Crypt passwords in DB

fixed #2252
glpi-project · Oct 26, 2010 · 60732c5 · 60732c5
1 parent b236a88
commit 60732c5
Show file tree

Hide file tree

Showing 10 changed files with 153 additions and 23 deletions.
diff --git a/config/define.php b/config/define.php
@@ -77,6 +77,10 @@
 
 define("NOT_AVAILABLE",'N/A');
 
+// key used to crypt passwords in DB for external access : proxy / smtp / ldap /  mailcollectors
+// This key is not used to crypt user's passwords
+// If you hav to define passwords again
+define("GLPIKEY","GLPI£i'snarss'ç");
 
 // TIMES
 define("MINUTE_TIMESTAMP",60);

diff --git a/front/notificationmailsetting.form.php b/front/notificationmailsetting.form.php
@@ -42,7 +42,6 @@
 if (!empty($_POST["test_smtp_send"])) {
    NotificationMail::testNotification();
    glpi_header($_SERVER['HTTP_REFERER']);
-
 } else if (!empty($_POST["update"])) {
    $config = new Config;
    $config->update($_POST);

diff --git a/inc/auth.class.php b/inc/auth.class.php
@@ -542,7 +542,7 @@ function Login($login_name, $login_password, $noauto=false) {
                   $ds = AuthLdap::connectToServer($ldap_method["host"],
                                                   $ldap_method["port"],
                                                   $ldap_method["rootdn"],
-                                                  $ldap_method["rootdn_password"],
+                                                  decrypt($ldap_method["rootdn_password"],GLPIKEY),
                                                   $ldap_method["use_tls"],
                                                   $ldap_method["deref_option"]);
 

diff --git a/inc/authldap.class.php b/inc/authldap.class.php
@@ -138,8 +138,12 @@ function preconfig($type) {
 
    function prepareInputForUpdate($input) {
 
-      if (isset($input["rootdn_password"]) && empty($input["rootdn_password"])) {
-         unset($input["rootdn_password"]);
+      if (isset($input["rootdn_password"])) {
+         if (empty($input["rootdn_password"])) {
+            unset($input["rootdn_password"]);
+         } else {
+            $input["rootdn_password"]=encrypt($input["rootdn_password"],GLPIKEY);
+         }
       }
 
       // Set attributes in lower case
@@ -855,7 +859,7 @@ static function testLDAPConnection($auths_id, $replicate_id=-1) {
          $port = $config_ldap->fields['port'];
       }
       $ds = AuthLdap::connectToServer($host, $port, $config_ldap->fields['rootdn'],
-                                      $config_ldap->fields['rootdn_password'],
+                                      decrypt($config_ldap->fields['rootdn_password'],GLPIKEY),
                                       $config_ldap->fields['use_tls'],
                                       $config_ldap->fields['deref_option']);
       if ($ds) {
@@ -1030,7 +1034,7 @@ static function getAllUsers($options = array(), &$results, &$limitexceeded) {
       }
       $ds = AuthLdap::connectToServer($config_ldap->fields['host'], $config_ldap->fields['port'],
                                       $config_ldap->fields['rootdn'],
-                                      $config_ldap->fields['rootdn_password'],
+                                      decrypt($config_ldap->fields['rootdn_password'],GLPIKEY),
                                       $config_ldap->fields['use_tls'],
                                       $config_ldap->fields['deref_option']);
       if ($ds) {
@@ -1278,7 +1282,7 @@ static function getAllGroups($auths_id, $filter, $filter2, $entity, $order='DESC
 
