moved encryption functions to security.inc

2016-08-07 10:40:36 +02:00 · 2016-08-07 10:40:36 +02:00 · 5f725d3253
parent b50d48e082
commit 5f725d3253
8 changed files with 82 additions and 78 deletions
--- a/lam/docs/devel/upgrade.htm
+++ b/lam/docs/devel/upgrade.htm
@ -19,6 +19,7 @@



+



@ -44,7 +45,10 @@ This is a list of API changes for all LAM releases.

 <br>

-<h2>5.0 -&gt; 5.1</h2>Module interface<br>
+<h2>5.4 -&gt; 5.5</h2>Functions Ldap::encrypt/decrypt in ldap.inc moved to lamEncrypt/lamDecrypt in security.inc.<br>
+<br>
+<h2>5.0 -&gt; 5.1</h2>
+Module interface<br>
 <ul>
  <li><span style="font-weight: bold;">getPDFEntries(): </span>It is no
 longer supported that modules generate PDF XML on their own. You must
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2003 - 2015  Roland Gruber
+  Copyright (C) 2003 - 2016  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -187,62 +187,6 @@ class Ldap{
 		@closedir($dir);
 	}

-	/**
-	* Encrypts a string
-	*
-	* @param string $data string to encrypt
-	* @param string $prefix prefix for cookie names
-	* @return object encrypted string
-	*/
-	public static function encrypt($data, $prefix='') {
-		// use MCrypt if available
-		if (function_exists('mcrypt_create_iv')) {
-			// MCrypt may have been enabled in a running session
-			if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
-			if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
-				return $data;
-			}
-			// read key and iv from cookie
-			$iv = base64_decode($_COOKIE[$prefix . "IV"]);
-			$key = base64_decode($_COOKIE[$prefix . "Key"]);
-			// encrypt string
-			return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
-		}
-		// otherwise do not encrypt
-		else {
-			return $data;
-		}
-	}
-
-	/**
-	* Decrypts a string
-	*
-	* @param object $data string to decrypt
-	* @param string $prefix prefix for cookie names
-	* @return string decrypted string
-	*/
-	public static function decrypt($data, $prefix='') {
-		// use MCrypt if available
-		if (function_exists('mcrypt_create_iv')) {
-			// MCrypt may have been enabled in a running session
-			if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
-			if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
-				return $data;
-			}
-			// read key and iv from cookie
-			$iv = base64_decode($_COOKIE[$prefix . "IV"]);
-			$key = base64_decode($_COOKIE[$prefix . "Key"]);
-			// decrypt string
-			$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
-			$ret = base64_decode(str_replace(chr(00), "", $ret));
-			return $ret;
-		}
-		// otherwise do not decrypt
-		else {
-			return $data;
-		}
-	}
-
 	/**
 	* Encrypts username and password
 	*
@ -251,8 +195,8 @@ class Ldap{
 	*/
 	function encrypt_login($username, $password) {
 		// encrypt username and password
-		$this->username = base64_encode($this->encrypt($username));
-		$this->password = base64_encode($this->encrypt($password));
+		$this->username = base64_encode(lamEncrypt($username));
+		$this->password = base64_encode(lamEncrypt($password));
 	}

 	/**
@ -262,8 +206,8 @@ class Ldap{
 	*/
 	function decrypt_login() {
 		// decrypt username and password
-		$username = $this->decrypt(base64_decode($this->username));
-		$password = $this->decrypt(base64_decode($this->password));
+		$username = lamDecrypt(base64_decode($this->username));
+		$password = lamDecrypt(base64_decode($this->password));
 		$ret = array($username, $password);
 		return $ret;
 	}
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@ -2150,9 +2150,9 @@ class accountContainer {
 	*/
 	function __sleep() {
 		// encrypt data
-		$this->attributes = $_SESSION['ldap']->encrypt(serialize($this->attributes));
-		$this->attributes_orig = $_SESSION['ldap']->encrypt(serialize($this->attributes_orig));
-		$this->module = $_SESSION['ldap']->encrypt(serialize($this->module));
+		$this->attributes = lamEncrypt(serialize($this->attributes));
+		$this->attributes_orig = lamEncrypt(serialize($this->attributes_orig));
+		$this->module = lamEncrypt(serialize($this->module));
 		// save all attributes
 		return array_keys(get_object_vars($this));
 	}
@ -2162,9 +2162,9 @@ class accountContainer {
 	*/
 	function __wakeup() {
 		// decrypt data
-		$this->attributes = unserialize($_SESSION['ldap']->decrypt($this->attributes));
-		$this->attributes_orig = unserialize($_SESSION['ldap']->decrypt($this->attributes_orig));
-		$this->module = unserialize($_SESSION['ldap']->decrypt($this->module));
+		$this->attributes = unserialize(lamDecrypt($this->attributes));
+		$this->attributes_orig = unserialize(lamDecrypt($this->attributes_orig));
+		$this->module = unserialize(lamDecrypt($this->module));
 	}

