From 99f398a87e497285435c88f5ac1ebc56a8122808 Mon Sep 17 00:00:00 2001 From: Stephen Abello Date: Wed, 24 Apr 2019 11:44:43 +0200 Subject: [PATCH] =?UTF-8?q?N=C2=B01529:=20Correct=20wrong=20constant=20nam?= =?UTF-8?q?e=20for=20Mcrypt,=20handle=20iv=20generation=20fails=20to=20avo?= =?UTF-8?q?id=20data=20corruption?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- core/simplecrypt.class.inc.php | 45 ++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/core/simplecrypt.class.inc.php b/core/simplecrypt.class.inc.php index f3b163519..51f2bc0e6 100644 --- a/core/simplecrypt.class.inc.php +++ b/core/simplecrypt.class.inc.php @@ -3,7 +3,7 @@ // // This file is part of iTop. // -// iTop is free software; you can redistribute it and/or modify +// iTop is free software; you can redistribute it and/or modify // it under the terms of the GNU Affero General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. @@ -66,7 +66,7 @@ class SimpleCrypt * Constructor * @param string $sEngineName Engine for encryption. Values: Simple, Mcrypt, Sodium or OpenSSL * @throws Exception This library is unkown - */ + */ function __construct($sEngineName = 'Mcrypt') { switch($sEngineName){ @@ -101,30 +101,30 @@ class SimpleCrypt $sEngineName = 'SimpleCrypt' . $sEngineName . 'Engine'; $this->oEngine = new $sEngineName; } - + /** * Encrypts the string with the given key * @param string $key * @param string $sString Plaintext string * @return string Ciphered string - */ + */ function Encrypt($key, $sString) { - return $this->oEngine->Encrypt($key,$sString); + return $this->oEngine->Encrypt($key,$sString); } - + /** * Decrypts the string by the given key * @param string $key * @param string $string Ciphered string - * @return string Plaintext string + * @return string Plaintext string */ function Decrypt($key, $string) { return $this->oEngine->Decrypt($key,$string); } - + /** * Returns a random "salt" value, to be used when "hashing" a password * using a one-way encryption algorithm, to prevent an attack using a "rainbow table" @@ -135,9 +135,9 @@ class SimpleCrypt { // Copied from http://www.php.net/manual/en/function.mt-rand.php#83655 // get 128 pseudorandom bits in a string of 16 bytes - + $sRandomBits = null; - + // Unix/Linux platform? $fp = @fopen('/dev/urandom','rb'); if ($fp !== FALSE) @@ -156,14 +156,14 @@ class SimpleCrypt { $CAPI_Util = new COM('CAPICOM.Utilities.1'); $sBase64RandomBits = ''.$CAPI_Util->GetRandom(16,0); - + // if we ask for binary data PHP munges it, so we // request base64 return value. We squeeze out the // redundancy and useless ==CRLF by hashing... if ($sBase64RandomBits) { //echo "Random bits got from CAPICOM.Utilities.1
\n"; - $sRandomBits = md5($sBase64RandomBits, TRUE); + $sRandomBits = md5($sBase64RandomBits, TRUE); } } catch (Exception $ex) @@ -182,10 +182,10 @@ class SimpleCrypt { $sRandomBits .= sprintf('%04x', mt_rand(0, 65535)); } - - + + } - return $sRandomBits; + return $sRandomBits; } } @@ -221,7 +221,7 @@ class SimpleCryptSimpleEngine implements CryptEngine $char = chr(ord($char)+ord($keychar)); $result.=$char; } - return $result; + return $result; } public function Decrypt($key, $encrypted_data) @@ -235,7 +235,7 @@ class SimpleCryptSimpleEngine implements CryptEngine $result.=$char; } return $result; - } + } } /** @@ -258,10 +258,13 @@ class SimpleCryptMcryptEngine implements CryptEngine { $this->td = mcrypt_module_open($this->alg,'','cbc',''); } - + public function Encrypt($key, $sString) { - $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($this->td), MCRYPT_RAND_URANDOM); // MCRYPT_RAND_URANDOM is now useable since itop requires php >= 5.6 + $iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($this->td), MCRYPT_DEV_URANDOM); // MCRYPT_DEV_URANDOM is now useable since itop requires php >= 5.6 + if (false === $iv) { + throw new Exception('IV generation failed'); + } mcrypt_generic_init($this->td, $key, $iv); if (empty($sString)) { @@ -275,7 +278,7 @@ class SimpleCryptMcryptEngine implements CryptEngine public function Decrypt($key, $encrypted_data) { $iv = substr($encrypted_data, 0, mcrypt_enc_get_iv_size($this->td)); - $string = substr($encrypted_data, mcrypt_enc_get_iv_size($this->td)); + $string = substr($encrypted_data, mcrypt_enc_get_iv_size($this->td)); $r = mcrypt_generic_init($this->td, $key, $iv); if (($r < 0) || ($r === false)) { @@ -288,7 +291,7 @@ class SimpleCryptMcryptEngine implements CryptEngine } return $decrypted_data; } - + public function __destruct() { mcrypt_module_close($this->td);