Replacement of mcrypt and usage of mcryptcompat in Magento 1.9.4.x and 20.x (mcrypt is deprecated)

[seansan]

Getting some mcrypt warnings after I pulled 20.x yesterday we are on php 7.2.33

Am I missing something?

Deprecated: Function mcrypt_module_open() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 74
Deprecated: Function mcrypt_enc_get_iv_size() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 83
Deprecated: Function mcrypt_create_iv() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 83
Deprecated: Function mcrypt_enc_get_key_size() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 87
Deprecated: Function mcrypt_generic_init() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 94
Deprecated: Function mdecrypt_generic() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 130
Deprecated: Function mdecrypt_generic() is deprecated in public_html/lib/Varien/Crypt/Mcrypt.php on line 130

Funny. I am missing these files and this code in latest 20.x pull ... ce5c202

ce5c202

[seansan]

OK I have learnt some things and I think it is good to share here; also 1 remaining question then this issue can be closed ;)

Learnings

• mcrypt is deprected as of php 7.2; although it can still be loaded via ini files
• to find out if mcrypt via php is used, use this command php --ini | grep mcrypt
• it can also be installed via pecl as a module

Since Magento 19.4.x with php 7.2 support the phpseclib lib and mcryptcompat methods have been introduced as a fall back for the deprecation of mcrypt. Important to know is that mcryptcompat will only be used if you disable mcrypt via your ini settings and restart php. Otherwise mcryptcompat will not be used. Btw mcryptcompat is required in the header lines of app/mage.php.

Fixing it

• you can stop some of the deprecated messages by adding error_reporting(0); to the top of lib/Varien/Crypt/Mcrypt.php
• you can start using mcryptcompat by disabling mcrypt via the ini files
• you can install openssl, although this resulted in some encoding/decoding errors with paypal and PSP's Replace mcrypt with openssl as the default extension used for encrypt… #506

After disabling mcrypt via the php ini files we saw Magento falls back on mcryptcompat.

Mcryptcompat sources can be found here https://github.com/phpseclib/mcrypt_compat and phpseclib3 here https://github.com/phpseclib/phpseclib - but there are some changes so dont just upgrade

I am closing this issue now

[joshua-bn]

@seansan do you find any performance changes between using the two?

[seansan]

Not tested. But would be msecs I guess

…

On Tue, 6 Oct 2020 at 18:32, Joshua Dickerson ***@***.***> wrote: @seansan <https://github.com/seansan> do you find any performance changes between using the two? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1211 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE7I275PKYSEWAZLVWFZJTSJNBDBANCNFSM4RON2O3Q> .

[colinmollenhour]

I think someone tested at some point and of course it depends on how many times you call it but it wasn't insignificant. Could you just disable E_DEPRECATED in production?

[seansan]

> Could you just disable E_DEPRECATED in production?

What do you mean?

…

On Wed, 7 Oct 2020 at 11:54, Colin Mollenhour ***@***.***> wrote: I think someone tested at some point and of course it depends on how many times you call it but it wasn't insignificant. Could you just disable E_DEPRECATED in production? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1211 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE7I24F7Q6KZQACWPZBZD3SJQ3F5ANCNFSM4RON2O3Q> .

[joshua-bn]

Use the PECL mcrypt lib and disable E_DEPRECATED

[colinmollenhour]

Could you just disable E_DEPRECATED in production?
What do you mean?

Set the error_reporting value to not show E_DEPRECATED. For example this is the default php.ini:

; Development Value: E_ALL
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT

Stated differently: just because there is a deprecation warning doesn't mean you have to immediately cease using the code, you can just ignore the warning.. :)

[seansan]

yeah we did that; but I still saw the error warning sometimes, I think if certain function calls were made directly in the original php code

…

On Wed, Oct 7, 2020 at 6:38 PM Colin Mollenhour ***@***.***> wrote: Could you just disable E_DEPRECATED in production? What do you mean? Set the error_reporting value to not show E_DEPRECATED. For example this is the default php.ini: ; Development Value: E_ALL ; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT ; http://php.net/error-reporting error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT Stated differently: just because there is a deprecation warning doesn't mean you have to immediately cease using the code, you can just ignore the warning.. :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1211 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE7I2YZG5LE7VMB7NR7OSLSJSKOVANCNFSM4RON2O3Q> .