diff --git a/Dockerfile b/Dockerfile
index 5b65698a..d460e98f 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,7 +17,7 @@ RUN apk update \
 && apk add --no-cache build-base
-RUN pip install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome \
+RUN pip install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography \
 && bash -c "find ${INSTALL_DIR} -type d -exec chmod 750 {} \;" \
 && bash -c "find ${INSTALL_DIR} -type f -exec chmod 640 {} \;" \
 && bash -c "find ${INSTALL_DIR} -type f \( -name '*.sh' -o -name '*.py' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
@@ -43,7 +43,7 @@ ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
 RUN apk update --no-cache \
 && apk add --no-cache bash zip lsblk gettext-envsubst sudo mtr tzdata s6-overlay \
 && apk add --no-cache curl arp-scan iproute2 iproute2-ss nmap nmap-scripts traceroute net-tools net-snmp-tools bind-tools awake ca-certificates \
- && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session \
+ && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session php83-openssl \
 && apk add --no-cache python3 nginx \
 && ln -s /usr/bin/awake /usr/bin/wakeonlan \
 && bash -c "install -d -m 750 -o nginx -g www-data ${INSTALL_DIR} ${INSTALL_DIR}" \
diff --git a/Dockerfile.debian b/Dockerfile.debian
index 76c3267f..b45dd0ed 100755
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -35,7 +35,7 @@ RUN apt-get update \
 RUN apt-get install -y \
 tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
- nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
+ nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools php-openssl \
 python3 iproute2 nmap python3-pip zip systemctl usbutils traceroute
 # Alternate dependencies
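Review bot: `php-openssl` in the added `apt-get install -y` line of Dockerfile.debian may not resolve on Debian — as far as I know the openssl extension is compiled into Debian's php packages and no separate `php-openssl` package exists, in which case apt aborts the whole RUN step with an "Unable to locate package" error and the image no longer builds. Please verify against the target release; if the extension is built in, drop the name (the Alpine `php83-openssl` added in the first file is a real package and fine). The same addition appears in install/install_dependencies.debian.sh (`@@ -18,7 +18,7 @@`) and needs the same treatment. A release-independent way to assert the requirement is a build-time check such as `php -m | grep -q openssl` after the install step.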
@@ -46,7 +46,7 @@ RUN phpenmod -v 8.2 sqlite3
 RUN apt-get install -y python3-venv
 RUN python3 -m venv myenv
-RUN /bin/bash -c "source myenv/bin/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome"
+RUN /bin/bash -c "source myenv/bin/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography"
 # Create a buildtimestamp.txt to later check if a new version was released
 RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt
diff --git a/front/plugins/sync/hub.php b/front/plugins/sync/hub.php
index 1e602708..d5179ed1 100755
--- a/front/plugins/sync/hub.php
+++ b/front/plugins/sync/hub.php
@@ -4,25 +4,22 @@ require '/app/front/php/server/init.php';
-function decrypt_data($encoded_data) {
- // Base64 decode the encoded data
- $decoded_data = base64_decode($encoded_data);
-
- // Extract the initialization vector (IV) from the decoded data
- $iv = substr($decoded_data, 0, 16);
-
- // Extract the actual encrypted data
- $encrypted_data = substr($decoded_data, 16);
-
- // Get the encryption key from the settings
- $key = hash('sha256', getSettingValue('SYNC_encryption_key'), true);
-
- // Decrypt the data
- $decrypted_data = openssl_decrypt($encrypted_data, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
-
- if ($decrypted_data === false) {
- return null; // Decryption failed
- }
+function decrypt_data($encoded_data, $key) {
+ // Base64 decode the encrypted data
+ $data = base64_decode($encoded_data);
+
+ // Extract the IV and the ciphertext
+ $iv = substr($data, 0, 16);
+ $ciphertext = substr($data, 16);
+
+ // Derive the key using SHA-256
+ $key = hash('sha256', $key, true);
+
+ // Decrypt the ciphertext using AES-256-CBC
+ $decrypted_data = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
+
+ // Remove padding
+ $decrypted_data = rtrim($decrypted_data, "\0");
 return $decrypted_data;
 }
@@ -46,9 +46,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 $plugin_folder = $_POST['plugin_folder'] ?? '';
 $node_name = $_POST['node_name'] ?? '';
- $decoded_data = decrypt_data($data);
+ $decoded_data = decrypt_data($data, getSettingValue('SYNC_encryption_key'));
- if ($decrypted_data === false or $decrypted_data === null) {
+ if ($decoded_data === false or $decoded_data === null) {
 write_notification("[Plugin: Sync hub API] Bad Request: Decryption failed", "alert");
 http_response_code(400);
 echo 'Bad Request: Decryption failed';
diff --git a/front/plugins/sync/sync.py b/front/plugins/sync/sync.py
index 91d6cef3..6f0b32ad 100755
--- a/front/plugins/sync/sync.py
+++ b/front/plugins/sync/sync.py
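Review bot: The `rtrim($decrypted_data, "\0")` added at the end of decrypt_data turns a decryption failure into a success: when openssl_decrypt returns false (wrong key, truncated input, bad padding), rtrim coerces it to the empty string, so the caller's `if ($decoded_data === false or $decoded_data === null)` check in the second hunk can never fire and the request proceeds with empty data instead of the intended 400. openssl_decrypt with OPENSSL_RAW_DATA already strips the PKCS#7 padding that the Python side applies, so the rtrim is unnecessary as well and would also eat trailing NUL bytes of a legitimate plaintext. Replace the rtrim line with the guard the old code had, `if ($decrypted_data === false) { return null; }`, and keep the `return $decrypted_data;` that follows. Unchanged by this commit but worth recording in a comment on the function: the scheme is CBC with no authentication tag, so a modified ciphertext generally decrypts to garbage rather than being rejected, and a padding error is the only failure signal the hub gets; moving both sides to an AEAD mode would give a real integrity check.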
@@ -92,7 +92,7 @@ def main():
 secondaryId = timeNowTZ(),
 watched1 = node_name,
 watched2 = response.status_code,
- watched3 = response.text,
+ watched3 = response,
 watched4 = '',
 extra = '',
 foreignKey = '')
diff --git a/install/install_dependencies.debian.sh b/install/install_dependencies.debian.sh
index 4b60a5f9..6eb47d35 100755
--- a/install/install_dependencies.debian.sh
+++ b/install/install_dependencies.debian.sh
@@ -18,7 +18,7 @@ apt-get update && apt-get install -y build-essential # Install dependencies
 apt-get install -y \
 tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
- nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
+ nginx-light php php-cgi php-fpm php-sqlite3 php-curl php-openssl sqlite3 dnsutils net-tools \
 python3 iproute2 nmap python3-pip zip systemctl usbutils traceroute
 # alternate dependencies
@@ -33,5 +33,5 @@ source myenv/bin/activate
 update-alternatives --install /usr/bin/python python /usr/bin/python3 10
 # install packages thru pip3
-pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome
+pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography
diff --git a/server/helper.py b/server/helper.py
index 76995f3a..613c6970 100755
--- a/server/helper.py
+++ b/server/helper.py
@@ -13,8 +13,9 @@ import json
 import time
 from pathlib import Path
 import requests
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad, unpad
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.backends import default_backend
 import base64
 import hashlib
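Review bot: `watched3 = response` stores the requests Response object itself where the previous line stored `response.text`; whatever consumes this field will see only the object's repr (something like `<Response [200]>`, a constructed example) on str(), or fail outright if the field is JSON-serialised, and the hub's reply body is no longer recorded for troubleshooting. The surrounding call and main() start and end outside the hunk, so I cannot see how the field is used. If the intent is to stop storing the body, `watched3 = ''` says that explicitly; otherwise restore `watched3 = response.text`, or bound it with a slice if size was the concern.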
@@ -804,11 +805,22 @@ def collect_lang_strings(json, pref, stringSqlParams):
 def encrypt_data(data, key):
- key = hashlib.sha256(key.encode()).digest() # Ensure the key is 32 bytes long
- cipher = AES.new(key, AES.MODE_CBC) # Use CBC mode for encryption
- iv = cipher.iv # Initialization vector
- encrypted_data = cipher.encrypt(pad(data.encode(), AES.block_size))
- return base64.b64encode(iv + encrypted_data).decode('utf-8')
+ """
+ Encrypt the data using AES-256-CBC.
+
+ :param data: The plaintext data to encrypt.
+ :param key: The encryption key.
+ :return: The base64 encoded ciphertext.
+ """
+ key = hashlib.sha256(key.encode()).digest()
+ iv = os.urandom(16) # Generate a random IV
+ padder = padding.PKCS7(128).padder()
+ padded_data = padder.update(data.encode()) + padder.finalize()
+ cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+ encryptor = cipher.encryptor()
+ ct = encryptor.update(padded_data) + encryptor.finalize()
+ encrypted_data = base64.b64encode(iv + ct).decode('utf-8')
+ return encrypted_data
 #-------------------------------------------------------------------------------
 # Misc
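Review bot: `iv = os.urandom(16)` depends on `os`, but the import hunk for this file (`@@ -13,8 +13,9 @@`) only adds the cryptography imports; if `os` is not already imported in the lines above 13 that lie outside this diff, encrypt_data raises NameError on its first call, so please confirm or add `import os` there. That import hunk also drops `AES`, `pad` and `unpad`, so any other function in helper.py that still uses pycryptodome (not visible here) would now fail the same way. `backend=default_backend()` has been optional since cryptography 3.1 — `cipher = Cipher(algorithms.AES(key), modes.CBC(iv))` is sufficient and lets the `default_backend` import go. The docstring should also pin the wire format hub.php depends on, e.g. `:return: base64 of (16-byte random IV || PKCS#7-padded AES-256-CBC ciphertext), keyed with SHA-256(key)`, since the PHP decrypt_data must stay byte-compatible with this function.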