6

There are some huge legacy systems whose dependencies on PHP's mcrypt are extremely important and vital (including the data storage in the database). I need to find a way to maintain this library while upgrading to PHP 7.2 (which already worked fine).

My local test environment is Windows. The live environment is run on CentOS.

Some of the answers I have seen suggest decrypting and changing from mcrypt to openssl (I think that's not possible at the moment since there's a lot of data to decrypt).

Another way is to download a lower PHP version with mcrypt support, copy the extension and add it to php.ini (I do not even know the folder).

Downgrading PHP to 5.6 is not suitable due to security issues.

Any light on what could be done in this scenario?

Danilo Davanso
  • You could nab the [mcrypt package from PECL](https://pecl.php.net/package/mcrypt) – CD001 Mar 16 '18 at 15:14
  • 1
    The problem with PHP mcrypt, it is abandonware, has not been updated in years and does not support standard PKCS#7 (née PKCS#5) padding, only non-standard null padding that can't even be used with binary data. mcrypt has many outstanding [bugs](https://sourceforge.net/p/mcrypt/bugs/) dating back to 2003. The mcrypt extension is deprecated and will be removed in PHP 7.2. Instead consider using [defuse](https://github.com/defuse/php-encryption) or [RNCryptor](https://github.com/RNCryptor), they provide a complete solution and are currently maintained and correct. Or go with OpenSSL, see answer. – zaph Mar 16 '18 at 19:36
  • At the time of writing there is no Windows 7.2 compatible version of mcrypt available on PECL. – ChrisC Sep 13 '18 at 13:54
  • 1
    The same scenario was faced by me and it's really hectic work. But when we are planning for an upgrade we have to be prepared for hectic efforts. We upgraded our security to libsodium and the documentation for implementation can be found at https://paragonie.com/book/pecl-libsodium. – Hari Prasad Sharma Sep 20 '18 at 06:27

3 Answers

9

Basically I think you have mentioned all possibilities and you do not have a choice. Do not downgrade to PHP 5.6; this approach has no future.

MCrypt was removed from PHP for one of the main reasons why you want to upgrade PHP: Security. The MCrypt library is not maintained anymore. Therefore installing the MCrypt extension is also a bad idea. But it can be a temporary solution (follow e.g. those instructions https://serverpilot.io/community/articles/how-to-install-the-php-mcrypt-extension.html).

The only good solution is migrating from mcrypt to something else. There are questions regarding this topic on Stack Overflow already (e.g. Upgrading my encryption library from Mcrypt to OpenSSL). Alternatively you could use some encryption library. Migrating a large amount of code/data might be a pain but this is the most future-oriented approach in this case.

Blackbam
  • 1
    I will talk to the infrastructure team to arrange this solution. I know installing the Mcrypt extension is temporary (I'm trying to do it now; afterwards I can post feedback here). We use Zend as a framework and I have seen it has such encryption features. My main problem is decrypting all the data, maintaining its integrity and encrypting it again. – Danilo Davanso Mar 16 '18 at 17:27
  • 1
    @DaniloDavanso Mcrypt is not proprietary encryption, you can employ all the same ciphers for encryption and decryption in other libs like OpenSSL. There is no conversion required other than re-writing the code. – Sammitch Mar 16 '18 at 17:46
  • 3
    As a quick addendum to this, the linked instructions for installing mcrypt do not apply to Windows. Extensions can typically be installed from windows.php.net (or more often https://windows.php.net/downloads/pecl/releases/ ), but there does not appear to be a 7.2-compatible version of the mcrypt extension available as yet. – ChrisC Sep 12 '18 at 15:25
  • The problem is that sometimes migrating is not even possible: even if you do not depend directly on an extension, something that you are already using or would use depends on it. So I think "only good solution" is not the best wording because it would confuse people seeking an answer. – Gabor Garami Apr 14 '19 at 17:53
4

Despite all the warnings and suggestions if you still need to make it work, try this:

  1. Locate your PHP directory. Usually it is located at C:\Program Files\PHP\v7.2
  2. Then go to this url: http://pecl.php.net/package/mcrypt/1.0.3/windows
  3. Download the package that best meets your requirements. For example, if you are using FastCGI and have a 64 bit Windows installation, pick 7.2 Non Thread Safe (NTS) x64
  4. Open the zip and copy php_mcrypt.dll file to the C:\Program Files\PHP\v7.2\ext directory.
  5. Edit the php.ini file and add this to the Dynamic extensions section: extension=php_mcrypt.dll
  6. Save php.ini and restart your web server.

Hope it helps.

0

Note that there is no code or information about the mcrypt options/code.

Probably the only problem is the non-standard null padding used by mcrypt. To decrypt with another implementation that does not support null padding (it is non-standard) just decrypt with no padding and then remove the null padding.

If you also must encrypt the same as mcrypt just add null padding and encrypt with no-padding.

Really consider migrating the current encryption or adding some flag that the encryption is (or not) mcrypt compatible.

zaph
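
The approach in this answer, sketched with PHP's OpenSSL extension as an added example that is not part of the original post. Since the question gives no mcrypt options, the cipher, mode and key size are assumptions (MCRYPT_RIJNDAEL_128 in CBC mode with a 32-byte key), and the `mcrypt_compat_*` function names are hypothetical.

```php
<?php
// Added example (not from the answer). Assumption: the legacy data came from
// mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $data, MCRYPT_MODE_CBC, $iv) with a
// 32-byte key, which is AES-256-CBC in OpenSSL. MCRYPT_RIJNDAEL_256 is not AES
// and has no OpenSSL equivalent.
const CIPHER = 'aes-256-cbc';
const BLOCK  = 16;
// OPENSSL_ZERO_PADDING means "no padding at all"; padding is handled by hand.
const FLAGS  = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;

function mcrypt_compat_encrypt(string $plain, string $key, string $iv): string
{
    $rem = strlen($plain) % BLOCK;
    if ($rem !== 0) {
        $plain .= str_repeat("\0", BLOCK - $rem); // mcrypt-style null padding
    }
    $ct = openssl_encrypt($plain, CIPHER, $key, FLAGS, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $ct;
}

function mcrypt_compat_decrypt(string $ct, string $key, string $iv): string
{
    if ($ct === '' || strlen($ct) % BLOCK !== 0) {
        throw new InvalidArgumentException('ciphertext is not whole blocks');
    }
    $padded = openssl_decrypt($ct, CIPHER, $key, FLAGS, $iv);
    if ($padded === false) {
        throw new RuntimeException('decryption failed');
    }
    // Strips the null padding, and also any genuine trailing NUL bytes:
    // binary plaintext cannot be recovered exactly from this scheme.
    return rtrim($padded, "\0");
}

// Constructed demo values; real code reads the key and the per-record IV from
// wherever the legacy system keeps them.
$key = hash('sha256', 'constructed demo key', true); // 32 bytes
$iv  = str_repeat("\x01", BLOCK);

$ct = mcrypt_compat_encrypt('legacy record', $key, $iv);
var_dump(mcrypt_compat_decrypt($ct, $key, $iv) === 'legacy record');
// With OpenSSL's default PKCS#7 padding the null-padded final block is not
// valid padding, so this call fails instead of returning the plaintext.
var_dump(openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv));
```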