authorMaurício Meneghini Fauth <mauricio@fauth.dev>2022-09-15 19:04:22 +0300
committerMaurício Meneghini Fauth <mauricio@fauth.dev>2022-09-26 23:33:38 +0300
commit5d4884d294ca9b1f069fcacada98f6697f464274 (patch)
tree59471b6a60edbab791bc89cb8fb5e2f2ff7dff06 /libraries/classes
parent0ed04a6c00423cc5eeffef19558d7598e96fd82f (diff)
Update setup page to generate better blowfish_secret keys
Instead of generating a printable string, it generates a binary string and converts it to a hexadecimal string. Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
Diffstat (limited to 'libraries/classes')
-rw-r--r--libraries/classes/Config/ServerConfigChecks.php71
-rw-r--r--libraries/classes/Setup/ConfigGenerator.php26
2 files changed, 46 insertions, 51 deletions
diff --git a/libraries/classes/Config/ServerConfigChecks.php b/libraries/classes/Config/ServerConfigChecks.php
index 4a8283c742..3420091e94 100644
--- a/libraries/classes/Config/ServerConfigChecks.php
+++ b/libraries/classes/Config/ServerConfigChecks.php
@@ -11,17 +11,17 @@ use PhpMyAdmin\Core;
use PhpMyAdmin\Sanitize;
use PhpMyAdmin\Setup\Index as SetupIndex;
use PhpMyAdmin\Url;
-use PhpMyAdmin\Util;
use function __;
-use function count;
use function function_exists;
use function htmlspecialchars;
-use function implode;
use function ini_get;
-use function preg_match;
+use function is_string;
+use function mb_strlen;
+use function sodium_crypto_secretbox_keygen;
use function sprintf;
-use function strlen;
+
+use const SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
/**
* Performs various compatibility, security and consistency checks on current config
@@ -247,9 +247,12 @@ class ServerConfigChecks
$cookieAuthServer,
$blowfishSecretSet
): array {
- if ($cookieAuthServer && $blowfishSecret === null) {
+ if (
+ $cookieAuthServer
+ && (! is_string($blowfishSecret) || mb_strlen($blowfishSecret, '8bit') !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES)
+ ) {
$blowfishSecretSet = true;
- $this->cfg->set('blowfish_secret', Util::generateRandom(32));
+ $this->cfg->set('blowfish_secret', sodium_crypto_secretbox_keygen());
}
return [
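Review bot: The widened condition now overwrites any configured `blowfish_secret` that is not exactly `SODIUM_CRYPTO_SECRETBOX_KEYBYTES` bytes, so a passphrase an administrator set deliberately is discarded, and anything encrypted under the old value (presumably existing login cookies) stops decrypting. A comment above the `if` would make that intent explicit, e.g. `// Any value that is not a raw key of exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes is replaced, not only a missing one.` The value passed to `$this->cfg->set()` is now raw binary rather than printable text; only the ConfigGenerator path in this commit hex-encodes it, so it is worth confirming that no other consumer of this entry echoes or serialises it as-is. The enclosing method starts before this hunk and continues after it.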
@@ -345,55 +348,21 @@ class ServerConfigChecks
): void {
// $cfg['blowfish_secret']
// it's required for 'cookie' authentication
- if (! $cookieAuthUsed) {
- return;
- }
-
- if ($blowfishSecretSet) {
- // 'cookie' auth used, blowfish_secret was generated
- SetupIndex::messagesSet(
- 'notice',
- 'blowfish_secret_created',
- Descriptions::get('blowfish_secret'),
- Sanitize::sanitizeMessage(__(
- 'You didn\'t have blowfish secret set and have enabled '
- . '[kbd]cookie[/kbd] authentication, so a key was automatically '
- . 'generated for you. It is used to encrypt cookies; you don\'t need to '
- . 'remember it.'
- ))
- );
-
- return;
- }
-
- $blowfishWarnings = [];
- // check length
- if (strlen($blowfishSecret) < 32) {
- // too short key
- $blowfishWarnings[] = __('Key is too short, it should have at least 32 characters.');
- }
-
- // check used characters
- $hasDigits = (bool) preg_match('/\d/', $blowfishSecret);
- $hasChars = (bool) preg_match('/\S/', $blowfishSecret);
- $hasNonword = (bool) preg_match('/\W/', $blowfishSecret);
- if (! $hasDigits || ! $hasChars || ! $hasNonword) {
- $blowfishWarnings[] = Sanitize::sanitizeMessage(
- __(
- 'Key should contain letters, numbers [em]and[/em] special characters.'
- )
- );
- }
-
- if (empty($blowfishWarnings)) {
+ if (! $cookieAuthUsed || ! $blowfishSecretSet) {
return;
}
+ // 'cookie' auth used, blowfish_secret was generated
SetupIndex::messagesSet(
- 'error',
- 'blowfish_warnings' . count($blowfishWarnings),
+ 'notice',
+ 'blowfish_secret_created',
Descriptions::get('blowfish_secret'),
- implode('<br>', $blowfishWarnings)
+ Sanitize::sanitizeMessage(__(
+ 'You didn\'t have blowfish secret set and have enabled '
+ . '[kbd]cookie[/kbd] authentication, so a key was automatically '
+ . 'generated for you. It is used to encrypt cookies; you don\'t need to '
+ . 'remember it.'
+ ))
);
}
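Review bot: The notice text kept here still reads `You didn't have blowfish secret set`, but after this commit the same notice is also shown when an existing secret was replaced because its length was wrong. Wording that covers both cases would be more accurate, for example `'The blowfish secret was missing or was not a valid 32-byte key, and you have enabled '` as the first string fragment. With the length and character-class warnings removed, this notice is the only feedback the setup page gives about the key, so it should say that a previous value may have been dropped. The method signature lies outside the hunk.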
diff --git a/libraries/classes/Setup/ConfigGenerator.php b/libraries/classes/Setup/ConfigGenerator.php
index d252636efa..af5d94a637 100644
--- a/libraries/classes/Setup/ConfigGenerator.php
+++ b/libraries/classes/Setup/ConfigGenerator.php
@@ -15,12 +15,18 @@ use function count;
use function gmdate;
use function implode;
use function is_array;
+use function is_string;
+use function mb_strlen;
use function preg_replace;
+use function sodium_bin2hex;
+use function sodium_crypto_secretbox_keygen;
+use function sprintf;
use function str_contains;
use function strtr;
use function var_export;
use const DATE_RFC1123;
+use const SODIUM_CRYPTO_SECRETBOX_KEYBYTES;
/**
* Config file generation class
@@ -94,6 +100,12 @@ class ConfigGenerator
*/
private static function getVarExport($var_name, $var_value, $crlf)
{
+ if ($var_name === 'blowfish_secret') {
+ $secret = self::getBlowfishSecretKey($var_value);
+
+ return sprintf('$cfg[\'blowfish_secret\'] = \sodium_hex2bin(\'%s\');%s', sodium_bin2hex($secret), $crlf);
+ }
+
if (! is_array($var_value) || empty($var_value)) {
return "\$cfg['" . $var_name . "'] = "
. var_export($var_value, true) . ';' . $crlf;
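Review bot: The new `blowfish_secret` branch in `getVarExport` has no comment saying why this one entry bypasses `var_export`; something like `// The key is raw bytes: write it hex-encoded so the generated file stays printable, and decode it at load time.` would help the next reader. The emitted line calls `\sodium_hex2bin()` when the generated config is loaded, so that file now depends on the sodium functions being available at that point; worth confirming this holds wherever the config can be included. Because `getBlowfishSecretKey` falls back to a fresh key, an invalid `$var_value` produces a different secret on every export, with no message to the user. The rest of the method lies outside the hunk.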
@@ -199,4 +211,18 @@ class ConfigGenerator
return $ret;
}
+
+ /**
+ * @param mixed $key
+ *
+ * @psalm-return non-empty-string
+ */
+ private static function getBlowfishSecretKey($key): string
+ {
+ if (is_string($key) && mb_strlen($key, '8bit') === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
+ return $key;
+ }
+
+ return sodium_crypto_secretbox_keygen();
+ }
}
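Review bot: The docblock on `getBlowfishSecretKey` carries only type tags and does not say that an unusable value is silently replaced; add a summary line such as `Returns $key when it is a string of exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES bytes, otherwise a newly generated key.` The same validity test is written out in ServerConfigChecks in this commit, so the two copies have to be kept in step by hand. A single shared helper for "is this a usable secretbox key" would remove that risk.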