[MDL-73517] openssl_seal() and openssl_open() method param is now required - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.11.4, 4.0
Fix Version/s: 3.11.6
Component/s: MNet
Labels:
- ci

Affected Branches:
MOODLE_311_STABLE, MOODLE_400_STABLE
Fixed Branches:
MOODLE_311_STABLE
Epic Link:
Prepare Moodle for PHP 8.0
Pull from Repository:
https://github.com/stronk7/moodle.git
Pull 3.11 Branch:
~~MDL-73517~~_311
Pull 3.11 Diff URL:
https://github.com/stronk7/moodle/compare/MDL-73517_311~1...MDL-73517_311
Pull Master Branch:
~~MDL-73517~~
Pull Master Diff URL:
https://github.com/stronk7/moodle/compare/MDL-73517~1...MDL-73517

Testing Instructions:

Hide

Sanity check. Verify that all this patch does is to add a new, 5th param to all the openssl_open() and openssl_seal() cases in code.

Basically, run this script with php73, php74 and php80 and verify that it works ok and without any error/warning/notice:

<?php

$new = openssl_pkey_new();

$crt = openssl_csr_new(

    ["commonName" => 'test'],

    $new,

    ['private_key_bits', 2048]);

$sig = openssl_csr_sign($crt, null, $new, 180);

$orig = 'Hello, Moodle';

var_dump('orig: ' . $orig);

$public = openssl_pkey_get_details($new)['key'];

openssl_seal($orig, $enc, $keys, [$public], 'RC4');

var_dump('enc: ' . $enc);

openssl_open($enc, $dec, $keys[0], $new, 'RC4');

var_dump('dec: ' . $dec);

Keep it in CiBoT hands, although I'm not sure this stuff is covered at all.

Show

Sanity check. Verify that all this patch does is to add a new, 5th param to all the openssl_open() and openssl_seal() cases in code. Basically, run this script with php73, php74 and php80 and verify that it works ok and without any error/warning/notice: <?php $new = openssl_pkey_new(); $crt = openssl_csr_new( ["commonName" => 'test'], $new, ['private_key_bits', 2048]); $sig = openssl_csr_sign($crt, null, $new, 180); $orig = 'Hello, Moodle'; var_dump('orig: ' . $orig); $public = openssl_pkey_get_details($new)['key']; openssl_seal($orig, $enc, $keys, [$public], 'RC4'); var_dump('enc: ' . $enc); openssl_open($enc, $dec, $keys[0], $new, 'RC4'); var_dump('dec: ' . $dec); Keep it in CiBoT hands, although I'm not sure this stuff is covered at all.

Description

From PHP 8.0 release notes:

openssl_seal() and openssl_open() now require $method to be passed, as the
previous default of "RC4" is considered insecure.

So this issues is, simply, about to:

1) Add that 5th parameter to all cases in core, continuing with current "RC4" default, so all installations will continue working ok.
2) MDL-73518 - Create another issue, about to consider moving the "RC4" default to a better one, surely including init vector too.

Note that, in practice... 2) is not critical as far as now all sites run over SSL, hence, data is double encrypted, once by the MNet RC4 implementation, not ideal, and another by the http SSL layer (usually safer).

Attachments

Issue Links

Testing discovered

MDL-73518 Switch MNet RC4 method to better alternative, keeping BC

Open

Activity

People

Assignee:: Eloy Lafuente (stronk7)

Reporter:: Eloy Lafuente (stronk7)

Peer reviewer:: Nobody

Integrator:: Victor Déniz Falcón

Tester:: CiBoT

Participants:: CiBoT, Eloy Lafuente (stronk7), Sara Arjona (@sarjona), Victor Déniz Falcón

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Jan/22 2:14 AM

Updated:: 05/Feb/22 1:51 AM

Resolved:: 05/Feb/22 1:51 AM

Fix Release Date:: 14/Mar/22

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

2h 2m