[Tiki-devel] Replacing mcrypt in Tiki


[Tiki-devel] Replacing mcrypt in Tiki

Arild Berg

The MCrypt library is used in Tiki, but it has not been maintained since 2007.
For this reason it has been marked as deprecated in PHP 7.1 and will be moved out of the standard PHP installation to PECL in PHP 7.2.
For details see: https://secure.php.net/manual/en/intro.mcrypt.php

This means that all modules using MCrypt will fail to work "out of the box" pretty soon.
For this reason Tiki should replace MCrypt with another maintained crypto library.

Some questions
- Which Tiki versions should be updated?
- To which crypto library should the Tiki code be migrated?
- Which modules in Tiki are affected?
- How should the data migration process work?

One module that will be affected is the User Encryption.
In my (limited) searches so far, it seems like the alternative libraries do not encrypt/decrypt the same way as MCrypt.
The recommended upgrade procedure seems to be...
1) Decrypt using MCrypt
2) Encrypt using the new library
This may cause a problem for the User Encryption, since the user's password in plaintext must be known to decrypt the data.
The plaintext password is only known when the user logs in.

It would be good to collect some more thoughts, before the code migration is started.

Thanks to Bernard for raising the issue.

Arild



Re: [Tiki-devel] Replacing mcrypt in Tiki

Jean-Marc Libs
Hi

On Tue, Mar 21, 2017 at 12:36 PM, Arild Berg <[hidden email]> wrote:

> The MCrypt library is used in Tiki, but it has not been maintained since 2007.
> For this reason it has been marked as deprecated in PHP 7.1 and will be moved out of the standard PHP installation to PECL in PHP 7.2.
> For details see: https://secure.php.net/manual/en/intro.mcrypt.php
>
> This means that all modules using MCrypt will fail to work "out of the box" pretty soon.
> For this reason Tiki should replace MCrypt with another maintained crypto library.

+1

> Some questions
> - Which Tiki versions should be updated?
> - To which crypto library should the Tiki code be migrated?
> - Which modules in Tiki are affected?
> - How should the data migration process work?
>
> One module that will be affected is the User Encryption.
> In my (limited) searches so far, it seems like the alternative libraries do not encrypt/decrypt the same way as MCrypt.

I'm not sure about that. My (limited) searches seem to show that mcrypt uses some outdated design decisions which are not recommended any more. So I suppose it still implements in a non-optimal way crypto algorithms which are available to new libraries.
https://secure.php.net/manual/en/function.mcrypt-encrypt.php#117667

Seems like we have many jobs:
* choose a better library
* make the new library implement mcrypt's algorithms
* choose a new improved crypto algorithm for Tiki and organize some migration like you describe below

 
> The recommended upgrade procedure seems to be...
> 1) Decrypt using MCrypt
> 2) Encrypt using the new library
> This may cause a problem for the User Encryption, since the user's password in plaintext must be known to decrypt the data.
> The plaintext password is only known when the user logs in.
>
> It would be good to collect some more thoughts, before the code migration is started.

We already have piles of old passwords/hashes storage mechanisms we keep for backwards compatibility, time for a new one :-/
It's probably not the last one, security best practices keep evolving.


Thanks Bernard & Arild
Jyhem
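
The two-step procedure discussed above (decrypt the mcrypt data, re-encrypt with a maintained library) can be done lazily at login, the only moment the user's password is available. The sketch below is an added example, not Tiki code and not part of the original posts; it reads mcrypt-style AES-CBC data through OpenSSL and upgrades it to AES-256-GCM. The cipher, key derivation, record layout and all function names are assumptions made for illustration.

```php
<?php
// Added illustration, not Tiki code. Assumed: legacy data came from
// mcrypt_encrypt(MCRYPT_RIJNDAEL_128, 32-byte key, ..., MCRYPT_MODE_CBC, $iv), stored as
// base64(iv . ciphertext), with a PBKDF2 key. All function names are hypothetical.
const V2 = 'v2:';   // base64 never contains ':', so the prefix cannot collide with legacy

function deriveKey(string $pw, string $salt, string $purpose): string {
    return hash_pbkdf2('sha256', $pw, $purpose . $salt, 100000, 32, true);
}
// RIJNDAEL_128 with a 32-byte key is AES-256. mcrypt zero-pads to the block size, so
// PKCS#7 must be switched off (OPENSSL_ZERO_PADDING) and the NULs trimmed by hand.
function decryptLegacy(string $raw, string $key): string {
    $pt = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', $key,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, substr($raw, 0, 16));
    if ($pt === false) { throw new RuntimeException('legacy decrypt failed'); }
    return rtrim($pt, "\0");
}
function encryptV2(string $plain, string $key): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return V2 . base64_encode($nonce . $tag . $ct);
}
function decryptV2(string $record, string $key): string {
    $raw = base64_decode(substr($record, strlen(V2)), true);
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) { throw new RuntimeException('v2 authentication failed'); }
    return $pt;
}
// Call only after the login password has been verified: legacy CBC is unauthenticated,
// so a wrong key yields garbage instead of an error. Returns [plaintext, recordToStore].
function readAndMigrate(string $record, string $pw, string $salt): array {
    if (strncmp($record, V2, strlen(V2)) === 0) {
        return [decryptV2($record, deriveKey($pw, $salt, 'v2')), $record];
    }
    $plain = decryptLegacy(base64_decode($record, true), deriveKey($pw, $salt, 'legacy'));
    return [$plain, encryptV2($plain, deriveKey($pw, $salt, 'v2'))];
}
// Constructed sample record in the assumed legacy layout (built with OpenSSL and manual
// zero padding, since mcrypt is not bundled with PHP 7.2+).
[$pw, $salt, $iv] = ['correct horse', 'user42-salt', random_bytes(16)];
$legacy = base64_encode($iv . openssl_encrypt(str_pad('api-token-123', 16, "\0"),
    'aes-256-cbc', deriveKey($pw, $salt, 'legacy'),
    OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv));
[$plain, $stored] = readAndMigrate($legacy, $pw, $salt);  // first login: re-encrypts
[$again, $kept] = readAndMigrate($stored, $pw, $salt);    // later login: v2 path
var_dump($plain === 'api-token-123', $again === $plain, $kept === $stored);
```

Records of users who never log in again stay in the legacy format, so the legacy read path has to remain until those records are expired or reset.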

 
 


Re: [Tiki-devel] Replacing mcrypt in Tiki

Cloutier, Philippe (RESSOURCE EXTERNE)
In reply to this post by Arild Berg

Greetings Arild,

I don’t have many answers, but regarding the versions to update, there is no plan to make existing versions compatible with new PHP versions, and I do not think there should be one, so I think only trunk.

 

Philippe Cloutier
Tiki developer/configurator

Service des systèmes d’information du Registre foncier

Direction des systèmes d’information

Direction générale du soutien aux opérations

Ministère de l'Énergie et des Ressources naturelles

Québec (Québec)  G1H 6R1

Telephone: 418 627-6282, ext. 2209

philippe.cloutier.externe@...
mern.gouv.qc.ca

 

From: Arild Berg [mailto:[hidden email]]
Sent: March 21, 2017 07:36
To: [hidden email]
Subject: [Tiki-devel] Replacing mcrypt in Tiki

 


The MCrypt library is used in Tiki, but it has not been maintained since 2007.
For this reason it has been marked as deprecated in PHP 7.1 and will be moved out of the standard PHP installation to PECL in PHP 7.2.
For details see: https://secure.php.net/manual/en/intro.mcrypt.php

This means that all modules using MCrypt will fail to work "out of the box" pretty soon.
For this reason Tiki should replace MCrypt with another maintained crypto library.

Some questions
- Which Tiki versions should be updated?
- To which crypto library should the Tiki code be migrated?
- Which modules in Tiki are affected?
- How should the data migration process work?

One module that will be affected is the User Encryption.
In my (limited) searches so far, it seems like the alternative libraries do not encrypt/decrypt the same way as MCrypt.
The recommended upgrade procedure seems to be...
1) Decrypt using MCrypt
2) Encrypt using the new library
This may cause a problem for the User Encryption, since the user's password in plaintext must be known to decrypt the data.

The plaintext password is only known when the user logs in.


It would be good to collect some more thoughts, before the code migration is started.

Thanks to Bernard for raising the issue.

Arild

 

 


Re: [Tiki-devel] Replacing mcrypt in Tiki

Marc Laporte-3
In reply to this post by Arild Berg
FYI, Ricardo just updated https://github.com/phpseclib/phpseclib to latest version and deprecated https://github.com/phpsec/phpSec
https://sourceforge.net/p/tikiwiki/code/61780

Maybe phpseclib has what is needed? Or else perhaps in Zend Framework?

Thanks!



On Tue, Mar 21, 2017 at 7:36 AM, Arild Berg <[hidden email]> wrote:

The MCrypt library is used in Tiki, but it has not been maintained since 2007.
For this reason it has been marked as deprecated in PHP 7.1 and will be moved out of the standard PHP installation to PECL in PHP 7.2.
For details see: https://secure.php.net/manual/en/intro.mcrypt.php

This means that all modules using MCrypt will fail to work "out of the box" pretty soon.
For this reason Tiki should replace MCrypt with another maintained crypto library.

Some questions
- Which Tiki versions should be updated?
- To which crypto library should the Tiki code be migrated?
- Which modules in Tiki are affected?
- How should the data migration process work?

One module that will be affected is the User Encryption.
In my (limited) searches so far, it seems like the alternative libraries do not encrypt/decrypt the same way as MCrypt.
The recommended upgrade procedure seems to be...
1) Decrypt using MCrypt
2) Encrypt using the new library
This may cause a problem for the User Encryption, since the user's password in plaintext must be known to decrypt the data.
The plaintext password is only known when the user logs in.

It would be good to collect some more thoughts, before the code migration is started.

Thanks to Bernard for raising the issue.

Arild



Re: [Tiki-devel] Replacing mcrypt in Tiki

Ricardo Melo
Had a quick look, leveraging Zend/Crypt may be a good option, they have adaptors for MCrypt and OpenSSL (with the same interface).

Ricardo

On Fri, Mar 24, 2017 at 6:40 PM, Marc Laporte <[hidden email]> wrote:
FYI, Ricardo just updated https://github.com/phpseclib/phpseclib to latest version and deprecated https://github.com/phpsec/phpSec
https://sourceforge.net/p/tikiwiki/code/61780

Maybe phpseclib has what is needed? Or else perhaps in Zend Framework?

Thanks!



On Tue, Mar 21, 2017 at 7:36 AM, Arild Berg <[hidden email]> wrote:

The MCrypt library is used in Tiki, but it has not been maintained since 2007.
For this reason it has been marked as deprecated in PHP 7.1 and will be moved out of the standard PHP installation to PECL in PHP 7.2.
For details see: https://secure.php.net/manual/en/intro.mcrypt.php

This means that all modules using MCrypt will fail to work "out of the box" pretty soon.
For this reason Tiki should replace MCrypt with another maintained crypto library.

Some questions
- Which Tiki versions should be updated?
- To which crypto library should the Tiki code be migrated?
- Which modules in Tiki are affected?
- How should the data migration process work?

One module that will be affected is the User Encryption.
In my (limited) searches so far, it seems like the alternative libraries do not encrypt/decrypt the same way as MCrypt.
The recommended upgrade procedure seems to be...
1) Decrypt using MCrypt
2) Encrypt using the new library
This may cause a problem for the User Encryption, since the user's password in plaintext must be known to decrypt the data.
The plaintext password is only known when the user logs in.

It would be good to collect some more thoughts, before the code migration is started.

Thanks to Bernard for raising the issue.

Arild

