Joomla! Issue Tracker - CMS

Download
Launch
Feeling Lucky

[#12134] - Use Framework Crypt package

? ? Failure

User tests: Successful: Unsuccessful:

avatar mbabker
mbabker
21 Sep 2016

Summary of Changes

Pull in the Framework's Crypt package, rebase the JCrypt classes onto it.

This pulls in the updated defuse/php-encryption package too. It has B/C breaks between the version we have now and 2.0 but it's written in a way the two can be used side-by-side.

The random_bytes() polyfill is updated too as a requirement of the updated encryption package. The change here is that it doesn't use the OpenSSL pseudo random number generator.

Testing Instructions

The encryption API continues to work.

Documentation Changes Required

JCryptKey is now an immutable object. Pass all values into the constructor when creating it.

There are now getter methods for all key properties, use those instead of direct access.

avatar mbabker mbabker - open - 21 Sep 2016
avatar mbabker mbabker - change - 21 Sep 2016
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 21 Sep 2016
Category Repository External Library Libraries
avatar joomla-cms-bot joomla-cms-bot - change - 21 Sep 2016
Labels Added: ? ?
avatar zero-24
zero-24 - comment - 21 Sep 2016

Can we remove with this change the old cipher that are vulnerable? If you agree i can do it in a different PR.

  • JCryptCipher3Des
  • JCryptCipherBlowfish
  • JCryptCipherMcrypt
  • JCryptCipherRijndael256
  • JCryptCipherSimple
avatar mbabker
mbabker - comment - 21 Sep 2016

If they're deprecated then yes they should be dumped. I just aimed to make
everything that's there now work, wasn't looking for class deletion.

On Wednesday, September 21, 2016, zero-24 notifications@github.com wrote:

Can we remove with this change the old cipher that are vulnerable? If you
agree i can do it in a different PR.

  • JCryptCipher3Des
  • JCryptCipherBlowfish
  • JCryptCipherMcrypt
  • JCryptCipherRijndael256
  • JCryptCipherSimple


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#12134 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAWfoUa0n_nmSG949PWKZ_O3tBMqntYsks5qsYhKgaJpZM4KDMLW
.

avatar zero-24
zero-24 - comment - 21 Sep 2016

Ok i'm going to prepare two PRs than one for staging and one for 4.0 ?

avatar wilsonge
wilsonge - comment - 22 Sep 2016

I merged @zero-24 's PR before I saw this. Unsure how we want to proceed with this? Remove the unsecure ones from the framework? Do we even want to be doing this ourselves or is there a better 3rd party full implementation?

avatar mbabker
mbabker - comment - 22 Sep 2016

They're already gone in the Framework. All that's left is the defuse
package crypto class.

On Thursday, September 22, 2016, George Wilson notifications@github.com
wrote:

I merged @zero-24 https://github.com/zero-24 's PR before I saw this.
Unsure how we want to proceed with this? Remove the unsecure ones from the
framework? Do we even want to be doing this ourselves or is there a better
3rd party full implementation?


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#12134 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAWfoZo7YUSHaOmsI7sJnvaPwwS3o77Yks5qsckbgaJpZM4KDMLW
.

avatar mbabker
mbabker - comment - 22 Sep 2016

I've rebased this.

avatar wilsonge wilsonge - change - 23 Sep 2016
Status Pending Fixed in Code Base
Closed_Date 0000-00-00 00:00:00 2016-09-23 09:01:23
Closed_By wilsonge

Add a Comment

Login with GitHub to post a comment