php 5.2



NancyJ
11-06-2006, 04:31 PM
This morning - without warning, our server was upgraded to php 5.2 - which subsequently broke our credit card encryption/decryption system - no errors, just the encryption/decryption were no longer right. I can't see anything obvious in the change log that would break this code.

These are the functions



function getKey()
{
    $arrSalt = explode("\r\n",chunk_split(md5(substr($this->name, 0, 1)), 15));
    $arrPepper = explode("\r\n", chunk_split(md5(substr($this->name, -1, 1)),15));
    $k[] = $arrSalt[0];
    $k[] = $arrSalt[1];
    $k[] = $arrPepper[0];
    $k[] = $arrPepper[1];
    return $k;
}

function str2long($data)
{
    $n = strlen($data);
    $tmp = unpack('N*', $data);
    $data_long = array();
    $j = 0;

    foreach ($tmp as $value) $data_long[$j++] = $value;
    return $data_long;
}

function long2str($l)
{
    return pack('N', $l);
}

function xteaEncrypt($v, $k)
{
    $v0=$v[0];
    $v1=$v[1];
    $sum=0;
    $delta=0x9e3779b9;

    for ($i=0; $i<32; $i++)
    {
        $v0 += ($v1<<4 ^ $v1>>5) + $v1 ^ $sum + $k[$sum & 3];
        $sum += $delta;
        $v1 += ($v0 << 4 ^ $v0 >> 5) + $v0 ^ $sum + $k[$sum>>11 & 3];
    }

    $v[0]=$v0;
    $v[1]=$v1;

    return $v;
}

function xteaDecrypt($v, $k)
{
    $v0=$v[0];
    $v1=$v[1];
    $delta=0x9e3779b9;
    $sum=0xC6EF3720;

    for ($i=0; $i<32; $i++)
    {
        $v1 -= ($v0 << 4 ^ $v0 >> 5) + $v0 ^ $sum + $k[$sum>>11 & 3];
        $sum -= $delta;
        $v0 -= ($v1 << 4 ^ $v1 >> 5) + $v1 ^ $sum + $k[$sum&3];
    }

    $v[0]=$v0;
    $v[1]=$v1;

    return $v;
}

function encrypt()
{
    $key = $this->getKey();
    $text = $this->number;
    $n = strlen($text);
    if($n%8 != 0) $lng = ($n+(8-($n%8)));
    $text = str_pad($text, $lng, ' ');

    $secret[0][0] = (double)microtime()*1000000;
    $secret[0][1] = time();

    $v = $this->str2long($text);
    $a = 1;
    for($i = 0; $i<count($v); $i+=2)
    {
        $v[$i] ^= $secret[$a-1][0];
        $v[$i+1] ^= $secret[$a-1][1];

        $secret[] = $this->xteaEncrypt(array($v[$i],$v[$i+1]),$key);
        $a++;
    }

    for($i = 0; $i<count($secret); $i++)
    {
        $decrypted .= $this->long2str($secret[$i][0]);
        $decrypted .= $this->long2str($secret[$i][1]);
    }

    $this->encryptedNumber = strrev(base64_encode(md5($this->secCode)).base64_encode($decrypted));
}

function decrypt()
{
    $key = $this->getKey();
    $text = str_replace(base64_encode(md5($this->secCode)), '',strrev($this->encryptedNumber));

    $secret = $this->str2long(base64_decode($text));
    $clear = array();
    for($i = 2; $i<count($secret); $i+=2)
    {
        $return = $this->xteaDecrypt(array($secret[$i],$secret[$i+1]),$key);
        $clear[] = array($return[0]^$secret[$i-2],$return[1]^$secret[$i-1]);
    }

    for($i = 0; $i<count($clear); $i++)
    {
        $decrypted .= $this->long2str($clear[$i][0]);
        $decrypted .= $this->long2str($clear[$i][1]);
    }

    $this->number = $decrypted;
}

dumpfi
11-06-2006, 05:51 PM
Where are you defining $secret in the method encrypt()?

dumpfi

CFMaBiSmAd
11-06-2006, 05:59 PM
Hmm. What version of PHP was it before the unannounced upgrade?

I took a quick look at the 5.2 changes - http://www.php.net/UPDATE_5_2.txt and nothing stands out as affecting your code.

My first thought was a php.ini configuration difference, but nothing in your code stands out as being affected by a feature being turned on/off, that would have still allowed the code to execute without an error.

I assume that you have set error_reporting to E_ALL and/or checked server logs...

NancyJ
11-06-2006, 07:02 PM
The script doesn't fail - it produces output but the encryption and decryption are not producing the correct/expected values as if the values of one of the functions was different to what it should be. I will have to upgrade my local version for more thorough testing, was just wondering if anyone had a similar problem or knew what it was.

dumpfi
11-06-2006, 08:41 PM
You should set your error reporting level to E_ALL | E_STRICT. Then you will get at least some notices about using undeclared variables.

dumpfi

marek_mar
11-06-2006, 09:24 PM
The title could be a bit more descriptive...

These functions look like they're class members. If you switched from PHP4 there could be a lot of differences.

NancyJ
11-06-2006, 09:25 PM
This was just upgrading to 5.2 from 5.14

marek_mar
11-06-2006, 10:30 PM
Did anything else change on the server (or the server)?
Can you decrypt things that you have encrypted under PHP5.2?

You might actually have the honor of finding a bug in PHP5.2!

NancyJ
11-07-2006, 07:43 AM
As far as I know nothing else changed - as I said they did this completely without consulting us first - you can imagine the screaming-at my account manager got ;)
No, stuff encrypted under 5.2 wouldn't decrypt either. I'm going to upgrade my local version and work it all out today with full error reporting turned on. See what I can find out.
Might have to go through it step by step and see where it changes.
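
Added example, not part of the original thread and not NancyJ's code: a Python XTEA reference that records the state after every round, as a baseline for the step-by-step comparison mentioned above. XTEA is defined on 32-bit unsigned words, so each result is masked explicitly rather than left to the runtime's integer behaviour; the key, the sample block and the `first_divergence` helper are constructed for illustration.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32

def words(data):
    """Big-endian 32-bit words, the layout PHP's unpack('N*', ...) produces."""
    return struct.unpack(">%dI" % (len(data) // 4), data)

def _mix(a, s, kword):
    # XTEA round function; the final mask keeps the result in 32 bits.
    return ((((a << 4) ^ (a >> 5)) + a) ^ (s + kword)) & MASK32

def encrypt_block(v, key, trace=None):
    v0, v1 = v
    s = 0
    for rnd in range(ROUNDS):
        v0 = (v0 + _mix(v1, s, key[s & 3])) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + _mix(v0, s, key[(s >> 11) & 3])) & MASK32
        if trace is not None:
            trace.append((rnd, v0, v1, s))  # state after each round
    return v0, v1

def decrypt_block(v, key):
    v0, v1 = v
    s = (DELTA * ROUNDS) & MASK32  # 0xC6EF3720, the start value in the thread
    for _ in range(ROUNDS):
        v1 = (v1 - _mix(v0, s, key[(s >> 11) & 3])) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - _mix(v1, s, key[s & 3])) & MASK32
    return v0, v1

def first_divergence(ref_trace, other_trace):
    """Round index where another implementation's trace first differs."""
    for ref, other in zip(ref_trace, other_trace):
        if ref != other:
            return ref[0]
    return None

# Constructed sample values (not from the thread).
KEY = (0x00010203, 0x04050607, 0x08090A0B, 0x0C0D0E0F)
BLOCK = words(b"41111111")

if __name__ == "__main__":
    trace = []
    ct = encrypt_block(BLOCK, KEY, trace)
    assert decrypt_block(ct, KEY) == BLOCK
    for rnd, v0, v1, s in trace:
        print("%2d %08x %08x %08x" % (rnd, v0, v1, s))
```

Dumping `$v0`, `$v1` and `$sum` after each loop iteration of the implementation under test, with the same key words and input block, gives the second trace to pass to `first_divergence`.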

CFMaBiSmAd
11-10-2006, 09:01 PM
I was just browsing through the PHP change log and the following item stood out as something that would affect the operation of your code -

- Fixed bug #37244 (Added strict flag to base64_decode() that enforces RFC3548 compliance). (Ilia)

NancyJ
11-10-2006, 10:32 PM
I was just browsing through the PHP change log and the following item stood out as something that would affect the operation of your code -

I saw that too, but the default is false - so it should operate as in 5.14

firepages
11-11-2006, 01:07 AM
You have only posted the relevant functions; is there more in your class or its hierarchy? I see that the internals of _toString() have been played around with; if this is called implicitly or otherwise, that may have some effect on values such as

$text = $this->number;

etc. What about trying the methods outside of a class as simple functions? If that makes the difference then at least you know where to start looking.