       $ds = AuthLdap::connectToServer($config_ldap->fields['host'], $config_ldap->fields['port'],
                                       $config_ldap->fields['rootdn'],
-                                      $config_ldap->fields['rootdn_password'],
+                                      decrypt($config_ldap->fields['rootdn_password'],GLPIKEY),
                                       $config_ldap->fields['use_tls'],
                                       $config_ldap->fields['deref_option']);
       if ($ds) {
@@ -1498,7 +1502,7 @@ static function ldapImportUserByServerId($params=array(), $action, $ldap_server,
       } else {
          $ds = AuthLdap::connectToServer($config_ldap->fields['host'], $config_ldap->fields['port'],
                                          $config_ldap->fields['rootdn'],
-                                         $config_ldap->fields['rootdn_password'],
+                                         decrypt($config_ldap->fields['rootdn_password'],GLPIKEY),
                                          $config_ldap->fields['use_tls'],
                                          $config_ldap->fields['deref_option']);
       }
@@ -1598,7 +1602,7 @@ static function ldapImportGroup ($group_dn, $options=array()) {
       //Connect to the directory
       $ds = AuthLdap::connectToServer($config_ldap->fields['host'], $config_ldap->fields['port'],
                                       $config_ldap->fields['rootdn'],
-                                      $config_ldap->fields['rootdn_password'],
+                                      decrypt($config_ldap->fields['rootdn_password'],GLPIKEY),
                                       $config_ldap->fields['use_tls'],
                                       $config_ldap->fields['deref_option']);
       if ($ds) {
@@ -1672,7 +1676,8 @@ static function connectToServer($host, $port, $login = "", $password = "", $use_
    static function tryToConnectToServer($ldap_method, $login, $password) {
 
       $ds = AuthLdap::connectToServer($ldap_method['host'], $ldap_method['port'],
-                                      $ldap_method['rootdn'], $ldap_method['rootdn_password'],
+                                      $ldap_method['rootdn'],
+                                      decrypt($ldap_method['rootdn_password'],GLPIKEY),
                                       $ldap_method['use_tls'], $ldap_method['deref_option']);
 
       // Test with login and password of the user if exists
@@ -1686,7 +1691,8 @@ static function tryToConnectToServer($ldap_method, $login, $password) {
       if (!$ds && $ldap_method['id']>0) {
          foreach (getAllReplicateForAMaster($ldap_method['id']) as $replicate) {
             $ds = AuthLdap::connectToServer($replicate["host"], $replicate["port"],
-                                            $ldap_method['rootdn'], $ldap_method['rootdn_password'],
+                                            $ldap_method['rootdn'],
+                                            decrypt($ldap_method['rootdn_password'],GLPIKEY),
                                             $ldap_method['use_tls'], $ldap_method['deref_option']);
 
             // Test with login and password of the user
@@ -2298,7 +2304,7 @@ static function searchUser(AuthLDAP $authldap) {
 
       if (AuthLdap::connectToServer($authldap->getField('host'), $authldap->getField('port'),
                                     $authldap->getField('rootdn'),
-                                    $authldap->getField('rootdn_password'),
+                                    decrypt($authldap->getField('rootdn_password'),GLPIKEY),
                                     $authldap->getField('use_tls'),
                                     $authldap->getField('deref_option'))) {
          AuthLdap::showLdapUsers();

diff --git a/inc/common.function.php b/inc/common.function.php
@@ -1627,7 +1627,7 @@ function getURLContent ($url, &$msgerr=NULL, $rec=0) {
          $request .= "Host: ".$taburl["host"]."\r\n";
          if (!empty($CFG_GLPI["proxy_user"])) {
             $request .= "Proxy-Authorization: Basic " . base64_encode ($CFG_GLPI["proxy_user"].":".
-                        $CFG_GLPI["proxy_password"]) . "\r\n";
+                        decrypt($CFG_GLPI["proxy_password"],GLPIKEY)) . "\r\n";
          }
 
       } else {
@@ -2321,6 +2321,10 @@ function sylk_clean($value) {
 
 /**
  * Clean all parameters of an URL. Get a clean URL
+ *
+ * @param $url string URL
+ *
+ * @return clean URL
 **/
 function cleanParametersURL($url) {
 
