About libmcrypt and php-mcrypt
By Remi on Tuesday, 7 July 2015, 08:07 - HowTo - Permanent link
I can't count the number of times I have had to explain why using this library or this PHP extension is a terrible mistake. So it is time to blog about it.
libmcrypt is a dead project, unmaintained for about 8 years: the last version, 2.5.8, was released in February 2007!... and despite a lot of open tickets, there is no activity.
Cryptography is a very important part of security management. Looking at the past, at the issues discovered and fixed in various software, at the need to keep raising security standards and to drop old algorithms, how can we imagine using 8-year-old software?
Various well maintained alternative libraries exist:
And for PHP, various other solutions are also available:
- the crypt function, for one-way hashing
- the openssl extension
- the password hashing functions since PHP 5.5, or their pure PHP implementation, password_compat
- phpseclib, a pure PHP implementation which can take advantage of installed extensions.
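As an added example (not code from the original post or from any of the projects named), this is what a replacement for a typical mcrypt_encrypt()/mcrypt_decrypt() routine looks like with the openssl extension: AES-256-CBC with a fresh random IV, plus an HMAC over IV and ciphertext checked before decryption. The function names, the key-splitting labels and the sample key are illustrative assumptions.

```php
<?php
// Added example: authenticated encryption with the openssl extension,
// replacing mcrypt usage. Names and the constructed key are assumptions.

const CIPHER = 'aes-256-cbc';   // real AES; MCRYPT_RIJNDAEL_256 was NOT AES

// Derive separate encryption and MAC keys from one 32-byte random master key.
// The labels 'enc' and 'mac' are an illustrative convention.
function split_keys($masterKey) {
    return array(
        hash_hmac('sha256', 'enc', $masterKey, true),
        hash_hmac('sha256', 'mac', $masterKey, true),
    );
}

function secure_encrypt($plaintext, $masterKey) {
    list($encKey, $macKey) = split_keys($masterKey);
    $ivlen = openssl_cipher_iv_length(CIPHER);
    // Fresh IV for every message (use random_bytes() on PHP 7+)
    $iv = openssl_random_pseudo_bytes($ivlen);
    // PKCS#7 padding is applied by openssl_encrypt() itself
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: tampering with IV or ciphertext is detected on decrypt
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($mac . $iv . $ct);
}

function secure_decrypt($encoded, $masterKey) {
    list($encKey, $macKey) = split_keys($masterKey);
    $blob  = base64_decode($encoded, true);
    $ivlen = openssl_cipher_iv_length(CIPHER);
    if ($blob === false || strlen($blob) < 32 + $ivlen) {
        return false;                       // malformed input
    }
    $mac = substr($blob, 0, 32);
    $iv  = substr($blob, 32, $ivlen);
    $ct  = substr($blob, 32 + $ivlen);
    // Constant-time comparison (PHP >= 5.6) before touching the ciphertext
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return false;                       // tampered, or wrong key
    }
    return openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
}

// Usage with a constructed key: in real code, generate it once and store it securely
$masterKey = openssl_random_pseudo_bytes(32);
$token = secure_encrypt('session payload', $masterKey);
var_dump(secure_decrypt($token, $masterKey) === 'session payload');
```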
An RFC was proposed to drop the mcrypt extension from PHP 7, but, shame on us, it didn't pass (15 to 18), so it will stay available.
Chicken and egg: the extension is used because it is available, and it is kept available because it is used in a lot of projects.
We really need to spread information about this issue; we have already been doing so for a long time in Fedora, and most projects understand the issue and agree to fix it and switch to some more secure implementation. Some examples:
- phpMyAdmin relies on phpseclib.
- roundcubemail has switched to openssl as the default, see rcube.php
- CakePHP is aware, see issue #5440; PR #5496 has been merged in the new version 3.0
- Laravel is also aware, see issue #9020; PR #9041 has been merged in version 5.1
- etc
Some other frameworks still provide a wrapper around mcrypt (e.g. Zend\Crypt\Symmetric\MCrypt, issue #3), but it is the chicken and egg problem again, with applications using such a framework relying on this feature.
This explains why some enterprise distributions, like RHEL, don't provide libmcrypt or php-mcrypt. We should probably discuss with the other Linux distributions (Debian, Fedora...) stopping to provide this awful library.
Do you use mcrypt? Do you understand that you MUST switch as soon as possible, or at least report this issue to your software provider?
Comments
https://github.com/defuse/php-encry... is a nice wrapper around openssl and worth a look
I just opened PR #23 for tcpdf.
Dolibarr ERP CRM has also replaced the need for mcrypt for 4 years, but still depends on tcpdf, which is using it.
TCPDF version 6.2.10 doesn't require mcrypt anymore :)
PHP RFC: Deprecate (then Remove) Mcrypt has been accepted, so mcrypt will be deprecated in PHP 7.1.