Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-81940

Replace the RC4 encryption methods with a standard library

XMLWordPrintable

    • MOODLE_404_STABLE
    • MOODLE_405_STABLE
    • Hide
      1. Confirm the following returns only the methods themselves (there aren't any calls to them):

        $ git grep "rc4\(en\|de\)crypt("
        

      2. Confirm the following returns only calls from the previous two methods, and that the method itself is now deprecated:

        $ git grep -B3 -A1 "endecrypt("
        

      3. Log in as admin
      4. Log out
      5. Confirm the login Username field contains "admin"
      Show
      Confirm the following returns only the methods themselves (there aren't any calls to them): $ git grep "rc4\(en\|de\)crypt(" Confirm the following returns only calls from the previous two methods, and that the method itself is now deprecated: $ git grep -B3 -A1 "endecrypt(" Log in as admin Log out Confirm the login Username field contains "admin"

      See https://en.wikipedia.org/wiki/RC4 (emphasis mine)

      While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure.[3][4] It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used. Particularly problematic uses of RC4 have led to very insecure protocols such as WEP.[5]

      It's currently only used in core for reading/writing cookie username, however we have a much better encryption library available since this method was added 23 (twenty three!) years ago in the very first project commit (the method has barely changed at at all in the meantime)

      I propose deprecating that code, and replacing current usage with modern alternative. This is in the same spirit of removing other cryptographically insecure code as in MDL-78698 & MDL-71421

            pholden Paul Holden
            pholden Paul Holden
            Daniel Ziegenberg Daniel Ziegenberg
            Andrew Lyons Andrew Lyons
            Kim Jared Lucas Kim Jared Lucas
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 25 minutes
                25m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.