@@ -2332,6 +2336,10 @@ function cleanParametersURL($url) {
 /**
  * Manage planning posted datas (must have begin + duration or end)
  * Compute end if duration is set
+ *
+ * @param $data array data to process
+ *
+ * @return processed datas
 **/
 function manageBeginAndEndPlanDates(&$data) {
 
@@ -2344,4 +2352,47 @@ function manageBeginAndEndPlanDates(&$data) {
    }
 }
 
+/**
+ * Encrypt a string
+ *
+ * @param $string string to encrypt
+ * @param $key string key used to encrypt
+ *
+ * @return encrypted string
+**/
+function encrypt($string, $key) {
+  $result = '';
+  for($i=0; $i<strlen($string); $i++) {
+    $char = substr($string, $i, 1);
+    $keychar = substr($key, ($i % strlen($key))-1, 1);
+    $char = chr(ord($char)+ord($keychar));
+    $result.=$char;
+  }
+
+  return base64_encode($result);
+}
+
+
+/**
+ * Decrypt a string
+ *
+ * @param $string string to decrypt
+ * @param $key string key used to decrypt
+ *
+ * @return decrypted string
+**/
+function decrypt($string, $key) {
+  $result = '';
+  $string = base64_decode($string);
+
+  for($i=0; $i<strlen($string); $i++) {
+    $char = substr($string, $i, 1);
+    $keychar = substr($key, ($i % strlen($key))-1, 1);
+    $char = chr(ord($char)-ord($keychar));
+    $result.=$char;
+  }
+
+  return $result;
+}
+
 ?>
diff --git a/inc/config.class.php b/inc/config.class.php
@@ -85,12 +85,20 @@ function showForm($ID, $options=array()) {
    **/
    function prepareInputForUpdate($input) {
 
-      if (isset($input["smtp_password"]) && empty($input["smtp_password"])) {
-         unset($input["smtp_password"]);
+      if (isset($input["smtp_password"])) {
+         if (empty($input["smtp_password"])) {
+            unset($input["smtp_password"]);
+         } else {
+            $input["smtp_password"]=encrypt($input["smtp_password"],GLPIKEY);
+         }
       }
 
-      if (isset($input["proxy_password"]) && empty($input["proxy_password"])) {
-         unset($input["proxy_password"]);
+      if (isset($input["proxy_password"])) {
+         if (empty($input["proxy_password"])) {
+            unset($input["proxy_password"]);
+         } else {
+            $input["proxy_password"]=encrypt($input["proxy_password"],GLPIKEY);
+         }
       }
 
       // Manage DB Slave process

diff --git a/inc/mailcollector.class.php b/inc/mailcollector.class.php
@@ -98,9 +98,15 @@ function post_getEmpty () {
 
    function prepareInputForUpdate($input) {
 
-      if (isset($input['password']) && empty($input['password'])) {
-         unset($input['password']);
+
+      if (isset($input["password"])) {
+         if (empty($input["password"])) {
+            unset($input["password"]);
+         } else {
+            $input["password"]=encrypt($input["password"],GLPIKEY);
+         }
       }
+
       if (isset ($input['mail_server']) && !empty ($input['mail_server'])) {
          $input["host"] = constructMailServerConfig($input);
       }
@@ -684,7 +690,7 @@ function decodeMimeString($mimeStr, $inputCharset='utf-8', $targetCharset='utf-8
    function connect() {
 
       $this->marubox=@imap_open($this->fields['host'], $this->fields['login'],
-                                $this->fields['password'], 1);
+                                decrypt($this->fields['password'],GLPIKEY), 1);
    }
 
