-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aaron,

Good thoughts, and thanks for "asking the obvious".  I vaguely remember
considering using openssl instead of mcrypt when I initially wrote that code.
I think the only reason I decided to use mcrypt was that it was symmetric key
based, making it quite a bit faster.  It probably doesn't introduce enough
delay to really matter, but just doing some tests now, I found using
openssl_public_encrypt/openssl_private_decrypt to be around 15 times slower
than the current code.

If it wasn't for what I see to be a useful exercise in dealing with possibly
incompatible code from another project, I'd go ahead and switch to openssl,
using the symmetric functions if available and the asymmetric ones if not.
For now, I think I'll go ahead and finish working through the issue with
phpseclib.

Josh

On Thursday, May 17, 2012 2:26:55 PM Aaron Coburn wrote:
> Just to ask the obvious.... Why not just use the openssl library for this?
> Especially since the public and private keys are already being loaded in
> the initGlobals() function. I know that its interface is not nearly so
> nice, and it doesn't support symmetric encryption for PHP <= 5.3, but
> here's some code that could be dropped in place in utils.php:
>
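> function encryptData($data){
>     global $keys;
>     if(! $data)
>         return false;
>     // openssl_public_encrypt() returns false on failure, for example
>     // when $data is longer than the RSA key allows
>     if(! openssl_public_encrypt(
>             $data,
>             $encrypted,
>             $keys['public']))
>         return false;
>     return trim(base64_encode($encrypted));
> }
>
> function decryptData($data){
>     global $keys;
>     if(! $data)
>         return false;
>     // returns false when the input is not valid for this private key
>     if(! openssl_private_decrypt(
>             base64_decode($data),
>             $decrypted,
>             $keys['private']))
>         return false;
>     return trim($decrypted);
> }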
>
> The other change would require modifying the initGlobals() function so that
> the public/private keys were read earlier in the execution of the function,
> i.e. before trying to decrypt a continuation value.
>
> Aaron
>
>
>
> --
> Aaron Coburn
> Systems Administrator and Programmer
> Academic Technology Services, Amherst College
> acob...@amherst.edu
>
> On May 17, 2012, at 8:34 AM, Josh Thompson wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday, May 16, 2012 10:37:02 AM Kevan Miller wrote:
> On May 11, 2012, at 3:17 PM, Josh Thompson wrote:
>
> Kevan,
>
> Ugh.  Thanks for looking at this.  I guess it goes to show you can't just
> trust that another project that says it is MIT licensed is *completely* MIT
> licensed.  :(  I'll figure out a way to deal with it.  If it works out that
> bcpowmod.php and str_split.php are not actually needed, can I just remove
> them?  If so, do I need to document that modification somewhere?
>
> BTW, vcl/trunk/web/.ht-inc/phpseclib/index.html refers to PHP Secure
> Communications Library as LGPL-licensed. Which is contradicted by
> http://phpseclib.sourceforge.net/
>
> It looks like our documentation comes from
> http://phpseclib.sourceforge.net/documentation/ -- I'd check with the
> phpseclib project. Seems to be their reference to LGPL is unintended or
> inconsistent. bcpowmod.php's LGPL license would seem to be a problem with
> this, however…
>
> --kevan
>
> After looking further, there are only two files (AES.php and Rijndael.php)
> needed from the phpseclib project, and both of them appear as though they
> were written to be able to be included by themselves (i.e. each one
> contains information about the author, the project, and the license).  Both
> files state that they are MIT licensed and contain that license in them.
> Is it normal to just pull in specific files from another project, or is it
> better to include the whole project?
>
> My only other experience in including another open source project in one I
> work on is from including the Dojo Toolkit with VCL.  In that case, it
> seemed to make the most sense to include the whole thing.
>
> License wise, it seems simplest to just include the two files in the
> release, but I just want to make sure we do the right thing in respecting
> other open source projects.
>
> Thanks,
> Josh
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found at pgp.mit.edu
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
>
> iEYEARECAAYFAk+08HIACgkQV/LQcNdtPQN8dgCdF/RaBttxHHuRMjuw73G9Kv34
> RjYAnimOHe1R50N532Bgxi+uOjVnkgjv
> =PjK8
> -----END PGP SIGNATURE-----
- --
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk+1YfsACgkQV/LQcNdtPQO49ACfXGgDbk743upn9gTa97GEjN/M
sTMAniT1Z0tAwOM8tbTsVzuHa/FnFPQt
=ePgF
-----END PGP SIGNATURE-----
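
The approach discussed in this thread (openssl's symmetric functions where available, the asymmetric ones otherwise), as an added example that is not code from the thread or from VCL. The function names, `$symKey` and the PEM arguments are assumptions, and AES-GCM requires PHP 7.1 or later, so on a current PHP the symmetric branch is always taken; the asymmetric branch is kept to show the plaintext size limit that RSA imposes.

```php
<?php
// Added example, not VCL code. Function names, $symKey and the PEM arguments are assumptions.
// Assumes PHP >= 7.1 with the openssl extension (needed for AES-GCM).

function encryptSym($data, $symKey) {                  // $symKey: 32 random bytes
    $iv = random_bytes(12);                            // fresh nonce for every message
    $ct = openssl_encrypt($data, 'aes-256-gcm', $symKey, OPENSSL_RAW_DATA, $iv, $tag);
    return $ct === false ? false : base64_encode($iv . $tag . $ct);
}

function decryptSym($b64, $symKey) {
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 29) return false;  // nonce + tag + 1 byte minimum
    // openssl_decrypt() returns false when the GCM tag does not verify
    return openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $symKey,
                           OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
}

function encryptAsym($data, $publicPem) {
    $pub = openssl_pkey_get_public($publicPem);
    if ($pub === false) return false;
    // RSA-OAEP with SHA-1 carries at most (key bytes - 42) bytes of plaintext
    $max = intdiv(openssl_pkey_get_details($pub)['bits'], 8) - 42;
    if (strlen($data) > $max) return false;            // refuse instead of failing silently
    if (!openssl_public_encrypt($data, $ct, $pub, OPENSSL_PKCS1_OAEP_PADDING)) return false;
    return base64_encode($ct);
}

function decryptAsym($b64, $privatePem) {
    $raw = base64_decode($b64, true);
    if ($raw === false) return false;
    return openssl_private_decrypt($raw, $pt, $privatePem, OPENSSL_PKCS1_OAEP_PADDING) ? $pt : false;
}

// Prefer the symmetric path; fall back to RSA only when it is unavailable.
function encryptValue($data, $symKey, $publicPem) {
    if ($data === null || $data === '') return false;
    return function_exists('openssl_encrypt') ? encryptSym($data, $symKey) : encryptAsym($data, $publicPem);
}
function decryptValue($b64, $symKey, $privatePem) {
    return function_exists('openssl_decrypt') ? decryptSym($b64, $symKey) : decryptAsym($b64, $privatePem);
}

$symKey = random_bytes(32);                            // constructed demo key
$token  = encryptValue('continuation=abc123', $symKey, null);   // constructed sample value
var_dump(decryptValue($token, $symKey, null) === 'continuation=abc123');
$raw = base64_decode($token);
$raw[20] = chr(ord($raw[20]) ^ 1);                     // flip one bit inside the GCM tag
var_dump(decryptValue(base64_encode($raw), $symKey, null));     // tampered copy
```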
