moved encryption functions to security.inc

This commit is contained in:
Roland Gruber 2016-08-07 10:40:36 +02:00
parent b50d48e082
commit 5f725d3253
8 changed files with 82 additions and 78 deletions


@ -19,6 +19,7 @@
@ -44,7 +45,10 @@ This is a list of API changes for all LAM releases.
<br> <br>
<h2>5.0 -&gt; 5.1</h2>Module interface<br> <h2>5.4 -&gt; 5.5</h2>Functions Ldap::encrypt/decrypt in ldap.inc moved to lamEncrypt/lamDecrypt in security.inc.<br>
<br>
<h2>5.0 -&gt; 5.1</h2>
Module interface<br>
<ul> <ul>
<li><span style="font-weight: bold;">getPDFEntries(): </span>It is no <li><span style="font-weight: bold;">getPDFEntries(): </span>It is no
longer supported that modules generate PDF XML on their own. You must longer supported that modules generate PDF XML on their own. You must


@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2015 Roland Gruber Copyright (C) 2003 - 2016 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -187,62 +187,6 @@ class Ldap{
@closedir($dir); @closedir($dir);
} }
/**
* Encrypts a string
*
* @param string $data string to encrypt
* @param string $prefix prefix for cookie names
* @return object encrypted string
*/
public static function encrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
}
// read key and iv from cookie
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// encrypt string
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
}
// otherwise do not encrypt
else {
return $data;
}
}
/**
* Decrypts a string
*
* @param object $data string to decrypt
* @param string $prefix prefix for cookie names
* @return string decrypted string
*/
public static function decrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
}
// read key and iv from cookie
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// decrypt string
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
$ret = base64_decode(str_replace(chr(00), "", $ret));
return $ret;
}
// otherwise do not decrypt
else {
return $data;
}
}
/** /**
* Encrypts username and password * Encrypts username and password
* *
@ -251,8 +195,8 @@ class Ldap{
*/ */
function encrypt_login($username, $password) { function encrypt_login($username, $password) {
// encrypt username and password // encrypt username and password
$this->username = base64_encode($this->encrypt($username)); $this->username = base64_encode(lamEncrypt($username));
$this->password = base64_encode($this->encrypt($password)); $this->password = base64_encode(lamEncrypt($password));
} }
/** /**
@ -262,8 +206,8 @@ class Ldap{
*/ */
function decrypt_login() { function decrypt_login() {
// decrypt username and password // decrypt username and password
$username = $this->decrypt(base64_decode($this->username)); $username = lamDecrypt(base64_decode($this->username));
$password = $this->decrypt(base64_decode($this->password)); $password = lamDecrypt(base64_decode($this->password));
$ret = array($username, $password); $ret = array($username, $password);
return $ret; return $ret;
} }
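Review bot: encrypt_login and decrypt_login now call the global functions lamEncrypt/lamDecrypt that live in security.inc, but nothing in this hunk shows ldap.inc pulling in security.inc; if it does not, a script that loads ldap.inc on its own, or that unserializes a stored Ldap object and then calls decrypt_login, would fail with an undefined-function error at these lines. A dependency line near the top of ldap.inc, e.g. `include_once 'security.inc';` in whatever include form the file already uses, would pin this; the include block is outside the hunk so I cannot confirm whether it is already there. The removal also takes the only in-class description of the cookie-based key/IV scheme with it, so a short pointer on encrypt_login such as `// key and IV come from the session cookies, see lamEncrypt() in security.inc` would help readers of this file.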


@ -2150,9 +2150,9 @@ class accountContainer {
*/ */
function __sleep() { function __sleep() {
// encrypt data // encrypt data
$this->attributes = $_SESSION['ldap']->encrypt(serialize($this->attributes)); $this->attributes = lamEncrypt(serialize($this->attributes));
$this->attributes_orig = $_SESSION['ldap']->encrypt(serialize($this->attributes_orig)); $this->attributes_orig = lamEncrypt(serialize($this->attributes_orig));
$this->module = $_SESSION['ldap']->encrypt(serialize($this->module)); $this->module = lamEncrypt(serialize($this->module));
// save all attributes // save all attributes
return array_keys(get_object_vars($this)); return array_keys(get_object_vars($this));
} }
@ -2162,9 +2162,9 @@ class accountContainer {
*/ */
function __wakeup() { function __wakeup() {
// decrypt data // decrypt data
$this->attributes = unserialize($_SESSION['ldap']->decrypt($this->attributes)); $this->attributes = unserialize(lamDecrypt($this->attributes));
$this->attributes_orig = unserialize($_SESSION['ldap']->decrypt($this->attributes_orig)); $this->attributes_orig = unserialize(lamDecrypt($this->attributes_orig));
$this->module = unserialize($_SESSION['ldap']->decrypt($this->module)); $this->module = unserialize(lamDecrypt($this->module));
} }
} }


@ -580,7 +580,7 @@ class imapAccess extends baseModule {
//perform admin password //perform admin password
$imap_admin_password = null; //default value is null, it can be changed during the work $imap_admin_password = null; //default value is null, it can be changed during the work
if (isset($_SESSION['imapAdmPass'])) { if (isset($_SESSION['imapAdmPass'])) {
$imap_admin_password = $_SESSION['ldap']->decrypt($_SESSION['imapAdmPass']); $imap_admin_password = lamDecrypt($_SESSION['imapAdmPass']);
} }
elseif (isset($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0]) && ($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0] == "lam_user_pass")) { elseif (isset($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0]) && ($this->moduleSettings['ImapAccess_ImapAdminPasswordSelect'][0] == "lam_user_pass")) {
$credentials = $_SESSION['ldap']->decrypt_login(); $credentials = $_SESSION['ldap']->decrypt_login();
@ -606,7 +606,7 @@ class imapAccess extends baseModule {
$imap_admin_password = $_POST['ImapAdminPassword']; $imap_admin_password = $_POST['ImapAdminPassword'];
$mbox = @imap_open("{" . $imap_server_address . "}", $imap_admin_user, $imap_admin_password, OP_HALFOPEN, 1); $mbox = @imap_open("{" . $imap_server_address . "}", $imap_admin_user, $imap_admin_password, OP_HALFOPEN, 1);
if ($mbox) { if ($mbox) {
$_SESSION['imapAdmPass'] = $_SESSION['ldap']->encrypt($_POST['ImapAdminPassword']); $_SESSION['imapAdmPass'] = lamEncrypt($_POST['ImapAdminPassword']);
@imap_close($mbox); @imap_close($mbox);
} }
else { else {


@ -2581,7 +2581,7 @@ class windowsUser extends baseModule implements passwordService {
*/ */
private function setSelfServicePassword(&$return, $attributes) { private function setSelfServicePassword(&$return, $attributes) {
$newPasswordVal = self::pwdAttributeValue($_POST['windowsUser_unicodePwd']); $newPasswordVal = self::pwdAttributeValue($_POST['windowsUser_unicodePwd']);
$oldPassword = Ldap::decrypt($_SESSION['selfService_clientPassword'], 'SelfService'); $oldPassword = lamDecrypt($_SESSION['selfService_clientPassword'], 'SelfService');
$oldPasswordVal = self::pwdAttributeValue($oldPassword); $oldPasswordVal = self::pwdAttributeValue($oldPassword);
$dn = $attributes['dn']; $dn = $attributes['dn'];
$ldif = "dn: " . $dn . "\n"; $ldif = "dn: " . $dn . "\n";


@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2015 Roland Gruber Copyright (C) 2006 - 2016 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -155,7 +155,7 @@ function logoffAndBackToLoginPage() {
@$_SESSION["ldap"]->destroy(); @$_SESSION["ldap"]->destroy();
} }
elseif (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) { elseif (isset($_SESSION['selfService_clientDN']) || (strpos($_SERVER['REQUEST_URI'], '/selfService/') !== false)) {
logNewMessage(LOG_WARNING, 'Self service session of DN ' . Ldap::decrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.'); logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
} }
// delete key and iv in cookie // delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
@ -568,4 +568,60 @@ function setLAMHeaders() {
} }
} }
/**
* Encrypts a string
*
* @param string $data string to encrypt
* @param string $prefix prefix for cookie names
* @return object encrypted string
*/
function lamEncrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
}
// read key and iv from cookie
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// encrypt string
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
}
// otherwise do not encrypt
else {
return $data;
}
}
/**
* Decrypts a string
*
* @param object $data string to decrypt
* @param string $prefix prefix for cookie names
* @return string decrypted string
*/
function lamDecrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
}
// read key and iv from cookie
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// decrypt string
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
$ret = base64_decode(str_replace(chr(00), "", $ret));
return $ret;
}
// otherwise do not decrypt
else {
return $data;
}
}
?> ?>
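Review bot: In lamEncrypt and lamDecrypt the $iv handed to mcrypt_encrypt/mcrypt_decrypt is ignored because the mode is MCRYPT_MODE_ECB, so the IV cookie contributes nothing to the ciphertext and equal plaintext blocks encrypt to equal ciphertext blocks; with both functions now in one file this is the natural point to move them to a mode that consumes the IV (MCRYPT_MODE_CBC is the smallest change), noting that data already encrypted under ECB in a running session would then no longer decrypt. The mcrypt extension is also deprecated from PHP 7.1 and removed in 7.2, so this wrapper is where a later switch to openssl_encrypt/openssl_decrypt would land. The docblocks were moved verbatim and are wrong about types: `@return object encrypted string` on lamEncrypt and `@param object $data string to decrypt` on lamDecrypt should both say `string`, since mcrypt_encrypt returns a string and lamDecrypt consumes one. The three cookie checks and the base64 decoding of key and IV are duplicated between the two functions; hoisting them into one helper keeps the placeholder-IV comparison and the key/IV handling in a single place.
```php
/**
 * Reads key and IV for the given cookie prefix.
 *
 * @param string $prefix prefix for cookie names
 * @return array|null array(key, iv) or null if encryption is not active for this request
 */
function lamGetCryptoKeyAndIv($prefix) {
	if (!function_exists('mcrypt_create_iv')) {
		return null;
	}
	// MCrypt may have been enabled in a running session
	if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] === '')) {
		return null;
	}
	if ($_COOKIE[$prefix . "IV"] === "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
		return null;
	}
	return array(base64_decode($_COOKIE[$prefix . "Key"]), base64_decode($_COOKIE[$prefix . "IV"]));
}

/**
 * Encrypts a string
 *
 * @param string $data string to encrypt
 * @param string $prefix prefix for cookie names
 * @return string encrypted string (unchanged input if encryption is not active)
 */
function lamEncrypt($data, $prefix='') {
	$keyAndIv = lamGetCryptoKeyAndIv($prefix);
	if ($keyAndIv === null) {
		return $data;
	}
	return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $keyAndIv[0], base64_encode($data), MCRYPT_MODE_ECB, $keyAndIv[1]);
}
// … unchanged: lamDecrypt, with its cookie checks replaced by the same lamGetCryptoKeyAndIv() call …
```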


@ -65,7 +65,7 @@ if (isset($_GET['showldif'])) {
//download file //download file
header('Content-Type: text/plain'); header('Content-Type: text/plain');
header('Content-disposition: attachment; filename=lam.ldif'); header('Content-disposition: attachment; filename=lam.ldif');
$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts'])); $accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
for ($i = 0; $i < sizeof($accounts); $i++) { for ($i = 0; $i < sizeof($accounts); $i++) {
echo "DN: " . $accounts[$i]['dn'] . "\n"; echo "DN: " . $accounts[$i]['dn'] . "\n";
unset($accounts[$i]['dn']); unset($accounts[$i]['dn']);
@ -214,12 +214,12 @@ if ($_FILES['inputfile'] && ($_FILES['inputfile']['size'] > 0)) {
} }
else { else {
// store accounts in session // store accounts in session
$_SESSION['mass_accounts'] = $_SESSION['ldap']->encrypt(serialize($accounts)); $_SESSION['mass_accounts'] = lamEncrypt(serialize($accounts));
$_SESSION['mass_counter'] = 0; $_SESSION['mass_counter'] = 0;
$_SESSION['mass_errors'] = array(); $_SESSION['mass_errors'] = array();
$_SESSION['mass_failed'] = array(); $_SESSION['mass_failed'] = array();
$_SESSION['mass_postActions'] = array(); $_SESSION['mass_postActions'] = array();
$_SESSION['mass_data'] = $_SESSION['ldap']->encrypt(serialize($data)); $_SESSION['mass_data'] = lamEncrypt(serialize($data));
$_SESSION['mass_ids'] = $ids; $_SESSION['mass_ids'] = $ids;
$_SESSION['mass_scope'] = $scope; $_SESSION['mass_scope'] = $scope;
$_SESSION['mass_selectedModules'] = $selectedModules; $_SESSION['mass_selectedModules'] = $selectedModules;


@ -76,7 +76,7 @@ if (!checkIfNewEntriesAreAllowed($scope) || !checkIfWriteAccessIsAllowed($scope)
echo '<div class="' . $scope . '-bright smallPaddingContent">'; echo '<div class="' . $scope . '-bright smallPaddingContent">';
// create accounts // create accounts
$accounts = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_accounts'])); $accounts = unserialize(lamDecrypt($_SESSION['mass_accounts']));
if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_postActions']['finished']) || !isset($_SESSION['mass_pdf']['finished'])) { if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_postActions']['finished']) || !isset($_SESSION['mass_pdf']['finished'])) {
$startTime = time(); $startTime = time();
$maxTime = get_cfg_var('max_execution_time') - 5; $maxTime = get_cfg_var('max_execution_time') - 5;
@ -151,7 +151,7 @@ if (($_SESSION['mass_counter'] < sizeof($accounts)) || !isset($_SESSION['mass_po
flush(); // send HTML to browser flush(); // send HTML to browser
// do post upload actions after all accounts are created // do post upload actions after all accounts are created
if (($_SESSION['mass_counter'] >= sizeof($accounts)) && !isset($_SESSION['mass_postActions']['finished'])) { if (($_SESSION['mass_counter'] >= sizeof($accounts)) && !isset($_SESSION['mass_postActions']['finished'])) {
$data = unserialize($_SESSION['ldap']->decrypt($_SESSION['mass_data'])); $data = unserialize(lamDecrypt($_SESSION['mass_data']));
$return = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts); $return = doUploadPostActions($scope, $data, $_SESSION['mass_ids'], $_SESSION['mass_failed'], $_SESSION['mass_selectedModules'], $accounts);
if ($return['status'] == 'finished') { if ($return['status'] == 'finished') {
$_SESSION['mass_postActions']['finished'] = true; $_SESSION['mass_postActions']['finished'] = true;