diff options
Diffstat (limited to 'srcs/phpmyadmin/libraries/classes/Plugins/Auth')
4 files changed, 1632 insertions, 0 deletions
diff --git a/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationConfig.php b/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationConfig.php new file mode 100644 index 0000000..7ebd1ae --- /dev/null +++ b/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationConfig.php @@ -0,0 +1,172 @@ +<?php +/* vim: set expandtab sw=4 ts=4 sts=4: */ +/** + * Config Authentication plugin for phpMyAdmin + * + * @package PhpMyAdmin-Authentication + * @subpackage Config + */ +declare(strict_types=1); + +namespace PhpMyAdmin\Plugins\Auth; + +use PhpMyAdmin\Plugins\AuthenticationPlugin; +use PhpMyAdmin\Response; +use PhpMyAdmin\Server\Select; +use PhpMyAdmin\Url; +use PhpMyAdmin\Util; + +/** + * Handles the config authentication method + * + * @package PhpMyAdmin-Authentication + */ +class AuthenticationConfig extends AuthenticationPlugin +{ + /** + * Displays authentication form + * + * @return boolean always true + */ + public function showLoginForm() + { + $response = Response::getInstance(); + if ($response->isAjax()) { + $response->setRequestStatus(false); + // reload_flag removes the token parameter from the URL and reloads + $response->addJSON('reload_flag', '1'); + if (defined('TESTSUITE')) { + return true; + } else { + exit; + } + } + + return true; + } + + /** + * Gets authentication credentials + * + * @return boolean always true + */ + public function readCredentials() + { + if ($GLOBALS['token_provided'] && $GLOBALS['token_mismatch']) { + return false; + } + + $this->user = $GLOBALS['cfg']['Server']['user']; + $this->password = $GLOBALS['cfg']['Server']['password']; + + return true; + } + + /** + * User is not allowed to login to MySQL -> authentication failed + * + * @param string $failure String describing why authentication has failed + * + * @return void + */ + public function showFailure($failure) + { + parent::showFailure($failure); + $conn_error = $GLOBALS['dbi']->getError(); + if (! $conn_error) { + $conn_error = __('Cannot connect: invalid settings.'); + } + + /* HTML header */ + $response = Response::getInstance(); + $response->getFooter() + ->setMinimal(); + $header = $response->getHeader(); + $header->setBodyId('loginform'); + $header->setTitle(__('Access denied!')); + $header->disableMenuAndConsole(); + echo '<br><br> + <center> + <h1>'; + echo sprintf(__('Welcome to %s'), ' phpMyAdmin '); + echo '</h1> + </center> + <br> + <table cellpadding="0" cellspacing="3" class= "auth_config_tbl" width="80%"> + <tr> + <td>'; + if (isset($GLOBALS['allowDeny_forbidden']) + && $GLOBALS['allowDeny_forbidden'] + ) { + trigger_error(__('Access denied!'), E_USER_NOTICE); + } else { + // Check whether user has configured something + if ($GLOBALS['PMA_Config']->source_mtime == 0) { + echo '<p>' , sprintf( + __( + 'You probably did not create a configuration file.' + . ' You might want to use the %1$ssetup script%2$s to' + . ' create one.' + ), + '<a href="setup/">', + '</a>' + ) , '</p>' , "\n"; + } elseif (! isset($GLOBALS['errno']) + || (isset($GLOBALS['errno']) && $GLOBALS['errno'] != 2002) + && $GLOBALS['errno'] != 2003 + ) { + // if we display the "Server not responding" error, do not confuse + // users by telling them they have a settings problem + // (note: it's true that they could have a badly typed host name, + // but anyway the current message tells that the server + // rejected the connection, which is not really what happened) + // 2002 is the error given by mysqli + // 2003 is the error given by mysql + trigger_error( + __( + 'phpMyAdmin tried to connect to the MySQL server, and the' + . ' server rejected the connection. You should check the' + . ' host, username