openssl_cipher_iv_length and openssl 3.0

[crequill]

On archlinux, php7 has been updated with openssl 3.0 and now it's impossible to open a connection in phpldapadmin: connection is anonymous and is rejected by ldap server.
For information, the problem is in lib/functions.php line 772:

if (! empty($data) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
    $keylen = openssl_cipher_iv_length('bf-ecb') * 2; 
    $dataenc = openssl_encrypt($data, 'bf-ecb', substr($secret,0,$keylen)); 
    return openssl_encrypt($data, 'bf-ecb', substr($secret,0,$keylen));
  }

$keylen is always 0, so openssl_encrypt return nothing

[crequill]

bf-ecb is deprecated in OpenSSL 3.0.
An another cipher has to be chosen.

[bendem]

Any reason why this doesn't use standard bcrypt using password_hash (PHP 5 >= 5.5.0, PHP 7, PHP 8) instead of calling for random modules that might or might not be there?

[bendem]

Nevermind, I see this is used for cookie encryption. That's a really weird thing to do instead of storing user/pass in the php session.

[bendem]

Easy patch for the interested. Should be adapted to use the config instead of a constant:

24a25,26
> define('SESSION_CIPHER', 'aes-256-gcm');
>
772,774c774,776
<       if (! empty($data) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
<               $keylen = openssl_cipher_iv_length('bf-ecb') * 2;
<               return openssl_encrypt($data, 'bf-ecb', substr($secret,0,$keylen));
---
>       if (! empty($data) && function_exists('openssl_encrypt') && in_array(SESSION_CIPHER, openssl_get_cipher_methods())) {
>               $keylen = openssl_cipher_iv_length(SESSION_CIPHER) * 2;
>               return openssl_encrypt($data, SESSION_CIPHER, substr($secret,0,$keylen));
833,835c835,837
<       if (! empty($encdata) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
<               $keylen = openssl_cipher_iv_length('bf-ecb') * 2;
<               return trim(openssl_decrypt($encdata, 'bf-ecb', substr($secret,0,$keylen)));
---
>       if (! empty($encdata) && function_exists('openssl_encrypt') && in_array(SESSION_CIPHER, openssl_get_cipher_methods())) {
>               $keylen = openssl_cipher_iv_length(SESSION_CIPHER) * 2;
>               return trim(openssl_decrypt($encdata, SESSION_CIPHER, substr($secret,0,$keylen)));

EDIT: aes256-gcm to aes-256-gcm

[crequill]

Thanks bendem.
All is working for me with php7-7.4.33.

[ItsMeBrianD]

Works for me php8.1.2-1

[p5n]

to work well with php8 it is also required to modify

/usr/share/webapps/phpldapadmin/lib/functions.php:2652
$result = ldap_explode_dn((string)$dn,$with_attrib);

it fails without (string)

[bendem]

Looks like the patch I provided contains a typo, I copied the cipher name from the openssl command, but openssl_get_cipher_methods() doesn't return exactly the same spelling. A dash should be added to the cipher name (aes-256-gcm). Thanks @TPXP for pointing it out.

[afcasco]

Replaced it with sed, works like a charm, thanks!

sed -i "24 i define('SESSION_CIPHER', 'aes-256-gcm');" /var/www/html/phpldapadmin/lib/functions.php
sed -i 's/bf-ecb/SESSION_CIPHER/' /var/www/html/phpldapadmin/lib/functions.php

[williamdes]

Replaced it with sed, works like a charm, thanks!

sed -i "24 i define('SESSION_CIPHER', 'aes-256-gcm');" /var/www/html/phpldapadmin/lib/functions.php sed -i 's/bf-ecb/SESSION_CIPHER/' /var/www/html/phpldapadmin/lib/functions.php

You can use 1.2.6.6 instead ;)