
Centralized all calls to mcrypt to prepare migration

1 parent 190fc2e commit 0c63a04e0d637928bfbb307aad7f760cc2394278 @cdujeu cdujeu committed Sep 23, 2016
@@ -24,6 +24,7 @@
use Pydio\Core\Model\ContextInterface;
use Pydio\Core\Services\ConfService;
use Pydio\Core\Services\UsersService;
+use Pydio\Core\Utils\Crypto;
use Pydio\Log\Core\Logger;
use Pydio\Tasks\Task;
use Pydio\Tasks\TaskService;
@@ -75,11 +76,7 @@ public static function applyActionInBackground(ContextInterface $ctx, $actionNam
$logFile = $logDir . "/" . $token . ".out";
if (UsersService::usersEnabled()) {
- $cKey = ConfService::getGlobalConf("AJXP_CLI_SECRET_KEY", "conf");
- if (empty($cKey)) {
- $cKey = "\1CDAFx¨op#";
- }
- $user = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($token . $cKey), $user, MCRYPT_MODE_ECB));
+ $user = Crypto::encrypt($user, md5($token . Crypto::getCliSecret()));
}
$robustInstallPath = str_replace("/", DIRECTORY_SEPARATOR, AJXP_INSTALL_PATH);
$cmd = ConfService::getGlobalConf("CLI_PHP") . " " . $robustInstallPath . DIRECTORY_SEPARATOR . "cmd.php -u=$user -t=$token -a=$actionName -r=$repositoryId";
@@ -108,7 +105,7 @@ public static function applyActionInBackground(ContextInterface $ctx, $actionNam
$cmd .= " --$key=" . escapeshellarg($value);
}
}
-
+ error_log($cmd);
$envSet = false;
if ($ctx->getRepository()->getContextOption($ctx, "USE_SESSION_CREDENTIALS")) {
$envSet = MemorySafe::setEnv();
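Review bot: The added `error_log($cmd);` writes the complete command line — the encrypted user in `-u=`, the `-t=$token` value and every `--key=value` option passed through — to the PHP error log on each background action, which looks like a debugging leftover. Token plus encrypted user is exactly the material the CLI side uses to recover the credentials, and forwarded options may themselves hold secrets, so they should not end up in a log that is commonly readable by other processes or shipped to a central collector. Drop the line, or at most `Logger::debug("Background action $actionName on $repositoryId");` without the argument values. applyActionInBackground continues outside the hunk.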
@@ -35,6 +35,7 @@
use Pydio\Core\Services\RolesService;
use Pydio\Core\Services\UsersService;
use Pydio\Core\Utils\ApplicationState;
+use Pydio\Core\Utils\Crypto;
use Pydio\Core\Utils\TextEncoder;
use Pydio\Log\Core\Logger;
use Pydio\Tasks\Task;
@@ -69,9 +70,7 @@ protected static function authenticateFromCliParameters($options){
} else {
// Consider "u" is a crypted version of u:p
$optToken = $options["t"];
- $cKey = ConfService::getGlobalConf("AJXP_CLI_SECRET_KEY", "conf");
- if(empty($cKey)) $cKey = "\1CDAFx¨op#";
- $optUser = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($optToken.$cKey), base64_decode($optUser), MCRYPT_MODE_ECB), "\0");
+ $optUser = Crypto::decrypt($optUser, md5($optToken.Crypto::getCliSecret()));
$envPass = MemorySafe::loadPasswordStringFromEnvironment($optUser);
if($envPass !== false){
unset($optToken);
@@ -28,6 +28,7 @@
use Pydio\Core\Services\UsersService;
+use Pydio\Core\Utils\Crypto;
use Pydio\Core\Utils\TextEncoder;
use \Sabre;
use Pydio\Auth\Core\MemorySafe;
@@ -58,11 +59,7 @@ class AuthBackendDigest extends Sabre\DAV\Auth\Backend\AbstractDigest
public function __construct($context)
{
$this->context = $context;
- if (defined('AJXP_SAFE_SECRET_KEY')) {
- $this->secretKey = AJXP_SAFE_SECRET_KEY;
- } else {
- $this->secretKey = "\1CDAFx¨op#";
- }
+ $this->secretKey = Crypto::getApplicationSecret();
}
/**
@@ -185,11 +182,7 @@ protected function updateCurrentUserRights($user)
*/
private function _decodePassword($encoded, $user)
{
- if (function_exists('mcrypt_decrypt')) {
- $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND);
- $encoded = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($user.$this->secretKey), base64_decode($encoded), MCRYPT_MODE_ECB, $iv), "\0");
- }
- return $encoded;
+ return Crypto::decrypt($encoded, md5($user . $this->secretKey));
}
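Review bot: The `function_exists('mcrypt_decrypt')` guard is dropped here, but Crypto::decrypt still calls mcrypt_decrypt unconditionally, so on a PHP build without the mcrypt extension the old code fell through (returning `$encoded` unchanged) while the new code fails with an undefined function. The same guard removal appears in OptionsHelper::decypherStandardFormPassword and parseStandardFormParameters, MemorySafe::_encodePassword and _decodePassword, and the webdav_pass branch of switchAction. If that fall-through is still relied upon anywhere, the check belongs once in Crypto rather than at each caller, e.g. `if (!function_exists('mcrypt_decrypt')) { throw new \RuntimeException('mcrypt extension is required'); }` — an exception is preferable to silently handing back the still-encrypted string as if it were the password.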
@@ -180,7 +180,7 @@ public static function instanciatePluginFromGlobalParams($globalsArray, $interfa
*/
public static function backgroundActionsSupported()
{
- return function_exists("mcrypt_create_iv") && ConfService::getGlobalConf("CMDLINE_ACTIVE");
+ return ConfService::getGlobalConf("CMDLINE_ACTIVE");
}
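Review bot: Removing `function_exists("mcrypt_create_iv")` makes backgroundActionsSupported() answer true on a build without mcrypt, yet applyActionInBackground still reaches mcrypt_encrypt through Crypto::encrypt, so the capability check no longer reflects what the code path needs. Until Crypto is moved off mcrypt, keep an equivalent test, e.g. `return function_exists("mcrypt_encrypt") && ConfService::getGlobalConf("CMDLINE_ACTIVE");`, or add a `Crypto::isAvailable()` so the check lives next to the implementation it guards.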
/**
@@ -183,8 +183,9 @@ public static function detectServerURL($withURI = false, $forceInternal = false)
if (!empty($setUrl) && !$forceInternal) {
return (string)$setUrl;
}
- if (php_sapi_name() == "cli") {
- Logger::debug("WARNING, THE SERVER_URL IS NOT SET, WE CANNOT BUILD THE MAIL ADRESS WHEN WORKING IN CLI");
+ if (self::sapiIsCli()) {
+ Logger::debug("WARNING, THE SERVER_URL IS NOT SET, WE CANNOT BUILD IT WHEN WORKING IN CLI");
+ return "";
}
$protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? 'https' : 'http');
$port = (($protocol === 'http' && $_SERVER['SERVER_PORT'] == 80 || $protocol === 'https' && $_SERVER['SERVER_PORT'] == 443)
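Review bot: The new early `return "";` makes detectServerURL() return an empty string under CLI, where it previously fell through to the `$_SERVER`-based build; callers that concatenate the result into links will now emit relative URLs with no signal that the base is missing. The function's docblock is outside the hunk and should record this, e.g. `@return string the configured SERVER_URL, or "" when running under CLI with no SERVER_URL set`. `self::sapiIsCli()` is not visible in this diff, so I am assuming it is defined in the same class.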
@@ -0,0 +1,94 @@
+<?php
+/*
+ * Copyright 2007-2016 Abstrium <contact (at) pydio.com>
+ * This file is part of Pydio.
+ *
+ * Pydio is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Pydio is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with Pydio. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * The latest code can be found at <https://pydio.com/>.
+ */
+namespace Pydio\Core\Utils;
+
+use Pydio\Core\Services\ConfService;
+
+defined('AJXP_EXEC') or die('Access not allowed');
+
+/**
+ * Simple encrypt / decrypt utils for small strings
+ * Legacy is using mcrypt Rijndael_256, will be replaced by openssl or libsodium with standard cypher
+ * @package Pydio\Core\Utils
+ */
+class Crypto
+{
+
+ /**
+ * @return string
+ */
+ public static function getApplicationSecret(){
+ if (defined('AJXP_SAFE_SECRET_KEY')) {
+ return AJXP_SAFE_SECRET_KEY;
+ } else {
+ return "\1CDAFx¨op#";
+ }
+ }
+
+ /**
+ * @return string
+ */
+ public static function getCliSecret(){
+ $cKey = ConfService::getGlobalConf("AJXP_CLI_SECRET_KEY", "conf");
+ if (empty($cKey)) {
+ $cKey = "\1CDAFx¨op#";
+ }
+ return $cKey;
+ }
+
+ /**
+ * @param bool $base64encode
+ * @return string
+ */
+ public static function getRandomSalt($base64encode = true){
+ $salt = mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM);
+ return ($base64encode ? base64_encode($salt) : $salt);
+ }
+
+ /**
+ * @param mixed $data
+ * @param string $key
+ * @param bool $base64encode
+ * @return mixed
+ */
+ public static function encrypt($data, $key, $base64encode = true){
+ $encoded = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB);
+ if($base64encode) {
+ return base64_encode($encoded);
+ } else {
+ return $encoded;
+ }
+ }
+
+ /**
+ * @param string $data
+ * @param string $key
+ * @param bool $base64encoded
+ * @return mixed
+ */
+ public static function decrypt($data, $key, $base64encoded = true){
+ if($base64encoded){
+ $data = base64_decode($data);
+ }
+ return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB), "\0");
+ }
+
+}
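Review bot: Neither encrypt() nor decrypt() checks the return value of mcrypt_encrypt/mcrypt_decrypt, which is false (plus a warning) when the key length is not valid for Rijndael-256; `base64_encode(false)` and `trim(false, "\0")` then produce `""`, so a failed operation is indistinguishable from an empty plaintext and callers such as loadShare silently get no data. Checking for `=== false` and throwing would surface the problem at the point it occurs. The class docblock should also spell out what "legacy" means for anyone reading stored values: Rijndael-256 in ECB mode with no IV and no authentication, so equal plaintexts under one key give equal ciphertexts and tampering is not detected — which is the reason the planned migration matters. getRandomSalt() additionally relies on `PBKDF2_SALT_BYTE_SIZE`, which is not defined in this file, so its load order should be confirmed.

```php
public static function encrypt($data, $key, $base64encode = true){
    $encoded = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB);
    if ($encoded === false) {
        throw new \RuntimeException('Crypto::encrypt failed (invalid key length?)');
    }
    // … unchanged: base64 handling …
}

public static function decrypt($data, $key, $base64encoded = true){
    // … unchanged: base64 decoding …
    $decoded = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB);
    if ($decoded === false) {
        throw new \RuntimeException('Crypto::decrypt failed (invalid key length?)');
    }
    return trim($decoded, "\0");
}
```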
@@ -24,6 +24,7 @@
use Pydio\Core\Model\ContextInterface;
use Pydio\Core\Services\ConfService;
use Pydio\Core\Utils\ApplicationState;
+use Pydio\Core\Utils\Crypto;
defined('AJXP_EXEC') or die('Access not allowed');
@@ -43,11 +44,7 @@ class OptionsHelper
*/
public static function decypherStandardFormPassword($userId, $password)
{
- if (function_exists('mcrypt_decrypt')) {
- // We have encoded as base64 so if we need to store the result in a database, it can be stored in text column
- $password = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($userId . "\1CDAFx¨op#"), base64_decode($password), MCRYPT_MODE_ECB), "\0");
- }
- return $password;
+ return Crypto::decrypt($password, md5($userId . "\1CDAFx¨op#"));
}
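Review bot: The fallback secret `"\1CDAFx¨op#"` is still inlined here (and again in parseStandardFormParameters below) although this commit centralises the same literal in Crypto::getApplicationSecret(); note that getApplicationSecret() is not a drop-in replacement, because it returns AJXP_SAFE_SECRET_KEY when that constant is defined, and values already stored under the literal would then stop decrypting. A safe first step is a named constant on Crypto, e.g. `const DEFAULT_SECRET = "\1CDAFx¨op#";` used here as `md5($userId . Crypto::DEFAULT_SECRET)`, plus a comment stating whether keying form passwords on the default secret rather than the application secret is intended. The method's docblock is outside the hunk.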
/**
@@ -119,9 +116,8 @@ public static function parseStandardFormParameters(ContextInterface $ctx, &$repD
} else if ($type == "array") {
$value = explode(",", $value);
} else if ($type == "password" && $ctx->hasUser() && !empty($cypheredPassPrefix)) {
- if (trim($value) != "" && $value != "__AJXP_VALUE_SET__" && function_exists('mcrypt_encrypt')) {
- // We encode as base64 so if we need to store the result in a database, it can be stored in text column
- $value = $cypheredPassPrefix . base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($ctx->getUser()->getId() . "\1CDAFx¨op#"), $value, MCRYPT_MODE_ECB));
+ if (trim($value) != "" && $value != "__AJXP_VALUE_SET__") {
+ $value = $cypheredPassPrefix . Crypto::encrypt($value, md5($ctx->getUser()->getId() . "\1CDAFx¨op#"));
}
} else if ($type == "binary" && $binariesContext !== null) {
if (!empty($value)) {
@@ -21,6 +21,7 @@
namespace Pydio\Core\Utils\Vars;
use Pydio\Core\Exception\PydioException;
+use Pydio\Core\Utils\Crypto;
defined('AJXP_EXEC') or die('Access not allowed');
@@ -162,7 +163,7 @@ public static function pbkdf2_validate_password($password, $correct_hash)
public static function pbkdf2_create_hash($password)
{
// format: algorithm:iterations:salt:hash
- $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
+ $salt = Crypto::getRandomSalt();
return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
base64_encode(self::pbkdf2_apply(
PBKDF2_HASH_ALGORITHM,
@@ -26,14 +26,14 @@
use Pydio\Core\Model\Context;
use Pydio\Core\Model\ContextInterface;
-use Pydio\Core\Services\AuthService;
use Pydio\Core\Services\ConfService;
use Pydio\Conf\Sql\SqlConfDriver;
use Pydio\Core\Services\LocaleService;
use Pydio\Core\Services\RepositoryService;
use Pydio\Core\Services\RolesService;
use Pydio\Core\Services\UsersService;
+use Pydio\Core\Utils\Crypto;
use Pydio\Log\Core\Logger;
use Pydio\OCS\Model\TargettedLink;
use Pydio\Share\Model\ShareLink;
@@ -183,23 +183,21 @@ public function loadShare($hash){
}
class_alias("Pydio\\Share\\ShareCenter", "ShareCenter");
$lines = file($file);
- $inputData = '';
- // Necessary for the eval
- $id = $hash;
- // UPDATE LINK FOR PHP5.6
- if(trim($lines[4]) == '$inputData = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $id, $cypheredData, MCRYPT_MODE_ECB), "\0");' && is_writable($file)){
- // Upgrade line
- $lines[4] = ' $inputData = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, str_pad($id, 16, "\0"), $cypheredData, MCRYPT_MODE_ECB), "\0");'."\n";
- $res = file_put_contents($file, implode('', $lines));
- }
- $code = $lines[3] . $lines[4] . $lines[5];
- eval($code);
- if(empty($inputData)) return false;
- $publicletData = @unserialize($inputData);
- $publicletData["PUBLICLET_PATH"] = $file;
-
- return $publicletData;
+ // Eval the existing line 3, should be like
+ // $cypheredData = base64_decode("cMYIUkAcvOqGFLbT5j/jyP/VzYJqV03X2.....71gJsTtxw==");
+ $cypheredData = '';
+ eval($lines[3]);
+ if(!empty($cypheredData)) {
+ $key = str_pad($hash, 16, "\0");
+ $inputData = Crypto::decrypt($cypheredData, $key, false);
+ if(!empty($inputData)){
+ $publicletData = @unserialize($inputData);
+ $publicletData["PUBLICLET_PATH"] = $file;
+ return $publicletData;
+ }
+ }
+ return [];
}
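Review bot: The failure result changes from `return false` to `return [];` at the end of the rewritten block, so a caller that tests `=== false` will now treat a missing or undecryptable publiclet as loaded; loadShare starts outside the hunk and its docblock should be updated to the new contract. `eval($lines[3])` also executes whatever the fourth line of the file holds without the shape check the removed code performed, and `$lines[3]` is read without confirming the file has that many lines; since the comment already states the expected form, guard it before evaluating, e.g. `if (!isset($lines[3]) || strpos(trim($lines[3]), '$cypheredData = base64_decode(') !== 0) { return []; }`. `str_pad($hash, 16, "\0")` only pads, so a hash longer than 16 bytes that is not 24 or 32 still fails inside mcrypt — presumably unchanged from before, but worth a comment on the `$key` line.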
/**
@@ -22,6 +22,7 @@
use Pydio\Core\Model\ContextInterface;
use Pydio\Core\Services\SessionService;
+use Pydio\Core\Utils\Crypto;
use Pydio\Core\Utils\Vars\OptionsHelper;
@@ -50,11 +51,7 @@ class MemorySafe
*/
public function __construct()
{
- if (defined('AJXP_SAFE_SECRET_KEY')) {
- $this->secretKey = AJXP_SAFE_SECRET_KEY;
- } else {
- $this->secretKey = "\1CDAFx¨op#";
- }
+ $this->secretKey = Crypto::getApplicationSecret();
}
/**
* Store the user/password pair. Password will be encoded
@@ -93,11 +90,7 @@ public function getCredentials()
*/
private function _encodePassword($password, $user)
{
- if (function_exists('mcrypt_encrypt')) {
- // We encode as base64 so if we need to store the result in a database, it can be stored in text column
- $password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($user.$this->secretKey), $password, MCRYPT_MODE_ECB));
- }
- return $password;
+ return Crypto::encrypt($password, md5($user . $this->secretKey));
}
/**
* Use mcrypt functions to decode the password
@@ -107,11 +100,7 @@ private function _encodePassword($password, $user)
*/
private function _decodePassword($encoded, $user)
{
- if (function_exists('mcrypt_decrypt')) {
- // We have encoded as base64 so if we need to store the result in a database, it can be stored in text column
- $encoded = trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($user.$this->secretKey), base64_decode($encoded), MCRYPT_MODE_ECB), "\0");
- }
- return $encoded;
+ return Crypto::decrypt($encoded, md5($user . $this->secretKey));
}
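Review bot: The docblock just above (`* Use mcrypt functions to decode the password`, partly outside this hunk) no longer describes the body, which delegates to Crypto::decrypt; reword it to `* Decode a password previously produced by _encodePassword(), via Crypto::decrypt`. The `_encodePassword` docblock above the previous hunk is not visible here but likely carries the same wording and should be updated alongside.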
/**
* Store the password credentials in the session
@@ -45,6 +45,7 @@
use Pydio\Core\Services\SessionService;
use Pydio\Core\Services\UsersService;
use Pydio\Core\Utils\ApplicationState;
+use Pydio\Core\Utils\Crypto;
use Pydio\Core\Utils\Vars\InputFilter;
use Pydio\Core\Utils\Vars\OptionsHelper;
use Pydio\Core\Utils\Vars\StatHelper;
@@ -926,13 +927,7 @@ public function switchAction(ServerRequestInterface $requestInterface, ResponseI
$davData["ACTIVE"] = $activate;
}
if (!empty($httpVars["webdav_pass"])) {
- $password = $httpVars["webdav_pass"];
- if (function_exists('mcrypt_encrypt')) {
- $user = $loggedUser->getId();
- $secret = (defined("AJXP_SAFE_SECRET_KEY")? AJXP_SAFE_SECRET_KEY:"\1CDAFx¨op#");
- $password = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($user.$secret), $password, MCRYPT_MODE_ECB));
- }
- $davData["PASS"] = $password;
+ $davData["PASS"] = Crypto::encrypt($httpVars["webdav_pass"], md5($loggedUser->getId().Crypto::getApplicationSecret()));
}
$loggedUser->setPref("AJXP_WEBDAV_DATA", $davData);
$loggedUser->save("user");
