From 24ff6f5c840249efe5c1f4d947fb863eafa2e4ca Mon Sep 17 00:00:00 2001
From: wrongecho
Date: Sun, 25 Aug 2024 12:45:18 +0100
Subject: [PATCH] WIP: Allow decrypting logins/credentials via the API
---
 api/v1/credentials/create.php | 2 +-
 api/v1/credentials/credential_model.php | 2 +-
 api/v1/credentials/update.php | 2 +-
 functions.php | 6 ++----
 4 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/api/v1/credentials/create.php b/api/v1/credentials/create.php
index a7df2540..66140df1 100644
--- a/api/v1/credentials/create.php
+++ b/api/v1/credentials/create.php
@@ -27,4 +27,4 @@ if (!empty($api_key_decrypt_password) && !empty($name) && !(empty($password))) {
 }
 // Output
-require_once '../create_output.php';
\ No newline at end of file
+require_once '../create_output.php';
diff --git a/api/v1/credentials/credential_model.php b/api/v1/credentials/credential_model.php
index 4551d35d..6397f5f3 100644
--- a/api/v1/credentials/credential_model.php
+++ b/api/v1/credentials/credential_model.php
@@ -117,4 +117,4 @@ if (isset($_POST['login_software_id'])) {
 $software_id = $credential_row['login_software_id'];
 } else {
 $software_id = '';
-}
\ No newline at end of file
+}
diff --git a/api/v1/credentials/update.php b/api/v1/credentials/update.php
index a7237a35..489ef8b0 100644
--- a/api/v1/credentials/update.php
+++ b/api/v1/credentials/update.php
@@ -35,4 +35,4 @@ if (!empty($_POST['api_key_decrypt_password']) && !empty($login_id)) {
 }
 // Output
-require_once '../update_output.php';
\ No newline at end of file
+require_once '../update_output.php';
diff --git a/functions.php b/functions.php
index 1d6b6300..e3df27b6 100644
--- a/functions.php
+++ b/functions.php
@@ -380,10 +380,8 @@ function encryptLoginEntry($login_password_cleartext) return $iv . $ciphertext; } -function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key_decrypt_password) +function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, #[\SensitiveParameter]$api_key_decrypt_password) { - // TODO: try marking $api_key_decrypt_password as sensitive - new in PHP 8.2 - // Split the login entry (username/password) into IV and Ciphertext $login_iv = substr($login_ciphertext, 0, 16); $login_ciphertext = $salt = substr($login_ciphertext, 16); @@ -395,7 +393,7 @@ function apiDecryptLoginEntry($login_ciphertext, $api_key_decrypt_hash, $api_key return openssl_decrypt($login_ciphertext, 'aes-128-cbc', $site_encryption_master_key, 0, $login_iv); } -function apiEncryptLoginEntry($credential_cleartext, $api_key_decrypt_hash, $api_key_decrypt_password) +function apiEncryptLoginEntry(#[\SensitiveParameter]$credential_cleartext, $api_key_decrypt_hash, #[\SensitiveParameter]$api_key_decrypt_password) { $iv = randomString();
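Review bot: `#[\SensitiveParameter]` on `$api_key_decrypt_password` in `apiDecryptLoginEntry` only redacts the argument in stack traces, and only on PHP 8.2 or later; on 8.0/8.1 the attribute is silently ignored, and on PHP 7 the `#` would comment out the rest of the signature line. The minimum PHP version is not visible in this patch, so I would record it beside the signature, e.g. `// #[\SensitiveParameter] needs PHP >= 8.2 and only hides the value in backtraces`. The attribute does not keep the password out of request logs or error output written by the callers, so those paths still need their own handling. As a style point, write it with a space and a type, `#[\SensitiveParameter] string $api_key_decrypt_password`. The function body continues past the end of this hunk.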
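Review bot: The `return openssl_decrypt(...)` at the top of this hunk (the tail of `apiDecryptLoginEntry`) passes the raw result straight back, and `openssl_decrypt` returns `false` when the derived key or the padding is wrong; with decryption being opened to the API, the failure case should be explicit, e.g. `if ($cleartext === false) { return false; }` plus a strict `=== false` check in the endpoint before anything is output. `aes-128-cbc` carries no integrity tag, so a modified ciphertext is not reported as tampering; if the stored format can change, an AEAD mode such as `aes-256-gcm` is the usual choice. In `apiEncryptLoginEntry` the IV comes from `randomString()`, whose implementation is not shown here, so it is worth confirming that it draws from `random_bytes()`. Both function bodies extend outside the hunk.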