author | Michael Hamann <michael@content-space.de> | 2013-07-30 18:50:28 +0200 |
---|---|---|
committer | Michael Hamann <michael@content-space.de> | 2013-07-30 18:55:19 +0200 |
commit | 04369c3eae728e14962c41d1ab259f9e7ed99144 (patch) | |
tree | 215444b8ba53bcb3ba29b87d12e23a2affe81f33 /inc/auth.php | |
parent | 30d544a4c371bf69023e4d9958bc2b00d84387d9 (diff) | |
Add AES from phpseclib and use it for cookie encryption
This replaces the deprecated and broken Blowfish implementation that has
previously been used and should provide a lot more security.
Diffstat (limited to 'inc/auth.php')
-rw-r--r-- | inc/auth.php | 40 |
1 files changed, 37 insertions, 3 deletions
diff --git a/inc/auth.php b/inc/auth.php
index a1da971ae..f02bfebca 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -220,7 +220,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 // make logininfo globally available
 $_SERVER['REMOTE_USER'] = $user;
 $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
- auth_setCookie($user, PMA_blowfish_encrypt($pass, $secret), $sticky);
+ auth_setCookie($user, auth_encrypt($pass, $secret), $sticky);
 return true;
 } else {
 //invalid credentials - log off
@@ -251,7 +251,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 }
 // no we don't trust it yet - recheck pass but silent
 $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
- $pass = PMA_blowfish_decrypt($pass, $secret);
+ $pass = auth_decrypt($pass, $secret);
 return auth_login($user, $pass, $sticky, true);
 }
 }
@@ -450,6 +450,40 @@ function auth_random($min, $max) {
 }
 
 /**
+ * Encrypt data using the given secret using AES
+ *
+ * The mode is CBC with a random initialization vector, the key is derived
+ * using pbkdf2.
+ *
+ * @param string $data The data that shall be encrypted
+ * @param string $secret The secret/password that shall be used
+ * @return string The ciphertext
+ */
+function auth_encrypt($data, $secret) {
+ $iv = auth_randombytes(16);
+ $cipher = new Crypt_AES();
+ $cipher->setPassword($secret);
+
+ return $cipher->encrypt($iv.$data);
+}
+
+/**
+ * Decrypt the given AES ciphertext
+ *
+ * The mode is CBC, the key is derived using pbkdf2
+ *
+ * @param string $ciphertext The encrypted data
+ * @param string $secret The secret/password that shall be used
+ * @return string The decrypted data
+ */
+function auth_decrypt($ciphertext, $secret) {
+ $cipher = new Crypt_AES();
+ $cipher->setPassword($secret);
+
+ return substr($cipher->decrypt($ciphertext), 16);
+}
+
+/**
 * Log out the current user
 *
 * This clears all authentication data and thus log the user
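Review bot: The result of `auth_decrypt($pass, $secret)` in the cookie-recheck hunk (@@ -251) goes straight into the silent `auth_login()` call with no check that decryption succeeded. Cookies written before this commit hold Blowfish ciphertext, so after an upgrade every returning user presumably submits a garbage or false password to the backend once; depending on the auth backend, that may show up as a failed login or count towards a lockout. Treating a failed decrypt like the invalid-credentials branch would avoid that, e.g. `if($pass === false || $pass === '') { /* clear cookie, as in the invalid-credentials branch */ return false; }`, with a comment such as `// cookies from before the AES switch do not decrypt; never pass them to the backend`. The rest of auth_login() lies outside the hunk, so the exact clean-up call has to be taken from there.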
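Review bot: auth_encrypt() emits AES-CBC ciphertext without any integrity tag, and auth_decrypt() then runs on a cookie value the client controls, so the ciphertext is malleable and any observable difference between a padding failure and a wrong password can leak information about the plaintext. An encrypt-then-MAC construction, with the tag verified before decrypt() is called and a MAC key kept separate from the AES key, would close this; the fence below sketches it (the cookie format changes, so old cookies must simply be rejected). auth_decrypt() also hands decrypt()'s return value directly to substr(), although phpseclib can return false on invalid padding (worth confirming for the bundled version), so the sketch checks for that as well. Separately, the docblock's "random initialization vector" is inaccurate: the code never sets the cipher's IV but prepends a random 16-byte block to the plaintext, and the comment should say so.

```php
function auth_encrypt($data, $secret) {
    // … unchanged: random prefix block, Crypt_AES setup, setPassword() …
    $ciphertext = $cipher->encrypt($iv.$data);

    // encrypt-then-MAC: the tag covers the complete ciphertext;
    // 'auth-cookie-mac' is a constructed domain-separation label
    $mackey = hash_hmac('sha256', 'auth-cookie-mac', $secret, true);
    return hash_hmac('sha256', $ciphertext, $mackey, true).$ciphertext;
}

function auth_decrypt($ciphertext, $secret) {
    if(strlen($ciphertext) <= 32) return false;
    $tag    = substr($ciphertext, 0, 32);
    $body   = substr($ciphertext, 32);
    $mackey = hash_hmac('sha256', 'auth-cookie-mac', $secret, true);

    // reject modified or foreign cookies before any block is decrypted;
    // hash_equals() needs PHP >= 5.6, older versions need a constant-time helper
    if(!hash_equals(hash_hmac('sha256', $body, $mackey, true), $tag)) return false;

    // … unchanged: Crypt_AES setup, setPassword() …
    $plain = $cipher->decrypt($body);
    if($plain === false || strlen($plain) < 16) return false;
    return substr($plain, 16);
}
```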
@@ -992,7 +1026,7 @@ function updateprofile() {
 // update cookie and session with the changed data
 if($changes['pass']) {
 list( /*user*/, $sticky, /*pass*/) = auth_getCookie();
- $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
+ $pass = auth_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
 auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
 }
 return true; |