<?php
# MantisBT - A PHP based bugtracking system
# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
/**
* This file contains configuration checks for cryptography issues
*
* @package MantisBT
* @copyright Copyright 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
* @copyright Copyright 2002 MantisBT Team - mantisbt-dev@lists.sourceforge.net
* @link http://www.mantisbt.org
*
* @uses check_api.php
* @uses config_api.php
* @uses constant_inc.php
*/
# Guard: this file only does useful work when included by a caller that has
# defined CHECK_CRYPTO_INC_ALLOW; reached any other way it returns without
# printing anything, so the check rows below cannot be triggered directly.
if( !defined( 'CHECK_CRYPTO_INC_ALLOW' ) ) {
return;
}
# MantisBT Check API
require_once( 'check_api.php' );
# config_get_global() comes from config_api.php; the LOGIN_METHOD_* constants
# compared against below come from constant_inc.php.
require_api( 'config_api.php' );
require_api( 'constant_inc.php' );
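check_print_section_header_row( 'Cryptography' );

# Master salt length. The requirement is 16 *bytes* of material, so the
# byte-wise strlen() is intentional here: a character count (mb_strlen) would
# overstate how much salt a multibyte string actually contributes.
# The (string) cast makes an unset/null option count as length 0 instead of
# tripping the strlen(null) deprecation on PHP 8.1+.
check_print_test_row(
	'Master salt value has been specified',
	strlen( (string)config_get_global( 'crypto_master_salt' ) ) >= 16,
	array( false => 'The crypto_master_salt option needs to be specified in config_inc.php with a minimum string length of 16 characters.' )
);

# Login method checks
$t_login_method = config_get_global( 'login_method' );

# Suffix shared by both failure messages: always point at the strongest
# supported storage method rather than merely saying "do not use X".
$t_switch_to_method = ' You should switch to '
	. login_method_name( LOGIN_METHOD_HASH_BCRYPT )
	. ', which is currently the strongest password storage method supported by MantisBT.';

# Methods whose stored form is weak (unsalted/fast hashes) or not hashed at all.
# The loose in_array()/!= comparisons are kept on purpose: the configured value
# may arrive as the int constant or as a numeric string, and a strict check that
# silently failed to match would make a deprecated method look compliant.
$t_deprecated_login_methods = array( LOGIN_METHOD_HASH_MD5, LOGIN_METHOD_HASH_CRYPT, LOGIN_METHOD_HASH_CRYPT_FULL_SALT, LOGIN_METHOD_PLAIN );
check_print_test_row(
	'Do not use an outdated login method',
	!in_array( $t_login_method, $t_deprecated_login_methods ),
	array( false => login_method_name( $t_login_method )
		. ' has been deprecated and should no longer be used for security reasons. '
		. $t_switch_to_method
	)
);

# Clear-text storage is reported as a warning rather than a failure, and the
# check is skipped for LDAP (presumably because the directory, not the MantisBT
# database, holds the credentials in that case).
if( $t_login_method != LOGIN_METHOD_LDAP ) {
	$t_plain_text_login_methods = array( LOGIN_METHOD_PLAIN, LOGIN_METHOD_BASIC_AUTH, LOGIN_METHOD_HTTP_AUTH );
	check_print_test_warn_row(
		'Passwords should be stored encrypted in the database',
		!in_array( $t_login_method, $t_plain_text_login_methods ),
		login_method_name( $t_login_method )
			. ' causes passwords to be stored in clear text. '
			. $t_switch_to_method
	);
}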
/**
 * Returns the login method name
 *
 * Resolves a LOGIN_METHOD_* constant to its symbolic name so the check
 * messages can refer to the configured method by name rather than by value.
 * Matching deliberately mirrors a switch statement: candidates are tried in
 * order with a loose (==) comparison and the first hit wins.
 *
 * @param int $p_method One of the login methods constants
 * @return string Login method name, or 'UNKNOWN' when $p_method matches none
 */
function login_method_name( $p_method ) {
	# Ordered (constant, name) pairs. Order matters because the comparison is
	# loose and stops at the first match, exactly as the equivalent switch would.
	$t_method_names = array(
		array( LOGIN_METHOD_PLAIN, 'LOGIN_METHOD_PLAIN' ),
		array( LOGIN_METHOD_BASIC_AUTH, 'LOGIN_METHOD_BASIC_AUTH' ),
		array( LOGIN_METHOD_HTTP_AUTH, 'LOGIN_METHOD_HTTP_AUTH' ),
		array( LOGIN_METHOD_HASH_CRYPT, 'LOGIN_METHOD_HASH_CRYPT' ),
		array( LOGIN_METHOD_HASH_CRYPT_FULL_SALT, 'LOGIN_METHOD_HASH_CRYPT_FULL_SALT' ),
		array( LOGIN_METHOD_HASH_MD5, 'LOGIN_METHOD_HASH_MD5' ),
		array( LOGIN_METHOD_HASH_BCRYPT, 'LOGIN_METHOD_HASH_BCRYPT' ),
		array( LOGIN_METHOD_LDAP, 'LOGIN_METHOD_LDAP' ),
	);

	foreach( $t_method_names as $t_pair ) {
		if( $p_method == $t_pair[0] ) {
			return $t_pair[1];
		}
	}

	return 'UNKNOWN';
}