and password in your configuration and' + . ' make sure that they correspond to the information given' + . ' by the administrator of the MySQL server.' + ), + E_USER_WARNING + ); + } + echo Util::mysqlDie( + $conn_error, + '', + true, + '', + false + ); + } + $GLOBALS['error_handler']->dispUserErrors(); + echo '</td> + </tr> + <tr> + <td>' , "\n"; + echo '<a href="' + , Util::getScriptNameForOption( + $GLOBALS['cfg']['DefaultTabServer'], + 'server' + ) + , Url::getCommon() , '" class="button disableAjax">' + , __('Retry to connect') + , '</a>' , "\n"; + echo '</td> + </tr>' , "\n"; + if (count($GLOBALS['cfg']['Servers']) > 1) { + // offer a chance to login to other servers if the current one failed + echo '<tr>' , "\n"; + echo ' <td>' , "\n"; + echo Select::render(true, true); + echo ' </td>' , "\n"; + echo '</tr>' , "\n"; + } + echo '</table>' , "\n"; + if (! defined('TESTSUITE')) { + exit; + } + } +} diff --git a/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php new file mode 100644 index 0000000..7a794d0 --- /dev/null +++ b/srcs/phpmyadmin/libraries/classes/Plugins/Auth/AuthenticationCookie.php @@ -0,0 +1,964 @@ +<?php +/* vim: set expandtab sw=4 ts=4 sts=4: */ +/** + * Cookie Authentication plugin for phpMyAdmin + * + * @package PhpMyAdmin-Authentication + * @subpackage Cookie + */ +declare(strict_types=1); + +namespace PhpMyAdmin\Plugins\Auth; + +use PhpMyAdmin\Config; +use PhpMyAdmin\Core; +use PhpMyAdmin\LanguageManager; +use PhpMyAdmin\Message; +use PhpMyAdmin\Plugins\AuthenticationPlugin; +use PhpMyAdmin\Response; +use PhpMyAdmin\Server\Select; +use PhpMyAdmin\Session; +use PhpMyAdmin\Template; +use PhpMyAdmin\Url; +use PhpMyAdmin\Util; +use phpseclib\Crypt; +use phpseclib\Crypt\Random; +use ReCaptcha; + +/** + * Remember where to redirect the user + * in case of an expired session. + */ +if (! empty($_REQUEST['target'])) { + $GLOBALS['target'] = $_REQUEST['target']; +} elseif (Core::getenv('SCRIPT_NAME')) { + $GLOBALS['target'] = basename(Core::getenv('SCRIPT_NAME')); +} + +/** + * Handles the cookie authentication method + * + * @package PhpMyAdmin-Authentication + */ +class AuthenticationCookie extends AuthenticationPlugin +{ + /** + * IV for encryption + */ + private $_cookie_iv = null; + + /** + * Whether to use OpenSSL directly + */ + private $_use_openssl; + + /** + * Constructor + */ + public function __construct() + { + parent::__construct(); + $this->_use_openssl = ! class_exists(Random::class); + } + + /** + * Forces (not)using of openSSL + * + * @param boolean $use The flag + * + * @return void + */ + public function setUseOpenSSL($use) + { + $this->_use_openssl = $use; + } + + /** + * Displays authentication form + * + * this function MUST exit/quit the application + * + * @global string $conn_error the last connection error + * + * @return boolean|void + */ + public function showLoginForm() + { + global $conn_error; + + $response = Response::getInstance(); + + // When sending login modal after session has expired, send the new token explicitly with the response to update the token in all the forms having a hidden token. + $session_expired = isset($_REQUEST['check_timeout']) || isset($_REQUEST['session_timedout']); + if (! $session_expired && $response->loginPage()) { + if (defined('TESTSUITE')) { + return true; + } else { + exit; + } + } + + // When sending login modal after session has expired, send the new token explicitly with the response to update the token in all the forms having a hidden token. + if ($session_expired) { + $response->setRequestStatus(false); + $response->addJSON( + 'new_token', + $_SESSION[' PMA_token '] + ); + } + + // logged_in response parameter is used to check if the login, using the modal was successful after session expiration + if (isset($_REQUEST['session_timedout'])) { + $response->addJSON( + 'logged_in', + 0 + ); + } + + // No recall if blowfish secret is not configured as it would produce + // garbage + if ($GLOBALS['cfg']['LoginCookieRecall'] + && ! empty($GLOBALS['cfg']['blowfish_secret']) + ) { + $default_user = $this->user; + $default_server = $GLOBALS['pma_auth_server']; + $autocomplete = ''; + } else { + $default_user = ''; + $default_server = ''; + // skip the IE autocomplete feature. + $autocomplete = ' autocomplete="off"'; + } + + // wrap the login form in a div which overlays the whole page. + if ($session_expired) { + echo $this->template->render('login/header', [ + 'theme' => $GLOBALS['PMA_Theme'], + 'add_class' => ' modal_form', + 'session_expired' => 1, + ]); + } else { + echo $this->template->render('login/header', [ + 'theme' => $GLOBALS['PMA_Theme'], + 'add_class' => '', + 'session_expired' => 0, + ]); + } + + if ($GLOBALS['cfg']['DBG']['demo']) { + echo '<fieldset>'; + echo '<legend>' , __('phpMyAdmin Demo Server') , '</legend>'; + printf( + __( + 'You are using the demo server. You can do anything here, but ' + . 'please do not change root, debian-sys-maint and pma users. ' + . 'More information is available at %s.' + ), + '<a href="url.php?url=https://demo.phpmyadmin.net/" target="_blank" rel="noopener noreferrer">demo.phpmyadmin.net</a>' + ); + echo '</fieldset>'; + } + + // Show error message + if (! empty($conn_error)) { + Message::rawError((string) $conn_error)->display(); + } elseif (isset($_GET['session_expired']) + && intval($_GET['session_expired']) == 1 + ) { + Message::rawError( + __('Your session has expired. Please log in again.') + )->display(); + } + + // Displays the languages form + $language_manager = LanguageManager::getInstance(); + if (empty($GLOBALS['cfg']['Lang']) && $language_manager->hasChoice()) { + echo "<div class='hide js-show'>"; + // use fieldset, don't show doc link + echo $language_manager->getSelectorDisplay(new Template(), true, false); + echo '</div>'; + } + echo ' + <br> + <!-- Login form --> + <form method="post" id="login_form" action="index.php" name="login_form"' , $autocomplete , + ' class="' . ($session_expired ? "" : "disableAjax hide ") . 'login js-show"> + <fieldset> + <legend>'; + echo '<input type="hidden" name="set_session" value="', htmlspecialchars(session_id()), '">'; + + // Add a hidden element session_timedout which is used to check if the user requested login after session expiration + if ($session_expired) { + echo '<input type="hidden" name="session_timedout" value="1">'; + } + echo __('Log in'); + echo Util::showDocu('index'); + echo '</legend>'; + if ($GLOBALS['cfg']['AllowArbitraryServer']) { + echo ' + <div class="item"> + <label for="input_servername" title="'; + echo __( + 'You can enter hostname/IP address and port separated by space.' + ); + echo '">'; + echo __('Server:'); + echo '</label> + <input type="text" name="pma_servername" id="input_servername"'; + echo ' value="'; + echo htmlspecialchars($default_server); + echo '" size="24" class="textfield" title="'; + echo __( + 'You can enter hostname/IP address and port separated by space.' + ); echo '"> + </div>'; + } + echo '<div class="item"> + <label for="input_username">' , __('Username:') , '</label> + <input type="text" name="pma_username" id="input_username" ' + , 'value="' , htmlspecialchars($default_user) , '" size="24"' + , ' class="textfield"> + </div> + <div class="item"> + <label for="input_password">' , __('Password:') , '</label> + <input type="password" name="pma_password" id="input_password"' + , ' value="" size="24" class="textfield"> + </div>'; + if (count($GLOBALS['cfg']['Servers']) > 1) { + echo '<div class="item"> + <label for="select_server">' . __('Server Choice:') . '</label> + <select