From 5469ee05f0dfc32d2dd9bae9ef8c3b5ae236c228 Mon Sep 17 00:00:00 2001
From: Jaime Perez Crespo <jaime.perez@uninett.no>
Date: Thu, 16 Apr 2015 12:16:16 +0200
Subject: [PATCH] Move aesEncrypt() and aesDecrypt() in SimpleSAML_Utilities to
 SimpleSAML_Utils_Crypto.

Mark the old ones as deprecated and schedule them for removal in 2.0.
---
 lib/SimpleSAML/Utilities.php      |  4 +-
 lib/SimpleSAML/Utils/Crypto.php   | 80 +++++++++++++++++++++++++++++++
 modules/core/www/postredirect.php |  2 +-
 3 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index 5b99a9313..fc949067e 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -1731,7 +1731,7 @@ class SimpleSAML_Utilities {
 		$session = SimpleSAML_Session::getSessionFromRequest();
 		$session->setData('core_postdatalink', $postId, $postData);
 
-		$redirInfo = base64_encode(self::aesEncrypt($session->getSessionId() . ':' . $postId));
+		$redirInfo = base64_encode(SimpleSAML_Utils_Crypto::aesEncrypt($session->getSessionId() . ':' . $postId));
 
 		$url = SimpleSAML_Module::getModuleURL('core/postredirect.php', array('RedirInfo' => $redirInfo));
 		$url = preg_replace("#^https:#", "http:", $url);
@@ -2244,6 +2244,7 @@ class SimpleSAML_Utilities {
 	 *
 	 * @param string $clear  Data to encrypt.
 	 * @return array  The encrypted data and IV.
+     * @deprecated This function will be removed in SSP 2.0. Please use SimpleSAML_Utils_Crypto::aesEncrypt() instead.
 	 */
 	public static function aesEncrypt($clear) {
 		assert('is_string($clear)');
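Review bot: The deprecated SimpleSAML_Utilities::aesEncrypt() appears to keep its own body (the diffstat shows only four changed lines in this file), so the encryption code now lives in two places, and a later fix in SimpleSAML_Utils_Crypto would not reach callers still using the old name. The same applies to aesDecrypt() in the next hunk. Consider reducing both old methods to a one-line delegation, e.g. `return SimpleSAML_Utils_Crypto::aesEncrypt($clear);`, keeping in mind that the new methods throw where the old ones only assert. The added `@deprecated` lines are also indented with spaces where the surrounding docblock uses tabs. Both method bodies continue outside the hunks.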
@@ -2280,6 +2281,7 @@ class SimpleSAML_Utilities {
 	 * @param $data  Encrypted data.
 	 * @param $iv  IV of encrypted data.
 	 * @return string  The decrypted data.
+     * @deprecated This function will be removed in SSP 2.0. Please use SimpleSAML_Utils_Crypto::aesDecrypt() instead.
 	 */
 	public static function aesDecrypt($encData) {
 		assert('is_string($encData)');
diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 265e43c1d..b70fb991e 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -9,6 +9,86 @@
 class SimpleSAML_Utils_Crypto
 {
 
+    /**
+     * Decrypt data using AES and the system-wide secret salt as key.
+     *
+     * @param string $data The encrypted data to decrypt.
+     *
+     * @return string The decrypted data.
+     * @throws SimpleSAML_Error_Exception If the mcrypt module is not loaded or $ciphertext is not a string.
+     * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function aesDecrypt($ciphertext)
+    {
+        if (!is_string($ciphertext)) {
+            throw new SimpleSAML_Error_Exception('Input parameter "$ciphertext" must be a string.');
+        }
+        if (!function_exists("mcrypt_encrypt")) {
+            throw new SimpleSAML_Error_Exception("The mcrypt PHP module is not loaded.");
+        }
+
+        $enc = MCRYPT_RIJNDAEL_256;
+        $mode = MCRYPT_MODE_CBC;
+
+        $ivSize = mcrypt_get_iv_size($enc, $mode);
+        $keySize = mcrypt_get_key_size($enc, $mode);
+
+        $key = hash('sha256', SimpleSAML_Utilities::getSecretSalt(), true);
+        $key = substr($key, 0, $keySize);
+
+        $iv = substr($ciphertext, 0, $ivSize);
+        $data = substr($ciphertext, $ivSize);
+
+        $clear = mcrypt_decrypt($enc, $key, $data, $mode, $iv);
+
+        $len = strlen($clear);
+        $numpad = ord($clear[$len - 1]);
+        $clear = substr($clear, 0, $len - $numpad);
+
+        return $clear;
+    }
+
+    /**
+     * Encrypt data using AES and the system-wide secret salt as key.
+     *
+     * @param string $data The data to encrypt.
+     *
+     * @return string The encrypted data and IV.
+     * @throws SimpleSAML_Error_Exception If the mcrypt module is not loaded or $data is not a string.
+     * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function aesEncrypt($data)
+    {
+        if (!is_string($data)) {
+            throw new SimpleSAML_Error_Exception('Input parameter "$data" must be a string.');
+        }
+        if (!function_exists("mcrypt_encrypt")) {
+            throw new SimpleSAML_Error_Exception('The mcrypt PHP module is not loaded.');
+        }
+
+        $enc = MCRYPT_RIJNDAEL_256;
+        $mode = MCRYPT_MODE_CBC;
+
+        $blockSize = mcrypt_get_block_size($enc, $mode);
+        $ivSize = mcrypt_get_iv_size($enc, $mode);
+        $keySize = mcrypt_get_key_size($enc, $mode);
+
+        $key = hash('sha256', SimpleSAML_Utilities::getSecretSalt(), true);
+        $key = substr($key, 0, $keySize);
+
+        $len = strlen($data);
+        $numpad = $blockSize - ($len % $blockSize);
+        $data = str_pad($data, $len + $numpad, chr($numpad));
+
+        $iv = SimpleSAML_Utilities::generateRandomBytes($ivSize);
+
+        $data = mcrypt_encrypt($enc, $key, $data, $mode, $iv);
+
+        return $iv.$data;
+    }
+
     /**
      * This function hashes a password with a given algorithm.
      *
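Review bot: aesDecrypt() never checks the length of `$ciphertext` or the padding byte it reads from `$clear[$len - 1]`, and postredirect.php calls it on `$encData`, which appears to come from the RedirInfo request parameter, so a short or tampered value reaches mcrypt_decrypt() and the `substr()` padding strip with out-of-range lengths. The input should be rejected unless it is an IV plus a whole number of blocks, and the padding should be verified before it is stripped, with one uniform exception for every failure, as sketched below. That still gives no integrity, because CBC without a MAC is malleable; the fuller fix is an HMAC over IV and ciphertext, keyed separately from the encryption key and verified before decrypting, with a matching change in aesEncrypt(). Separately, `MCRYPT_RIJNDAEL_256` selects a 256-bit block and is not AES (AES is Rijndael with a 128-bit block), so the "using AES" docblocks and method names overstate what is used, and aesDecrypt()'s `@param string $data` does not match the `$ciphertext` parameter.

```php
        $ivSize = mcrypt_get_iv_size($enc, $mode);
        $blockSize = mcrypt_get_block_size($enc, $mode);
        // … unchanged: key size and key derivation …

        // Reject anything that is not an IV followed by whole cipher blocks.
        $cipherLen = strlen($ciphertext);
        if ($cipherLen < $ivSize + $blockSize || ($cipherLen - $ivSize) % $blockSize !== 0) {
            throw new SimpleSAML_Error_Exception('Invalid ciphertext.');
        }

        // … unchanged: split IV and data, mcrypt_decrypt() …

        // Verify the padding before stripping it; same error for every failure.
        $len = strlen($clear);
        $numpad = ord($clear[$len - 1]);
        if ($numpad < 1 || $numpad > $blockSize
            || substr($clear, -$numpad) !== str_repeat(chr($numpad), $numpad)
        ) {
            throw new SimpleSAML_Error_Exception('Invalid ciphertext.');
        }
        $clear = substr($clear, 0, $len - $numpad);
```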
diff --git a/modules/core/www/postredirect.php b/modules/core/www/postredirect.php
index 9180bdfc4..7614d9812 100644
--- a/modules/core/www/postredirect.php
+++ b/modules/core/www/postredirect.php
@@ -16,7 +16,7 @@ if (array_key_exists('RedirId', $_REQUEST)) {
 		throw new SimpleSAML_Error_BadRequest('Invalid RedirInfo data.');
 	}
 
-	list($sessionId, $postId) = explode(':', SimpleSAML_Utilities::aesDecrypt($encData));
+	list($sessionId, $postId) = explode(':', SimpleSAML_Utils_Crypto::aesDecrypt($encData));
 
 	if (empty($sessionId) || empty($postId)) {
 		throw new SimpleSAML_Error_BadRequest('Invalid session info data.');
-- 
GitLab