Here are two basic examples of replacing the encryption in OpenCart 3.0.2.0. Probably need to add checks on the length of the value to decrypt and some checks that the functions exist. I've done a basic test, but recommend adding checks and testing fully before using.
For PHP 7.2+, as long as the host has correctly included sodium (check with phpinfo and ask the host if it isn't there).
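```php
<?php
final class Encryption {
    public function encrypt($key, $value) {
        // Fresh random nonce per message, stored in front of the ciphertext.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        // The 32-byte secretbox key is the SHA-256 digest of the configured key.
        return strtr(base64_encode($nonce . sodium_crypto_secretbox($value, $nonce, hash('sha256', $key, true))), '+/=', '-_,');
    }

    public function decrypt($key, $value) {
        $raw_value = base64_decode(strtr($value, '-_,', '+/='));
        // Too short to hold a nonce and a MAC: secretbox_open would throw on it.
        if (strlen($raw_value) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return '';
        }
        $nonce = substr($raw_value, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open(substr($raw_value, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, hash('sha256', $key, true));
        // false means the MAC check failed (wrong key or modified data).
        return $plain === false ? '' : trim($plain);
    }
}
```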
For PHP 7.1+ using openssl 'aes-256-gcm'.
```php
<?php
final class Encryption {
    public function encrypt($key, $value) {
        // Fresh random IV per message; GCM must never reuse an IV under one key.
        $iv = random_bytes(openssl_cipher_iv_length('aes-256-gcm'));
        $tag = '';
        $encrypted = openssl_encrypt($value, 'aes-256-gcm', hash('sha256', $key, true), OPENSSL_RAW_DATA, $iv, $tag);
        // Stored layout: IV, then 16-byte tag, then ciphertext.
        return strtr(base64_encode($iv . $tag . $encrypted), '+/=', '-_,');
    }

    public function decrypt($key, $value) {
        $encrypted = base64_decode(strtr($value, '-_,', '+/='));
        $iv_len = openssl_cipher_iv_length('aes-256-gcm');
        $tag_len = 16;
        if (strlen($encrypted) <= $iv_len + $tag_len) {
            return '';
        }
        $iv = substr($encrypted, 0, $iv_len);
        $tag = substr($encrypted, $iv_len, $tag_len);
        $plain = openssl_decrypt(substr($encrypted, $iv_len + $tag_len), 'aes-256-gcm', hash('sha256', $key, true), OPENSSL_RAW_DATA, $iv, $tag);
        // false means the tag did not verify (wrong key or modified data).
        return $plain === false ? '' : trim($plain);
    }
}
```
Edit: Removed ?> to keep same style as 3.x and removed unneeded key assignment in openssl 'aes-256-gcm' version.
Edit: Added length check and use random_bytes in openssl 'aes-256-gcm' version.
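
An added example, not part of the original post or of OpenCart: a pre-deployment check along the lines the post recommends, confirming that the functions exist and that a replacement class rejects short, tampered or wrong-key input without throwing. The helper names check_backend(), guarded_decrypt() and self_test() and the sample key and value are hypothetical.

```php
<?php
// Added example; check_backend(), guarded_decrypt() and self_test() are hypothetical names.

// Report which of the two backends this PHP build can actually use.
function check_backend(): array {
    return [
        'sodium' => function_exists('sodium_crypto_secretbox')
            && function_exists('sodium_crypto_secretbox_open'),
        'aes-256-gcm' => function_exists('openssl_encrypt')
            && in_array('aes-256-gcm', openssl_get_cipher_methods(), true),
    ];
}

// Run decrypt() and report an exception class name instead of letting it escape.
function guarded_decrypt($enc, string $key, string $value) {
    try {
        return $enc->decrypt($key, $value);
    } catch (\Throwable $e) {
        return 'threw ' . get_class($e);
    }
}

// Exercise any object exposing encrypt($key, $value) and decrypt($key, $value).
function self_test($enc): array {
    $key = 'constructed-test-key';        // constructed sample values
    $plain = 'constructed sample value';
    $token = $enc->encrypt($key, $plain);

    // Swap one character in the middle of the token to simulate tampering.
    $i = intdiv(strlen($token), 2);
    $tampered = substr_replace($token, $token[$i] === 'A' ? 'B' : 'A', $i, 1);

    return [
        'round_trip'         => guarded_decrypt($enc, $key, $token) === $plain,
        'tamper_rejected'    => guarded_decrypt($enc, $key, $tampered) === '',
        'wrong_key_rejected' => guarded_decrypt($enc, $key . 'x', $token) === '',
        'short_input_safe'   => guarded_decrypt($enc, $key, 'abc') === '',
        'fresh_nonce'        => $enc->encrypt($key, $plain) !== $token,
    ];
}

print_r(check_backend());
if (class_exists('Encryption')) {
    print_r(self_test(new Encryption()));
}
```

Load one of the Encryption classes before this script to run the self-test against it; any entry that comes back false marks a case the class does not handle yet.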