Issues in Encrypt.php (develop) - Issues in develop - ci-bonfire/Sprint - Measure and Improve Code Quality continuously with Scrutinizer

Issues (423)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

system/libraries/Encrypt.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * CodeIgniter
 *
 * An open source application development framework for PHP
 *
 * This content is released under the MIT License (MIT)
 *
 * Copyright (c) 2014 - 2015, British Columbia Institute of Technology
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 *
 * @package	CodeIgniter
 * @author	EllisLab Dev Team
 * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
 * @copyright	Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/)
 * @license	http://opensource.org/licenses/MIT	MIT License
 * @link	http://codeigniter.com
 * @since	Version 1.0.0
 * @filesource
 */
defined('BASEPATH') OR exit('No direct script access allowed');

/**
 * CodeIgniter Encryption Class
 *
 * Provides two-way keyed encoding using Mcrypt
 *
 * @package		CodeIgniter
 * @subpackage	Libraries
 * @category	Libraries
 * @author		EllisLab Dev Team
 * @link		http://codeigniter.com/user_guide/libraries/encryption.html
 */
class CI_Encrypt {

	/**
	 * Reference to the user's encryption key
	 *
	 * @var string
	 */
	public $encryption_key		= '';

	/**
	 * Type of hash operation
	 *
	 * @var string
	 */
	protected $_hash_type		= 'sha1';

	/**
	 * Flag for the existence of mcrypt
	 *
	 * @var bool
	 */
	protected $_mcrypt_exists	= FALSE;

	/**
	 * Current cipher to be used with mcrypt
	 *
	 * @var string
	 */
	protected $_mcrypt_cipher;

	/**
	 * Method for encrypting/decrypting data
	 *
	 * @var int
	 */
	protected $_mcrypt_mode;

	/**
	 * Initialize Encryption class
	 *
	 * @return	void
	 */
	public function __construct()
	{
		if (($this->_mcrypt_exists = function_exists('mcrypt_encrypt')) === FALSE)
		{
			show_error('The Encrypt library requires the Mcrypt extension.');
		}

		log_message('info', 'Encrypt Class Initialized');
	}

	// --------------------------------------------------------------------

	/**
	 * Fetch the encryption key
	 *
	 * Returns it as MD5 in order to have an exact-length 128 bit key.
	 * Mcrypt is sensitive to keys that are not the correct length
	 *
	 * @param	string
	 * @return	string
	 */
	public function get_key($key = '')
	{
		if ($key === '')
		{
			if ($this->encryption_key !== '')
			{
				return $this->encryption_key;
			}

			$key = config_item('encryption_key');

			if ( ! strlen($key))
			{
				show_error('In order to use the encryption class requires that you set an encryption key in your config file.');
			}
		}

		return md5($key);
	}

	// --------------------------------------------------------------------

	/**
	 * Set the encryption key
	 *
	 * @param	string
	 * @return	CI_Encrypt
	 */
	public function set_key($key = '')
	{
		$this->encryption_key = $key;
		return $this;
	}

	// --------------------------------------------------------------------

	/**
	 * Encode
	 *
	 * Encodes the message string using bitwise XOR encoding.
	 * The key is combined with a random hash, and then it
	 * too gets converted using XOR. The whole thing is then run
	 * through mcrypt using the randomized key. The end result
	 * is a double-encrypted message string that is randomized
	 * with each call to this function, even if the supplied
	 * message and key are the same.
	 *
	 * @param	string	the string to encode
	 * @param	string	the key
	 * @return	string
	 */
	public function encode($string, $key = '')
	{
		return base64_encode($this->mcrypt_encode($string, $this->get_key($key)));
	}

	// --------------------------------------------------------------------

	/**
	 * Decode
	 *
	 * Reverses the above process
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	public function decode($string, $key = '')
	{
		if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string) OR base64_encode(base64_decode($string)) !== $string)
		{
			return FALSE;
		}

		return $this->mcrypt_decode(base64_decode($string), $this->get_key($key));
	}

	// --------------------------------------------------------------------

	/**
	 * Encode from Legacy
	 *
	 * Takes an encoded string from the original Encryption class algorithms and
	 * returns a newly encoded string using the improved method added in 2.0.0
	 * This allows for backwards compatibility and a method to transition to the
	 * new encryption algorithms.
	 *
	 * For more details, see http://codeigniter.com/user_guide/installation/upgrade_200.html#encryption
	 *
	 * @param	string
	 * @param	int		(mcrypt mode constant)
	 * @param	string
	 * @return	string
	 */
	public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
	{
		if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
		{
			return FALSE;
		}

