replaced MCrypt with OpenSSL
This commit is contained in:
Roland Gruber
parent
ee2bde16e9
commit
e99f8dae36
|
|
@ -180,11 +180,11 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
<section>
|
||||
<title>Protection of your LDAP password and directory contents</title>
|
||||
|
||||
<para>You have to install the MCrypt extension for PHP to enable
|
||||
<para>You have to install the OpenSSL extension for PHP to enable
|
||||
encryption.</para>
|
||||
|
||||
<para>Your LDAP password is stored encrypted in the session file. The
|
||||
key and IV to decrypt it are stored in two cookies. We use MCrypt/AES to
|
||||
key and IV to decrypt it are stored in two cookies. We use OpenSSL/AES to
|
||||
encrypt the password. All data that was read from LDAP and needs to be
|
||||
stored in the session file is also encrypted.</para>
|
||||
</section>
|
||||
|
|
@ -235,11 +235,11 @@ semodule -i httpdlocal.pp</programlisting>
|
|||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>LAM admin password in clear text or MCrypt encrypted</para>
|
||||
<para>LAM admin password in clear text or OpenSSL encrypted</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cached LDAP entries in clear text or MCrypt encrypted</para>
|
||||
<para>cached LDAP entries in clear text or OpenSSL encrypted</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@
|
|||
|
||||
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||
data like passwords in your session files. This is only available when
|
||||
PHP <ulink url="http://php.net/mcrypt">MCrypt</ulink> is active. This
|
||||
PHP <ulink url="http://php.net/manual/en/book.openssl.php">OpenSSL</ulink> is active. This
|
||||
adds extra security but also costs performance. If you manage a large
|
||||
directory you might want to disable this and take other actions to
|
||||
secure your LAM server.</para>
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@
|
|||
<listitem>
|
||||
<para>Apache/Nginx webserver (SSL recommended) with PHP module (PHP
|
||||
(>= 5.4.0) with ldap, gettext, xml, openssl and optional
|
||||
mcrypt)</para>
|
||||
OpenSSL)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
|
@ -59,7 +59,7 @@
|
|||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>MCrypt will be used to store your LDAP password encrypted in the
|
||||
<para>OpenSSL will be used to store your LDAP password encrypted in the
|
||||
session file.</para>
|
||||
|
||||
<para>Please note that LAM does not ship with a selinux policy. Please
|
||||
|
|
|
|||
|
|
@ -161,7 +161,7 @@ $helpArray = array (
|
|||
"244" => array ("Headline" => _('PHP error reporting'),
|
||||
"Text" => _('Defines if the PHP error reporting setting from php.ini is used or the setting preferred by LAM ("E_ALL & ~E_NOTICE"). If you do not develop LAM modules please use the default. This will prevent displaying messages that are useful only for developers.')),
|
||||
"245" => array ("Headline" => _('Encrypt session'),
|
||||
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP MCrypt extension.')),
|
||||
"Text" => _('Encrypts sensitive data like passwords in your session. This requires the PHP OpenSSL extension.')),
|
||||
"246" => array ("Headline" => _('Number of rules that must match'),
|
||||
"Text" => _('Specifies the number of above password rules that must be fulfilled.')),
|
||||
"247" => array ("Headline" => _('Password must not contain user name'),
|
||||
|
|
|
|||
|
|
@ -163,7 +163,7 @@ function logoffAndBackToLoginPage() {
|
|||
logNewMessage(LOG_WARNING, 'Self service session of DN ' . lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService') . ' expired.');
|
||||
}
|
||||
// delete key and iv in cookie
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
}
|
||||
|
|
@ -583,9 +583,9 @@ function setLAMHeaders() {
|
|||
* @return object encrypted string
|
||||
*/
|
||||
function lamEncrypt($data, $prefix='') {
|
||||
// use MCrypt if available
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
// MCrypt may have been enabled in a running session
|
||||
// use OpenSSL if available
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
// OpenSSL may have been enabled in a running session
|
||||
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
||||
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
||||
return $data;
|
||||
|
|
@ -594,7 +594,7 @@ function lamEncrypt($data, $prefix='') {
|
|||
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
||||
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
||||
// encrypt string
|
||||
return mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, base64_encode($data), MCRYPT_MODE_ECB, $iv);
|
||||
return openssl_encrypt(base64_encode($data), lamEncryptionAlgo(), $key, 0, $iv);
|
||||
}
|
||||
// otherwise do not encrypt
|
||||
else {
|
||||
|
|
@ -610,9 +610,9 @@ function lamEncrypt($data, $prefix='') {
|
|||
* @return string decrypted string
|
||||
*/
|
||||
function lamDecrypt($data, $prefix='') {
|
||||
// use MCrypt if available
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
// MCrypt may have been enabled in a running session
|
||||
// use OpenSSL if available
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
// OpenSSL may have been enabled in a running session
|
||||
if (!isset($_COOKIE[$prefix . "IV"]) || ($_COOKIE[$prefix . "IV"] == '')) return $data;
|
||||
if ($_COOKIE[$prefix . "IV"] == "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx") {
|
||||
return $data;
|
||||
|
|
@ -621,7 +621,7 @@ function lamDecrypt($data, $prefix='') {
|
|||
$iv = base64_decode($_COOKIE[$prefix . "IV"]);
|
||||
$key = base64_decode($_COOKIE[$prefix . "Key"]);
|
||||
// decrypt string
|
||||
$ret = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
|
||||
$ret = openssl_decrypt($data, lamEncryptionAlgo(), $key, 0, $iv);
|
||||
$ret = base64_decode(str_replace(chr(00), "", $ret));
|
||||
return $ret;
|
||||
}
|
||||
|
|
@ -631,4 +631,20 @@ function lamDecrypt($data, $prefix='') {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the encryption algorithm to use.
