diff --git a/lam/docs/devel/upgrade.htm b/lam/docs/devel/upgrade.htm
index 494f8b5e..3b55196a 100644
--- a/lam/docs/devel/upgrade.htm
+++ b/lam/docs/devel/upgrade.htm
@@ -19,6 +19,7 @@
+
@@ -44,7 +45,10 @@ This is a list of API changes for all LAM releases.
-
5.0 -> 5.1
Module interface
+5.4 -> 5.5
Functions Ldap::encrypt/decrypt in ldap.inc moved to lamEncrypt/lamDecrypt in security.inc.
+
+5.0 -> 5.1
+Module interface
- getPDFEntries(): It is no
longer supported that modules generate PDF XML on their own. You must
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index 8c9e83e3..558d0bc5 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2015 Roland Gruber
+ Copyright (C) 2003 - 2016 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -187,62 +187,6 @@ class Ldap{
@closedir($dir);
}
- /**
- * Encrypts a string
- *
- * @param string $data string to encrypt
- * @param string $prefix prefix for cookie names
- * @return object encrypted string
- */
- public static function encrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
- if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
- if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
- return $data;
- }
- // read key and iv from cookie
- $iv = base64_decode($_COOKIE[$prefix . "IV"]);
- $key = base64_decode($_COOKIE[$prefix . "Key"]);
- // encrypt string
- return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
- }
- // otherwise do not encrypt
- else {
- return $data;
- }
- }
-
- /**
- * Decrypts a string
- *
- * @param object $data string to decrypt
- * @param string $prefix prefix for cookie names
- * @return string decrypted string
- */
- public static function decrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
- if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
- if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
- return $data;
- }
- // read key and iv from cookie
- $iv = base64_decode($_COOKIE[$prefix . "IV"]);
- $key = base64_decode($_COOKIE[$prefix . "Key"]);
- // decrypt string
- $ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
- $ret = base64_decode(str_replace(chr(00), "", $ret));
- return $ret;
- }
- // otherwise do not decrypt
- else {
- return $data;
- }
- }
-
/**
* Encrypts username and password
*
@@ -251,8 +195,8 @@ class Ldap{
*/
function encrypt_login($username, $password) {
// encrypt username and password
- $this->username = base64_encode($this->encrypt($username));
- $this->password = base64_encode($this->encrypt($password));
+ $this->username = base64_encode(lamEncrypt($username));
+ $this->password = base64_encode(lamEncrypt($password));
}
/**
@@ -262,8 +206,8 @@ class Ldap{
*/
function decrypt_login() {
// decrypt username and password
- $username = $this->decrypt(base64_decode($this->username));
- $password = $this->decrypt(base64_decode($this->password));
+ $username = lamDecrypt(base64_decode($this->username));
+ $password = lamDecrypt(base64_decode($this->password));
$ret = array($username, $password);
return $ret;
}
diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc
index 1f23c449..f17cf003 100644
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@@ -2150,9 +2150,9 @@ class accountContainer {
*/
function __sleep() {
// encrypt data
- $this->attributes = $_SESSION['ldap']->encrypt(serialize($this->attributes));
- $this->attributes_orig = $_SESSION['ldap']->encrypt(serialize($this->attributes_orig));
- $this->module = $_SESSION['ldap']->encrypt(serialize($this->module));
+ $this->attributes = lamEncrypt(serialize($this->attributes));
+ $this->attributes_orig = lamEncrypt(serialize($this->attributes_orig));
+ $this->module = lamEncrypt(serialize($this->module));
// save all attributes
return array_keys(get_object_vars($this));
}
@@ -2162,9 +2162,9 @@ class accountContainer {
*/
function __wakeup() {
// decrypt data
- $this->attributes = unserialize($_SESSION['ldap']->decrypt($this->attributes));
- $this->attributes_orig = unserialize($_SESSION['ldap']->decrypt($this->attributes_orig));
- $this->module = unserialize($_SESSION['ldap']->decrypt($this->module));
+ $this->attributes = unserialize(lamDecrypt($this->attributes));
+ $this->attributes_orig = unserialize(lamDecrypt($this->attributes_orig));
+ $this->module = unserialize(lamDecrypt($this->module));
}
}
diff --git a/lam/lib/modules/imapAccess.inc b/lam/lib/modules/imapAccess.inc
index 34c3f723..ee7a0094 100644
--- a/lam/lib/modules/imapAccess.inc
+++ b/lam/lib/modules/imapAccess.inc
@@ -580,7 +580,7 @@ class imapAccess extends baseModule {
//perform admin password
$imap_admin_password = null; //default value is null, it can be changed during the work
if (isset($_SESSION['imapAdmPass'])) {
- $imap_admin_password = $_SESSION['ldap']->decrypt($_SESSION['imapAdmPass']);
+ $imap_admin_password = lamDecrypt($_SESSION['imapAdmPass']);
}
elseif (isset($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0]) && ($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0] == "lam_user_pass")) {
$credentials = $_SESSION['ldap']->decrypt_login();
@@ -606,7 +606,7 @@ class imapAccess extends baseModule {
$imap_admin_password = $_POST['ImapAdminPassword'];
$mbox = @imap_open("{" . $imap_server_address . "}", $imap_admin_user, $imap_admin_password, OP_HALFOPEN, 1);
if ($mbox) {
- $_SESSION['imapAdmPass'] = $_SESSION['ldap']->encrypt($_POST['ImapAdminPassword']);
+ $_SESSION['imapAdmPass'] = lamEncrypt($_POST['ImapAdminPassword']);
@imap_close($mbox);
}
else {
diff --git a/lam/lib/modules/windowsUser.inc b/lam/lib/modules/windowsUser.inc
index f5f2b648..c39a8af3 100644
--- a/lam/lib/modules/windowsUser.inc
+++ b/lam/lib/modules/windowsUser.inc
@@ -2581,7 +2581,7 @@ class windowsUser extends baseModule implements passwordService {
*/
private function setSelfServicePassword(&$return, $attributes) {
$newPasswordVal = self::pwdAttributeValue($_POST['windowsUser_unicodePwd']);
- $oldPassword = Ldap::decrypt($_SESSION['selfService_clientPassword'], 'SelfService');
+ $oldPassword = lamDecrypt($_SESSION['selfService_clientPassword'], 'SelfService');
$oldPasswordVal = self::pwdAttributeValue($oldPassword);
$dn = $attributes['dn'];
$ldif = "dn: " . $dn . "\n";
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 19e7232a..a48d28f0 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2015 Roland Gruber
+ Copyright (C) 2006 - 2016 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -155,7 +155,7 @@ function logoffAndBackToLoginPage() {
@$_SESSION["ldap"]->destroy();
}
elseif (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) {
- logNewMessage(LOG_WARNING, 'Self service session of DN ' . Ldap::decrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
+ logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
}
// delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) {
@@ -568,4 +568,60 @@ function setLAMHeaders() {
}
}
+/**
+* Encrypts a string
+*
+* @param string $data string to encrypt
+* @param string $prefix prefix for cookie names
+* @return object encrypted string
+*/
+function lamEncrypt($data, $prefix='') {
+ // use MCrypt if available
+ if (function_exists('mcrypt_create_iv')) {
+ // MCrypt may have been enabled in a running session
+ if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
+ if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
+ return $data;
+ }
+ // read key and iv from cookie
+ $iv = base64_decode($_COOKIE[$prefix . "IV"]);
+ $key = base64_decode($_COOKIE[$prefix . "Key"]);
+ // encrypt string
+ return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
+ }
+ // otherwise do not encrypt
+ else {
+ return $data;
+ }
+}
+
+/**
+* Decrypts a string
+*
+* @param object $data string to decrypt
+* @param string $prefix prefix for cookie names
+* @return string decrypted string
+*/
+function lamDecrypt($data, $prefix='') {
+ // use MCrypt if available
+ if (function_exists('mcrypt_create_iv')) {
+ // MCrypt may have been enabled in a running session
+ if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
+ if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
+ return $data;
+ }
+ // read key and iv from cookie
+ $iv = base64_decode($_COOKIE[$prefix . "IV"]);
+ $key = base64_decode($_COOKIE[$prefix . "Key"]);
+ // decrypt string
+ $ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
+ $ret = base64_decode(str_replace(chr(00), "", $ret));
+ return $ret;
+ }
+ // otherwise do not decrypt
+ else {
+ return $data;
+ }
+}
+
?>
\ No newline at end of file
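Review bot: lamEncrypt and lamDecrypt hand back `$data` unchanged whenever mcrypt is missing or the `IV` cookie is empty, and the caller gets no signal, so encrypt_login and the session-storing callers in this commit silently keep credentials in plaintext; moreover only the `IV` cookie is guarded, while a missing `Key` cookie produces an empty key that is passed straight to mcrypt_encrypt/mcrypt_decrypt. I would guard both cookies and log the downgrade with the file's existing logger, e.g. `if (!isset($_COOKIE[$prefix . "Key"]) || ($_COOKIE[$prefix . "Key"] == '')) { logNewMessage(LOG_WARNING, 'Encryption key cookie missing, session data stored unencrypted'); return $data; }` placed before the two base64_decode lines in each function. Note also that MCRYPT_MODE_ECB ignores the IV argument, so the per-session IV cookie adds nothing here, and since mcrypt is deprecated in current PHP releases a follow-up that moves to openssl with a random per-message IV and an authenticated mode would be worth planning while the functions are being relocated anyway. Both docblocks say `@return object` although the functions return strings; that should read `@return string`.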
diff --git a/lam/templates/massBuildAccounts.php b/lam/templates/massBuildAccounts.php
index 46c023d4..aadd18fe 100644
--- a/lam/templates/massBuildAccounts.php
+++ b/lam/templates/massBuildAccounts.php
@@ -65,7 +65,7 @@ if (isset($_GET['showldif'])) {
//download file
header('Content-Type: text/plain');
header('Content-disposition: attachment; filename=lam.ldif');
- $accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts']));
+ $accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
for ($i = 0; $i < sizeof($accounts); $i++) {
echo "DN: " . $accounts[$i]['dn'] . "\n";
unset($accounts[$i]['dn']);
@@ -214,12 +214,12 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
}
else {
// store accounts in session
- $_SESSION['mass_accounts'] = $_SESSION['ldap']->encrypt(serialize($accounts));
+ $_SESSION['mass_accounts'] = lamEncrypt(serialize($accounts));
$_SESSION['mass_counter'] = 0;
$_SESSION['mass_errors'] = array();
$_SESSION['mass_failed'] = array();
$_SESSION['mass_postActions'] = array();
- $_SESSION['mass_data'] = $_SESSION['ldap']->encrypt(serialize($data));
+ $_SESSION['mass_data'] = lamEncrypt(serialize($data));
$_SESSION['mass_ids'] = $ids;
$_SESSION['mass_scope'] = $scope;
$_SESSION['mass_selectedModules'] = $selectedModules;
diff --git a/lam/templates/massDoUpload.php b/lam/templates/massDoUpload.php
index 4a6dcee4..438cca58 100644
--- a/lam/templates/massDoUpload.php
+++ b/lam/templates/massDoUpload.php
@@ -76,7 +76,7 @@ if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)
echo '
';
// create accounts
-$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts']));
+$accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_postActions']['finished']) || !isset($_SESSION['mass_pdf']['finished'])) {
$startTime = time();
$maxTime = get_cfg_var('max_execution_time') - 5;
@@ -151,7 +151,7 @@ if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_po
flush(); // send HTML to browser
// do post upload actions after all accounts are created
if (($_SESSION['mass_counter'] >= sizeof($accounts)) && !isset($_SESSION['mass_postActions']['finished'])) {
- $data = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_data']));
+ $data = unserialize(lamDecrypt($_SESSION['mass_data']));
$return = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts);
if ($return['status'] == 'finished') {
$_SESSION['mass_postActions']['finished'] = true;