name="server" id="select_server"'; + if ($GLOBALS['cfg']['AllowArbitraryServer']) { + echo ' onchange="document.forms[\'login_form\'].' + , 'elements[\'pma_servername\'].value = \'\'" '; + } + echo '>'; + echo Select::render(false, false); + echo '</select></div>'; + } else { + echo ' <input type="hidden" name="server" value="' + , $GLOBALS['server'] , '">'; + } // end if (server choice) + + echo '</fieldset><fieldset class="tblFooters">'; + + // binds input field with invisible reCaptcha if enabled + if (empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) + && empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) + ) { + echo '<input class="btn btn-primary" value="' , __('Go') , '" type="submit" id="input_go">'; + } else { + echo '<script src="https://www.google.com/recaptcha/api.js?hl=' + , $GLOBALS['lang'] , '" async defer></script>'; + echo '<input class="btn btn-primary g-recaptcha" data-sitekey="' + , htmlspecialchars($GLOBALS['cfg']['CaptchaLoginPublicKey']),'"' + . ' data-callback="Functions_recaptchaCallback" value="' , __('Go') , '" type="submit" id="input_go">'; + } + $_form_params = []; + if (! empty($GLOBALS['target'])) { + $_form_params['target'] = $GLOBALS['target']; + } + if (strlen($GLOBALS['db'])) { + $_form_params['db'] = $GLOBALS['db']; + } + if (strlen($GLOBALS['table'])) { + $_form_params['table'] = $GLOBALS['table']; + } + // do not generate a "server" hidden field as we want the "server" + // drop-down to have priority + echo Url::getHiddenInputs($_form_params, '', 0, 'server'); + echo '</fieldset> + </form>'; + + if ($GLOBALS['error_handler']->hasDisplayErrors()) { + echo '<div id="pma_errors">'; + $GLOBALS['error_handler']->dispErrors(); + echo '</div>'; + } + + // close the wrapping div tag, if the request is after session timeout + if ($session_expired) { + echo $this->template->render('login/footer', ['session_expired' => 1]); + } else { + echo $this->template->render('login/footer', ['session_expired' => 0]); + } + + echo Config::renderFooter(); + + if (! defined('TESTSUITE')) { + exit; + } else { + return true; + } + } + + /** + * Gets authentication credentials + * + * this function DOES NOT check authentication - it just checks/provides + * authentication credentials required to connect to the MySQL server + * usually with $GLOBALS['dbi']->connect() + * + * it returns false if something is missing - which usually leads to + * showLoginForm() which displays login form + * + * it returns true if all seems ok which usually leads to auth_set_user() + * + * it directly switches to showFailure() if user inactivity timeout is reached + * + * @return boolean whether we get authentication settings or not + */ + public function readCredentials() + { + global $conn_error; + + // Initialization + /** + * @global $GLOBALS['pma_auth_server'] the user provided server to + * connect to + */ + $GLOBALS['pma_auth_server'] = ''; + + $this->user = $this->password = ''; + $GLOBALS['from_cookie'] = false; + + if (isset($_POST['pma_username']) && strlen($_POST['pma_username']) > 0) { + // Verify Captcha if it is required. + if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) + && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) + ) { + if (! empty($_POST["g-recaptcha-response"])) { + if (function_exists('curl_init')) { + $reCaptcha = new ReCaptcha\ReCaptcha( + $GLOBALS['cfg']['CaptchaLoginPrivateKey'], + new ReCaptcha\RequestMethod\CurlPost() + ); + } elseif (ini_get('allow_url_fopen')) { + $reCaptcha = new ReCaptcha\ReCaptcha( + $GLOBALS['cfg']['CaptchaLoginPrivateKey'], + new ReCaptcha\RequestMethod\Post() + ); + } else { + $reCaptcha = new ReCaptcha\ReCaptcha( + $GLOBALS['cfg']['CaptchaLoginPrivateKey'], + new ReCaptcha\RequestMethod\SocketPost() + ); + } + + // verify captcha