|
||||
*
|
||||
* @return string algorithm name
|
||||
*/
|
||||
function lamEncryptionAlgo() {
|
||||
$possibleAlgos = openssl_get_cipher_methods();
|
||||
if (in_array('AES-256-CTR', $possibleAlgos)) {
|
||||
return 'AES-256-CTR';
|
||||
}
|
||||
elseif (in_array('AES-256-CBC', $possibleAlgos)) {
|
||||
return 'AES-256-CBC';
|
||||
}
|
||||
return 'AES256';
|
||||
}
|
||||
|
||||
?>
|
||||
|
|
@ -159,7 +159,7 @@ if (isset($_POST['submitFormData'])) {
|
|||
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
|
||||
}
|
||||
// set session encryption
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
$encryptSession = 'false';
|
||||
if (isset($_POST['encryptSession']) && ($_POST['encryptSession'] == 'on')) {
|
||||
$encryptSession = 'true';
|
||||
|
|
@ -343,7 +343,7 @@ if (isLAMProVersion()) {
|
|||
}
|
||||
$encryptSession = ($cfg->encryptSession === 'true');
|
||||
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
||||
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
|
||||
$encryptSessionBox->setIsEnabled(function_exists('openssl_random_pseudo_bytes'));
|
||||
$securityTable->addElement($encryptSessionBox, true);
|
||||
// SSL certificate
|
||||
$securityTable->addElement(new htmlOutputText(_('SSL certificates')));
|
||||
|
|
|
|||
|
|
@ -178,18 +178,9 @@ $_SESSION['header'] .= "<meta http-equiv=\"pragma\" content=\"no-cache\">\n <me
|
|||
function display_LoginPage($config_object, $cfgMain, $licenseValidator, $error_message) {
|
||||
logNewMessage(LOG_DEBUG, "Display login page");
|
||||
// generate 256 bit key and initialization vector for user/passwd-encryption
|
||||
// check if we can use /dev/urandom otherwise use rand()
|
||||
if(function_exists('mcrypt_create_iv') && ($cfgMain->encryptSession == 'true')) {
|
||||
$key = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
||||
if (! $key) {
|
||||
srand((double)microtime()*1234567);
|
||||
$key = mcrypt_create_iv(32, MCRYPT_RAND);
|
||||
}
|
||||
$iv = @mcrypt_create_iv(32, MCRYPT_DEV_URANDOM);
|
||||
if (! $iv) {
|
||||
srand((double)microtime()*1234567);
|
||||
$iv = mcrypt_create_iv(32, MCRYPT_RAND);
|
||||
}
|
||||
if(function_exists('openssl_random_pseudo_bytes') && ($cfgMain->encryptSession == 'true')) {
|
||||
$key = openssl_random_pseudo_bytes(32);
|
||||
$iv = openssl_random_pseudo_bytes(16);
|
||||
// save both in cookie
|
||||
setcookie("Key", base64_encode($key), 0, "/", null, null, true);
|
||||
setcookie("IV", base64_encode($iv), 0, "/", null, null, true);
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ $Id$
|
|||
|
||||
|
||||
// delete key and iv in cookie
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
if (function_exists('openssl_random_pseudo_bytes')) {
|
||||
setcookie("Key", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
setcookie("IV", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", 0, "/", null, null, true);
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue