looks like a good alternative.
Not sure about the milestone though, since while the API could be compatible, requirements won't be.
In terms of requirements, on Linux, BSD or most Unix platforms, OpenSSL will be required only for encrypt and decrypt. On Windows, OpenSSL will be required also for randomness. So requirements will change, but OpenSSL will, on *nux/nix platforms, be not a requirement for Yii but a requirement for encrypt/decrypt, which is much weaker.
The OpenSSL extension is required for Composer to download from secure locations, so it's likely installed.
Completely untested first draft; only look at it if you're really interested. It's not ready for real review.
It's definitely time to upgrade to OpenSSL or better. Requirements are less important in my opinion.
Reading the RFC mailing list is so painful. PHP is not great because of its custodians but despite them. The scalar typehinting vote right now is a huge example.
@Faryshta yup, but let's keep on topic.
In my yii2 repo these two classes are passing the tests: https://github.com/tom--/yii2/blob/7215-replace-mcrypt/framework/base/Security.php I'm not happy about the base64 bullshit on lines 179 and 219. But I couldn't get openssl_en/decrypt to work with raw binary data. Any help greatly appreciated. I added unit tests and test vectors to test:
The whole thing is confusing and I don't know how to organize this so we have regression tests for forwards and backwards compat in future releases of Yii. Again, any help greatly appreciated. The SecurityTest class also has the test vector generator I needed, but that isn't actually a test. It should be removed and the test vectors set in stone once we have this figured out.
For reference: https://twitter.com/ircmaxell/status/564919926700658689
Not sure what to do with base64encode. All PHP implementations I'm aware of are using it. I guess we need to move the old implementation into tests in order to check backwards compatibility.
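The base64 question raised in the two comments above comes down to one flag: `openssl_encrypt()` returns base64 text unless it is called with `OPENSSL_RAW_DATA`, in which case it returns (and `openssl_decrypt()` accepts) raw bytes, so no base64 layer is needed for binary data. The following is an added example, not code from the linked yii2 branch or from the framework, showing raw-mode AES-128-CBC with a random IV and an encrypt-then-MAC check so that truncated or modified input is rejected before decryption is attempted. The function names `encryptRaw`/`decryptRaw` and the two separate keys are assumptions of this example, not Yii's API; the sample keys and plaintext are constructed for the demo.

```php
<?php
// Added example: raw-binary AES-CBC with openssl_encrypt()/openssl_decrypt()
// using OPENSSL_RAW_DATA, plus HMAC-SHA256 encrypt-then-MAC. Not Yii code.
// Needs ext/openssl and PHP >= 5.6 (hash_equals); no scalar type hints so it
// also runs on PHP 5.x as discussed in this thread.

define('EXAMPLE_CIPHER', 'aes-128-cbc'); // 16-byte key, 16-byte IV, PKCS#7 padding
define('EXAMPLE_MAC_LEN', 32);           // raw HMAC-SHA256 output length

// $encKey must be exactly 16 bytes for aes-128-cbc; $macKey is a separate key.
function encryptRaw($plaintext, $encKey, $macKey)
{
    $ivLen = openssl_cipher_iv_length(EXAMPLE_CIPHER);
    $iv = openssl_random_pseudo_bytes($ivLen);   // fresh IV per message
    // OPENSSL_RAW_DATA: input and output are raw bytes, no base64 involved.
    $ct = openssl_encrypt($plaintext, EXAMPLE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    // MAC over IV || ciphertext; raw (binary) output, hence the 4th argument.
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $mac . $iv . $ct;  // layout: MAC(32) || IV(16) || ciphertext
}

function decryptRaw($blob, $encKey, $macKey)
{
    $ivLen = openssl_cipher_iv_length(EXAMPLE_CIPHER);
    // Reject anything too short to even hold MAC + IV + one cipher block.
    if (strlen($blob) < EXAMPLE_MAC_LEN + $ivLen + 16) {
        throw new RuntimeException('input truncated');
    }
    $mac = substr($blob, 0, EXAMPLE_MAC_LEN);
    $iv  = substr($blob, EXAMPLE_MAC_LEN, $ivLen);
    $ct  = substr($blob, EXAMPLE_MAC_LEN + $ivLen);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    // Constant-time comparison; verify before touching the ciphertext.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('MAC mismatch: data modified or wrong key');
    }
    $pt = openssl_decrypt($ct, EXAMPLE_CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed: ' . openssl_error_string());
    }
    return $pt;
}

// --- demo with constructed values (real keys would come from a KDF) ---
$encKey = openssl_random_pseudo_bytes(16);
$macKey = openssl_random_pseudo_bytes(32);
$msg = "binary test vector \x00\xff\x10 with NUL and high bytes";

$blob = encryptRaw($msg, $encKey, $macKey);
echo decryptRaw($blob, $encKey, $macKey) === $msg ? "round trip ok\n" : "round trip FAILED\n";

// Flip one bit of the last ciphertext byte: the MAC check rejects it
// before openssl_decrypt() is ever called.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decryptRaw($tampered, $encKey, $macKey);
    echo "tampering NOT detected\n";
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Two points worth keeping in mind when reading this against the thread: `openssl_encrypt()` silently zero-pads a key shorter than the cipher expects (newer PHP versions warn), so the key length should be enforced by the caller; and storing test vectors as raw bytes only works if the regression tests compare binary strings rather than printing them, which is the one place base64 or hex encoding still earns its keep.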
I may be wrong, but according to php.net it was updated at least once in version 5.6. Also, openssl and mcrypt are mature and don't need to be changed often.
@yurii-github PHP's library is a wrapper around C mcrypt that was abandoned in 2003. There are about 10 bugs most probably related to the algorithm itself that aren't going to be fixed, since some of these are 12 years old.
The upstream we all derive from hasn't been touched by its authors in 8 years. The last update in Debian was 5 or 6 years ago. RHEL has dropped it.
I think it's a fairly straightforward task to replace everything we use from mcrypt in yii\base\Security. The API will be backwards compatible, and I think encrypted data will be compatible too, if we do it right.
So I think we can remove mcrypt from Security without it being a breaking change. The headache for users would be the openssl extension requirement. But I think that is widely deployed already because PHP relies on it for all the SSL I/O in built-ins.
There may be small gains too, e.g. better random numbers on Windows.
I will start work this week if there's consensus to do this.