Replacing mcrypt_encrypt with MCRYPT_RIJNDAEL_256 with openssl_encrypt

As you probably know, the mcrypt extension will be deprecated in PHP 7.1.

I maintain an "outdated" application that I want to eventually migrate to this version, so I ran the tests and confirmed that I can no longer get 100% coverage, since there is a piece of code that uses the following:

    $key = 'sA*(DH';
    // initialization vector
    $iv = md5(md5($key));
    $output = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, $iv));

I tried porting this piece of code to openssl_encrypt using this code:

    $key = md5('sA*(DH');
    $iv = md5($key);
    echo base64_encode(openssl_encrypt($data, "aes-256-cbc", $key, OPENSSL_RAW_DATA, $iv));

But I have 2 problems with this:

  • IV should be 16 characters long (and md5 gives me 32), so I get a PHP warning
  • The output is not the same (even if I truncate to 16 characters)

Has anyone had similar problems (or does anyone know how to fix this)?

BTW: I am using the dev-master version of PHP (presumably 7.1.0 alpha 3).

+7
3 answers

You really have to give up the habit of using md5 for anything.

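    // random 16-byte IV for AES-CBC
    $iv = openssl_random_pseudo_bytes(16);
    // first 32 hex characters of the SHA-256 digest, used as the key
    $key = substr(hash('sha256', 'sA*(DH'), 0, 32);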

mcrypt_encrypt and openssl_encrypt will not output the same ciphertext with the same plaintext and key.

Also, mcrypt is deprecated in PHP 7.1, it is not removed ... so you can upgrade to 7.1 without changing from mcrypt to openssl ... but it is a good idea to remove mcrypt in general.

+1

There are 2 problems:

  1. MCrypt uses zero padding, while OpenSSL uses PKCS#7 by default
  2. OpenSSL requires the input string to have the correct length (a multiple of the block length)

To solve this problem:

  1. Add the OPENSSL_ZERO_PADDING flag to openssl_encrypt / openssl_decrypt
  2. If the length of the input string is not a multiple of the block length, append null characters "\0" [aka chr(0)] to the input string

In doing so, this should solve the problem:

    // key/iv in ASCII binary data, $str base64
    function decrypt_stuff($key, $str, $iv)
    {
        // $plaintext_dec = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, base64_decode($str), MCRYPT_MODE_CBC, $iv);
        $plaintext_dec = openssl_decrypt(base64_decode($str), "aes-256-cbc", $key, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv);
        return $plaintext_dec;
    }

    // key/iv in ascii binary data, $str ascii
    function encrypt_stuff($key, $str, $iv)
    {
        // $ciphertext = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $str, MCRYPT_MODE_CBC, $iv));
        // pad with NUL bytes up to the next multiple of the 16-byte block
        if (($l = (strlen($str) & 15)) > 0) {
            $str .= str_repeat(chr(0), 16 - $l);
        }
        $ciphertext = base64_encode(openssl_encrypt($str, "aes-256-cbc", $key, OPENSSL_RAW_DATA|OPENSSL_ZERO_PADDING, $iv));
        return $ciphertext;
    }

0

Another proven solution that takes and returns ANSI text to replace the Mcrypt function with openssl_encrypt() and openssl_decrypt():

    // Return encrypted string, or false if the cipher is unavailable (class method)
    public function stringEncrypt($plainText, $cryptKey = '7R7zX2Urc7qvjhkr')
    {
        $encodedText = false;
        $cipher = 'aes-128-cbc';
        if (in_array($cipher, openssl_get_cipher_methods())) {
            $ivlen = openssl_cipher_iv_length($cipher);
            $iv = openssl_random_pseudo_bytes($ivlen);
            $ciphertext_raw = openssl_encrypt($plainText, $cipher, $cryptKey, OPENSSL_RAW_DATA, $iv);
            $hmac = hash_hmac('sha256', $ciphertext_raw, $cryptKey, true);
            // layout: IV, then 32-byte HMAC, then ciphertext
            $encodedText = base64_encode($iv . $hmac . $ciphertext_raw);
        }
        return $encodedText;
    }

    // Return decrypted string, or false if the HMAC does not match (class method)
    public function stringDecrypt($encodedText, $cryptKey = '7R7zX2Urc7qvjhkr')
    {
        $plainText = false;
        $c = base64_decode($encodedText);
        $cipher = 'aes-128-cbc';
        if (in_array($cipher, openssl_get_cipher_methods())) {
            $ivlen = openssl_cipher_iv_length($cipher);
            $iv = substr($c, 0, $ivlen);
            $hmac = substr($c, $ivlen, $sha2len = 32);
            $ciphertext_raw = substr($c, $ivlen + $sha2len);
            // verify the stored HMAC with a constant-time compare before decrypting
            $calcmac = hash_hmac('sha256', $ciphertext_raw, $cryptKey, true);
            if (hash_equals($hmac, $calcmac)) {
                $plainText = openssl_decrypt($ciphertext_raw, $cipher, $cryptKey, OPENSSL_RAW_DATA, $iv);
            }
        }
        return $plainText;
    }

Read the openssl documentation for more details.

0
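The padding fix from the second answer and the IV-plus-HMAC layout from the third, combined into a migration path, as an added example that is not part of any answer above: it reads a zero-padded legacy record through OpenSSL, then re-encrypts it with a random IV and a MAC that is checked before decryption. All function and constant names are hypothetical, and it assumes the legacy data is AES-CBC with a 128-bit block (MCRYPT_RIJNDAEL_128, as in the second answer's code) and that separate encryption and MAC keys are available.

```php
<?php
// Added example; every function and constant name here is hypothetical.
const CIPHER = 'aes-256-cbc';
const MAC_LEN = 32; // raw SHA-256 HMAC length
// Read a record written by the legacy scheme: CBC, zero padding, caller-supplied IV.
function legacy_decrypt(string $b64, string $key, string $iv): string
{
    $raw = openssl_decrypt((string) base64_decode($b64, true), CIPHER, $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv);
    if ($raw === false) {
        throw new RuntimeException('legacy decrypt failed');
    }
    // Zero padding stores no length, so genuine trailing NUL bytes are lost here.
    return rtrim($raw, "\0");
}

// New format: base64(iv || hmac || ciphertext), PKCS#7 padding, fresh random IV.
function seal(string $plain, string $encKey, string $macKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plain, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . hash_hmac('sha256', $iv . $ct, $macKey, true) . $ct);
}

function unseal(string $b64, string $encKey, string $macKey): string
{
    $c = (string) base64_decode($b64, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    $iv = substr($c, 0, $ivLen);
    $mac = substr($c, $ivLen, MAC_LEN);
    $ct = substr($c, $ivLen + MAC_LEN);
    // Verify the MAC in constant time before any decryption is attempted.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        throw new RuntimeException('MAC check failed');
    }
    $plain = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        throw new RuntimeException('decrypt failed');
    }
    return $plain;
}

// Constructed sample: a legacy-style record built with zero padding, then migrated.
[$oldKey, $oldIv] = [random_bytes(32), random_bytes(16)];
$legacy = base64_encode(openssl_encrypt(str_pad('legacy record', 16, "\0"), CIPHER,
    $oldKey, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $oldIv));
[$encKey, $macKey] = [random_bytes(32), random_bytes(32)];
$sealed = seal(legacy_decrypt($legacy, $oldKey, $oldIv), $encKey, $macKey);
echo unseal($sealed, $encKey, $macKey), PHP_EOL;
```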
