replaced MCrypt with OpenSSL
This commit is contained in:
parent
ee2bde16e9
commit
e99f8dae36
|
@ -180,11 +180,11 @@ semodule -i httpdlocal.pp</programlisting>
|
||||||
<section>
|
<section>
|
||||||
<title>Protection of your LDAP password and directory contents</title>
|
<title>Protection of your LDAP password and directory contents</title>
|
||||||
|
|
||||||
<para>You have to install the MCrypt extension for PHP to enable
|
<para>You have to install the OpenSSL extension for PHP to enable
|
||||||
encryption.</para>
|
encryption.</para>
|
||||||
|
|
||||||
<para>Your LDAP password is stored encrypted in the session file. The
|
<para>Your LDAP password is stored encrypted in the session file. The
|
||||||
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
|
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
|
||||||
encrypt the password. All data that was read from LDAP and needs to be
|
encrypt the password. All data that was read from LDAP and needs to be
|
||||||
stored in the session file is also encrypted.</para>
|
stored in the session file is also encrypted.</para>
|
||||||
</section>
|
</section>
|
||||||
|
@ -235,11 +235,11 @@ semodule -i httpdlocal.pp</programlisting>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>LAM admin password in clear text or MCrypt encrypted</para>
|
<para>LAM admin password in clear text or OpenSSL encrypted</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
|
<para>cached LDAP entries in clear text or OpenSSL encrypted</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|
|
@ -84,7 +84,7 @@
|
||||||
|
|
||||||
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||||
data like passwords in your session files. This is only available when
|
data like passwords in your session files. This is only available when
|
||||||
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
|
PHP <ulink url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is active. This
|
||||||
adds extra security but also costs performance. If you manage a large
|
adds extra security but also costs performance. If you manage a large
|
||||||
directory you might want to disable this and take other actions to
|
directory you might want to disable this and take other actions to
|
||||||
secure your LAM server.</para>
|
secure your LAM server.</para>
|
||||||
|
|
|
@ -16,7 +16,7 @@
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Apache/Nginx webserver (SSL recommended) with PHP module (PHP
|
<para>Apache/Nginx webserver (SSL recommended) with PHP module (PHP
|
||||||
(>= 5.4.0) with ldap, gettext, xml, openssl and optional
|
(>= 5.4.0) with ldap, gettext, xml, openssl and optional
|
||||||
mcrypt)</para>
|
OpenSSL)</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>MCrypt will be used to store your LDAP password encrypted in the
|
<para>OpenSSL will be used to store your LDAP password encrypted in the
|
||||||
session file.</para>
|
session file.</para>
|
||||||
|
|
||||||
<para>Please note that LAM does not ship with a selinux policy. Please
|
<para>Please note that LAM does not ship with a selinux policy. Please
|
||||||
|
|
|
@ -161,7 +161,7 @@ $helpArray = array (
|
||||||
"244" => array ("Headline" => _('PHP error reporting'),
|
"244" => array ("Headline" => _('PHP error reporting'),
|
||||||
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
||||||
"245" => array ("Headline" => _('Encrypt session'),
|
"245" => array ("Headline" => _('Encrypt session'),
|
||||||
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
|
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
|
||||||
"246" => array ("Headline" => _('Number of rules that must match'),
|
"246" => array ("Headline" => _('Number of rules that must match'),
|
||||||
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
|
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
|
||||||
"247" => array ("Headline" => _('Password must not contain user name'),
|
"247" => array ("Headline" => _('Password must not contain user name'),
|
||||||
|
|
|
@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
|
||||||
logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
|
logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
|
||||||
}
|
}
|
||||||
// delete key and iv in cookie
|
// delete key and iv in cookie
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||||
}
|
}
|
||||||
|
@ -583,9 +583,9 @@ function setLAMHeaders() {
|
||||||
* @return object encrypted string
|
* @return object encrypted string
|
||||||
*/
|
*/
|
||||||
function lamEncrypt($data, $prefix='') {
|
function lamEncrypt($data, $prefix='') {
|
||||||
// use MCrypt if available
|
// use OpenSSL if available
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||||
// MCrypt may have been enabled in a running session
|
// OpenSSL may have been enabled in a running session
|
||||||
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
||||||
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
||||||
return $data;
|
return $data;
|
||||||
|
@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
|
||||||
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
||||||
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
||||||
// encrypt string
|
// encrypt string
|
||||||
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
|
return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
|
||||||
}
|
}
|
||||||
// otherwise do not encrypt
|
// otherwise do not encrypt
|
||||||
else {
|
else {
|
||||||
|
@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
|
||||||
* @return string decrypted string
|
* @return string decrypted string
|
||||||
*/
|
*/
|
||||||
function lamDecrypt($data, $prefix='') {
|
function lamDecrypt($data, $prefix='') {
|
||||||
// use MCrypt if available
|
// use OpenSSL if available
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||||
// MCrypt may have been enabled in a running session
|
// OpenSSL may have been enabled in a running session
|
||||||
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
||||||
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
||||||
return $data;
|
return $data;
|
||||||
|
@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
|
||||||
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
||||||
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
||||||
// decrypt string
|
// decrypt string
|
||||||
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
$ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
|
||||||
$ret = base64_decode(str_replace(chr(00), "", $ret));
|
$ret = base64_decode(str_replace(chr(00), "", $ret));
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the encryption algorithm to use.
