Summary | when setting session.hash_function to sha512, horde can't auth/decrypt anymore |
Queue | Horde Framework Packages |
Queue Version | FRAMEWORK_4 |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | slusarz (at) horde (dot) org |
Requester | jonathan (at) tietznet (dot) de |
Created | 10/21/2012 |
Due | |
Updated | 10/27/2012 |
Assigned | 10/22/2012 |
Resolved | 10/24/2012 |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
commit 467831f88724b48f8687d025000adf6886566bc4
Author: Michael M Slusarz <slusarz@horde.org>
Date: Wed Oct 24 10:09:20 2012 -0600

    [mms] Limit decryption/encryption key to 56 bytes (Bug #11566).

    Conflicts:
        framework/Secret/lib/Horde/Secret.php
        framework/Secret/package.xml

 framework/Secret/lib/Horde/Secret.php | 9 ++++++---
 framework/Secret/package.xml          | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)
http://git.horde.org/horde-git/-/commit/467831f88724b48f8687d025000adf6886566bc4
many thanks
now it works for me
Assigned to Michael Slusarz
State ⇒ Resolved
commit def22bd5e48fd39d1aa26c02af526fe5794d3890
Author: Michael M Slusarz <slusarz@horde.org>
Date: Wed Oct 24 10:09:20 2012 -0600

    [mms] Limit decryption/encryption key to 56 bytes (Bug #11566).

 framework/Secret/lib/Horde/Secret.php | 10 +++++++---
 framework/Secret/package.xml          |  2 ++
 2 files changed, 9 insertions(+), 3 deletions(-)
http://git.horde.org/horde-git/-/commit/def22bd5e48fd39d1aa26c02af526fe5794d3890
> cookie-based key anyway, so it probably doesn't matter anymore if we
> cut the session ID to 56 bytes maximum either. Opinions?
encryption key at issue here could theoretically be *any* key:
Horde_Secret#read() and Horde_Secret#write() accept any encryption key.
But I agree that the solution is to simply limit whatever key is given
to a maximum of 56 chars and clearly indicate this in the API
documentation ("Only the first 56 string characters in the
[de|en]cryption key will be used.")
Priority ⇒ 2. Medium
State ⇒ Feedback
Assigned to
encrypting information with Horde_Secret if cookies are disabled.
Since we use Crypt_Blowfish in the background, we need to limit this
key to 56 bytes. Using the session ID is less safe than generating our
own cookie-based key anyway, so it probably doesn't matter anymore if
we cut the session ID to 56 bytes maximum either. Opinions?
Priority ⇒ 3. High
Type ⇒ Bug
Summary ⇒ when setting session.hash_function to sha512, horde can't auth/decrypt anymore
Queue ⇒ Horde Framework Packages
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
With PHP 5.3 you can use a hash_function other than md5; see
http://www.php.net/manual/en/session.configuration.php#ini.session.hash-function
In my php.ini I tried this:
session.hash_function = sha512
Horde can't decrypt auth anymore:
2012-10-21T02:40:38+02:00 ERR: HORDE [horde] Key must be less than 56
characters and non-zero. Supplied key length: 103 [pid 1950 on line
114 of "/usr/share/php/Horde/Secret.php"]
and any further login fails.
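The arithmetic behind the log line in this report (a 103-character session ID) and the two key-handling behaviours the thread discusses (Crypt_Blowfish rejecting a key longer than 56 bytes, versus the fix that uses only the first 56 bytes), as an added Python example written for this page. It is not Horde code and does not run Blowfish; it models only the cipher's key-length rule. The port of PHP 5.3's session ID encoder (bin_to_readable, with session.hash_bits_per_character of 4, 5 or 6) is written from memory and labelled as such in the code; the output length it produces is the point of the example. It also covers the 56-byte limit Michael Slusarz describes above.

```python
"""Added example for Horde bug #11566: why a sha512 session ID breaks a
56-byte Blowfish key limit. Standalone sketch, not Horde code."""
import hashlib
import math
import os

# Blowfish accepts keys of 32..448 bits, i.e. at most 56 bytes.
BLOWFISH_MAX_KEY_BYTES = 56

# Digest sizes for typical session.hash_function values in PHP 5.3.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha512": 64}

# Alphabet of PHP's session ID encoder: 4 bits/char uses the first 16
# symbols, 5 bits/char the first 32, 6 bits/char all 64.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"


def bin_to_readable(digest: bytes, bits_per_char: int) -> str:
    """Port of the bit-packing loop in ext/session/session.c. Assumption:
    written from memory of PHP 5.3, so the exact bit order may differ; the
    output length, ceil(digest_bits / bits_per_char), is what matters here.
    A partially filled final group still emits one character."""
    if bits_per_char not in (4, 5, 6):
        raise ValueError("session.hash_bits_per_character must be 4, 5 or 6")
    mask = (1 << bits_per_char) - 1
    out, w, have, i = [], 0, 0, 0
    while True:
        if have < bits_per_char:
            if i < len(digest):
                w |= digest[i] << have
                i += 1
                have += 8
            elif have == 0:
                break
            else:
                have = bits_per_char  # final, partially filled group
        out.append(ALPHABET[w & mask])
        w >>= bits_per_char
        have -= bits_per_char
    return "".join(out)


def session_id_length(hash_function: str, bits_per_char: int = 4) -> int:
    """Length of a PHP session ID for the given php.ini settings."""
    return math.ceil(DIGEST_BYTES[hash_function] * 8 / bits_per_char)


def make_session_id(hash_function: str, bits_per_char: int = 4) -> str:
    """Constructed session ID: digest of random bytes, encoded like PHP."""
    digest = hashlib.new(hash_function, os.urandom(32)).digest()
    return bin_to_readable(digest, bits_per_char)


def secret_key_before_fix(key: bytes) -> bytes:
    """Behaviour in the report: the key is handed to Crypt_Blowfish as-is,
    which rejects anything over 56 bytes, so every login fails."""
    if not key or len(key) > BLOWFISH_MAX_KEY_BYTES:
        raise ValueError(
            "Key must be less than 56 characters and non-zero. "
            f"Supplied key length: {len(key)}")
    return key


def secret_key_after_fix(key: bytes) -> bytes:
    """Behaviour of the fix in this ticket: only the first 56 bytes of
    whatever key is supplied are used. An empty key is still an error."""
    if not key:
        raise ValueError("encryption key must be non-empty")
    return key[:BLOWFISH_MAX_KEY_BYTES]


def settings_exceeding_blowfish_limit():
    """(hash_function, bits_per_char) pairs whose session ID is too long to
    be used unmodified as a Blowfish key."""
    return sorted(
        (h, b)
        for h in DIGEST_BYTES
        for b in (4, 5, 6)
        if session_id_length(h, b) > BLOWFISH_MAX_KEY_BYTES
    )


if __name__ == "__main__":
    sid = make_session_id("sha512", 5)
    print(len(sid), "chars:", sid)
    try:
        secret_key_before_fix(sid.encode())
    except ValueError as exc:
        print("before fix:", exc)
    print("after fix: uses", len(secret_key_after_fix(sid.encode())), "bytes")
    print("settings over the limit:", settings_exceeding_blowfish_limit())
```

With hash_bits_per_character = 5 (the only setting that yields 103 characters from a 512-bit digest) the sketch reproduces the length in the reported error, and it shows that sha256 with 4 bits per character (64 characters) would have hit the same limit. After the fix, a session-ID-derived key contributes at most 56 characters of the ID, which at 4 to 6 bits per character is still 224 to 336 bits of key material.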