From 639d099341d7713f22b6972f0f41571f2b63e552 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Sun, 8 Feb 2015 20:45:32 +0100 Subject: [PATCH] crypt: use the proper OpenSSL version when appropriate This is not the fix I have been meaning to push, but openssl_encrypt() and openssl_decrypt() are too low level. They do AES-256-CBC, but not key derivation as well as salt and IV handling. Getting this 100% compatible with OpenSSL was the blocker then. Also, experts have said that the cipher should not be used anymore, adding more annoyances as this config output does not have a version information prefix... --- src/etc/inc/crypt.inc | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/crypt.inc b/src/etc/inc/crypt.inc index 9845b7697..62cce2c1b 100644 --- a/src/etc/inc/crypt.inc +++ b/src/etc/inc/crypt.inc @@ -30,9 +30,29 @@ function _crypt_data($val, $pass, $opt) { $result = ''; + if (file_exists('/usr/local/bin/openssl')) { + /* use the ports version */ + $bin_openssl = '/usr/local/bin/openssl'; + } elseif (file_exists('/usr/bin/openssl')) { + /* use the base version (legacy fallback) */ + $bin_openssl = '/usr/bin/openssl'; + } else { + /* the infamous "this should never happen" */ + log_error(_('Could not find an OpenSSL implementation on your system.')); + return $result; + } + $file = tempnam('/tmp', 'php-encrypt'); file_put_contents("{$file}.dec", $val); - exec("/usr/bin/openssl enc {$opt} -aes-256-cbc -in {$file}.dec -out {$file}.enc -k " . escapeshellarg($pass)); + exec(sprintf( + '%s enc %s -aes-256-cbc -in %s.dec -out %s.enc -k %s', + $bin_openssl, + $opt, + $file, + $file, + escapeshellarg($pass) + )); + if (file_exists("{$file}.enc")) { $result = file_get_contents("{$file}.enc"); } else {
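Review bot: The rewritten `exec(sprintf(...))` call still passes the passphrase to OpenSSL with `-k` on the command line, so any local user or process can read it from the process list while `openssl enc` runs; `escapeshellarg($pass)` stops shell injection but not that exposure. Sending it over a pipe with `-pass stdin` keeps it out of argv, as sketched below (`-k` is the legacy spelling of `-pass pass:`, so key derivation should be unchanged). Only the first line is read, so a passphrase containing a newline would need separate handling. `$opt` is also placed in the command unquoted, which is safe only if every caller passes a fixed flag; the callers are not in this hunk, so that is worth confirming. `_crypt_data()` continues past the hunk, so the `else` branch and the rest of the body are not visible here.

```php
/* … unchanged: $bin_openssl lookup, tempnam(), file_put_contents() … */
$cmd = sprintf(
    '%s enc %s -aes-256-cbc -in %s -out %s -pass stdin',
    escapeshellarg($bin_openssl),
    $opt,
    escapeshellarg("{$file}.dec"),
    escapeshellarg("{$file}.enc")
);
$proc = proc_open($cmd, array(0 => array('pipe', 'r')), $pipes);
if (is_resource($proc)) {
    /* the passphrase travels over the pipe, never through argv */
    fwrite($pipes[0], $pass . "\n");
    fclose($pipes[0]);
    proc_close($proc);
}
/* … unchanged: file_exists("{$file}.enc") result handling … */
```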