diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml
index 68c58673..b5dc35a8 100644
--- a/lam/docs/manual-sources/appendix-security.xml
+++ b/lam/docs/manual-sources/appendix-security.xml
@@ -145,7 +145,7 @@ require {
#============= httpd_t ==============
#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t.
-#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
+#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf
#!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf
allow httpd_t var_lib_t:file { setattr write };
@@ -180,11 +180,11 @@ semodule -i httpdlocal.pp
Protection of your LDAP password and directory contents
- You have to install the MCrypt extension for PHP to enable
+ You have to install the OpenSSL extension for PHP to enable
encryption.
Your LDAP password is stored encrypted in the session file. The
- key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
+ key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
encrypt the password. All data that was read from LDAP and needs to be
stored in the session file is also encrypted.
@@ -235,11 +235,11 @@ semodule -i httpdlocal.pp
- LAM admin password in clear text or MCrypt encrypted
+ LAM admin password in clear text or OpenSSL encrypted
- cached LDAP entries in clear text or MCrypt encrypted
+ cached LDAP entries in clear text or OpenSSL encrypted
@@ -440,4 +440,4 @@ semodule -i httpdlocal.pp
-
+
diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml
index 43015210..5a20dd61 100644
--- a/lam/docs/manual-sources/chapter-configuration.xml
+++ b/lam/docs/manual-sources/chapter-configuration.xml
@@ -84,7 +84,7 @@
Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
- PHP MCrypt is active. This
+ PHP OpenSSL is active. This
adds extra security but also costs performance. If you manage a large
directory you might want to disable this and take other actions to
secure your LAM server.
@@ -758,7 +758,7 @@
mysql -u root -p
# create a database
mysql> create database lam_cron;
-#
+#
mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password';
mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password';
# grant access for new user
diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml
index f783b241..6c5ba4f1 100644
--- a/lam/docs/manual-sources/chapter-installation.xml
+++ b/lam/docs/manual-sources/chapter-installation.xml
@@ -16,7 +16,7 @@
Apache/Nginx webserver (SSL recommended) with PHP module (PHP
(>= 5.4.0) with ldap, gettext, xml, openssl and optional
- mcrypt)
+ OpenSSL)
@@ -59,7 +59,7 @@
- MCrypt will be used to store your LDAP password encrypted in the
+ OpenSSL will be used to store your LDAP password encrypted in the
session file.
Please note that LAM does not ship with a selinux policy. Please
diff --git a/lam/help/help.inc b/lam/help/help.inc
index 6d5340b4..f7547ac4 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -161,7 +161,7 @@ $helpArray = array (
"244" => array ("Headline" => _('PHP error reporting'),
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
"245" => array ("Headline" => _('Encrypt session'),
- "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
+ "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
"246" => array ("Headline" => _('Number of rules that must match'),
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
"247" => array ("Headline" => _('Password must not contain user name'),
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 925098a1..247ab3aa 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
}
// delete key and iv in cookie
- if (function_exists('mcrypt_create_iv')) {
+ if (function_exists('openssl_random_pseudo_bytes')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
}
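Review bot: `function_exists('openssl_random_pseudo_bytes')` is used on the changed line as a proxy for "the OpenSSL extension is loaded", while the code it gates in lamEncrypt()/lamDecrypt() actually needs openssl_encrypt()/openssl_decrypt(); the same proxy is repeated in the lamEncrypt, lamDecrypt, mainmanage.php and logout.php hunks. `extension_loaded('openssl')` states the intent and covers every openssl_* call at once, and a single helper such as `function lamSessionEncryptionAvailable() { return extension_loaded('openssl'); }` next to lamEncryptionAlgo() would keep all six call sites in step. logoffAndBackToLoginPage() starts outside this hunk.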
@@ -583,9 +583,9 @@ function setLAMHeaders() {
* @return object encrypted string
*/
function lamEncrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
+ // use OpenSSL if available
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ // OpenSSL may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
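Review bot: Only the IV cookie is validated before the new OpenSSL path is taken; the Key cookie read a few lines further down is neither checked for presence nor for length, and to my knowledge openssl_encrypt() silently zero-pads a key that is shorter than the cipher requires (at least on PHP 7), so a missing or truncated Key cookie degrades to encryption under a mostly-zero key without any error. Add the counterpart check next to the IV one, e.g. `if (!isset($_COOKIE[$prefix . "Key"]) || (strlen(base64_decode($_COOKIE[$prefix . "Key"], true)) !== 32)) return $data;`, and log via logNewMessage() so the silent plaintext fallback is at least visible. The same applies to the lamDecrypt hunk (`if (!isset($_COOKIE[$prefix . "IV"]) ...`). lamEncrypt() continues beyond this hunk.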
@@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// encrypt string
- return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
+ return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
}
// otherwise do not encrypt
else {
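Review bot: The IV handed to openssl_encrypt() on the changed line is the one login.php stores in the IV cookie once per session, so the same key+IV pair is reused for every lamEncrypt() call in that session (LDAP password, self-service DN, cached entries). With the AES-256-CTR that lamEncryptionAlgo() prefers, a repeated key+IV reuses the keystream — the classic two-time-pad failure — which leaks relationships between every pair of encrypted values and is weaker than the ECB it replaces. Generate a fresh IV per call and store it in front of the ciphertext, and have the lamDecrypt hunk (`$ret = openssl_decrypt(...)`) split it off again before decrypting; the login cookie IV can then serve only as the "encryption enabled" sentinel. The ciphertext is also unauthenticated; an HMAC over IV and ciphertext, keyed from the cookie key, would let lamDecrypt() reject modified session contents. lamEncrypt() begins and ends outside this hunk.
```php
	$key = base64_decode($_COOKIE[$prefix . "Key"]);
	// fresh IV per value: CTR (and CBC) must never see the same key+IV twice
	$algo = lamEncryptionAlgo();
	$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($algo));
	$encrypted = openssl_encrypt(base64_encode($data), $algo, $key, 0, $iv);
	// the IV travels with the ciphertext so lamDecrypt() can recover it
	return base64_encode($iv) . ':' . $encrypted;
```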
@@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
* @return string decrypted string
*/
function lamDecrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
+ // use OpenSSL if available
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ // OpenSSL may have been enabled in a running session
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
return $data;
@@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
$key = base64_decode($_COOKIE[$prefix . "Key"]);
// decrypt string
- $ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
+ $ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
$ret = base64_decode(str_replace(chr(00), "", $ret));
return $ret;
}
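Review bot: openssl_decrypt() on the changed line returns false on a wrong key, bad IV or corrupted input, and the following `str_replace(chr(00), "", $ret)` turns that false into an empty string, so a decryption failure is indistinguishable from an empty value. The NUL stripping was only needed for mcrypt's zero padding and does nothing for OpenSSL output; replace both lines with an explicit check: `if ($ret === false) { logNewMessage(LOG_ERR, 'Session data decryption failed'); return ''; }` followed by `return base64_decode($ret);`. lamDecrypt() starts outside this hunk.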
@@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
}
}
+/**
+ * Returns the encryption algorithm to use.
+ *
+ * @return string algorithm name
+ */
+function lamEncryptionAlgo() {
+ $possibleAlgos = openssl_get_cipher_methods();
+ if (in_array('AES-256-CTR', $possibleAlgos)) {
+ return 'AES-256-CTR';
+ }
+ elseif (in_array('AES-256-CBC', $possibleAlgos)) {
+ return 'AES-256-CBC';
+ }
+ return 'AES256';
+}
+
?>
\ No newline at end of file
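Review bot: The lookups `in_array('AES-256-CTR', $possibleAlgos)` and `in_array('AES-256-CBC', $possibleAlgos)` compare case-sensitively, and openssl_get_cipher_methods() returns lower-case names on some OpenSSL/PHP builds, so lamEncryptionAlgo() can fall through to the hard-coded 'AES256' alias even where AES-256 is available, and that fallback is never checked against the list, so an unusable cipher only surfaces later as a false return from openssl_encrypt(). Normalise case, pass strict true to in_array(), and log when no candidate matched. Preferring CTR over CBC is also only safe once every encryption uses its own IV; with the session-long IV from login.php, CBC degrades more gracefully, so the order below puts CBC first.
```php
function lamEncryptionAlgo() {
	$possibleAlgos = array_map('strtolower', openssl_get_cipher_methods());
	foreach (array('aes-256-cbc', 'aes-256-ctr') as $algo) {
		if (in_array($algo, $possibleAlgos, true)) {
			return $algo;
		}
	}
	logNewMessage(LOG_ERR, 'No supported AES-256 cipher found in OpenSSL, falling back to AES256 alias.');
	return 'AES256';
}
```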
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 89d6e449..d06f4225 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
}
// set session encryption
- if (function_exists('mcrypt_create_iv')) {
+ if (function_exists('openssl_random_pseudo_bytes')) {
$encryptSession = 'false';
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
$encryptSession = 'true';
@@ -343,7 +343,7 @@ if (isLAMProVersion()) {
}
$encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
-$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
+$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
$securityTable->addElement($encryptSessionBox, true);
// SSL certificate
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
diff --git a/lam/templates/login.php b/lam/templates/login.php
index d267fea1..228edd59 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -178,18 +178,9 @@ $_SESSION['header'] .= "\n encryptSession == 'true')) {
- $key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
- if (! $key) {
- srand((double)microtime()*1234567);
- $key = mcrypt_create_iv(32, MCRYPT_RAND);
- }
- $iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
- if (! $iv) {
- srand((double)microtime()*1234567);
- $iv = mcrypt_create_iv(32, MCRYPT_RAND);
- }
+ if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
+ $key = openssl_random_pseudo_bytes(32);
+ $iv = openssl_random_pseudo_bytes(16);
// save both in cookie
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
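Review bot: Neither new openssl_random_pseudo_bytes() call checks its result: on the PHP 5.x/7.0 range this project still supports it can return false or non-cryptographically-strong bytes (reported through its second argument), and base64_encode(false) would then store an empty Key cookie with no error, which is weaker than the mcrypt fallback the hunk removes. The 16-byte IV length is also hard-coded while the cipher is chosen at runtime by lamEncryptionAlgo(); derive it from the cipher with openssl_cipher_iv_length(). The `if(` line's enclosing block continues outside the hunk; logNewMessage() is assumed to be in scope here as it is in security.inc.
```php
if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
	$key = openssl_random_pseudo_bytes(32, $strongKey);
	$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length(lamEncryptionAlgo()), $strongIv);
	if (($key === false) || ($iv === false) || !$strongKey || !$strongIv) {
		logNewMessage(LOG_ERR, 'Unable to generate a cryptographically strong session key.');
		// TODO(review): abort the login here rather than continue with a weak or empty key
	}
	// … unchanged: save both in cookie …
```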
diff --git a/lam/templates/logout.php b/lam/templates/logout.php
index 876b228a..d6da0db1 100644
--- a/lam/templates/logout.php
+++ b/lam/templates/logout.php
@@ -30,7 +30,7 @@ $Id$
// delete key and iv in cookie
-if (function_exists('mcrypt_create_iv')) {
+if (function_exists('openssl_random_pseudo_bytes')) {
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
}