Move aesEncrypt() and aesDecrypt() in SimpleSAML_Utilities to SimpleSAML_Utils_Crypto.

Mark the old ones as deprecated and schedule them for removal in 2.0.

lib/SimpleSAML/Utilities.php

@@ -1731,7 +1731,7 @@ class SimpleSAML_Utilities {
 		$session = SimpleSAML_Session::getSessionFromRequest();
 		$session->setData('core_postdatalink', $postId, $postData);
 
-		$redirInfo = base64_encode(self::aesEncrypt($session->getSessionId() . ':' . $postId));
+		$redirInfo = base64_encode(SimpleSAML_Utils_Crypto::aesEncrypt($session->getSessionId() . ':' . $postId));
 
 		$url = SimpleSAML_Module::getModuleURL('core/postredirect.php', array('RedirInfo' => $redirInfo));
 		$url = preg_replace("#^https:#", "http:", $url);
@@ -2244,6 +2244,7 @@ class SimpleSAML_Utilities {
 	 *
 	 * @param string $clear  Data to encrypt.
 	 * @return array  The encrypted data and IV.
+     * @deprecated This function will be removed in SSP 2.0. Please use SimpleSAML_Utils_Crypto::aesEncrypt() instead.
 	 */
 	public static function aesEncrypt($clear) {
 		assert('is_string($clear)');
@@ -2280,6 +2281,7 @@ class SimpleSAML_Utilities {
 	 * @param $data  Encrypted data.
 	 * @param $iv  IV of encrypted data.
 	 * @return string  The decrypted data.
+     * @deprecated This function will be removed in SSP 2.0. Please use SimpleSAML_Utils_Crypto::aesDecrypt() instead.
 	 */
 	public static function aesDecrypt($encData) {
 		assert('is_string($encData)');

lib/SimpleSAML/Utils/Crypto.php

@@ -9,6 +9,86 @@
 class SimpleSAML_Utils_Crypto
 {
 
+    /**
+     * Decrypt data using AES and the system-wide secret salt as key.
+     *
+     * @param string $data The encrypted data to decrypt.
+     *
+     * @return string The decrypted data.
+     * @throws SimpleSAML_Error_Exception If the mcrypt module is not loaded or $ciphertext is not a string.
+     * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function aesDecrypt($ciphertext)
+    {
+        if (!is_string($ciphertext)) {
+            throw new SimpleSAML_Error_Exception('Input parameter "$ciphertext" must be a string.');
+        }
+        if (!function_exists("mcrypt_encrypt")) {
+            throw new SimpleSAML_Error_Exception("The mcrypt PHP module is not loaded.");
+        }
+
+        $enc = MCRYPT_RIJNDAEL_256;
+        $mode = MCRYPT_MODE_CBC;
+
+        $ivSize = mcrypt_get_iv_size($enc, $mode);
+        $keySize = mcrypt_get_key_size($enc, $mode);
+
+        $key = hash('sha256', SimpleSAML_Utilities::getSecretSalt(), true);
+        $key = substr($key, 0, $keySize);
+
+        $iv = substr($ciphertext, 0, $ivSize);
+        $data = substr($ciphertext, $ivSize);
+
+        $clear = mcrypt_decrypt($enc, $key, $data, $mode, $iv);
+
+        $len = strlen($clear);
+        $numpad = ord($clear[$len - 1]);
+        $clear = substr($clear, 0, $len - $numpad);
+
+        return $clear;
+    }
+
+    /**
+     * Encrypt data using AES and the system-wide secret salt as key.
+     *
+     * @param string $data The data to encrypt.
+     *
+     * @return string The encrypted data and IV.
+     * @throws SimpleSAML_Error_Exception If the mcrypt module is not loaded or $data is not a string.
+     * @author Andreas Solberg, UNINETT AS <andreas.solberg@uninett.no>
+     * @author Jaime Perez, UNINETT AS <jaime.perez@uninett.no>
+     */
+    public static function aesEncrypt($data)
+    {
+        if (!is_string($data)) {
+            throw new SimpleSAML_Error_Exception('Input parameter "$data" must be a string.');
+        }
+        if (!function_exists("mcrypt_encrypt")) {
+            throw new SimpleSAML_Error_Exception('The mcrypt PHP module is not loaded.');
+        }
+
+        $enc = MCRYPT_RIJNDAEL_256;
+        $mode = MCRYPT_MODE_CBC;
+
+        $blockSize = mcrypt_get_block_size($enc, $mode);
+        $ivSize = mcrypt_get_iv_size($enc, $mode);
+        $keySize = mcrypt_get_key_size($enc, $mode);
+
+        $key = hash('sha256', SimpleSAML_Utilities::getSecretSalt(), true);
+        $key = substr($key, 0, $keySize);
+
+        $len = strlen($data);
+        $numpad = $blockSize - ($len % $blockSize);
+        $data = str_pad($data, $len + $numpad, chr($numpad));
+
+        $iv = SimpleSAML_Utilities::generateRandomBytes($ivSize);
+
+        $data = mcrypt_encrypt($enc, $key, $data, $mode, $iv);
+
+        return $iv.$data;
+    }
+
     /**
      * This function hashes a password with a given algorithm.
      *

modules/core/www/postredirect.php

@@ -16,7 +16,7 @@ if (array_key_exists('RedirId', $_REQUEST)) {
 		throw new SimpleSAML_Error_BadRequest('Invalid RedirInfo data.');
 	}
 
-	list($sessionId, $postId) = explode(':', SimpleSAML_Utilities::aesDecrypt($encData));
+	list($sessionId, $postId) = explode(':', SimpleSAML_Utils_Crypto::aesDecrypt($encData));
 
 	if (empty($sessionId) || empty($postId)) {
 		throw new SimpleSAML_Error_BadRequest('Invalid session info data.');