Project

General

Profile

« Previous | Next » 

Revision 6765f83a

Added by Jim Pingle over 6 years ago

Use new/stronger openssl options for crypt_data(). Fixes #9421

Retry with legacy options if new options fail, so we can still
read old style data from previous encryption runs (e.g. old encrypted
backups, ACB entries, etc)

Better error handling and suppression to prevent issues like #9421.

View differences:

src/etc/inc/crypt.inc
24 24 
 * limitations under the License.
25 25 
 */
26 26 

  		




  27
  
  
    
	function crypt_data($val, $pass, $opt) {


  		




  
  27
  
    
	function crypt_data($val, $pass, $opt, $legacy = false) {


  		




  28
  28
  
    
		$file = tempnam("/tmp", "php-encrypt");


  		




  
  29
  
    
		/* Ensure the files do not already exist */


  		




  
  30
  
    
		unlink_if_exists($file);


  		




  
  31
  
    
		unlink_if_exists("{$file}.dec");


  		




  
  32
  
    
		unlink_if_exists("{$file}.enc");


  		




  
  33
  
    

  		




  29
  34
  
    
		file_put_contents("{$file}.dec", $val);


  		




  30
  
  
    
		exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -pass pass:" . escapeshellarg($pass));


  		




  31
  
  
    
		if (file_exists("{$file}.enc")) {


  		




  
  35
  
    

  		




  
  36
  
    
		/* Use PBKDF2 Key Derivation (https://en.wikipedia.org/wiki/PBKDF2)


  		




  
  37
  
    
		 *  unless we need to read old data encrypted without it. */


  		




  
  38
  
    
		$keyder = ($legacy) ? "" : "-pbkdf2";


  		




  
  39
  
    

  		




  
  40
  
    
		$output = "";


  		




  
  41
  
    
		$exitcode = "";


  		




  
  42
  
    
		exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -pass pass:" . escapeshellarg($pass) . " -salt -md sha256 {$keyder} 2> /dev/null", $output, $exitcode);


  		




  
  43
  
    

  		




  
  44
  
    
		if (($exitcode == 0) && file_exists("{$file}.enc") && (filesize("{$file}.enc") > 0)) {


  		




  32
  45
  
    
			$result = file_get_contents("{$file}.enc");


  		




  
  46
  
    
		} elseif ($legacy === false) {


  		




  
  47
  
    
			/* Operation failed without new options, try old. */


  		




  
  48
  
    
			$result = crypt_data($val, $pass, $opt, true);


  		




  33
  49
  
    
		} else {


  		




  34
  50
  
    
			$result = "";


  		




  35
  51
  
    
			log_error(gettext("Failed to encrypt/decrypt data!"));


  		




  36
  52
  
    
		}


  		




  37
  
  
    
		@unlink($file);


  		




  38
  
  
    
		@unlink("{$file}.dec");


  		




  39
  
  
    
		@unlink("{$file}.enc");


  		




  
  53
  
    

  		




  
  54
  
    
		/* Cleanup */


  		




  
  55
  
    
		unlink_if_exists($file);


  		




  
  56
  
    
		unlink_if_exists("{$file}.dec");


  		




  
  57
  
    
		unlink_if_exists("{$file}.enc");


  		




  40
  58
  
    
		return $result;


  		




  41
  59
  
    
	}


  		




  42
  60
  
    

  		




  43
  
  
    
	function encrypt_data(& $data, $pass) {


  		




  44
  
  
    
		return base64_encode(crypt_data($data, $pass, "-e"));


  		




  
  61
  
    
	function encrypt_data(& $data, $pass, $legacy = false) {


  		




  
  62
  
    
		return base64_encode(crypt_data($data, $pass, "-e", $legacy));


  		




  45
  63
  
    
	}


  		




  46
  64
  
    

  		




  47
  
  
    
	function decrypt_data(& $data, $pass) {


  		




  48
  
  
    
		return crypt_data(base64_decode($data), $pass, "-d");


  		




  
  65
  
    
	function decrypt_data(& $data, $pass, $legacy = false) {


  		




  
  66
  
    
		return crypt_data(base64_decode($data), $pass, "-d", $legacy);


  		




  49
  67
  
    
	}


  		




  50
  68
  
    

  		




  51
  69
  
    
	function tagfile_reformat($in, & $out, $tag) {


  		












Also available in:  Unified diff