diff --git a/lam/HISTORY b/lam/HISTORY index 1d426fc3..29fa94c0 100644 --- a/lam/HISTORY +++ b/lam/HISTORY @@ -1,3 +1,9 @@ +??? 0.4.2 + - added config wizard + - MHash is only needed for PHP < 4.3 + - use Blowfish for encryption instead of MCrypt + + 29.12.2003 0.4.1 - better error handling at login diff --git a/lam/INSTALL b/lam/INSTALL index c1492116..6b315eca 100644 --- a/lam/INSTALL +++ b/lam/INSTALL @@ -6,7 +6,7 @@ Installation Instructions for LAM 1. Requirements - Apache webserver (SSL optional) with installed PHP-Module (PHP-Module with - ldap, gettext, mcrypt, mhash) + ldap, gettext, mcrypt+mhash optional) - Perl - Openldap (>2.0) - A web browser :-) diff --git a/lam/README b/lam/README index 1f1846b0..bbafafea 100644 --- a/lam/README +++ b/lam/README @@ -80,8 +80,9 @@ LAM - Readme LAM needs to store your LDAP username + password in the session. The session files are saved in sess/ and are accessible only by the web server. To increase - security username and password are encrypted with AES (256 bit). The key and iv - are generated at random when you log in. They are stored in two cookies. + security username and password are encrypted with MCrypt/AES or Blowfish. + The key and iv are generated at random when you log in. They are stored in two + cookies. Have fun! diff --git a/lam/docs/README.security b/lam/docs/README.security index aace300c..b797912f 100644 --- a/lam/docs/README.security +++ b/lam/docs/README.security @@ -25,7 +25,7 @@ 4. LDAP-password protection Your LDAP-password is stored encrypted in the session file. The key and IV to decrypt - it are stored in two cookies. We use AES to encrypt the passwort. + it are stored in two cookies. We use MCrypt/AES or Blowfish to encrypt the password. 5. Protection of new user passwords diff --git a/lam/lib/account.inc b/lam/lib/account.inc index 8c79e3cd..00daf150 100644 --- a/lam/lib/account.inc +++ b/lam/lib/account.inc 
@@ -856,7 +856,7 @@ class accountContainer { function lamdaemon($commands) { // get username and password of the current lam-admin - $ldap_q = $_SESSION[$this->ldap]->decrypt(); + $ldap_q = $_SESSION[$this->ldap]->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, owner of homedir, 'home', operation='add' * use escapeshellarg to make exec() shell-safe @@ -1084,7 +1084,7 @@ function getquotas($users) { if (is_array($users)) $return = $users; else $return[0] = $users; // get username and password of the current lam-admin - $ldap_q = $_SESSION['ldap']->decrypt(); + $ldap_q = $_SESSION['ldap']->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, account with quotas, 'quota', operation='get', type=user|group * use escapeshellarg to make exec() shell-safe @@ -1182,7 +1182,7 @@ function getquotas($users) { */ function setquotas($values2) { // get username and password of the current lam-admin - $ldap_q = $_SESSION['ldap']->decrypt(); + $ldap_q = $_SESSION['ldap']->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, account with quotas, 'quota', operation='set', type=user|group * use escapeshellarg to make exec() shell-safe @@ -1273,7 +1273,7 @@ function setquotas($values2) { */ function remquotas($users, $type) { // get username and password of the current lam-admin - $ldap_q = $_SESSION['ldap']->decrypt(); + $ldap_q = $_SESSION['ldap']->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, account with quotas, 'quota', operation='rem', type=user|group * use escapeshellarg to make exec() shell-safe 
@@ -1338,7 +1338,7 @@ function remquotas($users, $type) { */ function addhomedir($users) { // get username and password of the current lam-admin - $ldap_q = $_SESSION['ldap']->decrypt(); + $ldap_q = $_SESSION['ldap']->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, owner of homedir, 'home', operation='add' * use escapeshellarg to make exec() shell-safe @@ -1404,7 +1404,7 @@ function addhomedir($users) { */ function remhomedir($users) { // get username and password of the current lam-admin - $ldap_q = $_SESSION['ldap']->decrypt(); + $ldap_q = $_SESSION['ldap']->decrypt_login(); /* $towrite has the following syntax: * admin-username, admin-password, owner of homedir, 'home', operation='add' * use escapeshellarg to make exec() shell-safe @@ -2192,15 +2192,11 @@ function createuser($values, $uselamdaemon=true) { // Create DN for new user account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // decrypt password because we don't want to store them unencrypted in session - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); if ($values->unix_password != '') { - $values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv); - $values->unix_password = str_replace(chr(00), '', $values->unix_password); + $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password)); } if ($values->smb_password != '') { - $values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv); - $values->smb_password = str_replace(chr(00), '', $values->smb_password); + $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password)); } // Attributes which are required 
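Review bot: Every call site in this series, createuser here included, wraps the new helpers as `base64_encode($_SESSION['ldap']->encrypt(...))` and `$_SESSION['ldap']->decrypt(base64_decode(...))`; the same pair recurs in modifyuser, posixAccount.inc, posixGroup.inc, sambaAccount.inc, sambaSamAccount.inc, pdf.inc, useredit.php and masscreate.php. Moving the base64 step into Ldap::encrypt()/decrypt() would keep one encoding decision in ldap.inc and shorten each caller to `$values->unix_password = $_SESSION['ldap']->decrypt($values->unix_password);`. The createuser function continues outside the hunk.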
@@ -2382,15 +2378,11 @@ function modifyuser($values,$values_old,$uselamdaemon=true) { // Will modify the // Create DN for new user account $values->general_dn = 'uid=' . $values->general_username . ',' . $values->general_dn; // decrypt password because we don't want to store them unencrypted in session - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); if ($values->unix_password != '') { - $values->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->unix_password), MCRYPT_MODE_ECB, $iv); - $values->unix_password = str_replace(chr(00), '', $values->unix_password); + $values->unix_password = $_SESSION['ldap']->decrypt(base64_decode($values->unix_password)); } if ($values->smb_password != '') { - $values->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($values->smb_password), MCRYPT_MODE_ECB, $iv); - $values->smb_password = str_replace(chr(00), '', $values->smb_password); + $values->smb_password = $_SESSION['ldap']->decrypt(base64_decode($values->smb_password)); } // Attributes which are required if ($values->general_username != $values_old->general_username) { diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc index 92bc14fe..fde6be44 100644 --- a/lam/lib/ldap.inc +++ b/lam/lib/ldap.inc @@ -24,6 +24,7 @@ $Id$ // ldap.inc provides basic functions to connect to the OpenLDAP server. include_once("config.inc"); +include_once("blowfish.inc"); // converts a HEX string to a binary value function hex2bin($value) { @@ -233,7 +234,7 @@ class Ldap{ return false; } // save password und username encrypted - $this->encrypt($user, $passwd); + $this->encrypt_login($user, $passwd); $this->server = @ldap_connect($this->conf->get_ServerURL()); if ($this->server) { // use LDAPv3 
@@ -386,7 +387,7 @@ class Ldap{ // reconnects to LDAP server when deserialized function __wakeup() { - $data = $this->decrypt(); + $data = $this->decrypt_login(); $this->connect($data[0], $data[1]); // change random number mt_srand($this->rand + (microtime() * 1000000)); 
@@ -415,32 +416,74 @@ class Ldap{ $this->rand = mt_rand(); } + // encrypts a string + // $data: string to encrypt + // return: encrypted string + function encrypt($data) { + // use MCrypt if available + if (function_exists(mcrypt_create_iv)) { + // read key and iv from cookie + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + // encrypt string + return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv); + } + // use Blowfish if MCrypt is not available + else { + // read key and iv from cookie + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + $b_key = $iv . $key; + // encrypt string + $b_fish = new Cipher_blowfish(); + return $b_fish->encrypt($data, $b_key); + } + } + + // decrypts a string + // $data: string to decrypt + // return: decrypted string + function decrypt($data) { + // use MCrypt if available + if (function_exists(mcrypt_create_iv)) { + // read key and iv from cookie + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + // decrypt string + $ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv); + $ret = str_replace(chr(00), "", $ret); + return $ret; + } + // use Blowfish if MCrypt is not available + else { + // read key and iv from cookie + $iv = base64_decode($_COOKIE["IV"]); + $key = base64_decode($_COOKIE["Key"]); + $b_key = $iv . 
$key; + // decrypt string + $b_fish = new Cipher_blowfish(); + return $b_fish->decrypt($data, $b_key); + } + } + // encrypts username and password // $username: LDAP user name // $password: LDAP password - function encrypt($username, $password) { - // read key and iv from cookie - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); + function encrypt_login($username, $password) { // encrypt username and password - $this->username = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $username, MCRYPT_MODE_ECB, $iv)); - $this->password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $password, MCRYPT_MODE_ECB, $iv)); + $this->username = base64_encode($this->encrypt($username)); + $this->password = base64_encode($this->encrypt($password)); } // decrypts username and password // returns an array // return[0]: user name // return[1]: password - function decrypt() { - // read key and iv from cookie - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); + function decrypt_login() { // decrypt username and password - $username = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->username), MCRYPT_MODE_ECB, $iv); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->password), MCRYPT_MODE_ECB, $iv); + $username = $this->decrypt(base64_decode($this->username)); + $password = $this->decrypt(base64_decode($this->password)); $ret = array($username, $password); - $ret[0] = str_replace(chr(00), "", $ret[0]); - $ret[1] = str_replace(chr(00), "", $ret[1]); return $ret; } diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc index 0c5f017b..a1bedc7d 100644 --- a/lam/lib/modules/posixAccount.inc +++ b/lam/lib/modules/posixAccount.inc 
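Review bot: `function_exists(mcrypt_create_iv)` in both new methods passes a bareword, which PHP only accepts by treating the undefined constant as its own name and emitting a notice on every encrypt/decrypt call (newer versions reject it); it should be `if (function_exists('mcrypt_create_iv')) {`. The Blowfish branch builds its key as `$iv . $key`, and with the two strings of at least 30 characters that login.php generates this exceeds Blowfish's 56-byte key limit, so whether Cipher_blowfish truncates or rejects it depends on blowfish.inc, which is not part of this diff. The two branches also disagree on output: the MCrypt path strips NUL padding from the decrypted string while the Blowfish path returns the cipher's result unchanged, so callers may see trailing padding depending on which backend is installed. Neither branch checks that the `Key` and `IV` cookies are present, so a missing cookie silently encrypts with an empty key; reading them once in a helper that fails the request when either is unset would cover both paths. Since MCRYPT_MODE_ECB ignores the IV entirely, centralising the calls here is also the natural point to move to a chained mode.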
@@ -119,9 +119,7 @@ class posixAccount { if (is_string($newpassword)) { // Write new password if ($newpassword!='') { - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); + $this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword)); } else $this->attributes['userPassword'][0] = ''; return 0; @@ -129,10 +127,7 @@ class posixAccount { else { if ($this->attributes['userPassword'][0]!='') { // Read existing password if set - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0])); return $password; } else return ''; diff --git a/lam/lib/modules/posixGroup.inc b/lam/lib/modules/posixGroup.inc index f1e51d1d..49a9603a 100644 --- a/lam/lib/modules/posixGroup.inc +++ b/lam/lib/modules/posixGroup.inc @@ -108,9 +108,7 @@ class posixGroup { if (is_string($newpassword)) { // Write new password if ($newpassword!='') { - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $this->attributes['userPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); + $this->attributes['userPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword)); } else $this->attributes['userPassword'][0] = ''; return 0; 
@@ -118,10 +116,7 @@ class posixGroup { else { if ($this->attributes['userPassword'][0]!='') { // Read existing password if set - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['userPassword'][0]), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['userPassword'][0])); return $password; } else return ''; diff --git a/lam/lib/modules/sambaAccount.inc b/lam/lib/modules/sambaAccount.inc index 85c73029..eaea4ee5 100644 --- a/lam/lib/modules/sambaAccount.inc +++ b/lam/lib/modules/sambaAccount.inc @@ -109,19 +109,14 @@ class sambaAccount { function lmPassword($newpassword=false) { if (is_string($newpassword)) { // Write new password - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $this->attributes['lmPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); + $this->attributes['lmPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword)); return 0; } else { if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->attributes['lmPassword'][0]!='') { // Read existing password if set - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['lmPassword'][0]), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['lmPassword'][0])); return $password; } else return ''; diff --git a/lam/lib/modules/sambaSamAccount.inc b/lam/lib/modules/sambaSamAccount.inc index fd97a575..7b99863f 100644 --- a/lam/lib/modules/sambaSamAccount.inc +++ b/lam/lib/modules/sambaSamAccount.inc 
@@ -109,19 +109,14 @@ class sambaSamAccount { function sambaLMPassword($newpassword=false) { if (is_string($newpassword)) { // Write new password - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $this->attributes['sambaLMPassword'][0] = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $newpassword, MCRYPT_MODE_ECB, $iv)); + $this->attributes['sambaLMPassword'][0] = base64_encode($_SESSION['ldap']->encrypt($newpassword)); return 0; } else { if ($this->useunixpwd) return $_SESSION[$this->base]->module['posixAccount']->userPassword(); if ($this->attributes['sambaLMPassword'][0]!='') { // Read existing password if set - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($this->attributes['sambaLMPassword'][0]), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($this->attributes['sambaLMPassword'][0])); return $password; } else return ''; diff --git a/lam/lib/pdf.inc b/lam/lib/pdf.inc index 7af43dbf..d3f2fb7b 100644 --- a/lam/lib/pdf.inc +++ b/lam/lib/pdf.inc @@ -41,8 +41,6 @@ function createUserPDF($accounts) { $pdfFile->setCreator("LDAP Account Manager (pdf.inc)"); // Loop for every sumbitted account and print its values on a extra page foreach ($accounts as $account) { - $iv = base64_decode($_COOKIE['IV']); - $key = base64_decode($_COOKIE['Key']); $pdfFile->addPage(); // Load string with additional information from session $info_string = $_SESSION['config']->pdftext; 
@@ -141,8 +139,7 @@ function createUserPDF($accounts) { elseif($account->unix_password == "") { } else { - $account->unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->unix_password), MCRYPT_MODE_ECB, $iv); - $account->unix_password = str_replace(chr(00), '', $account->unix_password); + $account->unix_password = $_SESSION['ldap']->decrypt(base64_decode($account->unix_password)); $pdfFile->setFont("times","B",10); $pdfFile->Cell(50,5,_("Unix password") . ":",0,0,"R",0); $pdfFile->setFont("times","",10); @@ -199,8 +196,7 @@ function createUserPDF($accounts) { elseif($account->smb_password == "") { } else { - $account->smb_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account->smb_password), MCRYPT_MODE_ECB, $iv); - $account->smb_password = str_replace(chr(00), '', $account->smb_password); + $account->smb_password = $_SESSION['ldap']->decrypt(base64_decode($account->smb_password)); $pdfFile->setFont("times","B",10); $pdfFile->Cell(50,5,_("Windows password") . ":",0,0,"R",0); $pdfFile->setFont("times","",10); diff --git a/lam/session-vars.txt b/lam/session-vars.txt index b03a1d59..bc42ab50 100644 --- a/lam/session-vars.txt +++ b/lam/session-vars.txt @@ -85,7 +85,7 @@ convsave, confmain, conflogin: useredit: - shellist: Array mit allen shells -- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert +- account_old: Object account. Hier wird beim laden eines Accounts alle alten Werte zwischengespeichert - account: Object account. Hier wird der aktuelle Eintrag gespeichert - final_changegids: boolean. Wenn gesetzt, werden die gids in ldap angepasst - hostDN: Array mit allen hosts. 
@@ -122,9 +122,9 @@ confwiz/*.php - confwiz_config: Config-Objekt mit Optionen - confwiz_ldap: LDAP-Objekt - conwiz_masterpwd: Hauptpasswort für Einstellungen, zur Überprüfung des Admins -- confwiz_domainsid: Domänen-SID der erstellten/zuerst gefundenen Domäne -- confwiz_missing_groups: Array mit fehlenden Standard-Samba-Gruppen -- confwiz_optional: Array mit optionalen Seiten, die angezeigt werden sollen + + + diff --git a/lam/templates/account/useredit.php b/lam/templates/account/useredit.php index 67bbb88d..f9812f58 100644 --- a/lam/templates/account/useredit.php +++ b/lam/templates/account/useredit.php @@ -311,13 +311,11 @@ switch ($_POST['select']) { // Write all general values into $account_new if (isset($_POST['f_unix_password'])) { // Encraypt password - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); if ($_POST['f_unix_password'] != $_POST['f_unix_password2']) { $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); unset ($_POST['f_unix_password2']); } - else $account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_unix_password'], MCRYPT_MODE_ECB, $iv)); + else $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_unix_password'])); } else $account_new->unix_password = ''; if ($_POST['f_unix_password_no']) $account_new->unix_password_no = true; @@ -333,9 +331,7 @@ switch ($_POST['select']) { else $account_new->unix_deactivated = false; if ($_POST['genpass']) { // Generate a random password if generate-button was pressed - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $account_new->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv)); + $account_new->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd())); unset ($_POST['f_unix_password2']); // Keep unix-page acitve $select_local = 'unix'; 
@@ -343,10 +339,7 @@ switch ($_POST['select']) { // Check if values are OK and set automatic values. if not error-variable will be set else { // account.inc if ($account_new->unix_password != '') { - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password)); } if (!ereg('^([a-z]|[A-Z]|[0-9]|[\|]|[\#]|[\*]|[\,]|[\.]|[\;]|[\:]|[\_]|[\-]|[\+]|[\!]|[\%]|[\&]|[\/]|[\?]|[\{]|[\[]|[\(]|[\)]|[\]]|[\}])*$', $password)) $errors[] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!$%&/|?{[()]}= !')); @@ -412,8 +405,6 @@ switch ($_POST['select']) { break; } } - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); // Set Samba password if (isset($_POST['f_smb_password']) && !$account_new->smb_useunixpwd) { // Encraypt password 
@@ -421,14 +412,13 @@ switch ($_POST['select']) { $errors[] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.')); unset ($_POST['f_smb_password2']); } - else $account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $_POST['f_smb_password'], MCRYPT_MODE_ECB, $iv)); + else $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($_POST['f_smb_password'])); } else $account_new->smb_password = ''; if ( (($account_new->smb_useunixpwd && !$account_old) || ($account_new->smb_useunixpwd && $account_new->unix_password!='')) && isset($account_new->unix_password) ) { // Set Samba-Password to unix-password if option is set - $unix_password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv); - $smb_password = str_replace(chr(00), '', $unix_password); - $account_new->smb_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $smb_password, MCRYPT_MODE_ECB, $iv)); + $unix_password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password)); + $account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($smb_password)); } // Check values $account_new->smb_scriptPath = str_replace('$user', $account_new->general_username, $account_new->smb_scriptPath); @@ -1034,10 +1024,7 @@ switch ($select_local) { // Unix Password Settings // decrypt password if ($account_new->unix_password != '') { - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->unix_password), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->unix_password)); } else $password=''; // Use dd-mm-yyyy format of date because it's easier to read for humans 
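Review bot: `$smb_password` is never assigned in the new code of the `smb_useunixpwd` branch, because the removed `str_replace` line was its only assignment, so `encrypt($smb_password)` now encrypts an undefined (empty) value and the Samba password becomes empty whenever the "use unix password" option is set. The decrypted value is in `$unix_password`, so the line should read `$account_new->smb_password = base64_encode($_SESSION['ldap']->encrypt($unix_password));`; alternatively, since both fields use the same key, the decrypt/encrypt round trip can be dropped in favour of `$account_new->smb_password = $account_new->unix_password;`, which is what masscreate.php does. The enclosing switch starts and ends outside the hunk.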
@@ -1145,10 +1132,7 @@ switch ($select_local) { // Samba Settings // decrypt password if ($account_new->smb_password != '') { - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); - $password = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, base64_decode($account_new->smb_password), MCRYPT_MODE_ECB, $iv); - $password = str_replace(chr(00), '', $password); + $password = $_SESSION['ldap']->decrypt(base64_decode($account_new->smb_password)); } else $password = ""; if ($config_intern->is_samba3()) $samba3domains = $ldap_intern->search_domains($config_intern->get_domainSuffix()); diff --git a/lam/templates/login.php b/lam/templates/login.php index fea60f35..16fe392a 100644 --- a/lam/templates/login.php +++ b/lam/templates/login.php @@ -47,6 +47,14 @@ function display_LoginPage($config_object,$profile) $iv = mcrypt_create_iv(32, MCRYPT_RAND); } } + // use Blowfish if MCrypt is not available + else { + // generate iv and key for encryption + $key = ""; + $iv = ""; + while (strlen($key) < 30) $key .= mt_rand(); + while (strlen($iv) < 30) $iv .= mt_rand(); + } // save both in cookie setcookie("Key", base64_encode($key), 0, "/"); @@ -113,16 +121,8 @@ function display_LoginPage($config_object,$profile)
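Review bot: The Blowfish fallback derives the key and IV that protect the admin LDAP password in the session file from `mt_rand()`, which is not a cryptographic generator, and concatenating its decimal output yields roughly 3.3 bits of entropy per character, so a 30-character key carries far less than its 240 bits suggest. Reading the bytes from /dev/urandom when it is available and keeping the mt_rand() loop only as a last resort would address this; the MCrypt branch's `mcrypt_create_iv(32, MCRYPT_RAND)` visible in the context has the same weakness and could use MCRYPT_DEV_URANDOM. The cookies are also set without the secure flag, so over a plain-HTTP login the key travels in the clear next to the session cookie; the sixth setcookie() argument can be set when the request is HTTPS. display_LoginPage starts and ends outside the hunk.
```php
// use Blowfish if MCrypt is not available
else {
    // prefer the OS entropy source; mt_rand() is not a cryptographic generator
    $key = "";
    $iv = "";
    $urandom = @fopen("/dev/urandom", "rb");
    if ($urandom) {
        $key = fread($urandom, 32);
        $iv = fread($urandom, 32);
        fclose($urandom);
    }
    // last-resort fallback when no entropy device is available
    while (strlen($key) < 30) $key .= mt_rand();
    while (strlen($iv) < 30) $iv .= mt_rand();
}
```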


- - - 4.3."); } ?>

diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php index 41f01347..9b816ab2 100644 --- a/lam/templates/masscreate.php +++ b/lam/templates/masscreate.php @@ -161,8 +161,6 @@ switch ($select) { echo _('Creating users. Please stand by ....'); echo "\n\n"; // Keys needed to encrypt passwords from session - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); $stay=true; // Stay in loop as long there are still users to create and no error did ocour while (($_SESSION['pointer'] < sizeof($_SESSION['accounts'])) && $stay) { @@ -227,8 +225,7 @@ switch ($select) { $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_profilePath); $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$user', $_SESSION['accounts'][$_SESSION['pointer']]->general_username, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome); $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome = str_replace('$group', $_SESSION['accounts'][$_SESSION['pointer']]->general_group, $_SESSION['accounts'][$_SESSION['pointer']]->smb_smbhome); - $_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode(mcrypt_encrypt( - MCRYPT_RIJNDAEL_256, $key, genpasswd(), MCRYPT_MODE_ECB, $iv)); + $_SESSION['accounts'][$_SESSION['pointer']]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd())); $_SESSION['accounts'][$_SESSION['pointer']]->smb_password = $_SESSION['accounts'][$_SESSION['pointer']]->unix_password; // Only create user if we have at least 5sec time to create the user if ( (time()-$time)<(get_cfg_var('max_execution_time')-10)) { 
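Review bot: The comment `// Keys needed to encrypt passwords from session` in the first masscreate.php hunk now describes the `$iv`/`$key` lines the change removes, so it is stale; the same applies to `// Get keys to en/decrypt passwords` in loadfile() (hunk @@ -474). Either drop both or replace them with `// passwords are encrypted through the session's Ldap object (see ldap.inc)`. Both enclosing blocks start and end outside their hunks.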
@@ -474,8 +471,6 @@ function loadfile() { $profile->quota = array_values($profile->quota); } // Get keys to en/decrypt passwords - $iv = base64_decode($_COOKIE["IV"]); - $key = base64_decode($_COOKIE["Key"]); for ($row=0; $line_array=fgetcsv($handle,2048); $row++) { // loops for every row // Set corrent user to profile @@ -508,8 +503,7 @@ function loadfile() { // Set DN without uid=$username else $_SESSION['accounts'][$row]->general_dn = $_POST['f_general_suffix']; // Create Random Password - $_SESSION['accounts'][$row]->unix_password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, - $key, genpasswd(), MCRYPT_MODE_ECB, $iv)); + $_SESSION['accounts'][$row]->unix_password = base64_encode($_SESSION['ldap']->encrypt(genpasswd())); $_SESSION['accounts'][$row]->smb_password=$_SESSION['accounts'][$row]->unix_password; } }