		// decode it first
		// set mode temporarily to what it was when string was encoded with the legacy
		// algorithm - typically MCRYPT_MODE_ECB
		$current_mode = $this->_get_mode();
		$this->set_mode($legacy_mode);

		$key = $this->get_key($key);
		$dec = base64_decode($string);
		if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
		{
			$this->set_mode($current_mode);
			return FALSE;
		}

		$dec = $this->_xor_decode($dec, $key);

		// set the mcrypt mode back to what it should be, typically MCRYPT_MODE_CBC
		$this->set_mode($current_mode);

		// and re-encode
		return base64_encode($this->mcrypt_encode($dec, $key));
	}

	// --------------------------------------------------------------------

	/**
	 * XOR Decode
	 *
	 * Takes an encoded string and key as input and generates the
	 * plain-text original message
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	protected function _xor_decode($string, $key)
	{
		$string = $this->_xor_merge($string, $key);

		$dec = '';
		for ($i = 0, $l = strlen($string); $i < $l; $i++)
		{
			$dec .= ($string[$i++] ^ $string[$i]);
		}

		return $dec;
	}

	// --------------------------------------------------------------------

	/**
	 * XOR key + string Combiner
	 *
	 * Takes a string and key as input and computes the difference using XOR
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	protected function _xor_merge($string, $key)
	{
		$hash = $this->hash($key);
		$str = '';
		for ($i = 0, $ls = strlen($string), $lh = strlen($hash); $i < $ls; $i++)
		{
			$str .= $string[$i] ^ $hash[($i % $lh)];
		}

		return $str;
	}

	// --------------------------------------------------------------------

	/**
	 * Encrypt using Mcrypt
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	public function mcrypt_encode($data, $key)
	{
		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
		$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
		return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key);
	}

	// --------------------------------------------------------------------

	/**
	 * Decrypt using Mcrypt
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	public function mcrypt_decode($data, $key)
	{
		$data = $this->_remove_cipher_noise($data, $key);
		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());

		if ($init_size > strlen($data))
		{
			return FALSE;
		}

		$init_vect = substr($data, 0, $init_size);
		$data = substr($data, $init_size);
		return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
	}

	// --------------------------------------------------------------------

	/**
	 * Adds permuted noise to the IV + encrypted data to protect
	 * against Man-in-the-middle attacks on CBC mode ciphers
	 * http://www.ciphersbyritter.com/GLOSSARY.HTM#IV
	 *
	 * @param	string
	 * @param	string
	 * @return	string
	 */
	protected function _add_cipher_noise($data, $key)
	{
		$key = $this->hash($key);
		$str = '';

		for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
		{
			if ($j >= $lk)
			{
				$j = 0;
			}

			$str .= chr((ord($data[$i]) + ord($key[$j])) % 256);
		}

		return $str;
	}

	// --------------------------------------------------------------------

	/**
	 * Removes permuted noise from the IV + encrypted data, reversing
	 * _add_cipher_noise()
	 *
	 * Function description
	 *
	 * @param	string	$data
	 * @param	string	$key
	 * @return	string
	 */
	protected function _remove_cipher_noise($data, $key)
	{
		$key = $this->hash($key);
		$str = '';

		for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
		{
			if ($j >= $lk)
			{
				$j = 0;
			}

			$temp = ord($data[$i]) - ord($key[$j]);

			if ($temp < 0)
			{
				$temp += 256;
			}

			$str .= chr($temp);
		}

		return $str;
	}

	// --------------------------------------------------------------------

	/**
	 * Set the Mcrypt Cipher
	 *
	 * @param	int
	 * @return	CI_Encrypt
	 */
	public function set_cipher($cipher)
	{
		$this->_mcrypt_cipher = $cipher;
		return $this;
	}

	// --------------------------------------------------------------------

	/**
	 * Set the Mcrypt Mode
	 *
	 * @param	int
	 * @return	CI_Encrypt
	 */
	public function set_mode($mode)
	{
		$this->_mcrypt_mode = $mode;
		return $this;
	}

