Fixes mcrypt_encrypt deprecation

The mcrypt_encrypt function has been DEPRECATED as of PHP 7.1.0. We are encouraged to use openssl_encrypt instead.
spotorm · Aug 2, 2018 · 277ba44 · 277ba44
1 parent db62fc6
commit 277ba44
Showing 1 changed file with 28 additions and 14 deletions.
diff --git a/tests/Type/Encrypted.php b/tests/Type/Encrypted.php
@@ -7,11 +7,13 @@
 class Encrypted extends Type
 {
     public static $key;
+    private static $hashing = 'SHA256';
+    private static $cipher = 'AES-128-CBC';
 
     public function convertToPHPValue($value, AbstractPlatform $platform)
     {
         if (is_string($value)) {
-            $value = self::aes256_decrypt(self::$key, base64_decode($value));
+            $value = self::aes256_decrypt(self::$key, self::$hashing, self::$cipher, base64_decode($value));
         } else {
             $value = null;
         }
@@ -21,7 +23,7 @@ public function convertToPHPValue($value, AbstractPlatform $platform)
 
     public function convertToDatabaseValue($value, AbstractPlatform $platform)
     {
-        return base64_encode(self::aes256_encrypt(self::$key, $value));
+        return base64_encode(self::aes256_encrypt(self::$key, self::$hashing, self::$cipher, $value));
     }
 
     public function getName()
@@ -34,21 +36,33 @@ public function getSqlDeclaration(array $fieldDeclaration, AbstractPlatform $pla
         return 'TEXT';
     }
 
-    private function aes256_encrypt($key, $data)
+    private function aes256_encrypt($key, $hashing, $cipher, $data)
     {
-      if(32 !== strlen($key)) $key = hash('SHA256', $key, true);
-      $padding = 16 - (strlen($data) % 16);
-      $data .= str_repeat(chr($padding), $padding);
-
-      return mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, str_repeat("\0", 16));
+        if(32 !== strlen($key)) $key = hash($hashing, $key, true);
+
+        $ivlen = openssl_cipher_iv_length($cipher);
+        $iv = openssl_random_pseudo_bytes($ivlen);
+        $ciphertext_raw = openssl_encrypt($data, $cipher, $key, $options = OPENSSL_RAW_DATA, $iv);
+        $hmac = hash_hmac($hashing, $ciphertext_raw, $key, $as_binary = true);
+
+        return $iv.$hmac.$ciphertext_raw;
     }
 
-    private function aes256_decrypt($key, $data)
+    private function aes256_decrypt($key, $hashing, $cipher, $data)
     {
-      if(32 !== strlen($key)) $key = hash('SHA256', $key, true);
-      $data = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, str_repeat("\0", 16));
-      $padding = ord($data[strlen($data) - 1]);
-
-      return substr($data, 0, -$padding);
+        if(32 !== strlen($key)) $key = hash($hashing, $key, true);
+
+        $ivlen = openssl_cipher_iv_length($cipher);
+        $iv = substr($data, 0, $ivlen);
+        $hmac = substr($data, $ivlen, $sha2len = 32);
+        $ciphertext_raw = substr($data, $ivlen + $sha2len);
+        $original = openssl_decrypt($ciphertext_raw, $cipher, $key, $options = OPENSSL_RAW_DATA, $iv);
+        $calcmac = hash_hmac($hashing, $ciphertext_raw, $key, $as_binary = true);
+
+        if (hash_equals($hmac, $calcmac)) { // PHP 5.6+ timing attack safe comparison
+            return $original;
+        } else {
+            throw new \RuntimeException("Timing attack safe string comparison failed.");
+        }
     }
 }