I have OpenCart 1.5.6.4 with the encryption.php file in the system library folder.
The code in encryption.php is:

```php
<?php
final class Encryption {
    private $key;
    private $iv;

    public function __construct($key) {
        $this->key = hash('sha256', $key, true);
        $this->iv = mcrypt_create_iv(32, MCRYPT_RAND);
    }

    public function encrypt($value) {
        return strtr(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $value, MCRYPT_MODE_ECB, $this->iv)), '+/=', '-_,');
    }

    public function decrypt($value) {
        return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, base64_decode(strtr($value, '-_,', '+/=')), MCRYPT_MODE_ECB, $this->iv));
    }
}
?>
```

For migration from PHP 5.6 to PHP 7.2, I need to replace Mcrypt encryption with OpenSSL encryption.
I have replaced mcrypt_create_iv(32, MCRYPT_RAND) with openssl_random_pseudo_bytes(32, true), but for the encrypt and decrypt functions, I do not know what parameters to use.
What changes are needed in the encryption.php code?

Pasakgroup
  • Possible duplicate of [MCrypt rijndael-256 to OpenSSL aes-256-ecb conversion](https://stackoverflow.com/questions/49997338/mcrypt-rijndael-256-to-openssl-aes-256-ecb-conversion) – Jirka Hrazdil Jul 03 '18 at 17:40
  • @jiri-hrazdil , If you read carefully you will find that these two questions are very different. – Pasakgroup Jul 03 '18 at 18:01
  • `openssl_encrypt($data=$value, $method="AES-256-CBC", $key=$this->key, $options=OPENSSL_RAW_DATA, $iv=$this->iv)`. I assume you want to use `"AES-256-CBC"` because your key is 256 bits, and you're using an IV. If you insist on using ECB (not recommended) just replace "CBC" with "ECB". Either way you won't be able to decrypt your data because AES doesn't support 256 block size. – t.m.adam Jul 03 '18 at 19:06
  • @t.m.adam It works perfectly. – Pasakgroup Jul 03 '18 at 20:06
  • Great! Since you're using PHP 7.2 and compatibility isn't an issue apparently, consider using an [AEAD](https://en.wikipedia.org/wiki/Authenticated_encryption) cipher – t.m.adam Jul 03 '18 at 20:14

1 Answer

I originally wrote this to address the empty iv warning that comes up with the current encryption class for OC3:

Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended

And recently backported it to work with OC1.5 for the precise reason you posted this question. Here's a complete drop-in replacement for system/library/encryption.php that will work on OC1.5.6.4 and PHP7.2:

```php
<?php
final class Encryption {

    private $cipher = 'aes-256-ctr';
    private $digest = 'sha256';
    private $key;

    public function __construct($key) {
        $this->key = $key;
    }

    public function encrypt($value) {
        // Derive a 32-byte key from the configured key string
        $key       = openssl_digest($this->key, $this->digest, true);
        $iv_length = openssl_cipher_iv_length($this->cipher);
        // Fresh random IV for every message, stored in front of the ciphertext
        $iv        = openssl_random_pseudo_bytes($iv_length);
        return base64_encode($iv . openssl_encrypt($value, $this->cipher, $key, OPENSSL_RAW_DATA, $iv));
    }

    public function decrypt($value) {
        $result    = NULL;
        $key       = openssl_digest($this->key, $this->digest, true);
        $iv_length = openssl_cipher_iv_length($this->cipher);
        $value     = base64_decode($value);
        // Split the stored IV from the ciphertext
        $iv        = substr($value, 0, $iv_length);
        $value     = substr($value, $iv_length);
        // Only decrypt when a full-length IV was present
        if (strlen($iv) == $iv_length) {
            $result = openssl_decrypt($value, $this->cipher, $key, OPENSSL_RAW_DATA, $iv);
        }
        return $result;
    }
}
```
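
The AEAD suggestion from the comments, as an added example (not code from the question, the answer, or OpenCart): AES-256-GCM through the tag parameters that `openssl_encrypt()`/`openssl_decrypt()` accept since PHP 7.1, so modified ciphertext is rejected rather than decrypted, which the CTR class above does not check. The class name `AeadEncryption`, the IV/tag/ciphertext layout and the sample values are assumptions; tokens written by the Mcrypt or CTR classes cannot be read by it.

```php
<?php
// Added example; hypothetical class name, same encrypt()/decrypt() shape as above.
final class AeadEncryption {
    private $cipher = 'aes-256-gcm';
    private $key;

    public function __construct($key) {
        // Same key derivation as the question's class: raw SHA-256 of the configured key
        $this->key = hash('sha256', $key, true);
    }

    public function encrypt($value) {
        $iv  = random_bytes(openssl_cipher_iv_length($this->cipher)); // fresh IV per message
        $tag = '';
        $ct  = openssl_encrypt($value, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        // Assumed layout: IV || tag || ciphertext, URL-safe base64 like the OC 1.5 class
        return strtr(base64_encode($iv . $tag . $ct), '+/=', '-_,');
    }

    public function decrypt($value) {
        $raw    = base64_decode(strtr($value, '-_,', '+/='), true);
        $iv_len = openssl_cipher_iv_length($this->cipher);
        if ($raw === false || strlen($raw) < $iv_len + 16) {
            return false; // malformed or truncated input
        }
        $iv  = substr($raw, 0, $iv_len);
        $tag = substr($raw, $iv_len, 16);
        $ct  = substr($raw, $iv_len + 16);
        // Returns false when the tag does not verify (modified data or wrong key)
        return openssl_decrypt($ct, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
    }
}

// Constructed sample data
$enc   = new AeadEncryption('constructed-sample-key');
$token = $enc->encrypt('order_id=42');
var_dump($enc->decrypt($token) === 'order_id=42'); // round-trip check

// Flip one bit of the stored ciphertext and decrypt again: the tag check rejects it
$raw  = base64_decode(strtr($token, '-_,', '+/='));
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1);
var_dump($enc->decrypt(strtr(base64_encode($raw), '+/=', '-_,')));
```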