Allow longer cookie encryption keys to be used

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
author: Maurício Meneghini Fauth <mauricio@fauth.dev> 2022-09-23 20:32:30 +0300
committer: Maurício Meneghini Fauth <mauricio@fauth.dev> 2022-09-26 23:34:18 +0300
commit: 5d9142674d09379a9e4394779c1e624dd2d6ece5 (patch)
tree: 682076d5816f9c1c2948c03662f19893f029467c
parent: 69bc86677345a875c442c0a40d2836369bc7afbb (diff)
4 files changed, 25 insertions, 11 deletions
diff --git a/doc/config.rst b/doc/config.rst
index 11f5b1d893..27d9500311 100644
--- a/doc/config.rst
+++ b/doc/config.rst
@@ -1913,8 +1913,9 @@ Cookie authentication options
 
     .. warning::
 
-        The encryption key must be 32 bytes long. If it has a different length of bytes, a new key will be automatically
-        generated for you. However it will only last for the duration of the session.
+        The encryption key must be 32 bytes long. If it is longer than the length of bytes, only the first 32 bytes will
+        be used, and if it is shorter, a new temporary key will be automatically generated for you. However, this
+        temporary key will only last for the duration of the session.
 
     .. note::
 
diff --git a/libraries/classes/Controllers/HomeController.php b/libraries/classes/Controllers/HomeController.php
index 998cc3b4ce..39235fdc06 100644
--- a/libraries/classes/Controllers/HomeController.php
+++ b/libraries/classes/Controllers/HomeController.php
@@ -311,19 +311,23 @@ class HomeController extends AbstractController
          * Check if user does not have defined blowfish secret and it is being used.
          */
         if (! empty($_SESSION['encryption_key'])) {
-            if (empty($cfg['blowfish_secret'])) {
+            $encryptionKeyLength = mb_strlen($cfg['blowfish_secret'], '8bit');
+            if ($encryptionKeyLength < SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                 $this->errors[] = [
                     'message' => __(
-                        'The configuration file now needs a secret passphrase (blowfish_secret).'
+                        'The configuration file needs a valid key for cookie encryption.'
+                        . ' A temporary key was automatically generated for you.'
+                        . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
                     ),
                     'severity' => 'warning',
                 ];
-            } elseif (mb_strlen($cfg['blowfish_secret'], '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+            } elseif ($encryptionKeyLength > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                 $this->errors[] = [
                     'message' => sprintf(
                         __(
-                            'The secret passphrase in configuration (blowfish_secret) is not the correct length.'
-                            . ' It should be %d bytes long.'
+                            'The cookie encryption key in the configuration file is longer than necessary.'
+                            . ' It should only be %d bytes long.'
+                            . ' Please refer to the [doc@cfg_blowfish_secret]documentation[/doc].'
                         ),
                         SODIUM_CRYPTO_SECRETBOX_KEYBYTES
                     ),
diff --git a/libraries/classes/Plugins/Auth/AuthenticationCookie.php b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
index 33faf56b34..e083ddf19a 100644
--- a/libraries/classes/Plugins/Auth/AuthenticationCookie.php
+++ b/libraries/classes/Plugins/Auth/AuthenticationCookie.php
@@ -597,11 +597,21 @@ class AuthenticationCookie extends AuthenticationPlugin
      */
     private function getEncryptionSecret(): string
     {
+        /** @var mixed $key */
         $key = $GLOBALS['cfg']['blowfish_secret'] ?? null;
-        if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+        if (! is_string($key)) {
+            return $this->getSessionEncryptionSecret();
+        }
+
+        $length = mb_strlen($key, '8bit');
+        if ($length === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
             return $key;
         }
 
+        if ($length > SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+            return mb_substr($key, 0, SODIUM_CRYPTO_SECRETBOX_KEYBYTES, '8bit');
+        }
+
         return $this->getSessionEncryptionSecret();
     }
 
@@ -610,6 +620,7 @@ class AuthenticationCookie extends AuthenticationPlugin
      */
     private function getSessionEncryptionSecret(): string
     {
+        /** @var mixed $key */
         $key = $_SESSION['encryption_key'] ?? null;
         if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
             return $key;
diff --git a/psalm-baseline.xml b/psalm-baseline.xml
index be2ba27d96..874757e842 100644
--- a/psalm-baseline.xml
+++ b/psalm-baseline.xml
@@ -9042,14 +9042,12 @@
     <MixedArrayOffset occurrences="1">
       <code>$_SESSION['browser_access_time'][$key]</code>
     </MixedArrayOffset>
-    <MixedAssignment occurrences="14">
+    <MixedAssignment occurrences="12">
       <code>$GLOBALS['pma_auth_server']</code>
       <code>$_form_params['route']</code>
       <code>$captchaSiteVerifyURL</code>
       <code>$captchaSiteVerifyURL</code>
       <code>$key</code>
-      <code>$key</code>
-      <code>$key</code>
       <code>$password</code>
       <code>$serverCookie</code>
       <code>$serverCookie</code>
author	Maurício Meneghini Fauth <mauricio@fauth.dev>	2022-09-23 20:32:30 +0300
committer	Maurício Meneghini Fauth <mauricio@fauth.dev>	2022-09-26 23:34:18 +0300
commit	5d9142674d09379a9e4394779c1e624dd2d6ece5 (patch)
tree	682076d5816f9c1c2948c03662f19893f029467c
parent	69bc86677345a875c442c0a40d2836369bc7afbb (diff)