Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-73517

openssl_seal() and openssl_open() method param is now required

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.11.4, 4.0
    • 3.11.6
    • MNet
    • MOODLE_311_STABLE, MOODLE_400_STABLE
    • MOODLE_311_STABLE
    • MDL-73517_311
    • Hide
      • Sanity check. Verify that all this patch does is to add a new, 5th param to all the openssl_open() and openssl_seal() cases in code.
      • Basically, run this script with php73, php74 and php80 and verify that it works ok and without any error/warning/notice:

        <?php
         
        $new = openssl_pkey_new();
        $crt = openssl_csr_new(
            ["commonName" => 'test'],
            $new,
            ['private_key_bits', 2048]);
        $sig = openssl_csr_sign($crt, null, $new, 180);
         
        $orig = 'Hello, Moodle';
        var_dump('orig: ' . $orig);
         
        $public = openssl_pkey_get_details($new)['key'];
         
        openssl_seal($orig, $enc, $keys, [$public], 'RC4');
        var_dump('enc: ' . $enc);
         
        openssl_open($enc, $dec, $keys[0], $new, 'RC4');
        var_dump('dec: ' . $dec);
        

      • Keep it in CiBoT hands, although I'm not sure this stuff is covered at all.
      Show
      Sanity check. Verify that all this patch does is to add a new, 5th param to all the openssl_open() and openssl_seal() cases in code. Basically, run this script with php73, php74 and php80 and verify that it works ok and without any error/warning/notice: <?php   $new = openssl_pkey_new(); $crt = openssl_csr_new( ["commonName" => 'test'], $new, ['private_key_bits', 2048]); $sig = openssl_csr_sign($crt, null, $new, 180);   $orig = 'Hello, Moodle'; var_dump('orig: ' . $orig);   $public = openssl_pkey_get_details($new)['key'];   openssl_seal($orig, $enc, $keys, [$public], 'RC4'); var_dump('enc: ' . $enc);   openssl_open($enc, $dec, $keys[0], $new, 'RC4'); var_dump('dec: ' . $dec); Keep it in CiBoT hands, although I'm not sure this stuff is covered at all.

    Description

      From PHP 8.0 release notes:

      openssl_seal() and openssl_open() now require $method to be passed, as the
      previous default of "RC4" is considered insecure.

      So this issues is, simply, about to:

      1) Add that 5th parameter to all cases in core, continuing with current "RC4" default, so all installations will continue working ok.
      2) MDL-73518 - Create another issue, about to consider moving the "RC4" default to a better one, surely including init vector too.

      Note that, in practice... 2) is not critical as far as now all sites run over SSL, hence, data is double encrypted, once by the MNet RC4 implementation, not ideal, and another by the http SSL layer (usually safer).

      Attachments

        Issue Links

          Activity

            People

              stronk7 Eloy Lafuente (stronk7)
              stronk7 Eloy Lafuente (stronk7)
              Nobody Nobody
              Víctor Déniz Falcón Víctor Déniz Falcón
              CiBoT CiBoT
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                14/Mar/22

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 2 hours, 2 minutes
                  2h 2m