[mms] Fix regression in removing CBC cipher mode when encrypting data…

… within a session (Bug #13869).

framework/Core/lib/Horde/Core/Factory/Secret/Cbc.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * @todo  Replace Horde_Core_Factory_Secret with this class.
+ *
+ * @category Horde
+ * @package  Core
+ */
+class Horde_Core_Factory_Secret_Cbc extends Horde_Core_Factory_Injector
+{
+    public function create(Horde_Injector $injector)
+    {
+        global $conf;
+
+        return new Horde_Core_Secret_Cbc(array(
+            'cookie_domain' => $conf['cookie']['domain'],
+            'cookie_path' => $conf['cookie']['path'],
+            'cookie_ssl' => $conf['use_ssl'] == 1,
+            'iv' => $conf['secret_key'],
+            'session_name' => $conf['session']['name']
+        ));
+    }
+}

framework/Core/lib/Horde/Core/Secret/Cbc.php

@@ -0,0 +1,54 @@
+<?php
+/**
+ * Copyright 2015 Horde LLC (http://www.horde.org/)
+ *
+ * See the enclosed file COPYING for license information (LGPL). If you
+ * did not receive this file, see http://www.horde.org/licenses/lgpl21.
+ *
+ * @category  Horde
+ * @copyright 2015 Horde LLC
+ * @license   http://www.horde.org/licenses/lgpl21 LGPL
+ * @package   Core
+ */
+
+/**
+ * Horde_Secret, using single session key, with CBC based Blowfish encryption.
+ *
+ * This is much more secure than the default Horde_Secret algorithm. It should
+ * be used for all Horde_Secret/session encryption, but for BC purposes it
+ * needs to live in a separate class for now.
+ *
+ * Uses the additional parameter 'iv' - the IV used to seed the CBC cipher.
+ *
+ * @todo  Merge this class with Horde_Core_Secret.
+ *
+ * @author    Michael Slusarz <slusarz@horde.org>
+ * @category  Horde
+ * @copyright 2015 Horde LLC
+ * @license   http://www.horde.org/licenses/lgpl21 LGPL
+ * @package   Core
+ * @since     2.20.0
+ */
+class Horde_Core_Secret_Cbc extends Horde_Core_Secret
+{
+    /**
+     */
+    protected function _getCipherOb($key)
+    {
+        global $conf;
+
+        if (!isset($this->_cipherCache[self::HORDE_KEYNAME])) {
+            /* Use more secure CBC mode (rather than ECB). */
+            $this->_cipherCache[self::HORDE_KEYNAME] = new Horde_Crypt_Blowfish(
+                substr($key, 0, 56),
+                array(
+                    'cipher' => 'cbc',
+                    'iv' => $this->_params['iv']
+                )
+            );
+        }
+
+        return $this->_cipherCache[self::HORDE_KEYNAME];
+    }
+
+}

framework/Core/lib/Horde/Registry.php

@@ -432,6 +432,7 @@ public function __construct($session_flags = 0, array $args = array())
             'Horde_Routes_Mapper' => 'Horde_Core_Factory_Mapper',
             'Horde_Routes_Matcher' => 'Horde_Core_Factory_Matcher',
             'Horde_Secret' => 'Horde_Core_Factory_Secret',
+            'Horde_Secret_Cbc' => 'Horde_Core_Factory_Secret_Cbc',
             'Horde_Service_Facebook' => 'Horde_Core_Factory_Facebook',
             'Horde_Service_Twitter' => 'Horde_Core_Factory_Twitter',
             'Horde_Service_UrlShortener' => 'Horde_Core_Factory_UrlShortener',

framework/Core/lib/Horde/Session.php

@@ -277,7 +277,7 @@ public function clean()
         $this->_data = array();
         $this->_start();
 
-        $GLOBALS['injector']->getInstance('Horde_Secret')->setKey();
+        $GLOBALS['injector']->getInstance('Horde_Secret_Cbc')->setKey();
 
         $this->_cleansession = true;
 
@@ -303,7 +303,7 @@ public function destroy()
             session_destroy();
         }
         $this->_cleansession = true;
-        $GLOBALS['injector']->getInstance('Horde_Secret')->clearKey();
+        $GLOBALS['injector']->getInstance('Horde_Secret_Cbc')->clearKey();
     }
 
     /**
@@ -355,7 +355,7 @@ public function get($app, $name, $mask = 0)
             }
 
             if (isset($this->_data[self::ENCRYPTED][$app][$name])) {
-                $secret = $injector->getInstance('Horde_Secret');
+                $secret = $injector->getInstance('Horde_Secret_Cbc');
                 $value = strval($secret->read($secret->getKey(), $value));
             }
 
