Feature: Hook up PR #2667

a43ad7bd · Gary Allan · 1395dc70 · a43ad7bd · a43ad7bd · a43ad7bd
Commit a43ad7bd authored Jul 25, 2019 by Gary Allan
--- a/api/index.php
+++ b/api/index.php
@@ -66,16 +66,11 @@ try {
 	// crypt check
 	if($app->app_security=="crypt") {
-		$api_crypt_encryption_library = Config::get('api_crypt_encryption_library') === "mcrypt" ? 'mcrypt' : 'openssl';
+		$encryption_method = Config::get('api_crypt_encryption_library', 'openssl-128-cbc');
-		// verify php extensions
-		if (!in_array($api_crypt_encryption_library, get_loaded_extensions())) {
-			$Response->throw_exception(500, 'php extension '.$api_crypt_encryption_library.' missing');
-		}
 		// decrypt request - form_encoded
 		if(strpos($_SERVER['CONTENT_TYPE'], "application/x-www-form-urlencoded")!==false) {
-			$decoded = $User->Crypto->decrypt($_GET['enc_request'], $app->app_code, $api_crypt_encryption_library);
+			$decoded = $User->Crypto->decrypt($_GET['enc_request'], $app->app_code, $encryption_method);
 			if ($decoded === false) $Response->throw_exception(503, 'Invalid enc_request');
 			$decoded = $decoded[0]=="?" ? substr($decoded, 1) : $decoded;
 			parse_str($decoded, $encrypted_params);
@@ -84,7 +79,7 @@ try {
 		}
 		// json_encoded
 		else {
-			$encrypted_params = $User->Crypto->decrypt($_GET['enc_request'], $app->app_code, $api_crypt_encryption_library);
+			$encrypted_params = $User->Crypto->decrypt($_GET['enc_request'], $app->app_code, $encryption_method);
 			if ($encrypted_params === false) $Response->throw_exception(503, 'Invalid enc_request');
 			$encrypted_params = json_decode($encrypted_params, true);
 			$encrypted_params['app_id'] = $_GET['app_id'];

--- a/config.dist.php
+++ b/config.dist.php
@@ -75,9 +75,12 @@ $config['resolve_verbose']             = true;       // verbose response - print
 $debugging = false;
 /*
- * API Crypt security provider. "mcrypt" or "openssl"
+ * API Crypt security provider. "mcrypt" or "openssl*"
+ * Supported methods:
+ *    openssl-128-cbc (alias openssl, openssl-128) *default
+ *    openssl-256-cbc (alias openssl-256)
 *
- * default as of 1.3.2 "openssl"
+ * default as of 1.3.2 "openssl-128-cbc"
 ******************************/
 // $api_crypt_encryption_library = "mcrypt";

--- a/functions/classes/class.Crypto.php
+++ b/functions/classes/class.Crypto.php
@@ -71,28 +71,65 @@ class Crypto {
     * encrypt data and base64 encode results
     * @param  string $rawdata
     * @param  string $password
-     * @param  string $encryption_library   (default value: "openssl")
+     * @param  string method   (default value: "openssl-128-cbc")
     * @return string|false
     */
-    public function encrypt($rawdata, $password, $encryption_library="openssl") {
+    public function encrypt($rawdata, $password, $method="openssl-128-cbc") {
-        if ($encryption_library === "mcrypt")
+        $method = $this->supported_methods($method);
+        if ($method === 'mcrypt')
            return $this->encrypt_using_legacy_mcrypt($rawdata, $password);
        else
-            return $this->encrypt_using_openssl($rawdata, $password, $encryption_library);
+            return $this->encrypt_using_openssl($rawdata, $password, $method);
    }
    /**
     * decrypt base64 encoded data
     * @param  string $base64data
     * @param  string $password
-     * @param  string $encryption_library   (default value: "openssl")
+     * @param  string $method   (default value: "openssl-128-cbc")
     * @return string|false
     */
-    public function decrypt($base64data, $password, $encryption_library="openssl") {
+    public function decrypt($base64data, $password, $method="openssl-128-cbc") {
-        if ($encryption_library === "mcrypt")
+        $method = $this->supported_methods($method);
+        if ($method === "mcrypt")
            return $this->decrypt_using_legacy_mcrypt($base64data, $password);
        else
-            return $this->decrypt_using_openssl($base64data, $password, $encryption_library);
+            return $this->decrypt_using_openssl($base64data, $password, $method);
+    }
+    /**
+     * Return a supported encryption method
+     * @param  string $method
+     * @return string
+     */
+    private function supported_methods($method) {
+        switch ($method) {
+            case 'mcrypt':
+                $retval = 'mcrypt';
+                break;
+            case 'openssl':
+            case 'openssl-128':
+            case 'openssl-128-cbc':
+                $retval = 'AES-128-CBC';
+                break;
+            case 'openssl-256':
+            case 'openssl-256-cbc':
+                $retval = 'AES-256-CBC';
+                break;
+            default:
+                $this->Result->show("danger", _("Error: "). _('Unsupported $api_crypt_encryption_library method: ').escape_input($method), true);
+        }
+        $required_ext = ($retval === 'mcrypt') ? 'mcrypt' : 'openssl';
+        if (!in_array($required_ext, get_loaded_extensions()))
+            $this->Result->show("danger", _("Error: "). _('php extension not installed: ').$required_ext, true);
+        return $retval;
    }
    // OpenSSL
@@ -101,12 +138,11 @@ class Crypto {
     * encrypt data and base64 encode results
     * @param  string $rawdata
     * @param  string $password
+     * @param  string $method
     * @return string|false
     */
-    private function encrypt_using_openssl($rawdata, $password, $key_size) {
+    private function encrypt_using_openssl($rawdata, $password, $method) {
-        $method = ($key_size == "openssl-256") ? 'AES-256-CBC' : 'AES-128-CBC';
+        // Binary key derived from password (32 bytes)
-        // Binary key derived from password
        $key = openssl_digest($password, 'sha256', true);
        // Encrypt using IV
        $ivlen = openssl_cipher_iv_length($method);
@@ -124,12 +160,11 @@ class Crypto {
     * decrypt base64 encoded data
     * @param  string $base64data
     * @param  string $password
+     * @param  string $method
     * @return string|false
     */
-    private function decrypt_using_openssl($base64data, $password, $key_size) {
+    private function decrypt_using_openssl($base64data, $password, $method) {
-        $method = ($key_size == "openssl-256") ? 'AES-256-CBC' : 'AES-128-CBC';
+        // Binary key derived from password (32 bytes)
-        // Binary key derived from password
        $key = openssl_digest($password, 'sha256', true);
        $c = base64_decode($base64data);