author | Roberts Lataria <roberts.lataria@zabbix.com> | 2021-12-17 00:46:38 +0300 |
committer | Roberts Lataria <roberts.lataria@zabbix.com> | 2021-12-17 00:56:31 +0300 |
commit | 373a2ddb9b8b4736976d7090b2481e572f98cc4b (patch) | |
tree | 18317b94c7e82c8ce13250f5568ea7f7d43cdb00 | |
parent | 876868379470a7bbc3415138746afb450ebe0976 (diff) |
A.F....... [ZBX-20350] changed hash algo for encrypted cookies
(cherry picked from commit 63c3e8cde9dcb5b208d1e3a87e4b4120fd056094)
-rw-r--r-- | ChangeLog.d/bugfix/ZBX-20350 | 1 | ||||
-rw-r--r-- | ui/include/classes/core/CEncryptedCookieSession.php | 2 | ||||
-rw-r--r-- | ui/include/classes/helpers/CEncryptHelper.php | 15 | ||||
-rw-r--r-- | ui/index_sso.php | 4 |
4 files changed, 6 insertions, 16 deletions
diff --git a/ChangeLog.d/bugfix/ZBX-20350 b/ChangeLog.d/bugfix/ZBX-20350
new file mode 100644
index 00000000000..b5905bdff79
--- /dev/null
+++ b/ChangeLog.d/bugfix/ZBX-20350
@@ -0,0 +1 @@
+A.F....... [ZBX-20350] changed hash algo for encrypted cookies (rlataria)
diff --git a/ui/include/classes/core/CEncryptedCookieSession.php b/ui/include/classes/core/CEncryptedCookieSession.php
index afb0790ac69..3f5fce54f37 100644
--- a/ui/include/classes/core/CEncryptedCookieSession.php
+++ b/ui/include/classes/core/CEncryptedCookieSession.php
@@ -52,7 +52,7 @@ class CEncryptedCookieSession extends CCookieSession {
 /**
 * Prepare session data.
 *
- * @param string $data
+ * @param array $data
 *
 * @return string
 */
diff --git a/ui/include/classes/helpers/CEncryptHelper.php b/ui/include/classes/helpers/CEncryptHelper.php
index 64c27ff5266..7563cf648c3 100644
--- a/ui/include/classes/helpers/CEncryptHelper.php
+++ b/ui/include/classes/helpers/CEncryptHelper.php
@@ -27,7 +27,7 @@ class CEncryptHelper {
 /**
 * Signature algorithm.
 */
- public const SIGN_ALGO = 'aes-256-ecb';
+ public const SIGN_ALGO = 'sha256';
 
 /**
 * Session secret key.
@@ -82,7 +82,7 @@ class CEncryptHelper {
 public static function sign(string $data): string {
 $key = self::getKey();
 
- return openssl_encrypt($data, self::SIGN_ALGO, $key);
+ return hash_hmac(self::SIGN_ALGO, $data, $key, false);
 }
 
 /**
@@ -110,15 +110,4 @@ class CEncryptHelper {
 ' WHERE '.dbConditionInt('configid', [$db_config['configid']])
 );
 }
-
- /**
- * Generate a hash value.
- *
- * @param string $message
- *
- * @return string
- */
- public static function hash(string $message): string {
- return hash('sha256', $message, false);
- }
 }
diff --git a/ui/index_sso.php b/ui/index_sso.php
index de42a21221f..45130e7cd8a 100644
--- a/ui/index_sso.php
+++ b/ui/index_sso.php
@@ -204,7 +204,7 @@ try {
 'nameid_sp_name_qualifier' => $auth->getNameIdSPNameQualifier(),
 'session_index' => $auth->getSessionIndex()
 ];
- $saml_data['sign'] = CEncryptHelper::hash(json_encode($saml_data));
+ $saml_data['sign'] = CEncryptHelper::sign(json_encode($saml_data));
 
 CSessionHelper::set('saml_data', $saml_data);
 
@@ -243,7 +243,7 @@ try {
 }
 
 $saml_data_sign = $saml_data['sign'];
- $saml_data_sign_check = CEncryptHelper::hash(json_encode(array_diff_key($saml_data, array_flip(['sign']))));
+ $saml_data_sign_check = CEncryptHelper::sign(json_encode(array_diff_key($saml_data, array_flip(['sign']))));
 
 if (!CEncryptHelper::checkSign($saml_data_sign, $saml_data_sign_check)) {
 throw new Exception(_('Session initialization error.')); |
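Review bot: `sign()` in the `@@ -82,7` hunk now returns a hex HMAC-SHA256 over `$data`, so the verifier `checkSign()` (not in this diff) must compare the two strings with `hash_equals()`; if it still uses `===` or a comparison written for the previous `openssl_encrypt` output, the MAC check is timing-sensitive and is worth confirming in the same change. In the `@@ -27,7` hunk `SIGN_ALGO` changes from a cipher name to a hash name, so any remaining `openssl_*` call that reads the constant would now receive an invalid cipher — check for other consumers before merging. The docblock of `sign()` sits above the hunk and should state the new contract, e.g. `* @return string  Hex-encoded HMAC-SHA256 of $data, keyed with the session secret.` Because the output format changed, signatures produced before the upgrade will no longer verify and those sessions will be re-authenticated; that is expected but deserves a line in the ChangeLog entry. The fourth argument `false` is `hash_hmac()`'s default and could be dropped or written as `binary: false` for readability.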
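Review bot: `json_encode($saml_data)` on the signing line and the re-encoding on the `$saml_data_sign_check` line both return `false` when encoding fails (for example a non-UTF-8 attribute value supplied by the IdP), and unless this file declares `strict_types`, that `false` coerces to `''` when passed to `sign(string $data)`, so both sides compute the HMAC of an empty string and `checkSign()` succeeds on a payload that was never actually covered by the MAC. Pass `JSON_THROW_ON_ERROR` on both calls so the failure surfaces instead: `$saml_data['sign'] = CEncryptHelper::sign(json_encode($saml_data, JSON_THROW_ON_ERROR));` and the same flag inside the `$saml_data_sign_check` expression, relying on the enclosing `try` to turn the `JsonException` into the existing error path if its `catch` covers `Exception`. Replacing the unkeyed `hash()` with the keyed `sign()` is the right direction, since an unkeyed digest only protects against accidental corruption and not against whoever can write the session payload. Both hunks are inside a `try` block whose start and end lie outside the diff.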