WebSVN – Moodle – Diff – /lib/classes/encryption.php

  * @package core
  * @copyright 2020 The Open University
  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class encryption {
     /** @var string Encryption method: Sodium */
     const METHOD_SODIUM = 'sodium';
-    /**
-     * @var string Encryption method: hand-coded OpenSSL (less safe)
-     *
-     * @deprecated
-     */
-    const METHOD_OPENSSL = 'openssl-aes-256-ctr';
-    /**
-     * @var string OpenSSL cipher method
-     *
-     * @deprecated
-     */
-    const OPENSSL_CIPHER = 'AES-256-CTR';
-    /**
-     * Checks if Sodium is installed.
-     *
-     * @return bool True if the Sodium extension is available
     /**
      * @deprecated since Moodle 4.3 Sodium is always present
+     */
-     */
+    #[\core\attribute\deprecated(null, reason: 'Sodium is always present', since: '4.3', mdl: 'MDL-71421', final: true)]
-    public static function is_sodium_installed(): bool {
+    public static function is_sodium_installed() {
-        debugging(__FUNCTION__ . '() is deprecated, sodium is now always present', DEBUG_DEVELOPER);
-        return extension_loaded('sodium');
+        \core\deprecation::emit_deprecation([self::class, __FUNCTION__]);
+    }
     /**
+    }
     /**
      * Creates a key for the server.
-     *
-     * Note we currently retain support for all methods, in order to decrypt legacy {@see METHOD_OPENSSL} content
+     *
      * @param string|null $method Encryption method (only if you want to create a non-default key)
      * @param bool $chmod If true, restricts the file access of the key
      * @throws \moodle_exception If the server already has a key, or there is an error
      */
         if (self::key_exists($method)) {
             throw new \moodle_exception('encryption_keyalreadyexists', 'error');
         }
-        // Don't make it read-only in Behat or it will fail to clear for future runs.
+        // Don't make it read-only in tests or it will fail to clear for future runs.
-        if (defined('BEHAT_SITE_RUNNING')) {
+        if (defined('BEHAT_SITE_RUNNING') || PHPUNIT_TEST) {
             $chmod = false;
+        }
         // Generate the key.
         switch ($method) {
-            case self::METHOD_SODIUM:
-                $key = sodium_crypto_secretbox_keygen();
-                break;
-            case self::METHOD_OPENSSL:
+            case self::METHOD_SODIUM:
-                $key = openssl_random_pseudo_bytes(32);
+                $key = sodium_crypto_secretbox_keygen();
                 break;
             default:
+    }
     /**
      * Gets the length in bytes of the initial values data required.
-     *
-     * Note we currently retain support for all methods, in order to decrypt legacy {@see METHOD_OPENSSL} content
+     *
      * @param string $method Crypto method
      * @return int Length in bytes
      */
     protected static function get_iv_length(string $method): int {
         switch ($method) {
             case self::METHOD_SODIUM:
-                return SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
-            case self::METHOD_OPENSSL:
-                return openssl_cipher_iv_length(self::OPENSSL_CIPHER);
+                return SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
             default:
                 throw new \coding_exception('Unknown method: ' . $method);
+        }
         } else {
             if ($method === null) {
                 $method = self::get_encryption_method();
+            }
-            // We currently retain support for all methods, falling back to Sodium if deprecated OpenSSL is requested.
-            if ($method === self::METHOD_OPENSSL) {
-                debugging('Encryption using legacy OpenSSL is deprecated, reverting to Sodium', DEBUG_DEVELOPER);
-                $method = self::METHOD_SODIUM;
-            }
             // Create IV.
             $iv = random_bytes(self::get_iv_length($method));
+    }
     /**
      * Decrypts data using the server's key. The decryption works with either supported method.
-     *
-     * Note currently we retain support for all methods, in order to decrypt legacy {@see METHOD_OPENSSL} content
+     *
      * @param string $data Data to decrypt
      * @return string Decrypted data
      */
     public static function decrypt(string $data): string {
         if ($data === '') {
             return '';
         } else {
-            if (preg_match('~^(' . self::METHOD_OPENSSL . '|' . self::METHOD_SODIUM . '):~', $data, $matches)) {
+            if (preg_match('~^(' . self::METHOD_SODIUM . '):~', $data, $matches)) {
                 $method = $matches[1];
             } else {
                 throw new \moodle_exception('encryption_wrongmethod', 'error');
+            }
                     if ($decrypted === false) {
                         throw new \moodle_exception('encryption_decryptfailed', 'error',
                                 '', null, 'Integrity check failed');
+                    }
                     break;
-                case self::METHOD_OPENSSL:
-                    if (strlen($encrypted) < 33) {
-                        throw new \moodle_exception('encryption_decryptfailed', 'error',
-                                '', null, 'Insufficient data');
-                    }
-                    $hmac = substr($encrypted, -32);
-                    $encrypted = substr($encrypted, 0, -32);
-                    $key = self::get_key($method);
-                    $expectedhmac = hash_hmac('sha256', $iv . $encrypted, $key, true);
-                    if ($hmac !== $expectedhmac) {
-                        throw new \moodle_exception('encryption_decryptfailed', 'error',
-                                '', null, 'Integrity check failed');
-                    }
-                    debugging('Decryption using legacy OpenSSL is deprecated, please upgrade to Sodium', DEBUG_DEVELOPER);
-                    $decrypted = @openssl_decrypt($encrypted, self::OPENSSL_CIPHER, $key, OPENSSL_RAW_DATA, $iv);
-                    if ($decrypted === false) {
-                        throw new \moodle_exception('encryption_decryptfailed', 'error',
-                                '', null, openssl_error_string());
-                    }
-                    break;
                 default:
                     throw new \coding_exception('Unknown method: ' . $method);
+            }

Proyectos de Subversion Moodle

(root)/lib/classes/encryption.php – Rev 1 → 1441