Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
<code>
Problem/Motivation
https://wiki.php.net/rfc/mcrypt-viking-funeral
In PHP 7.1, all mcrypt_* functions will raise an E_DEPRECATED notice.
Proposed resolution
- Replace use of mcrypt in TfaBasePlugin::encrypt() and TfaBasePlugin::decrypt() methods with openssl, where available.
Figure out an upgrade path.
Comment | File | Size | Author |
---|---|---|---|
#83 | tfa-n2820710-83.patch | 7.88 KB | jcnventura |
| |||
#83 | interdiff_80_83.txt | 902 bytes | jcnventura |
#83 | interdiff_54_83.txt | 8.57 KB | jcnventura |
Comments
Comment #2
pjcdawkins CreditAttribution: pjcdawkins commented7.1 is now out; this isn't about the future anymore
Comment #3
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedSomething like this, perhaps. It selects OpenSSL if available, falling back to mcrypt. Maybe horrible. But a start.
Comment #4
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedComment #7
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedThe last test failed for a PHP 5.3 (???) compatibility issue
Comment #8
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedComment #9
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedComment #10
webservant316 CreditAttribution: webservant316 commentedquestion, can I move to PHP71 even though this deprecated error still exists?
Comment #11
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented@webservant316: yes, but you might want to set your error_reporting level to exclude E_DEPRECATED, via ini settings or via the function.
Comment #12
webservant316 CreditAttribution: webservant316 commentedthanks
Comment #13
Neo13 CreditAttribution: Neo13 commentedThe patch doesn't work for me. It always uses decryptWithMCrypt even when the mcrypt extension is not loaded. I think the problem could be here:
Could you please look into that?
Comment #14
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedThe intent is that it will
decryptWithMcrypt()
only for data that was encrypted with the old scheme, and even then only if the mcrypt extension is loaded (if the extension isn't loaded, it will fail to decrypt). Decryption of newly encrypted data will use openssl.Anyway, there are probably more modern ways to do this since the patch 10 months ago...
Comment #15
freezypop CreditAttribution: freezypop commentedHas libsodium been considered?
Comment #16
nullkernel CreditAttribution: nullkernel commentedI was able to produce a patch which uses OpenSSL to decrypt data that was originally encrypted with MCrypt.
Libsodium may be worth considering, I lean towards not using it (but don't have a strong opinion). Presumably, data encrypted by OpenSSL can be decrypted by Sodium down the road if there is a desire to make the switch. I used OpenSSL because:
This patch will decrypt with OpenSSL (instead of MCrypt) if both extensions are available. There is no particular reason why, other than it addresses #13 and may aid in testing/verification. Depending on compatibility with obsolete versions of PHP (e.g. I haven't tested 5.3), it might be worth using MCrypt over OpenSSL when decrypting legacy data.
The MCrypt extension was removed from PHP 7.2. This patch should make the TFA plugin compatible with PHP 7.2 while remaining backwards-compatible with older versions of PHP, as well as sites which upgrade from an older version (and already have encrypted data).
It may or may not be not be a lot of work to re-implement my patch with Sodium - I don't know.
Comment #18
nullkernel CreditAttribution: nullkernel commentedThe patch I uploaded for #16 is malformed - the "interdiff" utility won't even work with it. I guess I should have known better than to manually edit it before upload. I've re-generated the patch to try again.
diff tfa-2820710-16.patch tfa-2820710-18.patch
Comment #19
andyrigby CreditAttribution: andyrigby at Ixis - UK Drupal Support, Maintenance, Hosting and Development commentedHi,
We're having trouble with this patch where random users are not prompted to enter their 2FA details on login. They are logged straight in.
The error displayed is:
The number 13 varies.
I believe it's down to the iv or formatting of the iv with the data before it's stored.
I believe the iv is being generated with a pipe symbol ('|') and then stored so you end up with
Where you should have:
Quick back of a napkin script shows drupal_random_bytes() returns the pipe symbol in ~6% of cases for me.
Perhaps the iv needs to be base64 encoded before storing, something like that. Or perhaps a quick solution would be retry drupal_random_bytes() until one is generated without a pipe symbol?
Comment #20
nullkernel CreditAttribution: nullkernel commentedThanks for the feedback. I don't think base64 encoding the IV is the right way forward, since existing encryptions don't use it. I've updated my patch to ensure that the IV length is always 16. I've done this by creating additional methods that parse the encrypted storage string by using a regex. Please review / give it a try. I haven't tested it so hopefully everything works :).
Comment #22
nullkernel CreditAttribution: nullkernel commentedSorry, my patch had the wrong regex.. updated it.
