PHP :: Request #73651 :: mcrypt being deprecated without suitable alternative

Request #73651	mcrypt being deprecated without suitable alternative
Submitted:	2016-12-05 06:11 UTC	Modified:	2018-08-20 13:30 UTC
From:	magicaltux at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	mcrypt related
PHP Version:	7.1.0	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2016-12-05 06:11 UTC] magicaltux at gmail dot com

Description:
------------
As per PHP rfc https://wiki.php.net/rfc/mcrypt-viking-funeral mcrypt is being deprecated, being unmaintained since 2007 and probably containing quite a few bugs.

The RFC states:

> Everything libmcrypt can do, openssl can do too (and often better), either out-of-the-box or via its support for pluggable ciphers.

This is however not true. I am writing this because we currently use mcrypt here for a few things and OpenSSL does not work as an alternative to mcrypt.

More specifically low level control on the encryption allows encryption/decryption of streams, either manually (via mcrypt_generic_init) or PHP streams (see http://php.net/manual/en/filters.encryption.php )

There is currently no suitable alternative in OpenSSL or any bundled extension for encryption of streams (over tcp or in order to process large volumes of data) and while it is likely possible to write a PHP native implementation of AES and others, it would lead to a large loss in terms of performances.


I have no objection to see mcrypt disappear in exchange for something else, however there is currently no alternative except using implementations such as phpseclib which have both native code and use tricks to have OpenSSL handle streams of data. Having a clean implementation with PHP filters (or without, that's fine too) would be useful.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-12-05 06:18 UTC] requinix@php.net

-Status: Open +Status: Suspended

[2016-12-05 06:18 UTC] requinix@php.net

This is the kind of thing you should bring up on the internals mailing list, not the bug tracker.
http://php.net/mailing-lists.php

[2018-08-20 13:30 UTC] cmb@php.net

-Status: Suspended +Status: Closed -Assigned To: +Assigned To: cmb

[2018-08-20 13:30 UTC] cmb@php.net

As of PHP 7.2.0 the Sodium extension[1] is bundled with PHP, so
this feature request can be closed.

[1] <http://php.net/manual/en/book.sodium.php>

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 05:01:27 2024 UTC