replaced MCrypt with OpenSSL

lam/docs/manual-sources/appendix-security.xml

@@ -145,7 +145,7 @@ require {
 #============= httpd_t ==============
 
 #!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t.  Change the label to httpd_var_lib_t.
-#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf   
+#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
 #!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
 allow httpd_t var_lib_t:file { setattr write };
 </programlisting>
@@ -180,11 +180,11 @@ semodule -i httpdlocal.pp</programlisting>
     <section>
       <title>Protection of your LDAP password and directory contents</title>
 
-      <para>You have to install the MCrypt extension for PHP to enable
+      <para>You have to install the OpenSSL extension for PHP to enable
       encryption.</para>
 
       <para>Your LDAP password is stored encrypted in the session file. The
-      key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
+      key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
       encrypt the password. All data that was read from LDAP and needs to be
       stored in the session file is also encrypted.</para>
     </section>
@@ -235,11 +235,11 @@ semodule -i httpdlocal.pp</programlisting>
 
         <itemizedlist>
           <listitem>
-            <para>LAM admin password in clear text or MCrypt encrypted</para>
+            <para>LAM admin password in clear text or OpenSSL encrypted</para>
           </listitem>
 
           <listitem>
-            <para>cached LDAP entries in clear text or MCrypt encrypted</para>
+            <para>cached LDAP entries in clear text or OpenSSL encrypted</para>
           </listitem>
 
           <listitem>
@@ -440,4 +440,4 @@ semodule -i httpdlocal.pp</programlisting>
 </programlisting>
       </section>
     </section>
-  </appendix> 
+  </appendix>

lam/docs/manual-sources/chapter-configuration.xml

@@ -84,7 +84,7 @@
 
       <para id="sessionEncryption">Session encryption will encrypt sensitive
       data like passwords in your session files. This is only available when
-      PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
+      PHP <ulink url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is active. This
       adds extra security but also costs performance. If you manage a large
       directory you might want to disable this and take other actions to
       secure your LAM server.</para>
@@ -758,7 +758,7 @@
 mysql -u root -p
 # create a database
 mysql&gt; create database lam_cron;
-# 
+#
 mysql&gt; CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
 mysql&gt; CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
 # grant access for new user

lam/docs/manual-sources/chapter-installation.xml

@@ -16,7 +16,7 @@
         <listitem>
           <para>Apache/Nginx webserver (SSL recommended) with PHP module (PHP
           (&gt;= 5.4.0) with ldap, gettext, xml, openssl and optional
-          mcrypt)</para>
+          OpenSSL)</para>
         </listitem>
 
         <listitem>
@@ -59,7 +59,7 @@
         </listitem>
       </itemizedlist>
 
-      <para>MCrypt will be used to store your LDAP password encrypted in the
+      <para>OpenSSL will be used to store your LDAP password encrypted in the
       session file.</para>
 
       <para>Please note that LAM does not ship with a selinux policy. Please

lam/help/help.inc

@@ -161,7 +161,7 @@ $helpArray = array (
 				"244" => array ("Headline" => _('PHP error reporting'),
 					"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
 				"245" => array ("Headline" => _('Encrypt session'),
-					"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
+					"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
 				"246" => array ("Headline" => _('Number of rules that must match'),
 					"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
 				"247" => array ("Headline" => _('Password must not contain user name'),

lam/lib/security.inc

@@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
 		logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
 	}
 	// delete key and iv in cookie
-	if (function_exists('mcrypt_create_iv')) {
+	if (function_exists('openssl_random_pseudo_bytes')) {
 		setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 		setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 	}
@@ -583,9 +583,9 @@ function setLAMHeaders() {
 * @return object encrypted string
 */
 function lamEncrypt($data, $prefix='') {
-	// use MCrypt if available
-	if (function_exists('mcrypt_create_iv')) {
-		// MCrypt may have been enabled in a running session
+	// use OpenSSL if available
+	if (function_exists('openssl_random_pseudo_bytes')) {
+		// OpenSSL may have been enabled in a running session
 		if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
 		if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
 			return $data;
@@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
 		$iv = base64_decode($_COOKIE[$prefix . "IV"]);
 		$key = base64_decode($_COOKIE[$prefix . "Key"]);
 		// encrypt string
-		return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
+		return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
 	}
 	// otherwise do not encrypt
 	else {
@@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
 * @return string decrypted string
 */
 function lamDecrypt($data, $prefix='') {
-	// use MCrypt if available
-	if (function_exists('mcrypt_create_iv')) {
-		// MCrypt may have been enabled in a running session
+	// use OpenSSL if available
+	if (function_exists('openssl_random_pseudo_bytes')) {
+		// OpenSSL may have been enabled in a running session
 		if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
 		if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
 			return $data;
@@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
 		$iv = base64_decode($_COOKIE[$prefix . "IV"]);
 		$key = base64_decode($_COOKIE[$prefix . "Key"]);
 		// decrypt string
-		$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
+		$ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
 		$ret = base64_decode(str_replace(chr(00), "", $ret));
 		return $ret;
 	}
@@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
 	}
 }
 
+/**
+ * Returns the encryption algorithm to use.
+ *
+ * @return string algorithm name
+ */
+function lamEncryptionAlgo() {
+	$possibleAlgos = openssl_get_cipher_methods();
+	if (in_array('AES-256-CTR', $possibleAlgos)) {
+		return 'AES-256-CTR';
+	}
+	elseif (in_array('AES-256-CBC', $possibleAlgos)) {
+		return 'AES-256-CBC';
+	}
+	return 'AES256';
+}
+
 ?>

lam/templates/config/mainmanage.php

@@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
 		$cfg->allowedHostsSelfService = $allowedHostsSelfService;
 	}
 	// set session encryption
-	if (function_exists('mcrypt_create_iv')) {
+	if (function_exists('openssl_random_pseudo_bytes')) {
 		$encryptSession = 'false';
 		if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
 			$encryptSession = 'true';
@@ -343,7 +343,7 @@ if (isLAMProVersion()) {
 }
 $encryptSession = ($cfg->encryptSession === 'true');
 $encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
-$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
+$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
 $securityTable->addElement($encryptSessionBox, true);
 // SSL certificate
 $securityTable->addElement(new htmlOutputText(_('SSL certificates')));

lam/templates/login.php

@@ -178,18 +178,9 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n		<me
 function display_LoginPage($config_object, $cfgMain, $licenseValidator, $error_message) {
 	logNewMessage(LOG_DEBUG, "Display login page");
 	// generate 256 bit key and initialization vector for user/passwd-encryption
-	// check if we can use /dev/urandom otherwise use rand()
-	if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
-		$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
-		if (! $key) {
-			srand((double)microtime()*1234567);
-			$key = mcrypt_create_iv(32, MCRYPT_RAND);
-		}
-		$iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
-		if (! $iv) {
-			srand((double)microtime()*1234567);
-			$iv = mcrypt_create_iv(32, MCRYPT_RAND);
-		}
+	if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
+		$key = openssl_random_pseudo_bytes(32);
+		$iv = openssl_random_pseudo_bytes(16);
 		// save both in cookie
 		setcookie("Key", base64_encode($key), 0, "/", null, null, true);
 		setcookie("IV", base64_encode($iv), 0, "/", null, null, true);

lam/templates/logout.php

@@ -30,7 +30,7 @@ $Id$
 
 
 // delete key and iv in cookie
-if (function_exists('mcrypt_create_iv')) {
+if (function_exists('openssl_random_pseudo_bytes')) {
 	setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 	setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 }