Remove mcrypt as a dependency #101
Conversation
skymeyer
changed the title
skymeyer
force-pushed
the
remove_mcrypt
branch
6 times, most recently
from
3b5dd0c to
b6cbb97
Compare
skymeyer
changed the title
|
@robrichards can this be reviewed ? As per https://wiki.php.net/rfc/mcrypt-viking-funeral mcrypt (as known for a long time) is abandon ware. A new major version of If need you can always maintain 2.x for 5.3 with mcrypt and 3.x for 5.4+ without mcrypt if that makes sense. |
|
@robrichards Please can you re-visit both this and #100
I understand your reservations about introducing openssl as a dependency, but given that there is now a plan for the removal of mcrypt I think it makes sense to make this change sooner rather than later, with an appropriate version bump to go with it. |
|
What is the issue of going up to 5.4 as a minimum requirement anyway? 5.4 (and even 5.5 for that matter) are already out of support and do not receive any security fixes by the PHP team any more! |
|
Change my previous comment. |
|
I need to go through this commit and make the changes to remove the crypt dependancy. The PR includes additional changes on top of the mcrypt removal. Will take care of it this week |
|
@robrichards any news on this? |
|
I have now removed mcrypt from php-src/master I'd really prefer not to have to fork this library :( |
skymeyer
force-pushed
the
remove_mcrypt
branch
from
b6cbb97 to
8944eb6
Compare
Current coverage is 28.40% (diff: 77.65%)
|
|
Thanks for the headsup @lt, that was expected 👍 @robrichards is there anything you want me to do on this PR to move forward with this ? I recommend first looking at #100 as this PR is an increment of it. Is there somebody else who can help you reviewing the proposed changes ? Maybe @paragonie-scott or @ircmaxell ? |
|
I thought about it a bit as I really didn't want to add additional dependency unless absolutely required. With PHP 5.6 going into security only support I am thinking about making Master branch PHP 7+ only which means we can drop the paragonie/random_compat requirement. Can you make that change as well as well as update the composer file to drop all PHP 5 support? |
|
Uhm, that's a bit drastic, isn't it? "Security support only" is quite different than "no support at all", and considering how some distros keep supporting old versions backporting security fixes for them (i.e. PHP 5.3 still supported by Red Hat), I think dropping support for PHP 5 completely is a bit too much. I fully agree with the principle of minimizing the dependencies, but not at any expense. Besides, even if we drop support for PHP 5 in master, that's still development. Stable releases will still depend on mcrypt, and everybody will, of course, depend on stable releases. What we really need here is to drop the dependency on mcrypt in the stable releases (at least 2.0), and then we simply can't afford dropping support for PHP 5 in a stable release. |
|
I was planning on keeping 2.0 as is and creating a 3.0 release for the PHP 7+. |
|
But having 2.0 as is (meaning, requiring mcrypt) and a 3.0 dropping the dependency on mcrypt and support for PHP 5 doesn't change much, right? People who can't get rid of PHP 5 won't be able to get rid of mcrypt either... |
|
It looks like there is an alternative which would allow mcrypt to be dropped using PHP 5.6.24+. The only place random_bytes would have been needed is in when generating the session key as the guid generation did not need to be cryptographically strong. Now that openssl_random_pseudo_bytes has been fixed under forked conditions in June, and was fixed a while back with respect to the cryptographic strength, that can be used exclusively in the generateSessionKey method. I think this may be a decent compromise. |
|
That sounds like an improvement indeed, thanks! If I understand correctly, My concern is that installing mcrypt is hard nowadays (and I think that's how it should be, given that it has been unmaintained for a decade or more), so removing that dependency should have top priority. If we can use another CSPRNG that runs even in older versions of PHP (ok, maybe not 5.3, but definitely at least 5.4), then that's a path worth following, even if that requires an extra dependency (given that such dependency is easier to install than mcrypt, of course).
At the very least, I'd say it's preferable to remove the mcrypt dependency on all the branches in xmlseclibs, even if that implies depending on |
|
@robrichards I can definitely change this PR targeting PHP 7+ only in master without the need of the Regarding the 2.0 release train: I agree that PHP 5.6.24+ solves the issue of These are the options I see for the 2.0 release train:
Let me know what you think on the above. I'll proceed meanwhile getting this PR ready for PHP7+ only as requested. We can see what we can backport into 2.0 later on regarding test restructure and coverage. |
skymeyer
force-pushed
the
remove_mcrypt
branch
2 times, most recently
from
dfcbc67 to
9a50ca4
Compare
skymeyer
force-pushed
the
remove_mcrypt
branch
6 times, most recently
from
5fb4f27 to
1b7cb4a
Compare
skymeyer
force-pushed
the
remove_mcrypt
branch
from
1b7cb4a to
18231ef
Compare
* Use openssl for symmetric ciphers
* Adding ext-openssl as a dependency instead of suggestion
* Adding mbstring safe strlen and substr
* Adding plumbing unit tests using autoloader exclusively
* Bump minimum PHP version to 7
* Remove deprecated xmlseclibs.php
skymeyer
force-pushed
the
remove_mcrypt
branch
from
18231ef to
4d85872
Compare
|
@robrichards this PR has been updated targeting PHP 7+ only without the introduction of |
| @@ -315,7 +315,7 @@ public function encryptKey($srcKey, $rawKey, $append=true) | |||
| $this->encKey = $encKey; | |||
| } | |||
| $encMethod = $encKey->appendChild($this->encdoc->createElementNS(self::XMLENCNS, 'xenc:EncryptionMethod')); | |||
| $encMethod->setAttribute('Algorithm', $srcKey->getAlgorith()); | |||
| $encMethod->setAttribute('Algorithm', $srcKey->getAlgorithm()); | |||
There was a problem hiding this comment.
If master will used to create a new 3.0 release train as is on the table, I suggest we remove the deprecated methods XMLSecurityDSig::generate_GUID and XMLSecurityKey::getAlgorith as well. This is not part of this PR yet.
|
@skymeyer @jaimeperez Sorry its taken so long. My local env got pooched so have been rebuilding it. I paired down the pull request to only changes dealing with removing mcrypt - I do agree with some of the other changes as they do fix some things but will add them as separate commits once we get through this one. For this request I went with the change that will work for 5.6.24 only. I would look at making this a 3.0 branch. Would you all please take a look at the changes in my remove_mcrypt branch? I had to commit blind as I couldn't run the tests but appears they passed in Travis. Let me know what you guys think? |
|
👍 for all the work being done here! Looking forward to using this in https://github.com/onelogin/php-saml |
|
@skymeyer @jaimeperez Just realized I hadn't pushed my changes. They are there now. I still have a broken env (problem with my openssl so haven't been able to test locally yet) so this was committed blind. Will try to resolve that with a different env today as it looks like all the tests failed so I need to go through it. |
|
Thanks @robrichards - will take a look tomorrow and run some tests. |
|
@robrichards I have reviewed the commit in the remove_mcrypt branch. There were a few things missing with respect to test fixtures and the logic to call |
|
dupe of #123 |
I'd be a big fan of doing a restructure on the code as currently adding/extending the library is a bit of a pain as per #72. I have stuck to the current code paradigms to remove mcrypt in this PR.
Fixes #55, #87 and #2.