Just to ask the obvious.... Why not just use the openssl library for this? Especially since the public and private keys are already being loaded in the initGlobals() function. I know that its interface is not nearly so nice, and it doesn't support symmetric encryption for PHP <= 5.3, but here's some code that could be dropped in place in utils.php:

    // Encrypt with the RSA public key; returns base64 text, or false on failure.
    function encryptData($data) {
        global $keys;
        if(! $data)
            return false;
        if(! openssl_public_encrypt($data, $encrypted, $keys['public']))
            return false;
        return trim(base64_encode($encrypted));
    }

    // Decrypt base64 text with the RSA private key; returns false on failure.
    function decryptData($data) {
        global $keys;
        if(! $data)
            return false;
        if(! openssl_private_decrypt(base64_decode($data), $decrypted, $keys['private']))
            return false;
        return trim($decrypted);
    }

The other change would require modifying the initGlobals() function so that the public/private keys were read earlier in the execution of the function, i.e. before trying to decrypt a continuation value.

Aaron

--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acob...@amherst.edu

On May 17, 2012, at 8:34 AM, Josh Thompson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, May 16, 2012 10:37:02 AM Kevan Miller wrote:

On May 11, 2012, at 3:17 PM, Josh Thompson wrote:

Kevan,

Ugh. Thanks for looking at this. I guess it goes to show you can't just trust that another project that says it is MIT licensed is *completely* MIT licensed. :( I'll figure out a way to deal with it.

If it works out that bcpowmod.php and str_split.php are not actually needed, can I just remove them? If so, do I need to document that modification somewhere?

BTW, vcl/trunk/web/.ht-inc/phpseclib/index.html refers to PHP Secure Communications Library as LGPL-licensed. Which is contradicted by http://phpseclib.sourceforge.net/

It looks like our documentation comes from http://phpseclib.sourceforge.net/documentation/ -- I'd check with the phpseclib project. Seems to be their reference to LGPL is unintended or inconsistent. bcpowmod.php's LGPL license would seem to be a problem with this, however…

--kevan

After looking further, there are only two files (AES.php and Rijndael.php) needed from the phpseclib project, and both of them appear as though they were written to be able to be included by themselves (i.e. each one contains information about the author, the project, and the license). Both files state that they are MIT licensed and contain that license in them.

Is it normal to just pull in specific files from another project, or is it better to include the whole project? My only other experience in including another open source project in one I work on is from including the Dojo Toolkit with VCL. In that case, it seemed to make the most sense to include the whole thing.

License wise, it seems simplest to just include the two files in the release, but I just want to make sure we do the right thing in respecting other open source projects.

Thanks,
Josh
- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iEYEARECAAYFAk+08HIACgkQV/LQcNdtPQN8dgCdF/RaBttxHHuRMjuw73G9Kv34
RjYAnimOHe1R50N532Bgxi+uOjVnkgjv
=PjK8
-----END PGP SIGNATURE-----
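
An added example, not code from this thread or from VCL: the encryptData()/decryptData() pair proposed at the top of the message, written so that the RSA size limit and malformed input are reported as failures instead of passing silently. The inline key generation, the OAEP padding choice and the maxPlaintextLen() helper are assumptions of this sketch; VCL loads its keys in initGlobals().

```php
<?php
// Constructed key pair for the demo; VCL itself loads its keys in initGlobals().
$res = openssl_pkey_new(array('private_key_bits' => 2048,
                              'private_key_type' => OPENSSL_KEYTYPE_RSA));
if ($res === false)
    exit("key generation failed (check the local openssl.cnf)\n");
$details = openssl_pkey_get_details($res);
openssl_pkey_export($res, $privatePem);
$keys = array('public' => $details['key'], 'private' => $privatePem);

// Hypothetical helper: RSA-OAEP (SHA-1) costs 42 bytes of overhead,
// so a 2048-bit key accepts at most 214 bytes of plaintext.
function maxPlaintextLen($publicKey) {
    $d = openssl_pkey_get_details(openssl_pkey_get_public($publicKey));
    return (int)($d['bits'] / 8) - 42;
}

function encryptData($data) {
    global $keys;
    if (!is_string($data) || $data === '')
        return false;
    if (strlen($data) > maxPlaintextLen($keys['public']))
        return false;   // too long for a single RSA operation
    if (!openssl_public_encrypt($data, $encrypted, $keys['public'],
                                OPENSSL_PKCS1_OAEP_PADDING))
        return false;
    return base64_encode($encrypted);
}

function decryptData($data) {
    global $keys;
    if (!is_string($data) || $data === '')
        return false;
    $raw = base64_decode($data, true);   // strict mode rejects non-base64 input
    if ($raw === false)
        return false;
    if (!openssl_private_decrypt($raw, $decrypted, $keys['private'],
                                 OPENSSL_PKCS1_OAEP_PADDING))
        return false;   // wrong key, tampered or malformed ciphertext
    return $decrypted;
}

// Constructed inputs: a round trip, an oversized value, and garbage ciphertext.
$token = encryptData('constructed continuation value');
var_dump(decryptData($token) === 'constructed continuation value');
var_dump(encryptData(str_repeat('A', 300)));
var_dump(decryptData('not-base64!'));
```

Values longer than the RSA limit need a hybrid scheme (a random symmetric key wrapped with the public key), which this sketch does not implement.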