 

diff --git a/inc/notificationmail.class.php b/inc/notificationmail.class.php
@@ -77,7 +77,7 @@ function __construct() {
          if ($CFG_GLPI['smtp_username'] != '') {
             $this->SMTPAuth = true;
             $this->Username = $CFG_GLPI['smtp_username'];
-            $this->Password = $CFG_GLPI['smtp_password'];
+            $this->Password = decrypt($CFG_GLPI['smtp_password'],GLPIKEY);
          }
          if ($CFG_GLPI['smtp_mode'] == MAIL_SMTPSSL) {
             $this->SMTPSecure = "ssl";

diff --git a/install/update_0781_080.php b/install/update_0781_080.php
@@ -44,7 +44,7 @@
  * @return bool for success (will die for most error)
 **/
 function update0781to080($output='HTML') {
-   global $DB, $LANG;
+   global $DB, $LANG, $CFG_GLPI;
 
    $updateresult     = true;
    $ADDTODISPLAYPREF = array();
@@ -812,6 +812,62 @@ function update0781to080($output='HTML') {
    $migration->addField("glpi_configs", "url_maxlength",
                            "int(11) NOT NULL DEFAULT '30' AFTER `list_limit_max`");
 
+   displayMigrationMessage("080", $LANG['update'][142] . ' - password encrypt');
+
+
+   /// how not to replay password encryption ?
+   if (!empty($CFG_GLPI['proxy_password'])) {
+      $query="UPDATE `glpi_configs`
+               SET `proxy_password` = '".addslashes(encrypt($CFG_GLPI['proxy_password'],GLPIKEY))."'
+               WHERE `id`= 1 ";
+      $DB->query($query)
+      or die("0.80 update proxy_password in glpi_configs " . $LANG['update'][90] . $DB->error());
+   }
+   if (!empty($CFG_GLPI['smtp_password'])) {
+      $query="UPDATE `glpi_configs`
+               SET `smtp_password` = '".addslashes(encrypt($CFG_GLPI['smtp_password'],GLPIKEY))."'
+               WHERE `id`= 1 ";
+      $DB->query($query)
+      or die("0.80 update proxy_password in glpi_configs " . $LANG['update'][90] . $DB->error());
+   }
+
+   $query = "SELECT *
+               FROM `glpi_authldaps`
+               WHERE `rootdn_password` IS NOT NULL AND `rootdn_password` <> ''";
+
+   if ($result = $DB->query($query)) {
+      if ($DB->numrows($result)) {
+         while ($data = $DB->fetch_assoc($result)) {
+            if (!empty($data['rootdn_password'])) {
+               $query="UPDATE `glpi_authldaps`
+                     SET `rootdn_password` = '".addslashes(encrypt($data['rootdn_password'],GLPIKEY))."'
+                     WHERE `id`= '".$data['id']."' ";
+               $DB->query($query)
+               or die("0.80 update rootdn_password in glpi_authldaps " . $LANG['update'][90] . $DB->error());
+            }
+         }
+      }
+   }
+
+   $query = "SELECT *
+               FROM `glpi_mailcollectors`
+               WHERE `password` IS NOT NULL AND `password` <> ''";
+
+   if ($result = $DB->query($query)) {
+      if ($DB->numrows($result)) {
+         while ($data = $DB->fetch_assoc($result)) {
+            if (!empty($data['password'])) {
+               $query="UPDATE `glpi_mailcollectors`
+                     SET `password` = '".addslashes(encrypt($data['password'],GLPIKEY))."'
+                     WHERE `id`= '".$data['id']."' ";
+               $DB->query($query)
+               or die("0.80 update password in glpi_mailcollectors " . $LANG['update'][90] . $DB->error());
+            }
+         }
+      }
+   }
+
+
    displayMigrationMessage("080", $LANG['update'][142] . ' - glpi_displaypreferences');
 
    foreach ($ADDTODISPLAYPREF as $type => $tab) {

diff --git a/status.php b/status.php
@@ -123,7 +123,7 @@
          echo " ".$method['name'];
 
          if (AuthLdap::tryToConnectToServer($method, $method["rootdn"],
-                                            $method["rootdn_password"])) {
+                                            decrypt($method["rootdn_password"],GLPIKEY))) {
             echo "_OK";
          } else {
             echo "_PROBLEM";