From e99f8dae3638c91a5fe0db7a4bc5e6c0e4162191 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sun, 2 Apr 2017 19:37:06 +0200 Subject: [PATCH] replaced MCrypt with OpenSSL --- lam/docs/manual-sources/appendix-security.xml | 12 +++---- .../manual-sources/chapter-configuration.xml | 4 +-- .../manual-sources/chapter-installation.xml | 4 +-- lam/help/help.inc | 2 +- lam/lib/security.inc | 34 ++++++++++++++----- lam/templates/config/mainmanage.php | 4 +-- lam/templates/login.php | 15 ++------ lam/templates/logout.php | 2 +- 8 files changed, 42 insertions(+), 35 deletions(-) diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml index 68c58673..b5dc35a8 100644 --- a/lam/docs/manual-sources/appendix-security.xml +++ b/lam/docs/manual-sources/appendix-security.xml @@ -145,7 +145,7 @@ require { #============= httpd_t ============== #!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t. Change the label to httpd_var_lib_t. -#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf +#!!!! $ semanage fcontext -a -t httpd_var_lib_t /var/lib/ldap-account-manager/config/lam.conf #!!!! $ restorecon -R -v /var/lib/ldap-account-manager/config/lam.conf allow httpd_t var_lib_t:file { setattr write }; @@ -180,11 +180,11 @@ semodule -i httpdlocal.pp
Protection of your LDAP password and directory contents - You have to install the MCrypt extension for PHP to enable + You have to install the OpenSSL extension for PHP to enable encryption. Your LDAP password is stored encrypted in the session file. The - key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to + key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to encrypt the password. All data that was read from LDAP and needs to be stored in the session file is also encrypted.
@@ -235,11 +235,11 @@ semodule -i httpdlocal.pp - LAM admin password in clear text or MCrypt encrypted + LAM admin password in clear text or OpenSSL encrypted - cached LDAP entries in clear text or MCrypt encrypted + cached LDAP entries in clear text or OpenSSL encrypted @@ -440,4 +440,4 @@ semodule -i httpdlocal.pp - + diff --git a/lam/docs/manual-sources/chapter-configuration.xml b/lam/docs/manual-sources/chapter-configuration.xml index 43015210..5a20dd61 100644 --- a/lam/docs/manual-sources/chapter-configuration.xml +++ b/lam/docs/manual-sources/chapter-configuration.xml @@ -84,7 +84,7 @@ Session encryption will encrypt sensitive data like passwords in your session files. This is only available when - PHP MCrypt is active. This + PHP OpenSSL is active. This adds extra security but also costs performance. If you manage a large directory you might want to disable this and take other actions to secure your LAM server. @@ -758,7 +758,7 @@ mysql -u root -p # create a database mysql> create database lam_cron; -# +# mysql> CREATE USER 'lam_cron'@'%' IDENTIFIED BY 'password'; mysql> CREATE USER 'lam_cron'@'localhost' IDENTIFIED BY 'password'; # grant access for new user diff --git a/lam/docs/manual-sources/chapter-installation.xml b/lam/docs/manual-sources/chapter-installation.xml index f783b241..6c5ba4f1 100644 --- a/lam/docs/manual-sources/chapter-installation.xml +++ b/lam/docs/manual-sources/chapter-installation.xml @@ -16,7 +16,7 @@ Apache/Nginx webserver (SSL recommended) with PHP module (PHP (>= 5.4.0) with ldap, gettext, xml, openssl and optional - mcrypt) + OpenSSL) @@ -59,7 +59,7 @@ - MCrypt will be used to store your LDAP password encrypted in the + OpenSSL will be used to store your LDAP password encrypted in the session file. Please note that LAM does not ship with a selinux policy. Please diff --git a/lam/help/help.inc b/lam/help/help.inc index 6d5340b4..f7547ac4 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc 
@@ -161,7 +161,7 @@ $helpArray = array (
 "244" => array ("Headline" => _('PHP error reporting'),
 "Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
 "245" => array ("Headline" => _('Encrypt session'),
- "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
+ "Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
 "246" => array ("Headline" => _('Number of rules that must match'),
 "Text" => _('Specifies the number of above password rules that must be fulfilled.')),
 "247" => array ("Headline" => _('Password must not contain user name'),
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 925098a1..247ab3aa 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
 logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
 }
 // delete key and iv in cookie
- if (function_exists('mcrypt_create_iv')) {
+ if (function_exists('openssl_random_pseudo_bytes')) {
 setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
 }
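Review bot: The availability probe `function_exists('openssl_random_pseudo_bytes')` in logoffAndBackToLoginPage() is repeated verbatim in lamEncrypt(), lamDecrypt(), mainmanage.php (two places), login.php and logout.php, and this commit had to edit every copy by hand. One helper in security.inc, for example `function isSessionEncryptionAvailable() { return function_exists('openssl_encrypt') && function_exists('openssl_random_pseudo_bytes'); }`, would keep the call sites in step and name the functions the encryption path actually calls. logoffAndBackToLoginPage() starts and ends outside this hunk.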
@@ -583,9 +583,9 @@ function setLAMHeaders() {
 * @return object encrypted string
 */
 function lamEncrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
+ // use OpenSSL if available
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ // OpenSSL may have been enabled in a running session
 if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
 if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
 return $data;
@@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
 $iv = base64_decode($_COOKIE[$prefix . "IV"]);
 $key = base64_decode($_COOKIE[$prefix . "Key"]);
 // encrypt string
- return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
+ return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
 }
 // otherwise do not encrypt
 else {
@@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
 * @return string decrypted string
 */
 function lamDecrypt($data, $prefix='') {
- // use MCrypt if available
- if (function_exists('mcrypt_create_iv')) {
- // MCrypt may have been enabled in a running session
+ // use OpenSSL if available
+ if (function_exists('openssl_random_pseudo_bytes')) {
+ // OpenSSL may have been enabled in a running session
 if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
 if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
 return $data;
@@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
 $iv = base64_decode($_COOKIE[$prefix . "IV"]);
 $key = base64_decode($_COOKIE[$prefix . "Key"]);
 // decrypt string
- $ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
+ $ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
 $ret = base64_decode(str_replace(chr(00), "", $ret));
 return $ret;
 }
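Review bot: The `$iv` passed to `openssl_encrypt()` in lamEncrypt() (hunk at -594) is the cookie value that login.php writes once per login, so every value stored in the session is encrypted under the same key and IV. With AES-256-CTR, which lamEncryptionAlgo() prefers, a repeated key/IV pair repeats the keystream, so two ciphertexts from the session file expose the XOR of their plaintexts without the cookie; with CBC, equal leading plaintext still gives equal leading ciphertext. A fresh IV per call, stored in front of the ciphertext and split off again in lamDecrypt() (hunk at -621), removes this. Neither mode detects modification, so an HMAC over IV and ciphertext would be a sensible addition in the same change. Both functions start and end outside their hunks.

```php
		$key = base64_decode($_COOKIE[$prefix . "Key"]);
		// fresh IV for every value, stored in front of the ciphertext
		$algo = lamEncryptionAlgo();
		$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($algo));
		$cipherText = openssl_encrypt(base64_encode($data), $algo, $key, OPENSSL_RAW_DATA, $iv);
		return base64_encode($iv . $cipherText);

// … unchanged: "otherwise do not encrypt" branch, lamDecrypt() cookie checks …

		// lamDecrypt(): split the stored IV off before decrypting
		$algo = lamEncryptionAlgo();
		$ivLength = openssl_cipher_iv_length($algo);
		$raw = base64_decode($data);
		$ret = openssl_decrypt(substr($raw, $ivLength), $algo, $key, OPENSSL_RAW_DATA, substr($raw, 0, $ivLength));
```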
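Review bot: `openssl_decrypt()` returns `false` when the input cannot be decrypted, and in lamDecrypt() (hunk at -621) that value goes straight into `str_replace()` and `base64_decode()`, so a damaged session value or a replaced cookie silently comes back as an empty string. Checking the result first, for example `if ($ret === false) { logNewMessage(LOG_ERR, 'Decryption of session data failed.'); return ''; }`, keeps the current return value while leaving a trace in the log; what callers should receive on failure is not visible here. The `str_replace(chr(00), "", $ret)` on the following context line stripped mcrypt's zero padding and looks redundant with OpenSSL, so it could be dropped in the same step.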
@@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
 }
 }
 
+/**
+ * Returns the encryption algorithm to use.
+ *
+ * @return string algorithm name
+ */
+function lamEncryptionAlgo() {
+ $possibleAlgos = openssl_get_cipher_methods();
+ if (in_array('AES-256-CTR', $possibleAlgos)) {
+ return 'AES-256-CTR';
+ }
+ elseif (in_array('AES-256-CBC', $possibleAlgos)) {
+ return 'AES-256-CBC';
+ }
+ return 'AES256';
+}
+
 ?>
\ No newline at end of file
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index 89d6e449..d06f4225 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
 $cfg->allowedHostsSelfService = $allowedHostsSelfService;
 }
 // set session encryption
- if (function_exists('mcrypt_create_iv')) {
+ if (function_exists('openssl_random_pseudo_bytes')) {
 $encryptSession = 'false';
 if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
 $encryptSession = 'true';
@@ -343,7 +343,7 @@ if (isLAMProVersion()) {
 }
 $encryptSession = ($cfg->encryptSession === 'true');
 $encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
-$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
+$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
 $securityTable->addElement($encryptSessionBox, true);
 // SSL certificate
 $securityTable->addElement(new htmlOutputText(_('SSL certificates')));
diff --git a/lam/templates/login.php b/lam/templates/login.php
index d267fea1..228edd59 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
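Review bot: lamEncryptionAlgo() looks for upper-case names in `openssl_get_cipher_methods()`, but the spelling of that list depends on the OpenSSL build (some report lower-case names such as `aes-256-ctr`). Both lookups can therefore miss, and the function then returns `'AES256'` without checking that the alias exists or telling anyone that the preferred modes were skipped. Comparing case-insensitively with strict `in_array`, logging the fallback, and caching the result in a `static` would make the choice predictable. The caching matters because the function runs on every lamEncrypt()/lamDecrypt() call.

```php
function lamEncryptionAlgo() {
	static $algo = null;
	if ($algo !== null) {
		return $algo;
	}
	// cipher names are reported in lower case by some OpenSSL builds
	$possibleAlgos = array_map('strtolower', openssl_get_cipher_methods());
	foreach (array('aes-256-ctr', 'aes-256-cbc') as $candidate) {
		if (in_array($candidate, $possibleAlgos, true)) {
			$algo = $candidate;
			return $algo;
		}
	}
	logNewMessage(LOG_WARNING, 'OpenSSL reports neither AES-256-CTR nor AES-256-CBC, falling back to AES256.');
	$algo = 'AES256';
	return $algo;
}
```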
@@ -178,18 +178,9 @@ $_SESSION['header'] .= "\n encryptSession == 'true')) { - $key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); - if (! $key) { - srand((double)microtime()*1234567); - $key = mcrypt_create_iv(32, MCRYPT_RAND); - } - $iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM); - if (! $iv) { - srand((double)microtime()*1234567); - $iv = mcrypt_create_iv(32, MCRYPT_RAND); - } + if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) { + $key = openssl_random_pseudo_bytes(32); + $iv = openssl_random_pseudo_bytes(16); // save both in cookie setcookie("Key", base64_encode($key), 0, "/", null, null, true); setcookie("IV", base64_encode($iv), 0, "/", null, null, true); diff --git a/lam/templates/logout.php b/lam/templates/logout.php index 876b228a..d6da0db1 100644 --- a/lam/templates/logout.php +++ b/lam/templates/logout.php @@ -30,7 +30,7 @@ $Id$ // delete key and iv in cookie -if (function_exists('mcrypt_create_iv')) { +if (function_exists('openssl_random_pseudo_bytes')) { setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true); setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true); }
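Review bot: The two `openssl_random_pseudo_bytes()` results in login.php go into the Key and IV cookies unchecked. The call can return `false`, and its second by-reference argument reports whether a cryptographically strong source was used; the new lines look at neither. Capture and test both, e.g. `$key = openssl_random_pseudo_bytes(32, $keyStrong);` followed by `if (($key === false) || !$keyStrong) { /* log and do not start an encrypted session */ }`, and the same for `$iv`. The `setcookie()` context lines pass `null` for the secure flag, so the key cookie is also sent over plain HTTP if LAM is reachable without TLS. The first line of this hunk is damaged on the page and the enclosing block continues outside it.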