|
||||||
|
*
|
||||||
|
* @return string algorithm name
|
||||||
|
*/
|
||||||
|
function lamEncryptionAlgo() {
|
||||||
|
$possibleAlgos = openssl_get_cipher_methods();
|
||||||
|
if (in_array('AES-256-CTR', $possibleAlgos)) {
|
||||||
|
return 'AES-256-CTR';
|
||||||
|
}
|
||||||
|
elseif (in_array('AES-256-CBC', $possibleAlgos)) {
|
||||||
|
return 'AES-256-CBC';
|
||||||
|
}
|
||||||
|
return 'AES256';
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
|
@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
|
||||||
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
|
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
|
||||||
}
|
}
|
||||||
// set session encryption
|
// set session encryption
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||||
$encryptSession = 'false';
|
$encryptSession = 'false';
|
||||||
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
|
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
|
||||||
$encryptSession = 'true';
|
$encryptSession = 'true';
|
||||||
|
@ -343,7 +343,7 @@ if (isLAMProVersion()) {
|
||||||
}
|
}
|
||||||
$encryptSession = ($cfg->encryptSession === 'true');
|
$encryptSession = ($cfg->encryptSession === 'true');
|
||||||
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
||||||
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
|
$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
|
||||||
$securityTable->addElement($encryptSessionBox, true);
|
$securityTable->addElement($encryptSessionBox, true);
|
||||||
// SSL certificate
|
// SSL certificate
|
||||||
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
||||||
|
|
|
@ -178,18 +178,9 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
|
||||||
function display_LoginPage($config_object, $cfgMain, $licenseValidator, $error_message) {
|
function display_LoginPage($config_object, $cfgMain, $licenseValidator, $error_message) {
|
||||||
logNewMessage(LOG_DEBUG, "Display login page");
|
logNewMessage(LOG_DEBUG, "Display login page");
|
||||||
// generate 256 bit key and initialization vector for user/passwd-encryption
|
// generate 256 bit key and initialization vector for user/passwd-encryption
|
||||||
// check if we can use /dev/urandom otherwise use rand()
|
if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
|
||||||
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
|
$key = openssl_random_pseudo_bytes(32);
|
||||||
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
$iv = openssl_random_pseudo_bytes(16);
|
||||||
if (! $key) {
|
|
||||||
srand((double)microtime()*1234567);
|
|
||||||
$key = mcrypt_create_iv(32, MCRYPT_RAND);
|
|
||||||
}
|
|
||||||
$iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
|
||||||
if (! $iv) {
|
|
||||||
srand((double)microtime()*1234567);
|
|
||||||
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
|
||||||
}
|
|
||||||
// save both in cookie
|
// save both in cookie
|
||||||
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
|
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
|
||||||
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
|
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
|
||||||
|
|
|
@ -30,7 +30,7 @@ $Id$
|
||||||
|
|
||||||
|
|
||||||
// delete key and iv in cookie
|
// delete key and iv in cookie
|
||||||
if (function_exists('mcrypt_create_iv')) {
|
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue