  1. Moodle
  2. MDL-73517

openssl_seal() and openssl_open() method param is now required


    • Bug
    • Resolution: Fixed
    • Minor
    • 3.11.6
    • 3.11.4, 4.0
    • MNet
    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE
      • Sanity check. Verify that all this patch does is to add a new, 5th param to all the openssl_open() and openssl_seal() cases in code.
      • Basically, run this script with php73, php74 and php80 and verify that it works ok and without any error/warning/notice:

        <?php

        // Throwaway key pair and self-signed certificate for the check.
        $new = openssl_pkey_new();
        $crt = openssl_csr_new(
            ["commonName" => 'test'],
            $new,
            ['private_key_bits' => 2048]);
        $sig = openssl_csr_sign($crt, null, $new, 180);

        $orig = 'Hello, Moodle';
        var_dump('orig: ' . $orig);

        $public = openssl_pkey_get_details($new)['key'];

        // The cipher is passed explicitly as the 5th argument (required from PHP 8.0).
        openssl_seal($orig, $enc, $keys, [$public], 'RC4');
        var_dump('enc: ' . $enc);

        openssl_open($enc, $dec, $keys[0], $new, 'RC4');
        var_dump('dec: ' . $dec);

      • Keep it in CiBoT hands, although I'm not sure this stuff is covered at all.

      From PHP 8.0 release notes:

      openssl_seal() and openssl_open() now require $method to be passed, as the
      previous default of "RC4" is considered insecure.

      So this issue is, simply, about:

      1) Add that 5th parameter to all cases in core, continuing with the current "RC4" default, so all installations will continue working ok.
      2) MDL-73518 - Create another issue, to consider moving the "RC4" default to a better one, surely including an init vector too.

      Note that, in practice... 2) is not critical as far as now all sites run over SSL, hence, data is double encrypted, once by the MNet RC4 implementation, not ideal, and another by the http SSL layer (usually safer).

            stronk7 Eloy Lafuente (stronk7)
            stronk7 Eloy Lafuente (stronk7)
            Nobody Nobody
            Victor Déniz Falcón Victor Déniz Falcón
            CiBoT CiBoT
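The follow-up mentioned in the description (a non-RC4 cipher with an init vector) changes the call shape, because openssl_seal() then produces an IV that has to travel with the sealed data and be handed back to openssl_open(). The sketch below is an added example, not Moodle code and not what MDL-73518 settled on; the helper names and the AES-256-CBC choice are assumptions.

```php
<?php
// Added example, not Moodle code. SEAL_CIPHER and both helper names are assumptions.
const SEAL_CIPHER = 'AES-256-CBC'; // assumed replacement for the old implicit 'RC4'

// Seal $plain for one recipient; returns everything the receiver needs.
function seal_message(string $plain, string $publicpem): array {
    $sealed = $keys = $iv = null;
    // 5th argument (cipher) is mandatory from PHP 8.0.
    // 6th argument receives the IV that openssl_seal() generates for IV-based ciphers.
    $len = openssl_seal($plain, $sealed, $keys, [$publicpem], SEAL_CIPHER, $iv);
    if ($len === false) {
        throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
    }
    // CBC gives confidentiality only; integrity has to come from a separate
    // signature or MAC over the sealed data.
    return ['data' => $sealed, 'key' => $keys[0], 'iv' => $iv];
}

// Open a sealed message; cipher and IV must match what the sender used.
function open_message(array $msg, $privatekey): string {
    $plain = null;
    $ok = openssl_open($msg['data'], $plain, $msg['key'], $privatekey,
        SEAL_CIPHER, $msg['iv']);
    if (!$ok) {
        throw new RuntimeException('openssl_open failed: ' . openssl_error_string());
    }
    return $plain;
}

// Constructed test data: a throwaway 2048-bit RSA key pair.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$public = openssl_pkey_get_details($pair)['key'];

$msg = seal_message('Hello, Moodle', $public);

// Check that the returned IV has the length the cipher expects.
var_dump(strlen($msg['iv']) === openssl_cipher_iv_length(SEAL_CIPHER));
// Check that the round trip restores the original text.
var_dump(open_message($msg, $pair) === 'Hello, Moodle');
```

Both peers have to agree on the cipher and the receiver needs the IV alongside the sealed data and envelope key, so a change like this alters the message format rather than just a call argument.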