On Mon, Jul 06, 2020 at 12:05:44PM +0200, Wolfgang Schweer wrote:
> In both encrypt and decrypt cases, the chosen cipher method seems to 
> return 0.

This is the case because the chosen method (aes-256-ecb) doesn't use an 
initialization vector ($iv) at all, causing its length ($ivlen) to be 0, 
see e.g. https://usr.ed48.com/php/ssl/?xf=7

So the encrypt/decrypt implementation seems to have been incorrect before 
as well (PHP 7.4 merely started raising an error for it).

Please check and test the attached changes to 
/usr/share/gosa/include/functions.inc and 
/usr/sbin/gosa-encrypt-passwords; works for me, but my skills in this 
area are limited and this is a quite sensitive issue.

Wolfgang
diff -u a/functions.inc b/functions.inc
--- a/functions.inc	2020-04-20 07:32:48.000000000 +0200
+++ b/functions.inc	2020-07-09 21:09:16.311305601 +0200
@@ -3308,11 +3308,10 @@
 }
 
 
-function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
+function cred_encrypt($input, $password) {
+  $cipher = "aes-256-ecb";
   if (in_array($cipher, openssl_get_cipher_methods())) {
-    $ivlen = openssl_cipher_iv_length($cipher);
-    $iv = openssl_random_pseudo_bytes($ivlen);
-    return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA, $iv));
+    return bin2hex(openssl_encrypt($input, $cipher, $password));
   }
 
   return null;
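Review bot: Dropping OPENSSL_RAW_DATA in `return bin2hex(openssl_encrypt($input, $cipher, $password));` changes the stored format: without that flag openssl_encrypt returns base64 text, which is then hex-encoded, so credentials written by the old code (hex of raw ciphertext) no longer decrypt, and the new cred_decrypt only understands the new layout. Keeping the flag and only dropping the IV, `return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA));`, keeps existing values readable; the same applies to the cred_decrypt hunk below (pass `OPENSSL_RAW_DATA` instead of `$options=0`) and to the copy in gosa-encrypt-passwords. openssl_encrypt returns false on failure and, in non-strict mode, bin2hex(false) yields an empty string, so a `=== false` check before encoding would avoid silently storing an empty credential. Note that aes-256-ecb with the passphrase used directly as the key (openssl zero-pads or truncates it to the key size) is unchanged legacy behaviour rather than a hardening, and any move to an authenticated mode would need a storage-format migration. The function's closing brace lies outside the hunk.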
@@ -3320,9 +3319,7 @@
 
 function cred_decrypt($input, $password, $cipher = "aes-256-ecb") {
   if (in_array($cipher, openssl_get_cipher_methods())) {
-    $ivlen = openssl_cipher_iv_length($cipher);
-    $iv = openssl_random_pseudo_bytes($ivlen);
-    return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, OPENSSL_RAW_DATA, $iv ), "\0\3\4\n");
+    return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, $options=0, ), "\0\3\4\n");
   }
 
   return null;
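Review bot: `$options=0,` in the openssl_decrypt call is an assignment expression used as an argument; it creates a stray local `$options`, and the trailing comma in a call is only valid on PHP 7.3+, so pass a plain value instead: `return rtrim(openssl_decrypt(pack("H*", $input), $cipher, $password, 0), "\0\3\4\n");` (or `OPENSSL_RAW_DATA` if the stored format stays raw). cred_decrypt also still accepts `$cipher` as a parameter while the new cred_encrypt hard-codes it, so the pair can be called with ciphers the encryptor no longer produces; hard-coding it here too, or keeping the parameter on both, would keep them symmetric. The function's closing brace lies outside the hunk.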
diff -u a/gosa-encrypt-passwords b/gosa-encrypt-passwords
--- a/gosa-encrypt-passwords	2020-04-20 07:32:00.000000000 +0200
+++ b/gosa-encrypt-passwords	2020-07-09 21:07:27.143219922 +0200
@@ -1,11 +1,10 @@
 #!/usr/bin/php
 <?php
 
-function cred_encrypt($input, $password, $cipher = "aes-256-ecb") {
+function cred_encrypt($input, $password) {
+  $cipher = "aes-256-ecb";
   if (in_array($cipher, openssl_get_cipher_methods())) {
-    $ivlen = openssl_cipher_iv_length($cipher);
-    $iv = openssl_random_pseudo_bytes($ivlen);
-    return bin2hex(openssl_encrypt($input, $cipher, $password, OPENSSL_RAW_DATA, $iv));
+    return bin2hex(openssl_encrypt($input, $cipher, $password, $options=0, ));
   }
 
   return null;
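Review bot: This copy of cred_encrypt now differs from the one in functions.inc: the call here reads `openssl_encrypt($input, $cipher, $password, $options=0, )` while the functions.inc hunk omits the extra argument, so the two encryptors are no longer guaranteed to agree on the stored format. Duplicated crypto helpers drifting apart is the actual risk here; either make both bodies byte-identical or have the script `require_once` the shared definition from functions.inc (assuming that file can be loaded standalone, which I cannot tell from the hunk). The `$options=0,` assignment-as-argument and trailing comma should go for the same reasons as in cred_decrypt. The function's closing brace lies outside the hunk.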