status. + $resp = $reCaptcha->verify( + $_POST["g-recaptcha-response"], + Core::getIp() + ); + + // Check if the captcha entered is valid, if not stop the login. + if ($resp == null || ! $resp->isSuccess()) { + $codes = $resp->getErrorCodes(); + + if (in_array('invalid-json', $codes)) { + $conn_error = __('Failed to connect to the reCAPTCHA service!'); + } else { + $conn_error = __('Entered captcha is wrong, try again!'); + } + return false; + } + } else { + $conn_error = __('Missing reCAPTCHA verification, maybe it has been blocked by adblock?'); + return false; + } + } + + // The user just logged in + $this->user = Core::sanitizeMySQLUser($_POST['pma_username']); + $this->password = isset($_POST['pma_password']) ? $_POST['pma_password'] : ''; + if ($GLOBALS['cfg']['AllowArbitraryServer'] + && isset($_REQUEST['pma_servername']) + ) { + if ($GLOBALS['cfg']['ArbitraryServerRegexp']) { + $parts = explode(' ', $_REQUEST['pma_servername']); + if (count($parts) === 2) { + $tmp_host = $parts[0]; + } else { + $tmp_host = $_REQUEST['pma_servername']; + } + + $match = preg_match( + $GLOBALS['cfg']['ArbitraryServerRegexp'], + $tmp_host + ); + if (! $match) { + $conn_error = __( + 'You are not allowed to log in to this MySQL server!' + ); + return false; + } + } + $GLOBALS['pma_auth_server'] = Core::sanitizeMySQLHost($_REQUEST['pma_servername']); + } + /* Secure current session on login to avoid session fixation */ + Session::secure(); + return true; + } + + // At the end, try to set the $this->user + // and $this->password variables from cookies + + // check cookies + $serverCookie = $GLOBALS['PMA_Config']->getCookie('pmaUser-' . $GLOBALS['server']); + if (empty($serverCookie)) { + return false; + } + + $value = $this->cookieDecrypt( + $serverCookie, + $this->_getEncryptionSecret() + ); + + if ($value === false) { + return false; + } + + $this->user = $value; + // user was never logged in since session start + if (empty($_SESSION['browser_access_time'])) { + return false; + } + + // User inactive too long + $last_access_time = time() - $GLOBALS['cfg']['LoginCookieValidity']; + foreach ($_SESSION['browser_access_time'] as $key => $value) { + if ($value < $last_access_time) { + unset($_SESSION['browser_access_time'][$key]); + } + } + // All sessions expired + if (empty($_SESSION['browser_access_time'])) { + Util::cacheUnset('is_create_db_priv'); + Util::cacheUnset('is_reload_priv'); + Util::cacheUnset('db_to_create'); + Util::cacheUnset('dbs_where_create_table_allowed'); + Util::cacheUnset('dbs_to_test'); + Util::cacheUnset('db_priv'); + Util::cacheUnset('col_priv'); + Util::cacheUnset('table_priv'); + Util::cacheUnset('proc_priv'); + + $this->showFailure('no-activity'); + if (! defined('TESTSUITE')) { + exit; + } else { + return false; + } + } + + // check password cookie + $serverCookie = $GLOBALS['PMA_Config']->getCookie('pmaAuth-' . $GLOBALS['server']); + + if (empty($serverCookie)) { + return false; + } + $value = $this->cookieDecrypt( + $serverCookie, + $this->_getSessionEncryptionSecret() + ); + if ($value === false) { + return false; + } + + $auth_data = json_decode($value, true); + + if (! is_array($auth_data) || ! isset($auth_data['password'])) { + return false; + } + $this->password = $auth_data['password']; + if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($auth_data['server'])) { + $GLOBALS['pma_auth_server'] = $auth_data['server']; + } + + $GLOBALS['from_cookie'] = true; + + return true; + } + + /** + * Set the user and password after last checkings if required + * + * @return boolean always true + */ + public function storeCredentials() + { + global $cfg; + + if ($GLOBALS['cfg']['AllowArbitraryServer'] + && ! empty($GLOBALS['pma_auth_server']) + ) { + /* Allow to specify 'host port' */ + $parts = explode(' ', $GLOBALS['pma_auth_server']); + if (count($parts) === 2) { + $tmp_host = $parts[0]; + $tmp_port = $parts[1]; + } else { + $tmp_host = $GLOBALS['pma_auth_server']; + $tmp_port = ''; + } + if ($cfg['Server']['host'] != $GLOBALS['pma_auth_server']) { + $cfg['Server']['host'] = $tmp_host; + if (! empty($tmp_port)) { + $cfg['Server']['port'] = $tmp_port; + } + } + unset($tmp_host, $tmp_port, $parts); + } + + return parent::storeCredentials(); + } + + /** + * Stores user credentials after successful login. + * + * @return void|bool + */ + public function rememberCredentials() + { + // Name and password cookies need to be refreshed each time + // Duration = one month for username + + $this->storeUsernameCookie($this->user); + + // Duration = as configured + // Do not store password cookie on password change as we will + // set the cookie again after password has been changed + if (! isset($_POST['change_pw'])) { + $this->storePasswordCookie($this->password); + } + // URL where to go: + $redirect_url = './index.php'; + + // any parameters to pass? + $url_params = []; + if (strlen($GLOBALS['db']) > 0) { + $url_params['db'] = $GLOBALS['db']; + } + if (strlen($GLOBALS['table']) > 0) { + $url_params['table'] = $GLOBALS['table']; + } + // any target to pass? + if (! empty($GLOBALS['target']) + && $GLOBALS['target'] != 'index.php' + ) { + $url_params['target'] = $GLOBALS['target']; + } + + // user logged in successfully after session expiration + if (isset($_REQUEST['session_timedout'])) { + $response = Response::getInstance(); + $response->addJSON( + 'logged_in', + 1 + ); + $response->addJSON( + 'success', + 1 + ); + $response->addJSON( + 'new_token', + $_SESSION[' PMA_token '] + ); + + if (! defined('TESTSUITE')) { + exit; + } else { + return false; + } + } + // Set server cookies if required (once per session) and, in this case, + // force reload to ensure the client accepts cookies + if (! $GLOBALS['from_cookie']) { + + /** + * Clear user cache. + */ + Util::clearUserCache(); + + Response::getInstance() + ->disable(); + + Core::sendHeaderLocation( + $redirect_url . Url::getCommonRaw($url_params), + true + ); + if (! defined('TESTSUITE')) { + exit; + } else { + return false; + } + } // end if + + return true; + } + + /** + * Stores username in a cookie. + * + * @param string $username User name + * + * @return void + */ + public function storeUsernameCookie($username) + { + // Name and password cookies need to be refreshed each time + // Duration = one month for username + $GLOBALS['PMA_Config']->setCookie( + 'pmaUser-' . $GLOBALS['server'], + $this->cookieEncrypt( + $username, + $this->_getEncryptionSecret() + ) + ); + } + + /** + * Stores password in a cookie. + * + * @param string $password Password + * + * @return void + */ + public function storePasswordCookie($password) + { + $payload = ['password' => $password]; + if ($GLOBALS['cfg']['AllowArbitraryServer'] && ! empty($GLOBALS['pma_auth_server'])) { + $payload['server'] = $GLOBALS['pma_auth_server']; + } + // Duration = as configured + $GLOBALS['PMA_Config']->setCookie( + 'pmaAuth-' . $GLOBALS['server'], + $this->cookieEncrypt( + json_encode($payload), + $this->_getSessionEncryptionSecret() + ), + null, + (int) $GLOBALS['cfg']['LoginCookieStore'] + ); + } + + /** + * User is not allowed to login to MySQL -> authentication failed + * + * prepares error message and switches to showLoginForm() which display the error + * and the login form + * + * this function MUST exit/quit the application, + * currently done by call to showLoginForm() + * + * @param string $failure String describing why authentication has failed + * + * @return void + */ + public function showFailure($failure) + { + global $conn_error; + + parent::showFailure($failure); + + // Deletes