replaced MCrypt with OpenSSL

This commit is contained in:
Roland Gruber 2017-04-02 19:37:06 +02:00
parent ee2bde16e9
commit e99f8dae36
8 changed files with 42 additions and 35 deletions

View File

@ -145,7 +145,7 @@ require {
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
</programlisting>
@ -180,11 +180,11 @@ semodule -i httpdlocal.pp</programlisting>
<section>
<title>Protection of your LDAP password and directory contents</title>
<para>You have to install the MCrypt extension for PHP to enable
<para>You have to install the OpenSSL extension for PHP to enable
encryption.</para>
<para>Your LDAP password is stored encrypted in the session file. The
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
encrypt the password. All data that was read from LDAP and needs to be
stored in the session file is also encrypted.</para>
</section>
@ -235,11 +235,11 @@ semodule -i httpdlocal.pp</programlisting>
<itemizedlist>
<listitem>
<para>LAM admin password in clear text or MCrypt encrypted</para>
<para>LAM admin password in clear text or OpenSSL encrypted</para>
</listitem>
<listitem>
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
<para>cached LDAP entries in clear text or OpenSSL encrypted</para>
</listitem>
<listitem>
@ -440,4 +440,4 @@ semodule -i httpdlocal.pp</programlisting>
</programlisting>
</section>
</section>
</appendix>
</appendix>

View File

@ -84,7 +84,7 @@
<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
PHP <ulink url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is active. This
adds extra security but also costs performance. If you manage a large
directory you might want to disable this and take other actions to
secure your LAM server.</para>
@ -758,7 +758,7 @@
mysql -u root -p
# create a database
mysql&gt; create database lam_cron;
#
#
mysql&gt; CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
mysql&gt; CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
# grant access for new user

View File

@ -16,7 +16,7 @@
<listitem>
<para>Apache/Nginx webserver (SSL recommended) with PHP module (PHP
(&gt;= 5.4.0) with ldap, gettext, xml, openssl and optional
mcrypt)</para>
OpenSSL)</para>
</listitem>
<listitem>
@ -59,7 +59,7 @@
</listitem>
</itemizedlist>
<para>MCrypt will be used to store your LDAP password encrypted in the
<para>OpenSSL will be used to store your LDAP password encrypted in the
session file.</para>
<para>Please note that LAM does not ship with a selinux policy. Please

View File

@ -161,7 +161,7 @@ $helpArray = array (
"244" => array ("Headline" => _('PHP error reporting'),
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
"245" => array ("Headline" => _('Encrypt session'),
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
"246" => array ("Headline" => _('Number of rules that must match'),
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
"247" => array ("Headline" => _('Password must not contain user name'),

View File

@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
}
// delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) {
if (function_exists('openssl_random_pseudo_bytes')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
}
@ -583,9 +583,9 @@ function setLAMHeaders() {
* @return object encrypted string
*/
function lamEncrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
// use OpenSSL if available
if (function_exists('openssl_random_pseudo_bytes')) {
// OpenSSL may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// encrypt string
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
}
// otherwise do not encrypt
else {
@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
* @return string decrypted string
*/
function lamDecrypt($data, $prefix='') {
// use MCrypt if available
if (function_exists('mcrypt_create_iv')) {
// MCrypt may have been enabled in a running session
// use OpenSSL if available
if (function_exists('openssl_random_pseudo_bytes')) {
// OpenSSL may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// decrypt string
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
$ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
$ret = base64_decode(str_replace(chr(00), "", $ret));
return $ret;
}
@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
}
}
/**
* Returns the encryption algorithm to use.
*
* @return string algorithm name
*/
function lamEncryptionAlgo() {
$possibleAlgos = openssl_get_cipher_methods();
if (in_array('AES-256-CTR', $possibleAlgos)) {
return 'AES-256-CTR';
}
elseif (in_array('AES-256-CBC', $possibleAlgos)) {
return 'AES-256-CBC';
}
return 'AES256';
}
?>

View File

@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
}
// set session encryption
if (function_exists('mcrypt_create_iv')) {
if (function_exists('openssl_random_pseudo_bytes')) {
$encryptSession = 'false';
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
$encryptSession = 'true';
@ -343,7 +343,7 @@ if (isLAMProVersion()) {
}
$encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
$securityTable->addElement($encryptSessionBox, true);
// SSL certificate
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));

View File

@ -178,18 +178,9 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
function display_LoginPage($config_object, $cfgMain, $licenseValidator, $error_message) {
logNewMessage(LOG_DEBUG, "Display login page");
// generate 256 bit key and initialization vector for user/passwd-encryption
// check if we can use /dev/urandom otherwise use rand()
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
if (! $key) {
srand((double)microtime()*1234567);
$key = mcrypt_create_iv(32, MCRYPT_RAND);
}
$iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
if (! $iv) {
srand((double)microtime()*1234567);
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
}
if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
$key = openssl_random_pseudo_bytes(32);
$iv = openssl_random_pseudo_bytes(16);
// save both in cookie
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);

View File

@ -30,7 +30,7 @@ $Id$
// delete key and iv in cookie
if (function_exists('mcrypt_create_iv')) {
if (function_exists('openssl_random_pseudo_bytes')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
}