	// --------------------------------------------------------------------

	/**
	 * Get Mcrypt cipher Value
	 *
	 * @return	int
	 */
	protected function _get_cipher()
	{
		if ($this->_mcrypt_cipher === NULL)
		{
			return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256;
		}

		return $this->_mcrypt_cipher;
	}

	// --------------------------------------------------------------------

	/**
	 * Get Mcrypt Mode Value
	 *
	 * @return	int
	 */
	protected function _get_mode()
	{
		if ($this->_mcrypt_mode === NULL)
		{
			return $this->_mcrypt_mode = MCRYPT_MODE_CBC;
		}

		return $this->_mcrypt_mode;
	}

	// --------------------------------------------------------------------

	/**
	 * Set the Hash type
	 *
	 * @param	string
	 * @return	void
	 */
	public function set_hash($type = 'sha1')
	{
		$this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1';
	}

	// --------------------------------------------------------------------

	/**
	 * Hash encode a string
	 *
	 * @param	string
	 * @return	string
	 */
	public function hash($str)
	{
		return hash($this->_hash_type, $str);
	}

}


GitHub Access Token became invalid

Issues (423)

Security Analysis not enabled

system/libraries/Encrypt.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
		0 ignored issues – show Coding Style Compatibility introduced 2016-02-16 16:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 51 and the first side effect is on line 38. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2		/**
3		* CodeIgniter
4		*
5		* An open source application development framework for PHP
6		*
7		* This content is released under the MIT License (MIT)
8		*
9		* Copyright (c) 2014 - 2015, British Columbia Institute of Technology
10		*
11		* Permission is hereby granted, free of charge, to any person obtaining a copy
12		* of this software and associated documentation files (the "Software"), to deal
13		* in the Software without restriction, including without limitation the rights
14		* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
15		* copies of the Software, and to permit persons to whom the Software is
16		* furnished to do so, subject to the following conditions:
17		*
18		* The above copyright notice and this permission notice shall be included in
19		* all copies or substantial portions of the Software.
20		*
21		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
22		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
23		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
24		* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
25		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
26		* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
27		* THE SOFTWARE.
28		*
29		* @package CodeIgniter
30		* @author EllisLab Dev Team
31		* @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
32		* @copyright Copyright (c) 2014 - 2015, British Columbia Institute of Technology (http://bcit.ca/)
33		* @license http://opensource.org/licenses/MIT MIT License
34		* @link http://codeigniter.com
35		* @since Version 1.0.0
36		* @filesource
37		*/
38		defined('BASEPATH') OR exit('No direct script access allowed');
39
40		/**
41		* CodeIgniter Encryption Class
42		*
43		* Provides two-way keyed encoding using Mcrypt
44		*
45		* @package CodeIgniter
46		* @subpackage Libraries
47		* @category Libraries
48		* @author EllisLab Dev Team
49		* @link http://codeigniter.com/user_guide/libraries/encryption.html
50		*/
51		class CI_Encrypt {
52
53		/**
54		* Reference to the user's encryption key
55		*
56		* @var string
57		*/
58		public $encryption_key = '';
59
60		/**
61		* Type of hash operation
62		*
63		* @var string
64		*/
65		protected $_hash_type = 'sha1';
66
67		/**
68		* Flag for the existence of mcrypt
69		*
70		* @var bool
71		*/
72		protected $_mcrypt_exists = FALSE;
73
74		/**
75		* Current cipher to be used with mcrypt
76		*
77		* @var string
78		*/
79		protected $_mcrypt_cipher;
80
81		/**
82		* Method for encrypting/decrypting data
83		*
84		* @var int
85		*/
86		protected $_mcrypt_mode;
87
88		/**
89		* Initialize Encryption class
90		*
91		* @return void
92		*/
93		public function __construct()
94		{
95		if (($this->_mcrypt_exists = function_exists('mcrypt_encrypt')) === FALSE)
96		{
97		show_error('The Encrypt library requires the Mcrypt extension.');
98		}
99
100		log_message('info', 'Encrypt Class Initialized');
101		}
102
103		// --------------------------------------------------------------------
104
105		/**
106		* Fetch the encryption key
107		*
108		* Returns it as MD5 in order to have an exact-length 128 bit key.
109		* Mcrypt is sensitive to keys that are not the correct length
110		*
111		* @param string
112		* @return string
113		*/
114		public function get_key($key = '')
115		{
116		if ($key === '')
117		{
118		if ($this->encryption_key !== '')
119		{
120		return $this->encryption_key;
121		}
122
123		$key = config_item('encryption_key');
124
125		if ( ! strlen($key))
126		{
127		show_error('In order to use the encryption class requires that you set an encryption key in your config file.');
128		}
129		}
130
131		return md5($key);
132		}
133
134		// --------------------------------------------------------------------
135
136		/**
137		* Set the encryption key
138		*
139		* @param string
140		* @return CI_Encrypt
141		*/
142		public function set_key($key = '')
143		{
144		$this->encryption_key = $key;
145		return $this;
146		}
147
148		// --------------------------------------------------------------------
149
150		/**
151		* Encode
152		*
153		* Encodes the message string using bitwise XOR encoding.
154		* The key is combined with a random hash, and then it
155		* too gets converted using XOR. The whole thing is then run
156		* through mcrypt using the randomized key. The end result
157		* is a double-encrypted message string that is randomized
158		* with each call to this function, even if the supplied
159		* message and key are the same.
160		*
161		* @param string the string to encode
162		* @param string the key
163		* @return string
164		*/
165		public function encode($string, $key = '')
166		{
167		return base64_encode($this->mcrypt_encode($string, $this->get_key($key)));
168		}
169
170		// --------------------------------------------------------------------
171
172		/**
173		* Decode
174		*
175		* Reverses the above process
176		*
177		* @param string
178		* @param string
179		* @return string
180		*/
181		public function decode($string, $key = '')
182		{
183		if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string) OR base64_encode(base64_decode($string)) !== $string)
184		{
185		return FALSE;
186		}
187
188		return $this->mcrypt_decode(base64_decode($string), $this->get_key($key));
189		}
190
191		// --------------------------------------------------------------------
192
193		/**
194		* Encode from Legacy
195		*
196		* Takes an encoded string from the original Encryption class algorithms and
197		* returns a newly encoded string using the improved method added in 2.0.0
198		* This allows for backwards compatibility and a method to transition to the
199		* new encryption algorithms.
200		*
201		* For more details, see http://codeigniter.com/user_guide/installation/upgrade_200.html#encryption
202		*
203		* @param string
204		* @param int (mcrypt mode constant)
205		* @param string
206		* @return string
207		*/
208		public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '')
209		{
210		if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string))
211		{
212		return FALSE;
213		}
214
215		// decode it first
216		// set mode temporarily to what it was when string was encoded with the legacy
217		// algorithm - typically MCRYPT_MODE_ECB
218		$current_mode = $this->_get_mode();
219		$this->set_mode($legacy_mode);
220
221		$key = $this->get_key($key);
222		$dec = base64_decode($string);
223		if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
224		{
225		$this->set_mode($current_mode);
226		return FALSE;
227		}
228
229		$dec = $this->_xor_decode($dec, $key);
230
231		// set the mcrypt mode back to what it should be, typically MCRYPT_MODE_CBC
232		$this->set_mode($current_mode);
233
234		// and re-encode
235		return base64_encode($this->mcrypt_encode($dec, $key));
236		}
237
238		// --------------------------------------------------------------------
239
240		/**
241		* XOR Decode
242		*
243		* Takes an encoded string and key as input and generates the
244		* plain-text original message
245		*
246		* @param string
247		* @param string
248		* @return string
249		*/
250	View Code Duplication	protected function _xor_decode($string, $key)
251		{
252		$string = $this->_xor_merge($string, $key);
253
254		$dec = '';
255		for ($i = 0, $l = strlen($string); $i < $l; $i++)
256		{
257		$dec .= ($string[$i++] ^ $string[$i]);
258		}
259
260		return $dec;
261		}
262
263		// --------------------------------------------------------------------
264
265		/**
266		* XOR key + string Combiner
267		*
268		* Takes a string and key as input and computes the difference using XOR
269		*
270		* @param string
271		* @param string
272		* @return string
273		*/
274	View Code Duplication	protected function _xor_merge($string, $key)
275		{
276		$hash = $this->hash($key);
277		$str = '';
278		for ($i = 0, $ls = strlen($string), $lh = strlen($hash); $i < $ls; $i++)
