
I can see that the sample php code uses mcrypt.

Can we expect that sagepay will re-write the php sample code to use open_ssl instead, or perhaps someone has already done it?

Ok, as I've had no response to this, I've tried to find out how to replace the call the mcrypt by one to openssl.

The original code on the encryption side is this:

```php
$strIV = $strEncryptionPassword;
//** add PKCS5 padding to the text to be encrypted
$strIn = addPKCS5Padding($strIn);
//** perform encryption with PHP's MCRYPT module
$strCrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $strEncryptionPassword, $strIn, MCRYPT_MODE_CBC, $strIV);
```

And (one of) my attempts at replacing it is this:

```php
$strIV = $strEncryptionPassword;
$strCrypt  = openssl_encrypt($strIn,'AES-128-CBC',$strIV,$options=OPENSSL_RAW_DATA);
//** perform hex encoding and return
return "@" . bin2hex($strCrypt);
```

I've tried the OPENSSL_NO_PADDING options and also "AES_192_CBC" as well as "AES_256_CBC".

I am comparing a before and after string encrypted for mcrypt (and successfully processed by Sagepay), but not getting the same encrypted string from openssl.

I'd appreciate some help.

OK, I think I've got this to work, although I am not sure exactly what I had to do differently from what I'd tried before. Here's the code for the two functions in the Sagepay interface package:

```php
define('SESS_CIPHER', 'AES-128-CBC');

function NEWencryptAndEncode($strIn) {
    global $strEncryptionType, $strEncryptionPassword;
    if ($strEncryptionType == "XOR") {
        //** XOR encryption with Base64 encoding **
        return base64Encode(simpleXor($strIn, $strEncryptionPassword));
    } else {
        //** AES encryption, CBC blocking with PKCS5 padding then HEX encoding - DEFAULT **
        //** use initialization vector (IV) set from $strEncryptionPassword
        $strIV = $strEncryptionPassword;
        //** add PKCS5 padding to the text to be encrypted
        $strIn = addPKCS5Padding($strIn);
        //** perform encryption with PHP's OpenSSL module; the password is both the
        //** AES-128 key and the IV, exactly as in the mcrypt call, and
        //** OPENSSL_ZERO_PADDING stops OpenSSL adding a second layer of padding
        $strCrypt = openssl_encrypt($strIn, SESS_CIPHER, $strEncryptionPassword,
            OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $strIV);
        //** perform hex encoding and return
        return "@" . bin2hex($strCrypt);
    }
}
```

and

```php
function NEWdecodeAndDecrypt($strIn) {
    global $strEncryptionPassword;
    if (substr($strIn, 0, 1) == "@") {
        //** HEX decoding then AES decryption, CBC blocking with PKCS5 padding - DEFAULT **
        //** use initialization vector (IV) set from $strEncryptionPassword
        $strIV = $strEncryptionPassword;
        //** remove the first char which is @ to flag this is AES encrypted
        $strIn = substr($strIn, 1);
        //** HEX decoding
        $strIn = pack('H*', $strIn);
        //** perform decryption with PHP's OpenSSL module. Without OPENSSL_ZERO_PADDING
        //** OpenSSL strips the PKCS5 padding itself (PKCS5 and PKCS7 padding are the
        //** same for a 16-byte block), so the plaintext comes back without padding bytes
        return openssl_decrypt($strIn, SESS_CIPHER, $strEncryptionPassword,
            OPENSSL_RAW_DATA, $strIV);
    } else {
        //** Base 64 decoding plus XOR decryption **
        return simpleXor(base64Decode($strIn), $strEncryptionPassword);
    }
}
```
  • Please provide more information on the sample code you are using and on *sagepay*... – janniks May 16 '18 at 13:47
  • Sagepay is a Credit Card processing merchant in the UK, and they provide sample php code to use in creating webpages to interface to their systems. The sample code they provide (still - I checked yesterday) uses the mcrypt decode and encode to code up the transaction before sending it to them using (I think) a POST request. – brian read May 17 '18 at 13:51
  • Sagepay support send you to here to get technical help, so I am hoping that one of the support staff will be along to comment soon. – brian read May 17 '18 at 13:52
  • That seems like a strange unusual process. Have you tried contacting the support at https://www.sagepay.co.uk/support ? – janniks May 18 '18 at 10:57
  • yes, the website sends me to here with the tag [sagepay] – brian read May 18 '18 at 13:01
  • Have you seen [this gist](https://gist.github.com/odan/c1dc2798ef9cedb9fedd09cdfe6e8e76)? The difference I see is that "$iv" is also being passed through, as is your original mcrypt function. – dylan-myers Jul 09 '18 at 14:06
  • I think the difference between that usage and mine is that the encrypt and decrypt will work with each other, whereas I am needing to duplicate the action of mcrypt as the sagepay server will decrypt it I guess using mcrypt or similar. – brian read Jul 09 '18 at 18:26
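The following stand-alone script is an added example, not code from the question, from Sagepay's kit or from the gist linked in the comments. It reproduces the framing the mcrypt-based kit used (PKCS5 padding, AES-128-CBC with the 16-byte password serving as both key and IV, then "@" plus hex) using only PHP's openssl extension, so the output can be compared byte for byte with a crypt string the old mcrypt code produced. The password and message are constructed values; the padding helpers and the function names `encryptAndEncode`/`decodeAndDecrypt` are this example's own, written so the script does not depend on the kit's `addPKCS5Padding`. It also checks the two points the thread circles around: the password length must be exactly 16 bytes for AES-128-CBC, and letting OpenSSL apply its default PKCS#7 padding gives the same crypt string as manual PKCS5 padding with `OPENSSL_ZERO_PADDING`, because the two paddings coincide for a 16-byte block.

```php
<?php
// Added example, not Sagepay's code: mcrypt-compatible AES-128-CBC framing with openssl.
const SESS_CIPHER = 'AES-128-CBC';
const BLOCK_SIZE  = 16;

// PKCS#5 padding: pad to a multiple of 16 bytes, each pad byte equal to the pad length.
function addPKCS5Padding(string $input): string
{
    $padLength = BLOCK_SIZE - (strlen($input) % BLOCK_SIZE);
    return $input . str_repeat(chr($padLength), $padLength);
}

// Inverse of addPKCS5Padding; malformed padding is an error, never silently accepted.
function removePKCS5Padding(string $input): string
{
    $len = strlen($input);
    if ($len === 0 || $len % BLOCK_SIZE !== 0) {
        throw new RuntimeException('decrypted data is not a multiple of the block size');
    }
    $padLength = ord($input[$len - 1]);
    if ($padLength < 1 || $padLength > BLOCK_SIZE
        || substr($input, -$padLength) !== str_repeat(chr($padLength), $padLength)) {
        throw new RuntimeException('invalid PKCS#5 padding');
    }
    return substr($input, 0, $len - $padLength);
}

function checkPassword(string $password): void
{
    // AES-128-CBC takes a 16-byte key and a 16-byte IV; the kit uses the password for both.
    if (strlen($password) !== BLOCK_SIZE) {
        throw new InvalidArgumentException('encryption password must be exactly 16 bytes');
    }
}

// Same result as mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $pw, addPKCS5Padding($in), MCRYPT_MODE_CBC, $pw)
// followed by "@" . bin2hex(...).
function encryptAndEncode(string $strIn, string $password): string
{
    checkPassword($password);
    $padded = addPKCS5Padding($strIn);
    $crypt  = openssl_encrypt($padded, SESS_CIPHER, $password,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $password);
    if ($crypt === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return '@' . bin2hex($crypt);
}

function decodeAndDecrypt(string $strIn, string $password): string
{
    checkPassword($password);
    if ($strIn === '' || $strIn[0] !== '@') {
        throw new InvalidArgumentException('not an AES crypt string: missing "@" prefix');
    }
    $raw = hex2bin(substr($strIn, 1));
    if ($raw === false) {
        throw new InvalidArgumentException('crypt string is not valid hex');
    }
    // OPENSSL_ZERO_PADDING leaves the PKCS5 bytes in place; remove them ourselves.
    $padded = openssl_decrypt($raw, SESS_CIPHER, $password,
        OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $password);
    if ($padded === false) {
        throw new RuntimeException('openssl_decrypt failed: ' . openssl_error_string());
    }
    return removePKCS5Padding($padded);
}

// Constructed values for the demonstration, not real Sagepay credentials or a real transaction.
$password = 'constructedpw123';   // 16 bytes
$message  = 'VendorTxCode=TEST-0001&Amount=10.00&Currency=GBP';

$crypt = encryptAndEncode($message, $password);
echo $crypt, PHP_EOL;

// OpenSSL's default PKCS#7 padding yields the identical crypt string.
$cryptDefaultPadding = '@' . bin2hex(
    openssl_encrypt($message, SESS_CIPHER, $password, OPENSSL_RAW_DATA, $password));
if ($cryptDefaultPadding !== $crypt) {
    fwrite(STDERR, "padding mismatch between manual PKCS5 and OpenSSL default\n");
    exit(1);
}

if (decodeAndDecrypt($crypt, $password) !== $message) {
    fwrite(STDERR, "round trip failed\n");
    exit(1);
}
echo 'round trip ok', PHP_EOL;
```

Run it with `php` from the command line. To compare against the mcrypt kit, feed the same message and password to the old `encryptAndEncode` and diff the two crypt strings; if they differ, the first things to check are that the password is exactly 16 bytes and that the IV passed to `openssl_encrypt` is the password and not an empty string.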