@@ -427,7 +427,7 @@ public function set($app, $name, $value, $mask = 0)
             $value = $injector->getInstance('Horde_Pack')->pack($value, $opts);
 
             if ($mask & self::ENCRYPT) {
-                $secret = $injector->getInstance('Horde_Secret');
+                $secret = $injector->getInstance('Horde_Secret_Cbc');
                 $value = $secret->write($secret->getKey(), $value);
                 $this->_data[self::ENCRYPTED][$app][$name] = true;
             }

framework/Core/package.xml

@@ -28,18 +28,18 @@
   <email>mrubinsk@horde.org</email>
   <active>yes</active>
  </developer>
- <date>2015-03-04</date>
+ <date>2015-03-06</date>
  <version>
-  <release>2.19.3</release>
-  <api>2.19.0</api>
+  <release>2.20.0</release>
+  <api>2.20.0</api>
  </version>
  <stability>
   <release>stable</release>
   <api>stable</api>
  </stability>
  <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
  <notes>
-* 
+* [mms] Fix regression in removing CBC cipher mode when encrypting data within a session (Bug #13869).
  </notes>
  <contents>
   <dir baseinstalldir="/" name="/">
@@ -407,6 +407,9 @@
        <dir name="Identity">
         <file name="UsernameHook.php" role="php" />
        </dir> <!-- /lib/Horde/Core/Factory/Identity -->
+       <dir name="Secret">
+        <file name="Cbc.php" role="php" />
+       </dir> <!-- /lib/Horde/Core/Factory/Secret -->
        <file name="ActiveSyncBackend.php" role="php" />
        <file name="ActiveSyncServer.php" role="php" />
        <file name="ActiveSyncState.php" role="php" />
@@ -572,6 +575,9 @@
         <file name="Sortable.php" role="php" />
        </dir> <!-- /lib/Horde/Core/Script/Package -->
       </dir> <!-- /lib/Horde/Core/Script -->
+      <dir name="Secret">
+       <file name="Cbc.php" role="php" />
+      </dir> <!-- /lib/Horde/Core/Secret -->
       <dir name="Share">
        <file name="Driver.php" role="php" />
        <file name="FactoryCallback.php" role="php" />
@@ -1880,6 +1886,7 @@
    <install as="Horde/Core/Factory/View.php" name="lib/Horde/Core/Factory/View.php" />
    <install as="Horde/Core/Factory/Weather.php" name="lib/Horde/Core/Factory/Weather.php" />
    <install as="Horde/Core/Factory/Identity/UsernameHook.php" name="lib/Horde/Core/Factory/Identity/UsernameHook.php" />
+   <install as="Horde/Core/Factory/Secret/Cbc.php" name="lib/Horde/Core/Factory/Secret/Cbc.php" />
    <install as="Horde/Core/Group/Ldap.php" name="lib/Horde/Core/Group/Ldap.php" />
    <install as="Horde/Core/HashTable/PersistentSession.php" name="lib/Horde/Core/HashTable/PersistentSession.php" />
    <install as="Horde/Core/HashTable/Vfs.php" name="lib/Horde/Core/HashTable/Vfs.php" />
@@ -1918,6 +1925,7 @@
    <install as="Horde/Core/Script/Package/Keynavlist.php" name="lib/Horde/Core/Script/Package/Keynavlist.php" />
    <install as="Horde/Core/Script/Package/Popup.php" name="lib/Horde/Core/Script/Package/Popup.php" />
    <install as="Horde/Core/Script/Package/Sortable.php" name="lib/Horde/Core/Script/Package/Sortable.php" />
+   <install as="Horde/Core/Secret/Cbc.php" name="lib/Horde/Core/Secret/Cbc.php" />
    <install as="Horde/Core/Share/Driver.php" name="lib/Horde/Core/Share/Driver.php" />
    <install as="Horde/Core/Share/FactoryCallback.php" name="lib/Horde/Core/Share/FactoryCallback.php" />
    <install as="Horde/Core/Smartmobile/Url.php" name="lib/Horde/Core/Smartmobile/Url.php" />
@@ -3854,15 +3862,15 @@
   </release>
   <release>
    <version>
-    <release>2.19.3</release>
-    <api>2.19.0</api></version>
+    <release>2.20.0</release>
+    <api>2.20.0</api></version>
    <stability>
     <release>stable</release>
     <api>stable</api></stability>
-   <date>2015-03-04</date>
+   <date>2015-03-06</date>
    <license uri="http://www.horde.org/licenses/lgpl21">LGPL-2.1</license>
    <notes>
-* 
+* [mms] Fix regression in removing CBC cipher mode when encrypting data within a session (Bug #13869).
    </notes>
   </release>
  </changelog>