Remove the custom IV option from CI_Encryption
It serves for no practical purpose and can only do harm.
diff --git a/system/libraries/Encryption.php b/system/libraries/Encryption.php
index 810b7bf..d6ffc9b 100644
--- a/system/libraries/Encryption.php
+++ b/system/libraries/Encryption.php
@@ -356,16 +356,14 @@
{
return FALSE;
}
- elseif ( ! isset($params['iv']))
- {
- // The greater-than-1 comparison is mostly a work-around for a bug,
- // where 1 is returned for ARCFour instead of 0.
- $params['iv'] = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1)
- ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM)
- : NULL;
- }
- if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0)
+ // The greater-than-1 comparison is mostly a work-around for a bug,
+ // where 1 is returned for ARCFour instead of 0.
+ $iv = (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1)
+ ? mcrypt_create_iv($iv_size, MCRYPT_DEV_URANDOM)
+ : NULL;
+
+ if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0)
{
if ($params['handle'] !== $this->_handle)
{
@@ -396,7 +394,7 @@
// but OpenSSL isn't that dumb and we need to make the process
// portable, so ...
$data = (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB')
- ? $params['iv'].mcrypt_generic($params['handle'], $data)
+ ? $iv.mcrypt_generic($params['handle'], $data)
: mcrypt_generic($params['handle'], $data);
mcrypt_generic_deinit($params['handle']);
@@ -423,19 +421,17 @@
{
return FALSE;
}
- elseif ( ! isset($params['iv']))
- {
- $params['iv'] = ($iv_size = openssl_cipher_iv_length($params['handle']))
- ? openssl_random_pseudo_bytes($iv_size)
- : NULL;
- }
+
+ $iv = ($iv_size = openssl_cipher_iv_length($params['handle']))
+ ? openssl_random_pseudo_bytes($iv_size)
+ : NULL;
$data = openssl_encrypt(
$data,
$params['handle'],
$params['key'],
1, // DO NOT TOUCH!
- $params['iv']
+ $iv
);
if ($data === FALSE)
@@ -443,7 +439,7 @@
return FALSE;
}
- return $params['iv'].$data;
+ return $iv.$data;
}
// --------------------------------------------------------------------
@@ -499,11 +495,6 @@
$data = base64_decode($data);
}
- if (isset($params['iv']) && strncmp($params['iv'], $data, $iv_size = strlen($params['iv'])) === 0)
- {
- $data = substr($data, $iv_size);
- }
-
isset($params['key']) OR $params['key'] = $this->hkdf($this->_key, 'sha512', NULL, strlen($this->_key), 'encryption');
return $this->{'_'.$this->_driver.'_decrypt'}($data, $params);
@@ -524,30 +515,28 @@
{
return FALSE;
}
- elseif ( ! isset($params['iv']))
+
+ // The greater-than-1 comparison is mostly a work-around for a bug,
+ // where 1 is returned for ARCFour instead of 0.
+ if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1)
{
- // The greater-than-1 comparison is mostly a work-around for a bug,
- // where 1 is returned for ARCFour instead of 0.
- if (($iv_size = mcrypt_enc_get_iv_size($params['handle'])) > 1)
+ if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB')
{
- if (mcrypt_enc_get_modes_name($params['handle']) !== 'ECB')
- {
- $params['iv'] = substr($data, 0, $iv_size);
- $data = substr($data, $iv_size);
- }
- else
- {
- // MCrypt is dumb and this is ignored, only size matters
- $params['iv'] = str_repeat("\x0", $iv_size);
- }
+ $iv = substr($data, 0, $iv_size);
+ $data = substr($data, $iv_size);
}
else
{
- $params['iv'] = NULL;
+ // MCrypt is dumb and this is ignored, only size matters
+ $iv = str_repeat("\x0", $iv_size);
}
}
+ else
+ {
+ $iv = NULL;
+ }
- if (mcrypt_generic_init($params['handle'], $params['key'], $params['iv']) < 0)
+ if (mcrypt_generic_init($params['handle'], $params['key'], $iv) < 0)
{
if ($params['handle'] !== $this->_handle)
{
@@ -584,17 +573,14 @@
*/
protected function _openssl_decrypt($data, $params)
{
- if ( ! isset($params['iv']))
+ if ($iv_size = openssl_cipher_iv_length($params['handle']))
{
- if ($iv_size = openssl_cipher_iv_length($params['handle']))
- {
- $params['iv'] = substr($data, 0, $iv_size);
- $data = substr($data, $iv_size);
- }
- else
- {
- $params['iv'] = NULL;
- }
+ $iv = substr($data, 0, $iv_size);
+ $data = substr($data, $iv_size);
+ }
+ else
+ {
+ $iv = NULL;
}
return empty($params['handle'])
@@ -604,7 +590,7 @@
$params['handle'],
$params['key'],
1, // DO NOT TOUCH!
- $params['iv']
+ $iv
);
}
@@ -679,7 +665,6 @@
'cipher' => $params['cipher'],
'mode' => $params['mode'],
'key' => $params['key'],
- 'iv' => isset($params['iv']) ? $params['iv'] : NULL,
'base64' => isset($params['raw_data']) ? ! $params['raw_data'] : FALSE,
'hmac_digest' => $params['hmac_digest'],
'hmac_key' => $params['hmac_key']
diff --git a/tests/codeigniter/libraries/Encryption_test.php b/tests/codeigniter/libraries/Encryption_test.php
index 759d7cd..f457fe3 100644
--- a/tests/codeigniter/libraries/Encryption_test.php
+++ b/tests/codeigniter/libraries/Encryption_test.php
@@ -141,7 +141,6 @@
$this->assertTrue(is_array($this->encryption->__get_params($params)));
- $params['iv'] = NULL;
$params['base64'] = TRUE;
$params['hmac_digest'] = 'sha512';
@@ -150,7 +149,6 @@
'cipher' => 'aes-128',
'mode' => 'cbc',
'key' => str_repeat("\x0", 16),
- 'iv' => str_repeat("\x0", 16),
'raw_data' => TRUE,
'hmac_key' => str_repeat("\x0", 16),
'hmac_digest' => 'sha256'
@@ -216,22 +214,17 @@
$this->assertFalse($this->encryption->encrypt($message, array('foo')));
$this->assertFalse($this->encryption->decrypt($message, array('foo')));
- // Custom IV (we'll check it), no HMAC, binary output
+ // No HMAC, binary output
$params = array(
'cipher' => 'tripledes',
'mode' => 'cfb',
'key' => str_repeat("\x1", 16),
- 'iv' => str_repeat("\x2", 8),
'base64' => FALSE,
'hmac' => FALSE
);
$ciphertext = $this->encryption->encrypt($message, $params);
- $this->assertEquals(0, strncmp($params['iv'], $ciphertext, 8));
- // IV should be found in the cipher-text, no matter if it was supplied or not
- $this->assertEquals($message, $this->encryption->decrypt($ciphertext, $params));
- unset($params['iv']);
$this->assertEquals($message, $this->encryption->decrypt($ciphertext, $params));
}
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
index a4415f5..ff41ade 100644
--- a/user_guide_src/source/libraries/encryption.rst
+++ b/user_guide_src/source/libraries/encryption.rst
@@ -425,7 +425,6 @@
cipher N/A Yes Encryption algorithm (see :ref:`ciphers-and-modes`).
mode N/A Yes Encryption mode (see :ref:`encryption-modes`).
key N/A Yes Encryption key.
-iv N/A No Initialization vector (IV).
If not provided it will be automatically generated
during encryption and looked for during decryption.
hmac TRUE No Whether to use a HMAC.