 }
--- a/lam/lib/modules/imapAccess.inc
+++ b/lam/lib/modules/imapAccess.inc
@ -580,7 +580,7 @@ class imapAccess extends baseModule {
 		//perform admin password
 		$imap_admin_password = null; //default value is null, it can be changed during the work
 		if (isset($_SESSION['imapAdmPass'])) {
-			$imap_admin_password = $_SESSION['ldap']->decrypt($_SESSION['imapAdmPass']);
+			$imap_admin_password = lamDecrypt($_SESSION['imapAdmPass']);
 		}
 		elseif (isset($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0]) && ($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0] == "lam_user_pass")) {
 			$credentials = $_SESSION['ldap']->decrypt_login();
@ -606,7 +606,7 @@ class imapAccess extends baseModule {
 			$imap_admin_password = $_POST['ImapAdminPassword'];
 			$mbox = @imap_open("{" . $imap_server_address . "}", $imap_admin_user, $imap_admin_password, OP_HALFOPEN, 1);
 			if ($mbox) {
-				$_SESSION['imapAdmPass'] = $_SESSION['ldap']->encrypt($_POST['ImapAdminPassword']);
+				$_SESSION['imapAdmPass'] = lamEncrypt($_POST['ImapAdminPassword']);
 				@imap_close($mbox);
 			}
 			else {
--- a/lam/lib/modules/windowsUser.inc
+++ b/lam/lib/modules/windowsUser.inc
@ -2581,7 +2581,7 @@ class windowsUser extends baseModule implements passwordService {
 	 */
 	private function setSelfServicePassword(&$return, $attributes) {
 		$newPasswordVal = self::pwdAttributeValue($_POST['windowsUser_unicodePwd']);
-		$oldPassword = Ldap::decrypt($_SESSION['selfService_clientPassword'], 'SelfService');
+		$oldPassword = lamDecrypt($_SESSION['selfService_clientPassword'], 'SelfService');
 		$oldPasswordVal = self::pwdAttributeValue($oldPassword);
 		$dn = $attributes['dn'];
 		$ldif = "dn: " . $dn . "\n";
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@ -3,7 +3,7 @@
 $Id$

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2015  Roland Gruber
+  Copyright (C) 2006 - 2016  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
@ -155,7 +155,7 @@ function logoffAndBackToLoginPage() {
 		@$_SESSION["ldap"]->destroy();
 	}
 	elseif (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) {
-		logNewMessage(LOG_WARNING, 'Self service session of DN ' . Ldap::decrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
+		logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
 	}
 	// delete key and iv in cookie
 	if (function_exists('mcrypt_create_iv')) {
@ -568,4 +568,60 @@ function setLAMHeaders() {
 	}
 }

+/**
+* Encrypts a string
+*
+* @param string $data string to encrypt
+* @param string $prefix prefix for cookie names
+* @return object encrypted string
+*/
+function lamEncrypt($data, $prefix='') {
+	// use MCrypt if available
+	if (function_exists('mcrypt_create_iv')) {
+		// MCrypt may have been enabled in a running session
+		if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
+		if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
+			return $data;
+		}
+		// read key and iv from cookie
+		$iv = base64_decode($_COOKIE[$prefix . "IV"]);
+		$key = base64_decode($_COOKIE[$prefix . "Key"]);
+		// encrypt string
+		return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
+	}
+	// otherwise do not encrypt
+	else {
+		return $data;
+	}
+}
+
+/**
+* Decrypts a string
+*
+* @param object $data string to decrypt
+* @param string $prefix prefix for cookie names
+* @return string decrypted string
+*/
+function lamDecrypt($data, $prefix='') {
+	// use MCrypt if available
+	if (function_exists('mcrypt_create_iv')) {
+		// MCrypt may have been enabled in a running session
+		if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
+		if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
+			return $data;
+		}
+		// read key and iv from cookie
+		$iv = base64_decode($_COOKIE[$prefix . "IV"]);
+		$key = base64_decode($_COOKIE[$prefix . "Key"]);
+		// decrypt string
+		$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
+		$ret = base64_decode(str_replace(chr(00), "", $ret));
+		return $ret;
+	}
+	// otherwise do not decrypt
+	else {
+		return $data;
+	}
+}
+
 ?>
--- a/lam/templates/massBuildAccounts.php
+++ b/lam/templates/massBuildAccounts.php
@ -65,7 +65,7 @@ if (isset($_GET['showldif'])) {
 	//download file
 	header('Content-Type: text/plain');
 	header('Content-disposition: attachment; filename=lam.ldif');
-	$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts']));
+	$accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
 	for ($i = 0; $i < sizeof($accounts); $i++) {
 		echo "DN: " . $accounts[$i]['dn'] . "\n";
 		unset($accounts[$i]['dn']);
@ -214,12 +214,12 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
 			}
 			else {
 				// store accounts in session
-				$_SESSION['mass_accounts'] = $_SESSION['ldap']->encrypt(serialize($accounts));
+				$_SESSION['mass_accounts'] = lamEncrypt(serialize($accounts));
 				$_SESSION['mass_counter'] = 0;
 				$_SESSION['mass_errors'] = array();
 				$_SESSION['mass_failed'] = array();
 				$_SESSION['mass_postActions'] = array();
-				$_SESSION['mass_data'] = $_SESSION['ldap']->encrypt(serialize($data));
+				$_SESSION['mass_data'] = lamEncrypt(serialize($data));
 				$_SESSION['mass_ids'] = $ids;
 				$_SESSION['mass_scope'] = $scope;
 				$_SESSION['mass_selectedModules'] = $selectedModules;
--- a/lam/templates/massDoUpload.php
+++ b/lam/templates/massDoUpload.php
@ -76,7 +76,7 @@ if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)
 echo '<div class="' . $scope . '-bright smallPaddingContent">';

 // create accounts
-$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts']));
+$accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
 if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_postActions']['finished']) || !isset($_SESSION['mass_pdf']['finished'])) {
 	$startTime = time();
 	$maxTime = get_cfg_var('max_execution_time') - 5;
@ -151,7 +151,7 @@ if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_po
 	flush();  // send HTML to browser
 	// do post upload actions after all accounts are created
 	if (($_SESSION['mass_counter'] >= sizeof($accounts)) && !isset($_SESSION['mass_postActions']['finished'])) {
-		$data = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_data']));
+		$data = unserialize(lamDecrypt($_SESSION['mass_data']));
 		$return  = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts);
 		if ($return['status'] == 'finished') {
 			$_SESSION['mass_postActions']['finished'] = true;