key.patch   [plain text]


diff -Naur roundcubemail-0.5/program/include/rcmail.php roundcubemail/program/include/rcmail.php
--- roundcubemail-0.5/program/include/rcmail.php	2011-01-06 04:41:16.000000000 -0800
+++ roundcubemail/program/include/rcmail.php	2011-01-12 15:40:38.000000000 -0800
@@ -41,6 +41,7 @@
    * @var rcmail
    */
   static private $instance;
+  static private $crypto_method = "AES-128-CBC";
 
   /**
    * Stores instance of rcube_config.
@@ -596,6 +597,11 @@
       $_SESSION['auth_time'] = time();
       $_SESSION['temp'] = true;
     }
+	// create a random DES key cookie if there isn't one
+	if (!isset($_COOKIE['webmail_des_key'])) {
+		rcmail::setcookie('webmail_des_key', rcmail::random_key(24));
+	}
+
   }
 
 
@@ -1170,7 +1176,13 @@
      */
     $clear = pack("a*H2", $clear, "80");
 
-    if (function_exists('mcrypt_module_open') &&
+    if (function_exists('openssl_encrypt'))
+    {
+      $iv = $this->create_iv(openssl_cipher_iv_length(self::$crypto_method));
+      $cipher = openssl_encrypt($clear, self::$crypto_method, $this->config->get_crypto_key($key), true, $iv);
+      $cipher = $iv . $cipher;
+    }
+    else if (function_exists('mcrypt_module_open') &&
         ($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, "")))
     {
       $iv = $this->create_iv(mcrypt_enc_get_iv_size($td));
@@ -1215,7 +1227,14 @@
 
     $cipher = $base64 ? base64_decode($cipher) : $cipher;
 
-    if (function_exists('mcrypt_module_open') &&
+    if (function_exists('openssl_decrypt'))
+    {
+      $iv_len = openssl_cipher_iv_length(self::$crypto_method);
+      $iv = substr($cipher, 0, $iv_len);
+      $cipher = substr($cipher, $iv_len);
+      $clear = openssl_decrypt($cipher, self::$crypto_method, $this->config->get_crypto_key($key), true, $iv);
+    }
+    else if (function_exists('mcrypt_module_open') &&
         ($td = mcrypt_module_open(MCRYPT_TripleDES, "", MCRYPT_MODE_CBC, "")))
     {
       $iv_size = mcrypt_enc_get_iv_size($td);
@@ -1320,6 +1339,25 @@
     setcookie($name, $value, $exp, $cookie['path'], $cookie['domain'],
       rcube_https_check(), true);
   }
+ 
+
+  /**
+   * Generate a random string to be used as encryption key
+   *
+   * @param int Key length
+   * @return string The generated random string
+   * @static
+  */
+  public static function random_key($length)
+   {
+	$alpha = 'ABCDEFGHIJKLMNOPQERSTUVXYZabcdefghijklmnopqrtsuvwxyz0123456789+*%&?!$-_=';
+	$out = '';
+ 
+	for ($i=0; $i < $length; $i++)
+		$out .= $alpha{rand(0, strlen($alpha)-1)};
+  
+	return $out;
+   }
 }
 
 
diff -Naur roundcubemail-0.4.2/program/include/rcube_config.php roundcubemail/program/include/rcube_config.php
--- roundcubemail-0.4.2/program/include/rcube_config.php	2010-12-22 11:17:47.000000000 -0800
+++ roundcubemail/program/include/rcube_config.php	2011-01-12 15:40:38.000000000 -0800
@@ -212,8 +212,16 @@
      */
     public function get_crypto_key($key)
     {
-        // Bomb out if the requested key does not exist
-        if (!array_key_exists($key, $this->prop)) {
+		$val = null;
+  
+		// try and get the key from a cookie
+		if (isset($_COOKIE['webmail_'.$key]))
+		{
+			$val = $_COOKIE['webmail_'.$key];
+		}
+  
+       // Bomb out if the requested key does not exist
+        if ($val == null && !array_key_exists($key, $this->prop)) {
             raise_error(array(
                 'code' => 500, 'type' => 'php',
                 'file' => __FILE__, 'line' => __LINE__,
@@ -222,17 +230,20 @@
         }
 
         $key = $this->prop[$key];
+		
+		if ($val == null)
+			$val = $this->prop[$key];
 
         // Bomb out if the configured key is not exactly 24 bytes long
-        if (strlen($key) != 24) {
+        if (strlen($val) != 24) {
             raise_error(array(
                 'code' => 500, 'type' => 'php',
 	            'file' => __FILE__, 'line' => __LINE__,
-                'message' => "Configured crypto key '$key' is not exactly 24 bytes long"
+                'message' => "Configured crypto key '$val' is not exactly 24 bytes long"
             ), true, true);
         }
 
-        return $key;
+        return $val;
     }