279		{
280		$str .= $string[$i] ^ $hash[($i % $lh)];
281		}
282
283		return $str;
284		}
285
286		// --------------------------------------------------------------------
287
288		/**
289		* Encrypt using Mcrypt
290		*
291		* @param string
292		* @param string
293		* @return string
294		*/
295		public function mcrypt_encode($data, $key)
296		{
297		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
298		$init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND);
299		return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key);
300		}
301
302		// --------------------------------------------------------------------
303
304		/**
305		* Decrypt using Mcrypt
306		*
307		* @param string
308		* @param string
309		* @return string
310		*/
311		public function mcrypt_decode($data, $key)
312		{
313		$data = $this->_remove_cipher_noise($data, $key);
314		$init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode());
315
316		if ($init_size > strlen($data))
317		{
318		return FALSE;
319		}
320
321		$init_vect = substr($data, 0, $init_size);
322		$data = substr($data, $init_size);
323		return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0");
324		}
325
326		// --------------------------------------------------------------------
327
328		/**
329		* Adds permuted noise to the IV + encrypted data to protect
330		* against Man-in-the-middle attacks on CBC mode ciphers
331		* http://www.ciphersbyritter.com/GLOSSARY.HTM#IV
332		*
333		* @param string
334		* @param string
335		* @return string
336		*/
337		protected function _add_cipher_noise($data, $key)
338		{
339		$key = $this->hash($key);
340		$str = '';
341
342		for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
343		{
344		if ($j >= $lk)
345		{
346		$j = 0;
347		}
348
349		$str .= chr((ord($data[$i]) + ord($key[$j])) % 256);
350		}
351
352		return $str;
353		}
354
355		// --------------------------------------------------------------------
356
357		/**
358		* Removes permuted noise from the IV + encrypted data, reversing
359		* _add_cipher_noise()
360		*
361		* Function description
362		*
363		* @param string $data
364		* @param string $key
365		* @return string
366		*/
367		protected function _remove_cipher_noise($data, $key)
368		{
369		$key = $this->hash($key);
370		$str = '';
371
372		for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j)
373		{
374		if ($j >= $lk)
375		{
376		$j = 0;
377		}
378
379		$temp = ord($data[$i]) - ord($key[$j]);
380
381		if ($temp < 0)
382		{
383		$temp += 256;
384		}
385
386		$str .= chr($temp);
387		}
388
389		return $str;
390		}
391
392		// --------------------------------------------------------------------
393
394		/**
395		* Set the Mcrypt Cipher
396		*
397		* @param int
398		* @return CI_Encrypt
399		*/
400		public function set_cipher($cipher)
401		{
402		$this->_mcrypt_cipher = $cipher;
403		return $this;
404		}
405
406		// --------------------------------------------------------------------
407
408		/**
409		* Set the Mcrypt Mode
410		*
411		* @param int
412		* @return CI_Encrypt
413		*/
414		public function set_mode($mode)
415		{
416		$this->_mcrypt_mode = $mode;
417		return $this;
418		}
419
420		// --------------------------------------------------------------------
421
422		/**
423		* Get Mcrypt cipher Value
424		*
425		* @return int
426		*/
427		protected function _get_cipher()
428		{
429		if ($this->_mcrypt_cipher === NULL)
430		{
431		return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256;
432		}
433
434		return $this->_mcrypt_cipher;
435		}
436
437		// --------------------------------------------------------------------
438
439		/**
440		* Get Mcrypt Mode Value
441		*
442		* @return int
443		*/
444		protected function _get_mode()
445		{
446		if ($this->_mcrypt_mode === NULL)
447		{
448		return $this->_mcrypt_mode = MCRYPT_MODE_CBC;
449		}
450
451		return $this->_mcrypt_mode;
452		}
453
454		// --------------------------------------------------------------------
455
456		/**
457		* Set the Hash type
458		*
459		* @param string
460		* @return void
461		*/
462		public function set_hash($type = 'sha1')
463		{
464		$this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1';
465		}
466
467		// --------------------------------------------------------------------
468
469		/**
470		* Hash encode a string
471		*
472		* @param string
473		* @return string
474		*/
475		public function hash($str)
476		{
477		return hash($this->_hash_type, $str);
478		}
479
480		}
481

ci-bonfire / Sprint

GitHub Access Token became invalid

Issues (423)

Security Analysis not enabled

system/libraries/Encrypt.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like