🔃 Sync Hub v0.5

Dockerfile

@@ -17,7 +17,7 @@ RUN apk update \
     && apk add --no-cache build-base
 
 
-RUN pip install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome \
+RUN pip install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography \
     && bash -c "find ${INSTALL_DIR} -type d -exec chmod 750 {} \;" \
     && bash -c "find ${INSTALL_DIR} -type f -exec chmod 640 {} \;" \
     && bash -c "find ${INSTALL_DIR} -type f \( -name '*.sh' -o -name '*.py'  -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
@@ -43,7 +43,7 @@ ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
 RUN apk update --no-cache \
     && apk add --no-cache bash zip lsblk gettext-envsubst sudo mtr tzdata s6-overlay \
     && apk add --no-cache curl arp-scan iproute2 iproute2-ss nmap nmap-scripts traceroute net-tools net-snmp-tools bind-tools awake ca-certificates  \
-    && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session \
+    && apk add --no-cache sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session php83-openssl \
     && apk add --no-cache python3 nginx \
     && ln -s /usr/bin/awake /usr/bin/wakeonlan \
     && bash -c "install -d -m 750 -o nginx -g www-data ${INSTALL_DIR} ${INSTALL_DIR}" \

Dockerfile.debian

@@ -35,7 +35,7 @@ RUN apt-get update \
 
 RUN apt-get install -y \
     tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
-    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
+    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools php-openssl \
     python3 iproute2 nmap python3-pip zip systemctl usbutils traceroute 
 
 # Alternate dependencies
@@ -46,7 +46,7 @@ RUN phpenmod -v 8.2 sqlite3
 RUN apt-get install -y python3-venv
 RUN python3 -m venv myenv
 
-RUN /bin/bash -c "source myenv/bin/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome"
+RUN /bin/bash -c "source myenv/bin/activate && update-alternatives --install /usr/bin/python python /usr/bin/python3 10 && pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography"
 
 # Create a buildtimestamp.txt to later check if a new version was released
 RUN date +%s > ${INSTALL_DIR}/front/buildtimestamp.txt

front/plugins/sync/hub.php

@@ -4,25 +4,22 @@
 require '/app/front/php/server/init.php';
 
 
-function decrypt_data($encoded_data) {
-    // Base64 decode the encoded data
-    $decoded_data = base64_decode($encoded_data);
+function decrypt_data($encoded_data, $key) {
+    // Base64 decode the encrypted data
+    $data = base64_decode($encoded_data);
 
-    // Extract the initialization vector (IV) from the decoded data
-    $iv = substr($decoded_data, 0, 16);
+    // Extract the IV and the ciphertext
+    $iv = substr($data, 0, 16);
+    $ciphertext = substr($data, 16);
 
-    // Extract the actual encrypted data
-    $encrypted_data = substr($decoded_data, 16);
+    // Derive the key using SHA-256
+    $key = hash('sha256', $key, true);
 
-    // Get the encryption key from the settings
-    $key = hash('sha256', getSettingValue('SYNC_encryption_key'), true);
+    // Decrypt the ciphertext using AES-256-CBC
+    $decrypted_data = openssl_decrypt($ciphertext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
 
-    // Decrypt the data
-    $decrypted_data = openssl_decrypt($encrypted_data, 'AES-256-CBC', $key, OPENSSL_RAW_DATA, $iv);
-    
-    if ($decrypted_data === false) {
-        return null; // Decryption failed
-    }
+    // Remove padding
+    $decrypted_data = rtrim($decrypted_data, "\0");
     
     return $decrypted_data;
 }
@@ -46,9 +43,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
     $plugin_folder = $_POST['plugin_folder'] ?? '';
     $node_name = $_POST['node_name'] ?? '';
 
-    $decoded_data = decrypt_data($data);
+    $decoded_data = decrypt_data($data, getSettingValue('SYNC_encryption_key'));
 
-    if ($decrypted_data === false or $decrypted_data === null) {
+    if ($decoded_data === false or $decoded_data === null) {
         write_notification("[Plugin: Sync hub API] Bad Request: Decryption failed", "alert");
         http_response_code(400);
         echo 'Bad Request: Decryption failed';

front/plugins/sync/sync.py

@@ -92,7 +92,7 @@ def main():
                         secondaryId = timeNowTZ(),
                         watched1    = node_name,
                         watched2    = response.status_code,
-                        watched3    = response.text,
+                        watched3    = response,
                         watched4    = '',
                         extra       = '',
                         foreignKey  = '')

install/install_dependencies.debian.sh

@@ -18,7 +18,7 @@ apt-get update  && apt-get install -y build-essential
 # Install dependencies
 apt-get install -y \
     tini snmp ca-certificates curl libwww-perl arp-scan perl apt-utils cron sudo \
-    nginx-light php php-cgi php-fpm php-sqlite3 php-curl sqlite3 dnsutils net-tools \
+    nginx-light php php-cgi php-fpm php-sqlite3 php-curl php-openssl sqlite3 dnsutils net-tools \
     python3 iproute2 nmap python3-pip zip systemctl usbutils traceroute 
 
 # alternate dependencies
@@ -33,5 +33,5 @@ source myenv/bin/activate
 update-alternatives --install /usr/bin/python python /usr/bin/python3 10
 
 #  install packages thru pip3
-pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython pycryptodome
+pip3 install requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython cryptography
 

server/helper.py

@@ -13,8 +13,9 @@ import json
 import time
 from pathlib import Path
 import requests
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad, unpad
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.backends import default_backend
 import base64
 import hashlib
 
@@ -804,11 +805,22 @@ def collect_lang_strings(json, pref, stringSqlParams):
 
 
 def encrypt_data(data, key):
-    key = hashlib.sha256(key.encode()).digest()  # Ensure the key is 32 bytes long
-    cipher = AES.new(key, AES.MODE_CBC)  # Use CBC mode for encryption
-    iv = cipher.iv  # Initialization vector
-    encrypted_data = cipher.encrypt(pad(data.encode(), AES.block_size))
-    return base64.b64encode(iv + encrypted_data).decode('utf-8')
+    """
+    Encrypt the data using AES-256-CBC.
+    
+    :param data: The plaintext data to encrypt.
+    :param key: The encryption key.
+    :return: The base64 encoded ciphertext.
+    """
+    key = hashlib.sha256(key.encode()).digest()
+    iv = os.urandom(16)  # Generate a random IV
+    padder = padding.PKCS7(128).padder()
+    padded_data = padder.update(data.encode()) + padder.finalize()
+    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
+    encryptor = cipher.encryptor()
+    ct = encryptor.update(padded_data) + encryptor.finalize()
+    encrypted_data = base64.b64encode(iv + ct).decode('utf-8')
+    return encrypted_data
 
 #-------------------------------------------------------------------------------
 #  Misc