improve crypto

Author: root

inc/oohforms.inc

@@ -513,9 +513,10 @@ class form {
   }
 
   function encrypt($str) {  #must match the decrypt function in tpl_form
-	$iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC), MCRYPT_RAND);
-        $key = md5($GLOBALS["sess"]->id.$_ENV["DatabaseClass"],true);
-        return $iv . mcrypt_encrypt ( MCRYPT_RIJNDAEL_128 , $key , $str , MCRYPT_MODE_CBC, $iv );
+	global $sess;
+	if (empty($sess->id)) $key=md5('somecrap'); else $key=$sess->id;
+	$iv = hex2bin(md5($_ENV["DatabaseClass"]));
+	return openssl_encrypt($str,"AES-256-CTR",hex2bin($key),OPENSSL_RAW_DATA,$iv);
   }
 
 } /* end FORM */

inc/session.inc

@@ -106,8 +106,6 @@ class Session {
     if ( "" == $id ) {
       $newid=false;
       switch ($this->mode) {
-        case "cookieonly":
-	  $id = isset($_COOKIE[$this->name]) ? $_COOKIE[$this->name] : "";
         case "cookie":
         case "get":
           $id = isset($_COOKIE[$this->name]) ?
@@ -128,9 +126,7 @@ class Session {
 
     if ( "" == $id ) {
       $newid=true;
-      do {
-         $id = $this->that->ac_newid(bin2hex(openssl_random_pseudo_bytes(16)), $this->name);  // Generate a new ID
-      } while ($this->that->ac_get_value($id, $this->name));	     // See if it exists already
+      $id = $this->that->ac_newid(md5(uniqid($this->magic)), $this->name);
     }
 
     switch ($this->mode) {
@@ -357,16 +353,20 @@ class Session {
   ## Reload frozen variables from the database and microwave them.
 
   function thaw() {
-        $this->get_lock();
+    $this->get_lock();
 
-        $vals = $this->that->ac_get_value($this->id, $this->name);
+    $vals = $this->that->ac_get_value($this->id, $this->name);
+    if ((isset($vals)) and (substr($vals,0,1)=="$")) {
+	eval(sprintf(";%s",$vals));  // support old session data for php3
+    } else {
 	$arr = unserialize($vals);   // new serialised data req. php => 4.07
 	if (is_array($arr)) {
 	    foreach($arr as $k=>$v) {
 		$this->pt[$k]=1;
 		$GLOBALS[$k]=$v;
 	    }
 	}
+    }
   }
 
   ##

inc/tpl_form.inc

@@ -1134,11 +1134,10 @@ echo "<script type='text/javascript' src='/js/datefunc.js'>
   }
 
   function decrypt($str) {  # must match encrypt function in oohforms
-	$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
-	$iv = substr($str, 0, $iv_size);
-	$str = substr($str, $iv_size);
-        $key = md5($GLOBALS["sess"]->id.$_ENV["DatabaseClass"],true);
-        return mcrypt_decrypt ( MCRYPT_RIJNDAEL_128 , $key , $str , MCRYPT_MODE_CBC, $iv );
+        global $sess;
+        if (empty($sess->id)) $key=md5('somecrap'); else $key=$sess->id;
+	$iv = hex2bin(md5($_ENV["DatabaseClass"]));
+        return openssl_decrypt($str,"AES-256-CTR",hex2bin($key),OPENSSL_RAW_DATA,$iv);
   } 
 
 }