Merge pull request from GHSA-7xwm-4vjr-jvqh

* Deprecate GLPIKEY usage CVE-2020-5248 Deprecate GLPIKEY usage, and replace it with key file per instance. Add a command to generate new key, and update database. Add plugins hooks to rgister fields or configuration entries to be handled when updating db. * Rely on sodium compat for encryption/decryption New name for key file, handle migration Add not required sodium extension Deprecate, fill changelog, drop old keyfile Key must be generated from dedicated method
glpi-project · May 6, 2020 · f1ae6c8 · f1ae6c8
1 parent 8d48dc4
commit f1ae6c8
Show file tree

Hide file tree

Showing 26 changed files with 789 additions and 72 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 /config/config_db*
+/config/glpi.key
+/config/glpicrypt.key
 /config/local_define.php
 /tests/config_db*
 /marketplace/

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ The present file will list all changes made to the project; according to the
 
 - PHP error_reporting and display_errors configuration directives are no longer overrided by GLPI, unless in debug mode (which forces reporting and display of all errors).
 - `scripts/migrations/racks_plugin.php` has been replaced by `glpi:migration:racks_plugin_to_core` command available using `bin/console`
+- Encryption alogithm improved using libsodium
 
 ### API changes
 
@@ -114,6 +115,8 @@ The present file will list all changes made to the project; according to the
 - `ProjectCost::cloneProject()`
 - `ProjectTeam::cloneProjectTask()`
 - `ProjectTask::cloneProjectTeam()`
+- Usage of `GLPIKEY` constant
+- `Toolbox::encrypt()` and `Toolbox::decrypt()` because they use the old encryption aglogithm
 
 #### Removed
 

diff --git a/ajax/mailcollector.php b/ajax/mailcollector.php
@@ -58,7 +58,7 @@
             if (empty($input["passwd"])) {
                unset($input["passwd"]);
             } else {
-               $input["passwd"] = Toolbox::encrypt(stripslashes($input["passwd"]), GLPIKEY);
+               $input["passwd"] = Toolbox::sodiumEncrypt(stripslashes($input["passwd"]));
             }
          }
 

diff --git a/composer.json b/composer.json
@@ -36,6 +36,7 @@
         "mexitek/phpcolors": "^0.4.0",
         "michelf/php-markdown": "^1.6",
         "monolog/monolog": "^2.0",
+        "paragonie/sodium_compat": "^1.13",
         "phpmailer/phpmailer": "^6.0",
         "psr/log": "^1.1",
         "psr/simple-cache": "^1.0",
@@ -66,13 +67,15 @@
         "sensiolabs/security-checker": "^6.0"
     },
     "replace": {
+        "paragonie/random_compat": "*",
         "symfony/polyfill-ctype": "*",
         "symfony/polyfill-intl-idn": "*",
         "symfony/polyfill-mbstring": "*",
         "symfony/polyfill-php72": "*"
     },
     "suggest": {
-        "ext-ldap": "Used to provide LDAP authentication and synchronization"
+        "ext-ldap": "Used to provide LDAP authentication and synchronization",
+        "ext-sodium": "Used to provide strong encryption for sensitive data in database"
     },
     "config": {
         "optimize-autoloader": true,

diff --git a/composer.lock b/composer.lock
diff --git a/inc/auth.class.php b/inc/auth.class.php
@@ -744,8 +744,7 @@ function login($login_name, $login_password, $noauto = false, $remember_me = fal
                   $ds = AuthLDAP::connectToServer($ldap_method["host"],
                                                   $ldap_method["port"],
                                                   $ldap_method["rootdn"],
-                                                  Toolbox::decrypt($ldap_method["rootdn_passwd"],
-                                                                   GLPIKEY),
+                                                  Toolbox::sodiumDecrypt($ldap_method["rootdn_passwd"]),
                                                   $ldap_method["use_tls"],
                                                   $ldap_method["deref_option"]);
 
@@ -1708,4 +1707,4 @@ static function dropdownLogin() {
    static function getIcon() {
       return "fas fa-sign-in-alt";
    }
-}
+}