Comment #24
andyrigby CreditAttribution: andyrigby at Ixis - UK Drupal Support, Maintenance, Hosting and Development commentedThanks for taking a look. I'm getting a similar error (but different):
I think the getIvFromEncryptedStorageText() and getDataToDecryptFromEncryptedStorageText() are looking in the wrong positions in the array.
getIvFromEncryptedStorageText() should be looking in $matches[2] and getDataToDecryptFromEncryptedStorageText() in $matches[3] (there is no $matches[4])
Changing this seems to resolve it for me, at least the error disappears and I am prompted for the verification code now.
Comment #25
nagba CreditAttribution: nagba commentedRegexp does not always work.
I tested with the following snippet using drush:
$iv = drupal_random_bytes(16); $data = drupal_random_bytes(32); $encrypted = "1|" . $iv . "|" . $data; var_dump($encrypted); preg_match("/^\d+\|(.{16})\|(.*)\$/m", $encrypted, $matches); var_dump($matches);
and occasionally it got me no matches.
The following code I did not see fail so far:
$iv = drupal_random_bytes(16); $data = drupal_random_bytes(32); $encrypted = "1|" . $iv . "|" . $data; var_dump($encrypted); $version_cutoff = strpos($encrypted, "|"); $decoded_iv = substr($encrypted, $version_cutoff + 1, 16); var_dump($decoded_iv); $decoded_data = substr($encrypted, $version_cutoff + 18); var_dump($decoded_data);
Comment #26
andyrigby CreditAttribution: andyrigby at Ixis - UK Drupal Support, Maintenance, Hosting and Development commentedGood spot, yes I see the same. I believe it's down to drupal_random_bytes() returning newline characters, and by default '.' in the regex does not include them. Adding the 's' modifier e.g.
'/^(\d+\|){0,1}(.{16})\|(.*)$/s'
and I can't get it to fail after ~1000 attempts.Having said that, using substr is likely to be quicker though anyway? Only edge case I can think of is *if* http://php.net/manual/en/mbstring.overload.php is in use, it might return the wrong number of chars.
Comment #27
nullkernel CreditAttribution: nullkernel commentedI'm thinking we don't need a nonstandard data format that requires a nontrivial regex. I've rerolled the patch using JSON encoding to simplify. If the JSON parser doesn't return something that matches expectations, then use a decryptLegacyData method. It also makes it easy to extend the format to store additional data fields (should the need arise in the future).
Comment #29
nullkernel CreditAttribution: nullkernel commentedI've modified my patch to use base64 encoding, since I can't json_encode the IV/ciphertext as-is.
Comment #30
nullkernel CreditAttribution: nullkernel commentedComment #31
collinhaines CreditAttribution: collinhaines commented#29 worked for me with PHP 7.1.20
Comment #32
malaynayak CreditAttribution: malaynayak as a volunteer and at TA Digital commentedpatch #29 worked for me with PHP 7.2.
Comment #33
monstrfolk CreditAttribution: monstrfolk commentedWorked for me also
Comment #34
malaynayak CreditAttribution: malaynayak as a volunteer and at TA Digital commentedComment #35
jonas139 CreditAttribution: jonas139 at iO commentedI can also confirm that #29 works with PHP 7.1.
Thanks!
Comment #36
nikolabintev CreditAttribution: nikolabintev commentedHow do we handle already encrypted seeds with mcrypt?
Comment #37
nikolabintev CreditAttribution: nikolabintev commentedComment #38
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented@nikolabintev the patch is intended to detect data encrypted via the mcrypt method, and decrypt it, with either openssl or mcrypt depending what's available
Comment #39
pjcdawkins CreditAttribution: pjcdawkins commentedThe patch in #29 missed removing the IV from the start of the
$data
variable (when doing legacy decryption with OpenSSL).Comment #40
narkoff CreditAttribution: narkoff commentedPatch #39 is generating the following error:
Patch #29 works perfectly, however.
Comment #41
hoegrammer CreditAttribution: hoegrammer commentedHi, I've tried patch #29 and it is working (by which I mean that I can set up and use 2FA; I don't have the skill to assess it for security in regard to how it does encryption).
Tested with Drupal 7.63 and PHP 7.2
Comment #42
pjcdawkins CreditAttribution: pjcdawkins commentedMy patch in #39 wrongly changed the decryption algo.
This one works according to a test script.
Comment #43
pjcdawkins CreditAttribution: pjcdawkins commentedInterdiff between 29 and 42 - removing the IV before decryption avoids all the looping
Comment #44
narkoff CreditAttribution: narkoff commentedPatch #42 works great. Thank you @pjcdawkins.
