Summary | credentials of remote calendars from prefs not decoded correctly |
Queue | Horde Framework Packages |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | |
Requester | piper (at) hrz (dot) uni-marburg (dot) de |
Created | 02/19/2015 (3789 days ago) |
Due | |
Updated | 03/06/2015 (3774 days ago) |
Assigned | |
Resolved | 03/02/2015 (3778 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
commit dcb8f4e4a72e687891ba0b18a44f5a339bf953a6
Author: Michael M Slusarz <slusarz@horde.org>
Date: Thu Mar 5 21:28:43 2015 -0700
[mms] Fix regression in removing CBC cipher mode when encrypting
data within a session (Bug #13869).
.../Core/lib/Horde/Core/Factory/Secret/Cbc.php | 22 ++++++++
framework/Core/lib/Horde/Core/Secret/Cbc.php | 54 ++++++++++++++++++++
framework/Core/lib/Horde/Registry.php | 1 +
framework/Core/lib/Horde/Session.php | 8 ++--
framework/Core/package.xml | 24 ++++++---
5 files changed, 97 insertions(+), 12 deletions(-)
http://github.com/horde/horde/commit/dcb8f4e4a72e687891ba0b18a44f5a339bf953a6
Queue ⇒ Horde Framework Packages
commit 4cb34e7b8709aaf32f63a830f0214e2d241e66cc
Author: Jan Schneider <jan@horde.org>
Date: Mon Mar 2 14:56:00 2015 +0100
[jan] Revert to using ECB mode for encryption, to not break
existing credentials (Bug #13869).
framework/Core/package.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
http://github.com/horde/horde/commit/4cb34e7b8709aaf32f63a830f0214e2d241e66cc
commit 34ae947ba0d340203b897273cdf1688466963d80
Author: Jan Schneider <jan@horde.org>
Date: Mon Mar 2 14:49:30 2015 +0100
Revert "[mms] Use more secure CBC block cipher mode when storing
encrypted Blowfish data inside the session."
This reverts commit d4feab0e8f873e247c95d298d61d57ce4d1f24c2.
This broke *any* encrypted data stored permanently somewhere in
Horde, e.g. remote calendar credentials.
Bug: 13869
Conflicts:
framework/Core/package.xml
framework/Core/lib/Horde/Core/Secret.php | 21 ---------------------
1 files changed, 0 insertions(+), 21 deletions(-)
http://github.com/horde/horde/commit/34ae947ba0d340203b897273cdf1688466963d80
New Attachment: encrypt_remote_cals.patch
credentials of the remote calendars. CBC-encryption seems to be
session-dependent and not persistent between sessions, therefore the
encrypted credentials of remote calendars which are stored in
horde_prefs cannot be decrypted in a new session.
Find attached a quick-and-dirty patch which implements
ECB-encryption-functions (as used previously) for en-/decrypting the
credentials of remote calendars. A cleaner patch could be to hand over
the encryption-mechanism as a parameter of the 'Horde_Secret'-method.
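The failure described in the comment above, as an added PHP example that is neither Horde code nor the attached patch: a value encrypted in CBC mode can only be read back with the IV it was written with, so an IV kept in session state makes stored credentials unreadable after a new login, while an IV stored next to the ciphertext does not. Assumptions: the session-held IV design is taken from the report's description, AES-128-CBC from ext/openssl stands in for Horde's Blowfish, and all function names, keys and the credential string are hypothetical.

```php
<?php
// Added illustration, not Horde code. AES-128-CBC (ext/openssl) stands in for
// Horde's Blowfish; the key, IVs and credential string are constructed.
const CIPHER = 'aes-128-cbc';

// Assumed design: the IV exists only in the current session's state.
function encryptSessionIv(string $plain, string $key, string $sessionIv): string
{
    return openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $sessionIv);
}

function decryptSessionIv(string $blob, string $key, string $sessionIv)
{
    return openssl_decrypt($blob, CIPHER, $key, OPENSSL_RAW_DATA, $sessionIv);
}

// Persistent variant: a fresh random IV is stored in front of the ciphertext.
function encryptPersistent(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    return $iv . openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

function decryptPersistent(string $blob, string $key)
{
    $n = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) <= $n) {
        return false; // too short to hold an IV plus one block
    }
    return openssl_decrypt(substr($blob, $n), CIPHER, $key, OPENSSL_RAW_DATA, substr($blob, 0, $n));
}

$key  = random_bytes(16);   // long-lived key, identical in both sessions
$cred = 'user=demo;pass=constructed-example-secret';
$ivA  = random_bytes(16);   // session A
$ivB  = random_bytes(16);   // session B, after a new login

$stored = encryptSessionIv($cred, $key, $ivA);   // what would land in the prefs DB
var_dump(decryptSessionIv($stored, $key, $ivA) === $cred);   // same session

// A wrong IV corrupts only the first 16-byte block: this three-block value
// comes back without an error but with a garbled start, while a one-block
// value would normally fail the padding check and return false.
$later = decryptSessionIv($stored, $key, $ivB);
var_dump($later === $cred, is_string($later) ? substr($later, 16) : $later);

$stored2 = encryptPersistent($cred, $key);
var_dump(decryptPersistent($stored2, $key) === $cred);       // any session
```

Because the wrong-IV case can return a string rather than `false`, a caller that only checks for decryption failure would pass a corrupted credential on to the remote server.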
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ credentials of remote calendars from prefs not decoded correctly
Due ⇒ 02/19/2015
Queue ⇒ Kronolith
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
(horde-5.2.4, kronolith-4.2.5, all modules on newest version) is not
working after a new login. The credentials of the remote calendar can
be entered by editing the calendar settings, after this the calendar
is accessible, but only for the running session.
The credentials are stored encrypted in the prefs-DB, but their
decryption on session start fails. I tracked this down to the function
'__construct' on line 81 in 'kronolith/lib/Calendar/Remote.php', which
calls the function 'read' from 'pear/php/Horde/Secret.php', which
fails on the decryption.
As this was working fine with horde-5.2.1 and kronolith-4.2.2, there
seem to have occurred some changes in the decryption-mechanism since
then, which lead to this problem.
Thanks for any help,
Andreas