harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

crypto improvements (use pkcs1_oaep_padding instead of the older pkcs1_padding)

Browse Source
This commit is contained in:
zotlabs 2018-02-16 18:45:15 -08:00
parent 4e6072fb29
commit 46cb45d94b
1 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
include/crypto.php
View File

@ -122,6 +122,14 @@ function other_encapsulate($data,$pubkey,$alg) {
if(! $pubkey) if(! $pubkey)
logger('no key. data: ' . $data); logger('no key. data: ' . $data);
$oaep = false;
if(strpos($alg,'.oaep')) {
$oaep = true;
$alg = substr($alg,0,-5);
}
$fn = strtoupper($alg) . '_encrypt'; $fn = strtoupper($alg) . '_encrypt';
if(function_exists($fn)) { if(function_exists($fn)) {
@ -140,14 +148,14 @@ function other_encapsulate($data,$pubkey,$alg) {
$iv = openssl_random_pseudo_bytes(256); $iv = openssl_random_pseudo_bytes(256);
$result['data'] = base64url_encode($fn($data,$key,$iv),true); $result['data'] = base64url_encode($fn($data,$key,$iv),true);
// log the offending call so we can track it down // log the offending call so we can track it down
if(! openssl_public_encrypt($key,$k,$pubkey)) { if(! openssl_public_encrypt($key,$k,$pubkey,(($oaep) ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING))) {
$x = debug_backtrace(); $x = debug_backtrace();
logger('RSA failed. ' . print_r($x[0],true)); logger('RSA failed. ' . print_r($x[0],true));
} }
$result['alg'] = $alg; $result['alg'] = $alg;
$result['key'] = base64url_encode($k,true); $result['key'] = base64url_encode($k,true);
openssl_public_encrypt($iv,$i,$pubkey); openssl_public_encrypt($iv,$i,$pubkey,(($oaep) ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING));
$result['iv'] = base64url_encode($i,true); $result['iv'] = base64url_encode($i,true);
return $result; return $result;
} }
@ -166,7 +174,7 @@ function crypto_methods() {
// The actual methods are responsible for deriving the actual key/iv from the provided parameters; // The actual methods are responsible for deriving the actual key/iv from the provided parameters;
// possibly by truncation or segmentation - though many other methods could be used. // possibly by truncation or segmentation - though many other methods could be used.
$r = [ 'aes256ctr', 'camellia256cfb', 'cast5cfb', 'aes256cbc', 'aes128cbc', 'cast5cbc' ]; $r = [ 'aes256ctr.oaep', 'camellia256cfb.oaep', 'cast5cfb.oaep', 'aes256ctr', 'camellia256cfb', 'cast5cfb', 'aes256cbc', 'aes128cbc', 'cast5cbc' ];
call_hooks('crypto_methods',$r); call_hooks('crypto_methods',$r);
return $r; return $r;
@ -216,10 +224,19 @@ function crypto_unencapsulate($data,$prvkey) {
} }
function other_unencapsulate($data,$prvkey,$alg) { function other_unencapsulate($data,$prvkey,$alg) {
$oaep = false;
if(strpos($alg,'.oaep')) {
$oaep = true;
$alg = substr($alg,0,-5);
}
$fn = strtoupper($alg) . '_decrypt'; $fn = strtoupper($alg) . '_decrypt';
if(function_exists($fn)) { if(function_exists($fn)) {
openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey); openssl_private_decrypt(base64url_decode($data['key']),$k,$prvkey,(($oaep) ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING));
openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey); openssl_private_decrypt(base64url_decode($data['iv']),$i,$prvkey,(($oaep) ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING));
return $fn(base64url_decode($data['data']),$k,$i); return $fn(base64url_decode($data['data']),$k,$i);
} }
else { else {