Comment #45
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedComment #46
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedComment #47
klausiPatch looks good to me and works, thanks a lot!
Comment #48
klausiSince the module completely breaks on PHP 7.2 this is critical.
Comment #49
DamienMcKennaComment #50
DamienMcKennaComment #51
DamienMcKennaFYI the
?:
syntax requires PHP 5.3, so I adjusted that part to be compatible with PHP 5.2. Otherwise, this patch is identical to #42.Comment #52
nullkernel CreditAttribution: nullkernel commentedI believe the patch in #51 will not work identically to #42, based on the interdiff. I wrote some quick-and-dirty code to check my hesitation.
Comment #53
DamienMcKennaSo would a !empty() be better?
Comment #54
nullkernel CreditAttribution: nullkernel commentedI agree empty is a little better to use in this situation. However, the result with #53 is the same as #51 (and different from #42).
It looks like the negation is throwing off the result. If you delete the "!" in the if statement, the result becomes consistent with #42:
I've attached an updated patch and interdiff (removing the "!" from #53's if statement).
Comment #55
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedYes #53 and #51 inverted the logic. #54 is fine.
(PHP 5.2 was end-of-life in January 2011, before this module even had an initial commit...)
Comment #56
robpowellbump!
Acquia is forcing php7.2 on October the first. At that time, mcrypt will no longer be available. It would be great to see this merged in with a release version before then.
I tested in Acquia with PHP 7.2 enabled. We are also using tfa_duo. I confirmed that I was able to use TFA to login and that the status message on admin/reports/status no longer displayed warning about mcrypt.
Comment #57
Jon Pollard CreditAttribution: Jon Pollard commentedHi, I've just upgraded my server to php 7.2 - and moved the tfa module from the release version to the dev version in order to apply this patch. I'm now getting an alert that I need to update to the beta3 version... Am I correct in thinking that this patch will only work with the dev version? Is the dev version secure?
Comment #58
pjcdawkins CreditAttribution: pjcdawkins commentedHi @Jon Pollard - by convention and practicality, patches are always intended to apply to the latest -dev version. By coincidence, they may also apply to the latest stable version. As it happens, with the tfa module, 7.x-2.0, 7.x-2.0-beta3, and 7.x-2.x-dev are all exactly the same at the time of writing - the module has not been changed since this commit on 10 December 2015:
https://git.drupalcode.org/project/tfa/commit/94b4c0a52f58fe0f5641746d95...
So you're are free to apply the patch to any of those versions, there is no difference. Security-wise there isn't really much that can be said.
Comment #59
Jon Pollard CreditAttribution: Jon Pollard commentedthanks @pjcdawkins. I've patched the 2.0 version and all looks good! The only concern really is why the dev version was being flagged as needing a security update - not a big issue, but I thought you should be aware.
Comment #60
Rory-- CreditAttribution: Rory-- as a volunteer commentedI'm trying the patch at #54 with the TFA Basic authenticators, and getting this error upon trying to validate with Authy:
Am I missing something? Is #54 an insufficient fix without using prior patches in this thread?
Comment #61
yookoala CreditAttribution: yookoala commented@Rory: The tfa module of version 2.0 does not have line 520 at all. You must be using a wrong version of the module for patching.
I've just try patching tfa version 2.0 with the patch and it works fine.
Comment #62
yookoala CreditAttribution: yookoala commentedIs there anything blocking the merge? PHP 7.4 has been out and PHP 7.1 has just dropped out of support. I think its critical to have the module patch up as soon as possible. Is there anything that needs help here?
Comment #63
firewaller CreditAttribution: firewaller commented+1
Comment #64
DamienMcKennaFor anyone who needs it, you can manually add mcrypt onto PHP 7.x using this pecl package: https://pecl.php.net/package/mcrypt
Comment #65
senthilnz CreditAttribution: senthilnz commentedSame problem with PHP 7.2, will there be an update soon?
Comment #66
Manuel Garcia CreditAttribution: Manuel Garcia as a volunteer and at Appnovation for Pfizer, Inc. commentedComment #67
radimklaskaJust tested #54 and all seems to be working properly on environment with PHP 7.3 without mcrypt.
Comment #68
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedI don't see the need for this $iv parameter. The code only calls this function once, and when it does, it only passes the first parameter.
This is so convoluted.
Why not simply negate the complete if conditions, and move the content of the $is_legacy block inside the if? Way more easy to read the code.
No need to set the $options variable. Simply set 4th parameter to 3.
Comment #69
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedAnd some PHPDoc nitpicks:
Missing the parameter and return descriptions.
