From 865faf755070832ca9c794e1f1c190ddda7e0850 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Tue, 30 Jul 2013 18:50:28 +0200
Subject: Add AES from phpseclib and use it for cookie encryption

This replaces the deprecated and broken Blowfish implementation that has
previously been used and should provide a lot more security.
---
 inc/auth.php | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)

(limited to 'inc/auth.php')

diff --git a/inc/auth.php b/inc/auth.php
index a1da971ae..f02bfebca 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -220,7 +220,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
             // make logininfo globally available
             $_SERVER['REMOTE_USER'] = $user;
             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
-            auth_setCookie($user, PMA_blowfish_encrypt($pass, $secret), $sticky);
+            auth_setCookie($user, auth_encrypt($pass, $secret), $sticky);
             return true;
         } else {
             //invalid credentials - log off
@@ -251,7 +251,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
             }
             // no we don't trust it yet - recheck pass but silent
             $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
-            $pass   = PMA_blowfish_decrypt($pass, $secret);
+            $pass   = auth_decrypt($pass, $secret);
             return auth_login($user, $pass, $sticky, true);
         }
     }
@@ -449,6 +449,40 @@ function auth_random($min, $max) {
     return $min + $integer;
 }
 
+/**
+ * Encrypt data using the given secret using AES
+ *
+ * The mode is CBC with a random initialization vector, the key is derived
+ * using pbkdf2.
+ *
+ * @param string $data   The data that shall be encrypted
+ * @param string $secret The secret/password that shall be used
+ * @return string The ciphertext
+ */
+function auth_encrypt($data, $secret) {
+    $iv = auth_randombytes(16);
+    $cipher = new Crypt_AES();
+    $cipher->setPassword($secret);
+
+    return $cipher->encrypt($iv.$data);
+}
+
+/**
+ * Decrypt the given AES ciphertext
+ *
+ * The mode is CBC, the key is derived using pbkdf2
+ *
+ * @param string $ciphertext The encrypted data
+ * @param string $secret     The secret/password that shall be used
+ * @return string The decrypted data
+ */
+function auth_decrypt($ciphertext, $secret) {
+    $cipher = new Crypt_AES();
+    $cipher->setPassword($secret);
+
+    return substr($cipher->decrypt($ciphertext), 16);
+}
+
 /**
  * Log out the current user
  *
@@ -992,7 +1026,7 @@ function updateprofile() {
         // update cookie and session with the changed data
         if($changes['pass']) {
             list( /*user*/, $sticky, /*pass*/) = auth_getCookie();
-            $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
+            $pass = auth_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
             auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky);
         }
         return true;
-- 
cgit v1.2.3