password cookie and displays the login form + $GLOBALS['PMA_Config']->removeCookie('pmaAuth-' . $GLOBALS['server']); + + $conn_error = $this->getErrorMessage($failure); + + $response = Response::getInstance(); + + // needed for PHP-CGI (not need for FastCGI or mod-php) + $response->header('Cache-Control: no-store, no-cache, must-revalidate'); + $response->header('Pragma: no-cache'); + + $this->showLoginForm(); + } + + /** + * Returns blowfish secret or generates one if needed. + * + * @return string + */ + private function _getEncryptionSecret() + { + if (empty($GLOBALS['cfg']['blowfish_secret'])) { + return $this->_getSessionEncryptionSecret(); + } + + return $GLOBALS['cfg']['blowfish_secret']; + } + + /** + * Returns blowfish secret or generates one if needed. + * + * @return string + */ + private function _getSessionEncryptionSecret() + { + if (empty($_SESSION['encryption_key'])) { + if ($this->_use_openssl) { + $_SESSION['encryption_key'] = openssl_random_pseudo_bytes(32); + } else { + $_SESSION['encryption_key'] = Crypt\Random::string(32); + } + } + return $_SESSION['encryption_key']; + } + + /** + * Concatenates secret in order to make it 16 bytes log + * + * This doesn't add any security, just ensures the secret + * is long enough by copying it. + * + * @param string $secret Original secret + * + * @return string + */ + public function enlargeSecret($secret) + { + while (strlen($secret) < 16) { + $secret .= $secret; + } + return substr($secret, 0, 16); + } + + /** + * Derives MAC secret from encryption secret. + * + * @param string $secret the secret + * + * @return string the MAC secret + */ + public function getMACSecret($secret) + { + // Grab first part, up to 16 chars + // The MAC and AES secrets can overlap if original secret is short + $length = strlen($secret); + if ($length > 16) { + return substr($secret, 0, 16); + } + return $this->enlargeSecret( + $length == 1 ? $secret : substr($secret, 0, -1) + ); + } + + /** + * Derives AES secret from encryption secret. + * + * @param string $secret the secret + * + * @return string the AES secret + */ + public function getAESSecret($secret) + { + // Grab second part, up to 16 chars + // The MAC and AES secrets can overlap if original secret is short + $length = strlen($secret); + if ($length > 16) { + return substr($secret, -16); + } + return $this->enlargeSecret( + $length == 1 ? $secret : substr($secret, 1) + ); + } + + /** + * Cleans any SSL errors + * + * This can happen from corrupted cookies, by invalid encryption + * parameters used in older phpMyAdmin versions or by wrong openSSL + * configuration. + * + * In neither case the error is useful to user, but we need to clear + * the error buffer as otherwise the errors would pop up later, for + * example during MySQL SSL setup. + * + * @return void + */ + public function cleanSSLErrors() + { + if (function_exists('openssl_error_string')) { + do { + $hasSslErrors = openssl_error_string(); + } while ($hasSslErrors !== false); + } + } + + /** + * Encryption using openssl's AES or phpseclib's AES + * (phpseclib uses mcrypt when it is available) + * + * @param string $data original data + * @param string $secret the secret + * + * @return string the encrypted result + */ + public function cookieEncrypt($data, $secret) + { + $mac_secret = $this->getMACSecret($secret); + $aes_secret = $this->getAESSecret($secret); + $iv = $this->createIV(); + if ($this->_use_openssl) { + $result = openssl_encrypt( + $data, + 'AES-128-CBC', + $aes_secret, + 0, + $iv + ); + } else { + $cipher = new Crypt\AES(Crypt\Base::MODE_CBC); + $cipher->setIV($iv); + $cipher->setKey($aes_secret); + $result = base64_encode($cipher->encrypt($data)); + } + $this->cleanSSLErrors(); + $iv = base64_encode($iv); + return json_encode( + [ |