Missing the parameter description.
Missing the parameter description.
Comment #70
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedWas the patch in #54 ever tested against legacy mcrypt data? I'm adapting this code to the Drupal 8 module, and reduced the decryptLegacyDataWithOpenSsl() function to:
Comment #71
Kevin Morse CreditAttribution: Kevin Morse as a volunteer commented#54 works fine on legacy mcrypt data. I have patched sites running PHP 7.3 where Google Authenticator was setup while running the un-patched version and the users can still login.
While your fixes might clean the code up, the code in patch 54 has been reviewed and works fine as it has been tested by many in the community. Therefore changing back to "Reviewed and tested by the community"
I would rather have working code that is a little ugly and missing some documentation than code that doesn't work. I have servers running PHP 7.4 now and we are still stuck patching to get PHP 7.1 to work...
Comment #72
jcnventura CreditAttribution: jcnventura at 1xINTERNET commented#68 to #70 are important. #70 is critical. The code to decode an existing Mcrypt(ed) TFA seed simply doesn't work.
BTW, I'm maintaining this module.. Don't set it back to RTBC in the hope a maintainer will then commit it faster. A maintainer has reviewed it, and found that it needs work.
Comment #73
DamienMcKennaWorking on the suggested improvements.
Comment #74
DamienMcKennaImprovements per #68, #69.
Comment #75
DamienMcKennaI think the extra error handling in decryptLegacyDataWithOpenSsl($text, $key) is important for backwards compatibility?
Comment #76
jcnventura CreditAttribution: jcnventura at 1xINTERNET commented$decrypted_text = openssl_decrypt($data, 'AES-256-CBC', $key, 3, $iv);
This line doesn't decrypt data encrypted with 'rijndael-128', at least not in Drupal 8. It does work if it is like this:
openssl_decrypt($text, 'aes-128-cbc', $key, 3);
Comment #77
DamienMcKennaDoes it matter of the $method passed to openssl_decrypt() is uppercase or lowercase, the PHP documentation wasn't clear about it.
Is there a downside to not passing the $iv?
Comment #78
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedI think the problem is the 256/128, not the case.
I'm trying the code with some data I have in an archive of a D7 site to figure out why this code seems to have been validated, even if it clearly didn't work on my D8 tests.
Comment #79
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedOK.. Indeed, it must be 'aes-256-cbc'. Something must be really different between the way that D7's tfa encrypts stuff, and D8's. I'm surprised by that, but this answers my question in #70.
This is not necessary, strpos(FALSE, '|') is FALSE. And this function returns strings, not boolean, so it should return an empty string ("").
The original code returns an empty string if $decrypted_text does not contain a '|'. This is returning the full decrypted string. Move the return inside the if, and add a else return "".
Comment #80
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedOK. Doing the changes from #79, and adapting all decrypt functions to document that an empty string is returned on failure, as per the existing code.
Also, it seems that since OpenSSL 1.1.1, openssl_get_cipher_methods() returns only lowercased versions of the cipher methods, so changing that. Also, Mcrypt's name is not MCrypt (see https://www.php.net/manual/en/book.mcrypt.php)
Comment #81
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedI'll probably commit this soon, and create a 2.1-rc1 release. It would be highly appreciated if this could be moved back to RTBC before that :)
Comment #82
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedMust be $t()
Comment #83
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedAdding an interdiff to #54, to be easier to review for those that have been using it during this time.
Comment #84
joegl CreditAttribution: joegl commentedPatch in #83 applied cleanly to 7.x-2.x-dev but fails for 7.x-2.0 (not unexpected).
Comment #85
joegl CreditAttribution: joegl commentedI have a local development install working cleanly with the patch in #83.
Comment #86
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedI've analysed the interdiff between #54 and #83 several times now. Other than the MCrypt->Mcrypt refactors, and changes to the code comments, the only meaningful change is that the decrypt functions now return an empty string instead of a FALSE. As the existing code behaves this way, this improves compatibility with modules providing TFA plugins.
Setting to RTBC as per #55.
Comment #88
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedComment #89
nullkernel CreditAttribution: nullkernel commentedI'm setting this issue to "Needs Review" due to warnings @edvanleeuwen reported in a different issue: https://www.drupal.org/project/tfa_basic/issues/2916011
The patch I originally created used the openssl extension primarily, and only would make use of mcrypt as a last resort. Same with #54.
On my site, from what I recall, yes. Or maybe it was the patch I provided in #16. It's been a long time.
Are you sure that #54 that didn't work for your use case? Or were you testing this use case after modifying the code? It was reported that legacy data was decrypting.
