search

robrichards / xmlseclibs

A PHP library for XML Security
BSD 3-Clause "New" or "Revised" License
388 stars 181 forks source link

xmlseclibs fails when using mb_str functions #2

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Edit php.ini, find mbstring.func_overload, and change the value to 7. 
Save & quit.
2. Run tests

What is the expected output?
> php ./xml-sign.phpt 
--TEST--
Basic Signature
--FILE--
DONE--EXPECTF--
DONE

> php ./xmlsec-decrypt.phpt 
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: Passed
--EXPECTF--
AOESP_SHA1: Passed

> php ./xmlsec-encrypt.phpt 
--TEST--
Basic Encryption
--FILE--
EncryptedData--EXPECTF--
EncryptedData

> php ./xmlsec-verify.phpt 
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!

What do you see instead?
> php ./xml-sign.phpt
--TEST--
Basic Signature
--FILE--
DONE--EXPECTF--
DONE

> php ./xmlsec-decrypt.phpt
--TEST--
Basic Decryption
--FILE--
AOESP_SHA1: PHP Warning:  mcrypt_generic_init(): Iv size incorrect;
supplied length: 22, needed: 16 in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 356

Warning: mcrypt_generic_init(): Iv size incorrect; supplied length: 22,
needed: 16 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 356
PHP Warning:  DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288

Warning: DOMDocument::loadXML(): Empty string supplied as input in
/usr/home/craig/xmlseclibs/xmlseclibs.php on line 1288
PHP Catchable fatal error:  Argument 1 passed to DOMDocument::importNode()
must be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292

Catchable fatal error: Argument 1 passed to DOMDocument::importNode() must
be an instance of DOMNode, null given, called in
/usr/home/craig/xmlseclibs/tests/xmlsec-decrypt.phpt on line 58 and defined
in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 1292

> php ./xmlsec-encrypt.phpt
--TEST--
Basic Encryption
--FILE--
PHP Warning:  mcrypt_generic_init(): Key size too large; supplied length:
46, max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336

Warning: mcrypt_generic_init(): Key size too large; supplied length: 46,
max: 32 in /usr/home/craig/xmlseclibs/xmlseclibs.php on line 336
EncryptedData--EXPECTF--
EncryptedData

> php ./xmlsec-verify.phpt
--TEST--
Basic Verify
--FILE--
SIGN_TEST: Signature validated!
--EXPECTF--
SIGN_TEST: Signature validated!

What version of the product are you using? On what operating system?
xmlseclibs-1.2.1.tar.gz on FreeBSD, running PHP 5.2.9

Please provide any additional information below.
The problem is the the mb_strlen() and mb_substr() function intrepret the
random binary characters as multibyte characters.  This causes mb_strlen()
to return a number that is not the same as the number of bytes.  This
causes all sorts of problems with mb_substr() as well.

I have a patch, but only for decryptMcrypt().  This is the only function
that I had to fix to get my SimpleSAML message to work.

Original issue reported on code.google.com by craiglewis782@gmail.com on 20 Aug 2009 at 12:21

Attachments:

GoogleCodeExporter commented 9 years ago 
Hi,

instead of playing tricks with regexps and depending on "subtle" behaviour ('.' 
matching a byte), you could use something like 
http://www.php.net/manual/en/function.strlen.php#54906 (but using 'ISO-8859-1' 
as the character set, instead of 'latin1', which is the canonical character set 
name).

Saludos.
Iñaki.

Original comment by iaren...@mondragon.edu on 2 May 2011 at 9:47

GoogleCodeExporter commented 9 years ago 
Here's a proposed patch for a svn checkout of trunk (current as of today).

Saludos.
Iñaki.

Original comment by iaren...@mondragon.edu on 2 May 2011 at 5:19

Attachments:

GoogleCodeExporter commented 9 years ago 
I missed that argument to the mb_ family of functions.  That's a much better 
solution.

Original comment by craiglewis782@gmail.com on 7 Jun 2011 at 9:14

guiwoda commented 9 years ago

This had me going around for a week when trying to use SimpleSAML in a server with mbstring.func_overload 6.

Is there any intention of fixing it?

robrichards commented 9 years ago

@guiwoda Will take a look at this once I finish re-organizing the code and versions

sstok commented 9 years ago

You can solve this by detecting of mb_str exists and use the 8bit encoding instead. See https://github.com/defuse/php-encryption/blob/master/src/Crypto.php#L663

robrichards commented 9 years ago

@sstok Thanks. This is one of the issues I'm currently working on so appreciate the reference to that