
The Mcrypt will be deprecated in php-7.x versions

Open peter279k opened this issue 6 years ago • 3 comments

As the title says, the mcrypt extension is deprecated.

I think we can consider using the sodium or openssl extensions instead.

Once we use the sodium extension, we have to install the sodium_compat package.

This package can be compatible with php-5.x versions if we still let this class support php-5.x.

Using the openssl extension can support all php versions.

peter279k avatar Jun 25 '19 18:06 peter279k

Good point. The only thing it uses mcrypt for is a random number generator, which we can potentially replace with https://github.com/paragonie/random_compat. Although that will ruin the simplicity of it being a single file... so I'll have to look into whether it's possible to reliably get secure random numbers with openssl.

defuse avatar Jul 03 '19 03:07 defuse

Hi @defuse, thank you for your concern.

If you require any help, I can help you to resolve this issue :).

peter279k avatar Jul 03 '19 03:07 peter279k

I think in this case I'll accept a fallback to openssl_random_pseudo_bytes. The problem with it seems to be this bug: https://bugs.php.net/bug.php?id=70014 which should be fixed on most deployments. There's example code for how to call it securely in the sodium_compat changelog, if anyone's interested in submitting a PR: https://github.com/paragonie/random_compat/blob/0a58ef6e3146256cc3dc7cc393927bcc7d1b72db/CHANGELOG.md#version-130---2016-03-17

defuse avatar Jul 16 '19 02:07 defuse
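
The fallback discussed in this thread, as an added example that is not code from php-passgen or from the linked changelog: prefer `random_bytes()` where it exists, accept `openssl_random_pseudo_bytes()` only when it reports strong output, and fail closed otherwise. The function names `passgen_random_bytes` and `passgen_random_password` are hypothetical, and the character set is assumed to be single-byte ASCII.

```php
<?php
// Added example; function names are hypothetical, not php-passgen's API.
// Written without PHP 7 syntax so it also parses on php-5.x.

function passgen_random_bytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer.');
    }
    // PHP 7+ (or a polyfill that defines it): throws if no secure source exists.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    // Fallback: accept the output only if OpenSSL itself flags it as strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Fail closed: never drop down to rand(), mt_rand() or uniqid().
    throw new RuntimeException('No secure random source available.');
}

function passgen_random_password($length, $charset)
{
    $n = strlen($charset); // assumption: single-byte (ASCII) characters
    if (!is_int($length) || $length < 1 || $n < 2 || $n > 256) {
        throw new InvalidArgumentException('Bad length or charset size.');
    }
    // Largest multiple of $n that fits in one byte. Bytes at or above it
    // are discarded so that "$b % $n" is uniform (no modulo bias).
    $limit = 256 - (256 % $n);
    $password = '';
    while (strlen($password) < $length) {
        $bytes = passgen_random_bytes(64);
        for ($i = 0; $i < 64 && strlen($password) < $length; $i++) {
            $b = ord($bytes[$i]);
            if ($b < $limit) {
                $password .= $charset[$b % $n];
            }
        }
    }
    return $password;
}

$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
echo passgen_random_password(20, $alphabet), "\n";
```

Keeping both functions in one file preserves the single-file property mentioned earlier in the thread; the only external requirement is that either `random_bytes()` or the openssl extension is available.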