Use salt to encrypt the website check password #297

Pavel Dvořák 2016-05-22 00:28:55 +02:00 committed by Samuel Denis-D'Ortun
parent 4d480fe2c3
commit 24d7fee63e
4 changed files with 44 additions and 28 deletions


@ -624,18 +624,20 @@ function psm_no_cache() {
/** /**
* Encrypts the password for storage in the database * Encrypts the password for storage in the database
* *
* @param string $key
* @param string $password * @param string $password
* @return string * @return string
* @author Pavel Laupe Dvorak <pavel@pavel-dvorak.cz> * @author Pavel Laupe Dvorak <pavel@pavel-dvorak.cz>
*/ */
function psm_password_encrypt($password) function psm_password_encrypt($key, $password)
{ {
if(empty($password)) if(empty($password))
return ''; return '';
$key = psm_get_conf('password_encrypt_key'); if (empty($key))
throw new \InvalidArgumentException('invalid_encryption_key');
$iv = mcrypt_create_iv( $iv = mcrypt_create_iv(
mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC),
MCRYPT_DEV_URANDOM MCRYPT_DEV_URANDOM
); );
@ -657,17 +659,19 @@ function psm_password_encrypt($password)
/** /**
* Decrypts password stored in the database for future use * Decrypts password stored in the database for future use
* *
* @param string $key
* @param string $encryptedString * @param string $encryptedString
* @return string * @return string
* @author Pavel Laupe Dvorak <pavel@pavel-dvorak.cz> * @author Pavel Laupe Dvorak <pavel@pavel-dvorak.cz>
*/ */
function psm_password_decrypt($encryptedString) function psm_password_decrypt($key, $encryptedString)
{ {
if(empty($encryptedString)) if(empty($encryptedString))
return ''; return '';
$key = psm_get_conf('password_encrypt_key'); if (empty($key))
throw new \InvalidArgumentException('invalid_encryption_key');
$data = base64_decode($encryptedString); $data = base64_decode($encryptedString);
$iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC)); $iv = substr($data, 0, mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC));
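Review bot: The new `if (empty($key))` guard in psm_password_encrypt and psm_password_decrypt cannot detect a missing `password_encrypt_key`, because every caller in this commit passes `$this->server_id . psm_get_conf('password_encrypt_key')`, which is still a non-empty string (just the server id) when the configured secret is unset. In that case the stored password would be protected only by a value that is not secret, so the configured key should be validated on its own before the server id is prepended, or passed as a separate argument. The docblocks should also say what `$key` is and that the functions throw, e.g. `@param string $key server id followed by the configured password_encrypt_key` and `@throws \InvalidArgumentException if $key is empty`. Both function bodies continue past the end of their hunks, so how `$key` is turned into the cipher key is not visible here.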


@ -126,7 +126,7 @@ $sm_lang = array(
'website_username' => 'Uživatelské jméno', 'website_username' => 'Uživatelské jméno',
'website_username_description' => 'Uživatelské jméno pro přístup na stránku. (Pouze Apache autorizace je podporovaná.)', 'website_username_description' => 'Uživatelské jméno pro přístup na stránku. (Pouze Apache autorizace je podporovaná.)',
'website_password' => 'Heslo', 'website_password' => 'Heslo',
'website_password_description' => 'Heslo pro přístup na stránku. Heslo je v databázi šifrované a NENÍ uloženo v čistém textu.', 'website_password_description' => 'Heslo pro přístup na stránku. Heslo je v databázi šifrované.',
'fieldset_monitoring' => 'Monitoring', 'fieldset_monitoring' => 'Monitoring',
'fieldset_permissions' => 'Oprávnění', 'fieldset_permissions' => 'Oprávnění',
'port' => 'Port', 'port' => 'Port',


@ -229,33 +229,28 @@ class ServerController extends AbstractServerController {
* Executes the saving of one of the servers * Executes the saving of one of the servers
*/ */
protected function executeSave() { protected function executeSave() {
if(empty($_POST)) { if (empty($_POST)) {
// dont process anything if no data has been posted // dont process anything if no data has been posted
return $this->executeIndex(); return $this->executeIndex();
} }
$encrypted_password = ''; $encrypted_password = '';
if(!empty($_POST['website_password'])) if ( !empty( $_POST['website_password'] )) {
{
$new_password = psm_POST('website_password'); $new_password = psm_POST('website_password');
if($this->server_id > 0)
{
$edit_server = $this->getServers($this->server_id);
$hash = sha1($edit_server['website_password']);
if($new_password == $hash) if ($this->server_id > 0) {
{ $edit_server = $this->getServers($this->server_id);
$hash = sha1($edit_server['website_password']);
if ($new_password == $hash) {
$encrypted_password = $edit_server['website_password']; $encrypted_password = $edit_server['website_password'];
} else {
$encrypted_password = psm_password_encrypt($this->server_id . psm_get_conf('password_encrypt_key'), $new_password);
} }
else } else {
{ // We need the server id to encrypt the password. Encryption will be done after the server is added
$encrypted_password = psm_password_encrypt( $new_password); $encrypted_password = '';
}
}
else
{
$encrypted_password = psm_password_encrypt($new_password);
} }
} }
@ -264,7 +259,7 @@ class ServerController extends AbstractServerController {
'ip' => trim(strip_tags(psm_POST('ip', ''))), 'ip' => trim(strip_tags(psm_POST('ip', ''))),
'timeout' => (isset($_POST['timeout']) && intval($_POST['timeout']) > 0) ? intval($_POST['timeout']) : null, 'timeout' => (isset($_POST['timeout']) && intval($_POST['timeout']) > 0) ? intval($_POST['timeout']) : null,
'website_username' => psm_POST('website_username', null), 'website_username' => psm_POST('website_username', null),
'website_password' => $encrypted_password, 'website_password' => $encrypted_password,
'port' => intval(psm_POST('port', 0)), 'port' => intval(psm_POST('port', 0)),
'type' => psm_POST('type', ''), 'type' => psm_POST('type', ''),
'pattern' => psm_POST('pattern', ''), 'pattern' => psm_POST('pattern', ''),
@ -308,6 +303,23 @@ class ServerController extends AbstractServerController {
// add // add
$clean['status'] = 'on'; $clean['status'] = 'on';
$this->server_id = $this->db->save(PSM_DB_PREFIX.'servers', $clean); $this->server_id = $this->db->save(PSM_DB_PREFIX.'servers', $clean);
// server has been added, re-encrypt
if (!empty($_POST['website_password'])) {
$cleanWebsitePassword = array(
'website_password' => psm_password_encrypt(
$this->server_id . psm_get_conf('password_encrypt_key'),
psm_POST('website_password')
),
);
$this->db->save(
PSM_DB_PREFIX . 'servers',
$cleanWebsitePassword,
array('server_id' => $this->server_id)
);
}
$this->addMessage(psm_get_lang('servers', 'inserted'), 'success'); $this->addMessage(psm_get_lang('servers', 'inserted'), 'success');
} }
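Review bot: Passwords already stored under the old key (`password_encrypt_key` alone) are not migrated by anything visible in this commit: the unchanged-password branch keeps `$edit_server['website_password']` exactly as stored, while StatusUpdater now decrypts with the server-id-prefixed key, so existing rows would presumably stop decrypting correctly until each password is re-entered. An upgrade step that decrypts with the old key and re-encrypts with `$server_id . psm_get_conf('password_encrypt_key')` would cover this, unless one exists outside the four files changed here. Separately, the sentinel check `if ($new_password == $hash)` compares two hex strings loosely and should be `if ($new_password === $hash)` so that numeric-looking digests cannot compare equal. executeSave starts and ends outside these hunks.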


@ -180,7 +180,7 @@ class StatusUpdater {
$this->server['timeout'], $this->server['timeout'],
true, true,
$this->server['website_username'], $this->server['website_username'],
psm_password_decrypt($this->server['website_password']) psm_password_decrypt($this->server['server_id'] . psm_get_conf('password_encrypt_key'), $this->server['website_password'])
); );
$this->rtime = (microtime(true) - $starttime); $this->rtime = (microtime(true) - $starttime);