Author: jfthomps
Date: Fri Jun  9 17:54:41 2017
New Revision: 1798255

URL: http://svn.apache.org/viewvc?rev=1798255&view=rev
Log:
VCL-1045 - Method of encrypting sensitive database entries

addomain.php: modified AJsaveResource: renamed call to addMNcryptkeyUpdates to 
addCryptSecretKeyUpdates

authentication.php: modified addLoginLog: if $passfail is true, call 
checkMissingWebSecretKeys to generate cryptsecrets for other web servers that 
may be missing

utils.php and itecsauth.php: moved include_once for itecsauth/itecsauth.php 
from utils.php to itecsauth.php - file not needed unless itecsauth is being 
used, so no need to have it in utils.php

states.php: added checkMissingWebSecretKeys to entry actions and to misc pages

utils.php:
-modified decryptData: added checks for length of $iv and $cryptdata being 
invalid and return false if invalid
-added checkMissingWebSecretKeys
-modified checkCryptSecrets: renamed call to addMNcryptkeyUpdates to 
addCryptSecretKeyUpdates

vm.php: modified AJupdateVMprofileItem: renamed call to addMNcryptkeyUpdates to 
addCryptSecretKeyUpdates; modified update query to set rsapub, rsakey, and 
encryptedpasswd to NULL when setting password with new system

xmlrpcWrappers.php: modified XMLRPCcheckCryptSecrets: renamed call to 
addMNcryptkeyUpdates to addCryptSecretKeyUpdates; removed unnecessary call to 
mysql_real_escape_string because data being escaped will always be base64 
encoded

Modified:
    vcl/trunk/web/.ht-inc/addomain.php
    vcl/trunk/web/.ht-inc/authentication.php
    vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
    vcl/trunk/web/.ht-inc/states.php
    vcl/trunk/web/.ht-inc/utils.php
    vcl/trunk/web/.ht-inc/vm.php
    vcl/trunk/web/.ht-inc/xmlrpcWrappers.php

Modified: vcl/trunk/web/.ht-inc/addomain.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/addomain.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/addomain.php (original)
+++ vcl/trunk/web/.ht-inc/addomain.php Fri Jun  9 17:54:41 2017
@@ -218,7 +218,7 @@ class ADdomain extends Resource {
                                        while($row = mysql_fetch_assoc($qh))
                                                
$secretidset[$row['mnid']][$newsecretid] = 1;
                                        $values = 
getMNcryptkeyUpdates($secretidset, $cryptkeyid);
-                                       addMNcryptkeyUpdates($values);
+                                       addCryptSecretKeyUpdates($values);
                                        $olddata['secretid'] = $newsecretid;
                                        $updates[] = "secretid = $newsecretid";
                                        # clean up old cryptsecret entries for 
management nodes

Modified: vcl/trunk/web/.ht-inc/authentication.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/authentication.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/authentication.php (original)
+++ vcl/trunk/web/.ht-inc/authentication.php Fri Jun  9 17:54:41 2017
@@ -575,6 +575,8 @@ function addLoginLog($login, $mech, $aff
               .        "'{$_SERVER['REMOTE_ADDR']}', "
               .        "'$code')";
        doQuery($query, 101);
+       if($passfail == 1)
+               checkMissingWebSecretKeys();
 }
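Review bot: The call added at the end of addLoginLog runs checkMissingWebSecretKeys inline on every successful login, so each login now pays the cryptkey/cryptsecret join plus a decryptSecretKey/encryptSecretKey round per missing entry, and any failure inside that routine (a doQuery error, a bad decrypt) surfaces in the login path rather than in the logging call it was attached to. Consider doing the work at most once per session or on a cadence, e.g. `if($passfail == 1 && ! isset($_SESSION['websecretschecked'])) { checkMissingWebSecretKeys(); $_SESSION['websecretschecked'] = 1; }` if the session array is in scope here, or leave a comment stating that the per-login cost was considered acceptable. The `== 1` comparison is loose; `=== 1` or a boolean test would make the intent explicit. addLoginLog's body begins above this hunk.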
 
 
////////////////////////////////////////////////////////////////////////////////

Modified: vcl/trunk/web/.ht-inc/authmethods/itecsauth.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/authmethods/itecsauth.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/authmethods/itecsauth.php (original)
+++ vcl/trunk/web/.ht-inc/authmethods/itecsauth.php Fri Jun  9 17:54:41 2017
@@ -16,6 +16,8 @@
   limitations under the License.
 */
 
+@include_once("itecsauth/itecsauth.php");
+
 /**
  * \file
  */
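Review bot: The relocated `@include_once("itecsauth/itecsauth.php")` still uses the `@` operator to hide a missing-file warning, so when the optional file is absent the first symptom is an undefined-function fatal elsewhere with no hint of the cause. This same commit guards an optional include in utils.php with a file_exists test (the vcldocs.php line), so the consistent shape here is `if(file_exists("itecsauth/itecsauth.php")) include_once("itecsauth/itecsauth.php");`. The relative path also depends on the include_path or working directory at the time this authmethod file is loaded; a one-line comment naming the directory it is resolved against would help the next person who moves it.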

Modified: vcl/trunk/web/.ht-inc/states.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/states.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/states.php (original)
+++ vcl/trunk/web/.ht-inc/states.php Fri Jun  9 17:54:41 2017
@@ -64,6 +64,7 @@ $actions["entry"] = array('main',
                           'newOneClick',
                           'AJsetTZoffset',
                           'changeLocale',
+                          'checkMissingWebSecretKeys',
 );
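Review bot: Adding `checkMissingWebSecretKeys` to `$actions["entry"]` appears to make the routine reachable directly by mode for any authenticated user, and the function writes rows to the cryptsecret table and prints an HTML status page with no privilege check visible in this commit. The login path triggers the same routine, so the exposure is mostly that any user can force repeated RSA decrypt/encrypt work and learn whether this server holds secrets other web servers lack; if that is intended, record it with a comment such as `# entry mode so key distribution can be forced without a new login; intentionally not admin-only`, otherwise gate the mode behind the same admin check used by the other privileged misc pages (which helper applies is not visible from here). Without either, a reader of states.php cannot tell whether the open access is a decision or an oversight.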
 
 $noHTMLwrappers = array('sendRDPfile',
@@ -752,6 +753,7 @@ $actions['mode']['errorrpt'] = "errorrpt
 $actions['mode']['AJvalidateUserid'] = "AJvalidateUserid";
 $actions['mode']['changeLocale'] = "changeLocale";
 $actions['mode']['AJsetTZoffset'] = "AJsetTZoffset";
+$actions['mode']['checkMissingWebSecretKeys'] = "checkMissingWebSecretKeys";
 $actions['pages']['continuationsError'] = "misc";
 $actions['pages']['clearCache'] = "misc";
 $actions['pages']['errorrpt'] = "misc";
@@ -760,6 +762,7 @@ $actions['pages']['shiblogout'] = "misc"
 $actions['pages']['AJvalidateUserid'] = "misc";
 $actions['pages']['changeLocale'] = "misc";
 $actions['pages']['AJsetTZoffset'] = "misc";
+$actions['pages']['checkMissingWebSecretKeys'] = "misc";
 
 # OneClicks (VCL go)
 $actions['mode']['newOneClick'] = "newOneClick";

Modified: vcl/trunk/web/.ht-inc/utils.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/utils.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/utils.php (original)
+++ vcl/trunk/web/.ht-inc/utils.php Fri Jun  9 17:54:41 2017
@@ -17,7 +17,6 @@
 */
 
 require_once(".ht-inc/secrets.php");
-@include_once("itecsauth/itecsauth.php");
 require_once(".ht-inc/authentication.php");
 require_once(".ht-inc/spyc-0.5.1/Spyc.php");
 if(file_exists(".ht-inc/vcldocs.php"))
@@ -2733,7 +2732,11 @@ function decryptData($data, $cryptkey, $
                return false;
        $cryptdata = base64_decode($data);
        $iv = substr($cryptdata, 0, $ivsize);
+       if(strlen($iv) < $ivsize)
+               return false;
        $cryptdata = substr($cryptdata, $ivsize);
+       if(strlen($cryptdata) == 0)
+               return false;
        if(USE_PHPSECLIB) {
                if($algo == 'AES') {
                        $mode = constant("CRYPT_AES_MODE_$option");
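Review bot: The new length checks catch a truncated blob but leave `base64_decode($data)` two lines above in its non-strict form, so input containing stray non-base64 characters is silently stripped and decoded instead of rejected, and garbage that decodes to enough bytes still reaches the cipher. Pair the checks with strict decoding: `$cryptdata = base64_decode($data, true); if($cryptdata === false) return false;`. If the mode chosen via `$option` is a block mode such as CBC, also rejecting a `$cryptdata` whose length is not a multiple of the block size (rather than only the empty case) would fail fast instead of relying on the library's padding error; the mode itself is not visible in this hunk. decryptData's signature and tail lie outside the hunk.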
@@ -3030,6 +3033,54 @@ function encryptWebSecretKeys($secret, $
 
 
////////////////////////////////////////////////////////////////////////////////
 ///
+/// \fn checkMissingWebSecretKeys()
+///
+/// \brief checks for any web servers missing secret key entries and creates
+/// them if possible
+///
+////////////////////////////////////////////////////////////////////////////////
+function checkMissingWebSecretKeys() {
+       global $mode;
+       $mycryptkeyid = getCryptKeyID();
+
+       $values = array();
+       $query = "SELECT ck.id as cryptkeyid, "
+              .        "ck.pubkey as cryptkey, "
+              .        "s.id as secretid, "
+              .        "s.cryptsecret AS mycryptsecret "
+              . "FROM cryptkey ck "
+              . "JOIN (SELECT secretid as id, cryptsecret "
+              .       "FROM cryptsecret "
+              .       "WHERE cryptkeyid = $mycryptkeyid) AS s "
+              . "LEFT JOIN cryptsecret cs ON (ck.id = cs.cryptkeyid AND 
cs.secretid = s.id) "
+              . "WHERE ck.hosttype = 'web' AND "
+              .       "cs.secretid IS NULL AND "
+              .       "ck.id != $mycryptkeyid";
+       $qh = doQuery($query);
+       while($row = mysql_fetch_assoc($qh)) {
+               $secret = decryptSecretKey($row['mycryptsecret']);
+               $encsecret = encryptSecretKey($secret, $row['cryptkey']);
+               $values[] = "({$row['cryptkeyid']}, {$row['secretid']}, 
'$encsecret', '"
+                         . SYMALGO . "', '" . SYMOPT . "', " . SYMLEN . ")";
+       }
+       if(empty($values)) {
+               if($mode == 'checkMissingWebSecretKeys') {
+                       print "<h2>Update Missing Web Server Secret 
Keys</h2>\n";
+                       print "There are no missing secret keys this server has 
access to.";
+               }
+               return;
+       }
+
+       addCryptSecretKeyUpdates($values);
+
+       if($mode == 'checkMissingWebSecretKeys') {
+               print "<h2>Update Missing Web Server Secret Keys</h2>\n";
+               print "Successfully updated any missing secret keys this server 
has access to.";
+       }
+}
+
+////////////////////////////////////////////////////////////////////////////////
+///
 /// \fn checkCryptSecrets($requestid)
 ///
 /// \param $requestid - id from request table
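Review bot: In the loop over missing entries, the result of `decryptSecretKey($row['mycryptsecret'])` is never checked, so if it fails for one row (decryptData in this same commit returns false on malformed input) the code still calls encryptSecretKey on that failure value and inserts a cryptsecret row for the other web server that can never yield the real secret, after which the LEFT JOIN treats that key as present and the corruption is never revisited. XMLRPCcheckCryptSecrets below collects such cases in `$fails` before building `$values`; mirror that here with `if($secret === false) continue;` directly after the decrypt (or whatever failure sentinel decryptSecretKey actually uses, which is not visible here). The "Successfully updated" message is also printed regardless of what addCryptSecretKeyUpdates did, so a comment noting that the status only means the insert was attempted would keep readers from over-trusting it.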
@@ -3076,7 +3127,7 @@ function checkCryptSecrets($requestid) {
        # find any missing secrets for management nodes
        $values = getMNcryptkeyUpdates($secretids, $mycryptkeyid);
        # add secrets
-       addMNcryptkeyUpdates($values);
+       addCryptSecretKeyUpdates($values);
 }
 
 
////////////////////////////////////////////////////////////////////////////////
@@ -3130,7 +3181,7 @@ function getMNcryptkeyUpdates($secretids
 
 
////////////////////////////////////////////////////////////////////////////////
 ///
-/// \fn addMNcryptkeyUpdates($values)
+/// \fn addCryptSecretKeyUpdates($values)
 ///
 /// \param $values - array of cryptsecret values that can be joined by commas
 /// and used as the VALUES portion of an INSERT statement
@@ -3138,7 +3189,7 @@ function getMNcryptkeyUpdates($secretids
 /// \brief inserts values into cryptsecret table
 ///
 
////////////////////////////////////////////////////////////////////////////////
-function addMNcryptkeyUpdates($values) {
+function addCryptSecretKeyUpdates($values) {
        if(empty($values))
                return;
        $allvalues = implode(',', $values);

Modified: vcl/trunk/web/.ht-inc/vm.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/vm.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/vm.php (original)
+++ vcl/trunk/web/.ht-inc/vm.php Fri Jun  9 17:54:41 2017
@@ -898,7 +898,7 @@ function AJupdateVMprofileItem() {
                                while($row = mysql_fetch_assoc($qh))
                                        
$secretidset[$row['mnid']][$newsecretid] = 1;
                                $values = getMNcryptkeyUpdates($secretidset, 
$cryptkeyid);
-                               addMNcryptkeyUpdates($values);
+                               addCryptSecretKeyUpdates($values);
                                $secretid = $newsecretid;
                                # clean up old cryptsecret entries for 
management nodes
                                $query = "DELETE FROM cryptsecret WHERE 
secretid IN ($delids)";
@@ -912,7 +912,10 @@ function AJupdateVMprofileItem() {
                        $encpass = encryptDBdata($newvalue, $secretid);
                        $query = "UPDATE vmprofile "
                               . "SET password = '$encpass', "
-                              .     "secretid = '$secretid' "
+                              .     "secretid = '$secretid', "
+                              .     "rsapub = NULL, "
+                              .     "rsakey = NULL, "
+                              .     "encryptedpasswd = NULL "
                               . "WHERE id = $profileid";
                        doQuery($query);
                }
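Review bot: The UPDATE now clears `rsapub`, `rsakey` and `encryptedpasswd` in the same statement that stores `$encpass`, but the return of `encryptDBdata($newvalue, $secretid)` on the line above is not checked, so a failed encryption (if it follows decryptData's false-on-error convention) would store an unusable password and destroy the legacy RSA-encrypted copy in a single step. Guard the write with something like `if($encpass === false) { /* report failure to the caller */ return; }` before the query is built, or at least leave the legacy columns untouched in that case; the exact error path depends on how AJupdateVMprofileItem reports errors, which starts above this hunk. `$secretid` is quoted as a string while `$profileid` is interpolated bare; a cast or comment confirming both are integers derived earlier in the function would make the interpolation obviously safe.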

Modified: vcl/trunk/web/.ht-inc/xmlrpcWrappers.php
URL: 
http://svn.apache.org/viewvc/vcl/trunk/web/.ht-inc/xmlrpcWrappers.php?rev=1798255&r1=1798254&r2=1798255&view=diff
==============================================================================
--- vcl/trunk/web/.ht-inc/xmlrpcWrappers.php (original)
+++ vcl/trunk/web/.ht-inc/xmlrpcWrappers.php Fri Jun  9 17:54:41 2017
@@ -3844,14 +3844,13 @@ function XMLRPCcheckCryptSecrets($reserv
                }
                $secret = decryptSecretKey($row['mycryptsecret']);
                $encsecret = encryptSecretKey($secret, $row['cryptkey']);
-               $encsecret = mysql_real_escape_string($encsecret);
                $values[] = "({$row['cryptkeyid']}, {$row['secretid']}, 
'$encsecret', '"
                          . SYMALGO . "', '" . SYMOPT . "', " . SYMLEN . ")";
        }
        if(empty($values) && empty($fails))
                return array('status' => 'noupdate');
 
-       addMNcryptkeyUpdates($values);
+       addCryptSecretKeyUpdates($values);
 
        if(count($values) && count($fails))
                return array('status' => 'partial');
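Review bot: Removing `mysql_real_escape_string($encsecret)` on the grounds that encryptSecretKey always returns base64 trades a zero-cost defense for an assumption about a function defined elsewhere; if that function ever returns an error string or a different encoding, the raw value is interpolated straight into the VALUES clause. Either keep the escape or make the assumption checkable at this point, e.g. `if(! preg_match('/^[A-Za-z0-9+\/=]+$/', $encsecret)) { $fails[] = $row['cryptkeyid']; continue; }` so a non-base64 result is treated as a failure rather than inserted (adjust the `$fails` element to match how the array is populated earlier in this function, which starts above the hunk). The new checkMissingWebSecretKeys in utils.php interpolates `$encsecret` the same way, so whichever choice is made should be applied to both.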

