From 99526cfc2c56e644e897b5ddfc5498af39e83cfb Mon Sep 17 00:00:00 2001 From: snipe Date: Mon, 13 Jan 2025 19:54:00 +0000 Subject: [PATCH] Remove mcrypt and legacy recrypter Signed-off-by: snipe --- Dockerfile | 6 - app/Console/Commands/RecryptFromMcrypt.php | 157 --------------- app/LegacyEncrypter/BaseEncrypter.php | 81 -------- app/LegacyEncrypter/McryptEncrypter.php | 214 --------------------- snipeit.sh | 21 +- 5 files changed, 10 insertions(+), 469 deletions(-) delete mode 100644 app/Console/Commands/RecryptFromMcrypt.php delete mode 100644 app/LegacyEncrypter/BaseEncrypter.php delete mode 100644 app/LegacyEncrypter/McryptEncrypter.php diff --git a/Dockerfile b/Dockerfile index bd363ccd18c0..80b7c88e2a40 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,7 +40,6 @@ autoconf \ libc-dev \ libldap-common \ pkg-config \ -libmcrypt-dev \ php8.1-dev \ ca-certificates \ unzip \ @@ -51,11 +50,6 @@ dnsutils \ RUN curl -L -O https://github.com/pear/pearweb_phars/raw/master/go-pear.phar RUN php go-pear.phar -RUN pecl install mcrypt - -RUN bash -c "echo extension=/usr/lib/php/20210902/mcrypt.so > /etc/php/8.1/mods-available/mcrypt.ini" - -RUN phpenmod mcrypt RUN phpenmod gd RUN phpenmod bcmath diff --git a/app/Console/Commands/RecryptFromMcrypt.php b/app/Console/Commands/RecryptFromMcrypt.php deleted file mode 100644 index 33c8ae65c9a3..000000000000 --- a/app/Console/Commands/RecryptFromMcrypt.php +++ /dev/null 
@@ -1,157 +0,0 @@ -error('ERROR: You do not have a LEGACY_APP_KEY set in your .env file. Please locate your old APP_KEY and ADD a line to your .env file like: LEGACY_APP_KEY=YOUR_OLD_APP_KEY'); - - return false; - } - - // Do some basic legacy app key length checks - if (strlen($legacy_key) == 32) { - $legacy_length_check = true; - } elseif (array_key_exists('1', $key_parts) && (strlen($key_parts[1]) == 44)) { - $legacy_key = base64_decode($key_parts[1], true); - $legacy_length_check = true; - } else { - $legacy_length_check = false; - } - - // Check that the app key is 32 characters - if ($legacy_length_check === true) { - $this->comment('INFO: Your LEGACY_APP_KEY looks correct. Okay to continue.'); - } else { - $this->error('ERROR: Your LEGACY_APP_KEY is not the correct length (32 characters or base64 followed by 44 characters for later versions). Please locate your old APP_KEY and use that as your LEGACY_APP_KEY in your .env file to continue.'); - - return false; - } - - $this->error('================================!!!! WARNING !!!!================================'); - $this->error('================================!!!! WARNING !!!!================================'); - $this->comment("This tool will attempt to decrypt your old Snipe-IT (mcrypt, now deprecated) encrypted data and re-encrypt it using OpenSSL. \n\nYou should only continue if you have backed up any and all old APP_KEYs and have backed up your data."); - - $force = ($this->option('force')) ? 
true : false; - - if ($force || ($this->confirm('Are you SURE you wish to continue?'))) { - $backup_file = 'backups/env-backups/'.'app_key-'.date('Y-m-d-gis'); - - try { - Storage::disk('local')->put($backup_file, 'APP_KEY: '.config('app.key')); - Storage::disk('local')->append($backup_file, 'LEGACY_APP_KEY: '.$legacy_key); - } catch (\Exception $e) { - $this->info('WARNING: Could not backup app keys'); - } - - if ($legacy_cipher) { - $mcrypter = new McryptEncrypter($legacy_key, $legacy_cipher); - } else { - $mcrypter = new McryptEncrypter($legacy_key); - } - $settings = Setting::getSettings(); - - if ($settings->ldap_pword == '') { - $this->comment('INFO: No LDAP password found. Skipping... '); - } else { - $decrypted_ldap_pword = $mcrypter->decrypt($settings->ldap_pword); - $settings->ldap_pword = Crypt::encrypt($decrypted_ldap_pword); - $settings->save(); - } - /** @var CustomField[] $custom_fields */ - $custom_fields = CustomField::where('field_encrypted', '=', 1)->get(); - $this->comment('INFO: Retrieving encrypted custom fields...'); - - $query = Asset::withTrashed(); - - foreach ($custom_fields as $custom_field) { - $this->comment('FIELD TO RECRYPT: '.$custom_field->name.' 
('.$custom_field->db_column.')'); - $query->orWhereNotNull($custom_field->db_column); - } - - // Get all assets with a value in any of the fields that were encrypted - /** @var Asset[] $assets */ - $assets = $query->get(); - - $bar = $this->output->createProgressBar(count($assets)); - - foreach ($assets as $asset) { - foreach ($custom_fields as $encrypted_field) { - $columnName = $encrypted_field->db_column; - - // Make sure the value isn't null - if ($asset->{$columnName} != '') { - // Try to decrypt the payload using the legacy app key - try { - $decrypted_field = $mcrypter->decrypt($asset->{$columnName}); - $asset->{$columnName} = Crypt::encrypt($decrypted_field); - $this->comment($decrypted_field); - } catch (\Exception $e) { - $errors[] = ' - ERROR: Could not decrypt field ['.$encrypted_field->name.']: '.$e->getMessage(); - } - } - } - $asset->save(); - $bar->advance(); - } - - $bar->finish(); - - if (count($errors) > 0) { - $this->comment("\n\n"); - $this->error("The decrypter encountered some errors: \n"); - foreach ($errors as $error) { - $this->error($error); - } - } - } - } -} diff --git a/app/LegacyEncrypter/BaseEncrypter.php b/app/LegacyEncrypter/BaseEncrypter.php deleted file mode 100644 index adc1e451d4bc..000000000000 --- a/app/LegacyEncrypter/BaseEncrypter.php +++ /dev/null 
@@ -1,81 +0,0 @@ -key); - } - - /** - * Get the JSON array from the given payload. - * - * @param string $payload - * @return array - * - * @throws \Illuminate\Contracts\Encryption\DecryptException - */ - protected function getJsonPayload($payload) - { - $payload = json_decode(base64_decode($payload), true); - - // If the payload is not valid JSON or does not have the proper keys set we will - // assume it is invalid and bail out of the routine since we will not be able - // to decrypt the given value. We'll also check the MAC for this encryption. - if (! $payload || $this->invalidPayload($payload)) { - throw new DecryptException('The payload is invalid.'); - } - - if (! $this->validMac($payload)) { - throw new DecryptException('The MAC is invalid.'); - } - - return $payload; - } - - /** - * Verify that the encryption payload is valid. - * - * @param array|mixed $data - * @return bool - */ - protected function invalidPayload($data) - { - return ! is_array($data) || ! isset($data['iv']) || ! isset($data['value']) || ! isset($data['mac']); - } - - /** - * Determine if the MAC for the given payload is valid. - * - * @param array $payload - * @return bool - * - * @throws \RuntimeException - */ - protected function validMac(array $payload) - { - $bytes = random_bytes(16); - - $calcMac = hash_hmac('sha256', $this->hash($payload['iv'], $payload['value']), $bytes, true); - - return hash_equals(hash_hmac('sha256', $payload['mac'], $bytes, true), $calcMac); - } -} diff --git a/app/LegacyEncrypter/McryptEncrypter.php b/app/LegacyEncrypter/McryptEncrypter.php deleted file mode 100644 index ac0a49fc5869..000000000000 --- a/app/LegacyEncrypter/McryptEncrypter.php +++ /dev/null 
@@ -1,214 +0,0 @@ -key = $key; - $this->cipher = $cipher; - $this->block = mcrypt_get_iv_size($this->cipher, MCRYPT_MODE_CBC); - } else { - throw new RuntimeException('The only supported ciphers are MCRYPT_RIJNDAEL_128 and MCRYPT_RIJNDAEL_256.'); - } - } - - /** - * Determine if the given key and cipher combination is valid. - * - * @param string $key - * @param string $cipher - * @return bool - */ - public static function supported($key, $cipher) - { - return defined('MCRYPT_RIJNDAEL_128') && - ($cipher === MCRYPT_RIJNDAEL_128 || $cipher === MCRYPT_RIJNDAEL_256); - } - - /** - * Encrypt the given value. - * - * @param string $value - * @return string - * - * @throws \Illuminate\Contracts\Encryption\EncryptException - */ - public function encrypt($value, $serialize = true) - { - $iv = mcrypt_create_iv($this->getIvSize(), $this->getRandomizer()); - - $value = base64_encode($this->padAndMcrypt($value, $iv)); - - // Once we have the encrypted value we will go ahead base64_encode the input - // vector and create the MAC for the encrypted value so we can verify its - // authenticity. Then, we'll JSON encode the data in a "payload" array. - $mac = $this->hash($iv = base64_encode($iv), $value); - - $json = json_encode(compact('iv', 'value', 'mac')); - - if (! is_string($json)) { - throw new EncryptException('Could not encrypt the data.'); - } - - return base64_encode($json); - } - - /** - * Pad and use mcrypt on the given value and input vector. - * - * @param string $value - * @param string $iv - * @return string - */ - protected function padAndMcrypt($value, $iv) - { - $value = $this->addPadding(serialize($value)); - - return mcrypt_encrypt($this->cipher, $this->key, $value, MCRYPT_MODE_CBC, $iv); - } - - /** - * Decrypt the given value. 
- * - * @param string $payload - * @return string - */ - public function decrypt($payload, $unserialize = true) - { - $payload = $this->getJsonPayload($payload); - - // We'll go ahead and remove the PKCS7 padding from the encrypted value before - // we decrypt it. Once we have the de-padded value, we will grab the vector - // and decrypt the data, passing back the unserialized from of the value. - $value = base64_decode($payload['value']); - - $iv = base64_decode($payload['iv']); - - return unserialize($this->stripPadding($this->mcryptDecrypt($value, $iv))); - } - - /** - * Run the mcrypt decryption routine for the value. - * - * @param string $value - * @param string $iv - * @return string - * - * @throws \Illuminate\Contracts\Encryption\DecryptException - */ - protected function mcryptDecrypt($value, $iv) - { - try { - return mcrypt_decrypt($this->cipher, $this->key, $value, MCRYPT_MODE_CBC, $iv); - } catch (Exception $e) { - throw new DecryptException($e->getMessage()); - } - } - - /** - * Add PKCS7 padding to a given value. - * - * @param string $value - * @return string - */ - protected function addPadding($value) - { - $pad = $this->block - (strlen($value) % $this->block); - - return $value.str_repeat(chr($pad), $pad); - } - - /** - * Remove the padding from the given value. - * - * @param string $value - * @return string - */ - protected function stripPadding($value) - { - $pad = ord($value[($len = strlen($value)) - 1]); - - return $this->paddingIsValid($pad, $value) ? substr($value, 0, $len - $pad) : $value; - } - - /** - * Determine if the given padding for a value is valid. - * - * @param string $pad - * @param string $value - * @return bool - */ - protected function paddingIsValid($pad, $value) - { - $beforePad = strlen($value) - $pad; - - return substr($value, $beforePad) == str_repeat(substr($value, -1), $pad); - } - - /** - * Get the IV size for the cipher. 
- * - * @return int - */ - protected function getIvSize() - { - return mcrypt_get_iv_size($this->cipher, MCRYPT_MODE_CBC); - } - - /** - * Get the random data source available for the OS. - * - * @return int - */ - protected function getRandomizer() - { - if (defined('MCRYPT_DEV_URANDOM')) { - return MCRYPT_DEV_URANDOM; - } - - if (defined('MCRYPT_DEV_RANDOM')) { - return MCRYPT_DEV_RANDOM; - } - - mt_srand(); - - return MCRYPT_RAND; - } -} diff --git a/snipeit.sh b/snipeit.sh index cce33de36228..121c34280e97 100755 --- a/snipeit.sh +++ b/snipeit.sh @@ -428,7 +428,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." @@ -465,7 +465,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." 
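Review bot: The Debian/Ubuntu `PACKAGES` line rewritten in this hunk is repeated, with only the leading `cron` differing, in the hunks at -465, -502, -584, -628 and -688, so this commit had to strip `php8.2-mcrypt` from six separate copies and the next extension change will need the same treatment. Defining the PHP extension set once before `case $distro in`, e.g. `PHP_PACKAGES="php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath"`, and referencing `$PHP_PACKAGES` from each branch would make such removals a one-line edit and keep the branches from drifting apart. The `case` statement that contains these branches starts and ends outside the hunk.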
@@ -502,7 +502,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." @@ -543,7 +543,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php php php-mcrypt php-curl php-mysql php-gd php-ldap php-zip php-mbstring php-xml php-bcmath curl git unzip" + PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php php php-curl php-mysql php-gd php-ldap php-zip php-mbstring php-xml php-bcmath curl git unzip" install_packages echo "* Configuring Apache." @@ -584,7 +584,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." 
@@ -628,7 +628,7 @@ case $distro in progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php8.28.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php8.28.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." @@ -688,12 +688,11 @@ EOL progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-mcrypt php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" + PACKAGES="mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip" install_packages echo "* Configuring Apache." create_virtualhost - log "phpenmod mcrypt" log "phpenmod mbstring" log "a2enmod rewrite" log "a2ensite $APP_NAME.conf" @@ -728,7 +727,7 @@ EOL amazon-linux-extras install -y php8.2 echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-mcrypt php-ldap php-json php-simplexml php-process php-zip php-sodium" + PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-ldap php-json php-simplexml php-process php-zip php-sodium" install_packages echo "* Configuring Apache." 
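Review bot: The rewritten `PACKAGES` line in the -628 hunk still contains `libapache2-mod-php8.28.2`, which does not look like a real Debian/Ubuntu package name and is presumably a typo for `libapache2-mod-php8.2`, the spelling used in every other branch; with no such package available, this branch would likely fail at `install_packages` or finish without the Apache PHP module. Since the commit rewrites this line anyway, it should read `PACKAGES="cron mariadb-server mariadb-client apache2 libapache2-mod-php8.2 php8.2 php8.2-curl php8.2-mysql php8.2-gd php8.2-ldap php8.2-zip php8.2-mbstring php8.2-xml php8.2-bcmath curl git unzip"`. The `case $distro in` branch around this line starts and ends outside the hunk.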
@@ -769,7 +768,7 @@ EOL log "yum-config-manager --enable remi-php82" echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-mcrypt php-ldap php-json php-simplexml php-process php-zip" + PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-ldap php-json php-simplexml php-process php-zip" install_packages echo "* Configuring Apache." @@ -812,7 +811,7 @@ EOL progress echo "* Installing Apache httpd, PHP, MariaDB and other requirements." - PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-mcrypt php-ldap php-json php-simplexml php-process php-zip" + PACKAGES="httpd mariadb-server git unzip php php-mysqlnd php-bcmath php-embedded php-gd php-mbstring php-ldap php-json php-simplexml php-process php-zip" install_packages echo "* Configuring Apache."