From what I see of interdiff_54_83.txt, this comment doesn't mention the change to make mcrypt be preferred over openssl. My intent was for mcrypt to only be used as a last resort.
Comment #90
DamienMcKenna@nullkernel: The TFA_Basic module also needs a patch to resolves its reliance upon mcrypt when using the Google Authenticator submodule.
Comment #91
jcnventura CreditAttribution: jcnventura at 1xINTERNET commented@nullkernel, the mcrypt is only used as 'preferred' for decryption if it is installed. OpenSSL is still the preferred way of doing new encryptions. It is a matter of making sure that the code is as compatible as can be with before: if mcrypt is installed, it gets used for decryption, same as before, with less risk of a decryption problem occurring in case OpenSSL does something slightly different. I understand this will make some warnings show up, probably only in PHP 7.0-7.1 (both of them already EOL).
As I said in #79, I then tested #54 and it does work with 'aes-256-cbc', and not with 'aes-128-cbc'. At issue here was that the code in D8 only worked with 128, and I thought the data was being encrypted here the same way. I was wrong, as demonstrated by my tests.
Comment #93
Alina Basarabeanu CreditAttribution: Alina Basarabeanu at Cyber-Duck commentedI do not think that this was fixed as when running the PHP Compatibility using Drupal core 7.91, PHP 8.0.21 and TFA dev version I get the following:
FILE: tfa/tfa.inc
-------------------------------------------------------------------------------------------------------------------------------------------------------
FOUND 29 ERRORS AFFECTING 15 LINES
-------------------------------------------------------------------------------------------------------------------------------------------------------
647 | ERROR | Function mcrypt_module_open() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
647 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
648 | ERROR | Function mcrypt_enc_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
648 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
650 | ERROR | Function mcrypt_enc_get_key_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
650 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
652 | ERROR | Function mcrypt_generic_init() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
652 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
656 | ERROR | Function mcrypt_generic() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
656 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
658 | ERROR | Function mcrypt_generic_deinit() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
658 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
659 | ERROR | Function mcrypt_module_close() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
659 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
704 | ERROR | Function mcrypt_module_open() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
704 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
705 | ERROR | Function mcrypt_enc_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
705 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
707 | ERROR | Function mcrypt_enc_get_iv_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
707 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
708 | ERROR | Function mcrypt_enc_get_key_size() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
708 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
710 | ERROR | Function mcrypt_generic_init() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
710 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
712 | ERROR | Function mdecrypt_generic() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
717 | ERROR | Function mcrypt_generic_deinit() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
717 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
718 | ERROR | Function mcrypt_module_close() is deprecated since PHP 7.1 and removed since PHP 7.2; Use OpenSSL instead
718 | ERROR | Extension 'mcrypt' is deprecated since PHP 7.1 and removed since PHP 7.2; Use openssl (preferred) or pecl/mcrypt once available instead
Comment #94
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedAdded an annotation so that PHPCompatibility checks no longer provide false-positive warnings for the code using the optional mcrypt extension.
See https://git.drupalcode.org/project/tfa/-/commit/312cc7c4d742bcbb0c8f2909...
Comment #95
ezilo CreditAttribution: ezilo commentedIt it normal that I am still getting the following error with Two-factor Authentication (TFA) 7.x-2.2 on Drupal 7.92 and PHP 7.4.32 ?
Not sure if it is relevant, but I have only detected this with the admin user (of course admin's TFA was enabled before mcrypt was deprecated) but maybe some other users are affected too (not sure as it does not seem very easy to replicate it since this probably happens only with users with an old encryption key). If it is only the admin who is in this situation, it is obviously not a problem as I suppose that it can be easily fixed by generating new verification codes. But so far I have not done so in order to be capable of tracking the issue just in case I become aware that some user is still affected besides the admin.
Comment #96
jcnventura CreditAttribution: jcnventura at 1xINTERNET commentedHi @ezilo,
Since this issue is closed, can you please create a new one and copy+paste your message above into it?
Your problem makes sense, and can be trivially fixed with casting the 3rd parameter to a number.
Comment #97
ezilo CreditAttribution: ezilo commentedSure @jcnventura ,
New issue opened:
https://www.drupal.org/project/tfa/issues/3320552
Comment #98
mchaplin CreditAttribution: mchaplin commented#83 patch doesn't work for me.
patching file tfa.admin.inc
Reversed (or previously applied) patch detected! Assume -R? [n]
Probably have to remove it from the 4 sites we host that use it.
Comment #99
DamienMcKenna@mchaplin: that means the fix is already included in the version you downloaded, so you don't need to apply it.