Commit 5a429857 by Paul Klimov

Option `Security::useDeriveKeyUniqueSalt` added

parent 772667fa
...@@ -76,6 +76,12 @@ class Security extends Component ...@@ -76,6 +76,12 @@ class Security extends Component
* - 'crypt' - use PHP `crypt()` function. * - 'crypt' - use PHP `crypt()` function.
*/ */
public $passwordHashStrategy = 'crypt'; public $passwordHashStrategy = 'crypt';
/**
* @var boolean whether to generate unique salt while deriving encryption key.
* If enabled (recommended) this option increases encrypted text length, but provide more security.
* If disabled this option reduces encrypted text length, but also reduce security.
*/
public $useDeriveKeyUniqueSalt = true;
/** /**
* Encrypts data. * Encrypts data.
...@@ -89,10 +95,18 @@ class Security extends Component ...@@ -89,10 +95,18 @@ class Security extends Component
{ {
$module = $this->openCryptModule(); $module = $this->openCryptModule();
$data = $this->addPadding($data); $data = $this->addPadding($data);
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($module), MCRYPT_DEV_URANDOM); $ivSize = mcrypt_enc_get_iv_size($module);
$key = $this->deriveKey($password, $iv); $iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
if ($this->useDeriveKeyUniqueSalt) {
$keySalt = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);
$encrypted = $keySalt;
} else {
$keySalt = $iv;
$encrypted = '';
}
$key = $this->deriveKey($password, $keySalt);
mcrypt_generic_init($module, $key, $iv); mcrypt_generic_init($module, $key, $iv);
$encrypted = $iv . mcrypt_generic($module, $data); $encrypted .= $iv . mcrypt_generic($module, $data);
mcrypt_generic_deinit($module); mcrypt_generic_deinit($module);
mcrypt_module_close($module); mcrypt_module_close($module);
...@@ -115,9 +129,15 @@ class Security extends Component ...@@ -115,9 +129,15 @@ class Security extends Component
$module = $this->openCryptModule(); $module = $this->openCryptModule();
$ivSize = mcrypt_enc_get_iv_size($module); $ivSize = mcrypt_enc_get_iv_size($module);
$iv = StringHelper::byteSubstr($data, 0, $ivSize); $iv = StringHelper::byteSubstr($data, 0, $ivSize);
$key = $this->deriveKey($password, $iv); $keySalt = $iv;
$encrypted = StringHelper::byteSubstr($data, $ivSize, StringHelper::byteLength($data));
if ($this->useDeriveKeyUniqueSalt) {
$iv = StringHelper::byteSubstr($encrypted, 0, $ivSize);
$encrypted = StringHelper::byteSubstr($encrypted, $ivSize, StringHelper::byteLength($encrypted));
}
$key = $this->deriveKey($password, $keySalt);
mcrypt_generic_init($module, $key, $iv); mcrypt_generic_init($module, $key, $iv);
$decrypted = mdecrypt_generic($module, StringHelper::byteSubstr($data, $ivSize, StringHelper::byteLength($data))); $decrypted = mdecrypt_generic($module, $encrypted);
mcrypt_generic_deinit($module); mcrypt_generic_deinit($module);
mcrypt_module_close($module); mcrypt_module_close($module);
......
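Review bot: decrypt() (hunk at -115,9 +129,15) picks the ciphertext layout from the current `useDeriveKeyUniqueSalt` value rather than from the data itself, so a blob produced under one setting is silently decrypted with the wrong key salt and IV once the setting changes — including everything produced by the previous code, which used the IV alone as the salt and prepended only the IV. The property docblock in the first hunk should state this: `Changing this value makes data encrypted under the previous value undecryptable; the encrypted format is not self-describing.` Both encrypt() and decrypt() also slice `$data` without checking its length: with the unique salt enabled the input must hold at least two IV-sized blocks, otherwise `StringHelper::byteSubstr()` returns short strings and `mcrypt_generic_init()` receives an undersized IV, so a guard such as `if (StringHelper::byteLength($data) < $ivSize * ($this->useDeriveKeyUniqueSalt ? 2 : 1)) { throw /* invalid input */; }` before the first slice would fail cleanly instead. Since the `false` branch still reuses the IV as the salt, the docblock's "reduce security" wording would read better stated concretely — the salt and IV are then the same random value instead of two independent ones. The bodies of encrypt() and decrypt() start and end outside their hunks.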
...@@ -83,10 +83,22 @@ class SecurityTest extends TestCase ...@@ -83,10 +83,22 @@ class SecurityTest extends TestCase
return [ return [
[ [
'hmac', 'hmac',
false true,
false,
],
[
'hmac',
false,
false,
],
[
'pbkdf2',
true,
!function_exists('hash_pbkdf2')
], ],
[ [
'pbkdf2', 'pbkdf2',
false,
!function_exists('hash_pbkdf2') !function_exists('hash_pbkdf2')
], ],
]; ];
...@@ -96,15 +108,17 @@ class SecurityTest extends TestCase ...@@ -96,15 +108,17 @@ class SecurityTest extends TestCase
* @dataProvider dataProviderEncrypt * @dataProvider dataProviderEncrypt
* *
* @param string $deriveKeyStrategy * @param string $deriveKeyStrategy
* @param boolean $useDeriveKeyUniqueSalt
* @param boolean $isSkipped * @param boolean $isSkipped
*/ */
public function testEncrypt($deriveKeyStrategy, $isSkipped) public function testEncrypt($deriveKeyStrategy, $useDeriveKeyUniqueSalt, $isSkipped)
{ {
if ($isSkipped) { if ($isSkipped) {
$this->markTestSkipped("Unable to test '{$deriveKeyStrategy}' derive key strategy"); $this->markTestSkipped("Unable to test '{$deriveKeyStrategy}' derive key strategy");
return; return;
} }
$this->security->deriveKeyStrategy = $deriveKeyStrategy; $this->security->deriveKeyStrategy = $deriveKeyStrategy;
$this->security->useDeriveKeyUniqueSalt = $useDeriveKeyUniqueSalt;
$data = 'known data'; $data = 'known data';
$key = 'secret'; $key = 'secret';
......
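Review bot: testEncrypt only round-trips with the same `useDeriveKeyUniqueSalt` value on both sides (the new provider rows at -83,10 +83,22 vary the flag, but the encrypt/decrypt calls in the test body fall outside the hunk), so nothing pins the output format the option defines. Add a case that encrypts with the flag set, flips it to `false` before decrypt, and asserts the call does not yield `$data` (or throws), plus one asserting the encrypted output is longer by one IV size when the flag is set — both follow directly from the property docblock. Style-wise the provider rows mix a trailing comma after the last element with none, e.g. `!function_exists('hash_pbkdf2')` in the new rows; make that consistent. The body of testEncrypt continues outside the hunk.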