Tags: php, encryption, openssl, opencart, mcrypt

Replace Mcrypt Encryption with OpenSSL Encryption for OpenCart CMS


I have OpenCart 1.5.6.4 with an encryption.php file in the system/library folder.
The code in encryption.php is:

<?php
// Original OpenCart 1.5.6.4 system/library/encryption.php (mcrypt based).
final class Encryption {
    private $key;
    private $iv;

    public function __construct($key) {
        // Derive a 32-byte key from the configured secret.
        $this->key = hash('sha256', $key, true);
        // A fresh IV per object that is never stored, so a later request cannot reuse it.
        // ECB mode ignores the IV entirely, which is why decryption still works.
        $this->iv = mcrypt_create_iv(32, MCRYPT_RAND);
    }

    public function encrypt($value) {
        // Rijndael with a 256-bit block in ECB mode, then URL-safe base64 ('+/=' -> '-_,').
        return strtr(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->key, $value, MCRYPT_MODE_ECB, $this->iv)), '+/=', '-_,');
    }

    public function decrypt($value) {
        // Reverse the URL-safe substitution, decode, and trim the NUL bytes mcrypt pads with.
        return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->key, base64_decode(strtr($value, '-_,', '+/=')), MCRYPT_MODE_ECB, $this->iv));
    }
}
?>

For migration from PHP 5.6 to PHP 7.2, I need to replace Mcrypt encryption with OpenSSL encryption.
I have replaced mcrypt_create_iv(32, MCRYPT_RAND) with openssl_random_pseudo_bytes(32, true), but for the encrypt function and the decrypt function, I do not know what parameters to use for these functions.
What changes are needed in the encryption.php code?


Solution

  • I originally wrote this to address the empty iv warning that comes up with the current encryption class for OC3:

    Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended

    And recently backported it to work with OC1.5 for the precise reason you posted this question. Here's a complete drop-in replacement for system/library/encryption.php that will work on OC1.5.6.4 and PHP 7.2:

    <?php
    // Drop-in replacement for system/library/encryption.php using ext/openssl.
    final class Encryption {
    
        private $cipher = 'aes-256-ctr';
        private $digest = 'sha256';
        private $key;
    
        public function __construct($key) {
            $this->key = $key;
        }
    
        public function encrypt($value) {
            // Derive a 32-byte AES-256 key from the configured secret.
            $key       = openssl_digest($this->key, $this->digest, true);
            // Fresh random IV per message (16 bytes for CTR), prepended to the
            // ciphertext so decrypt() can recover it from the token itself.
            $iv_length = openssl_cipher_iv_length($this->cipher);
            $iv        = openssl_random_pseudo_bytes($iv_length);
            return base64_encode($iv . openssl_encrypt($value, $this->cipher, $key, OPENSSL_RAW_DATA, $iv));
        }
    
        public function decrypt($value) {
            $result    = null;
            $key       = openssl_digest($this->key, $this->digest, true);
            $iv_length = openssl_cipher_iv_length($this->cipher);
            $value     = base64_decode($value);
            // Split the IV off the front; input too short to hold one yields null.
            $iv        = substr($value, 0, $iv_length);
            $value     = substr($value, $iv_length);
            if (strlen($iv) == $iv_length) {
                $result = openssl_decrypt($value, $this->cipher, $key, OPENSSL_RAW_DATA, $iv);
            }
            return $result;
        }
    }
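The class in the answer fixes the empty-IV warning, but like the mcrypt original it produces unauthenticated ciphertext: in CTR mode flipping a bit of the ciphertext flips the same bit of the plaintext, and decrypt() hands back the altered string with no error. Two further points matter before migrating. OpenSSL has no cipher with Rijndael's 256-bit block size, so anything encrypted with MCRYPT_RIJNDAEL_256 cannot be decrypted by either openssl-based class and persisted values must be re-issued. And the original class used a URL-safe alphabet ('+/=' -> '-_,'), which the answer drops, so its tokens need urlencoding if they end up in query strings. The class below is an added example, not OpenCart's code and not the answer's: it keeps the answer's layout (IV prepended, SHA-256-derived key) but uses aes-256-gcm so tampering is detected, and restores the URL-safe encoding. The class name, the constructed secret and the sample plaintext are assumptions for illustration; it needs PHP 7.1 or later for the tag arguments of openssl_encrypt/openssl_decrypt.

```php
<?php
// Added example (not OpenCart's code, not from the answer above): an authenticated
// variant of the openssl-based class. Assumes PHP >= 7.1 and the same constructor
// contract as OpenCart's Encryption class (a single secret string).
final class AuthenticatedEncryption {
    private $cipher    = 'aes-256-gcm';
    private $tagLength = 16;
    private $key;

    public function __construct($secret) {
        // Same key derivation as the classes above: raw SHA-256 of the secret.
        $this->key = hash('sha256', $secret, true);
    }

    public function encrypt($value) {
        $ivLength = openssl_cipher_iv_length($this->cipher); // 12 bytes for GCM
        $iv       = random_bytes($ivLength);                 // CSPRNG; throws if unavailable
        $tag      = '';
        $cipherText = openssl_encrypt($value, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv, $tag, '', $this->tagLength);
        if ($cipherText === false) {
            throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
        }
        // Token layout: iv || tag || ciphertext, in the URL-safe alphabet the
        // original mcrypt class used ('+/=' -> '-_,'), so it can sit in a query string.
        return strtr(base64_encode($iv . $tag . $cipherText), '+/=', '-_,');
    }

    public function decrypt($value) {
        // Strict decoding: reject anything outside the expected alphabet.
        $raw = base64_decode(strtr($value, '-_,', '+/='), true);
        if ($raw === false) {
            return false;
        }
        $ivLength = openssl_cipher_iv_length($this->cipher);
        if (strlen($raw) < $ivLength + $this->tagLength) {
            return false; // too short to contain an IV and a tag
        }
        $iv         = substr($raw, 0, $ivLength);
        $tag        = substr($raw, $ivLength, $this->tagLength);
        $cipherText = substr($raw, $ivLength + $this->tagLength);
        // Returns false whenever the tag does not verify, i.e. on any bit flip
        // in the IV, the tag or the ciphertext. An unauthenticated mode (ECB or
        // CTR) would instead return silently corrupted plaintext here.
        return openssl_decrypt($cipherText, $this->cipher, $this->key, OPENSSL_RAW_DATA, $iv, $tag);
    }
}

// Demonstration with a constructed secret and plaintext: round trip succeeds,
// a single flipped ciphertext bit makes decrypt() return false.
function demo() {
    $secret = 'constructed-example-secret';
    $enc    = new AuthenticatedEncryption($secret);
    $token  = $enc->encrypt('order_id=1234');
    var_dump($enc->decrypt($token) === 'order_id=1234');   // bool(true)

    // Flip the low bit of the last ciphertext byte, then re-encode.
    $raw = base64_decode(strtr($token, '-_,', '+/='), true);
    $last = strlen($raw) - 1;
    $raw[$last] = chr(ord($raw[$last]) ^ 0x01);
    $tampered = strtr(base64_encode($raw), '+/=', '-_,');
    var_dump($enc->decrypt($tampered));                     // bool(false)
}
demo();
```

Callers of OpenCart's Encryption treat decrypt() as returning a string, so a site-wide swap to this class also means handling the false return (treat it as an invalid token and reject the request) rather than passing it on to SQL or business logic.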