From 030a58f18f6bbd0fd5f035000bd503a023c16ad6 Mon Sep 17 00:00:00 2001
From: karks88
Date: Fri, 26 Mar 2021 14:43:48 -0400
Subject: [PATCH 1/3] Update wp-multisite-sso.php

Change $cipher = 'AES-128-EBC'; to $cipher = 'AES-128-CBC';
---
 wp-multisite-sso.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wp-multisite-sso.php b/wp-multisite-sso.php
index 09383fe..b94de43 100644
--- a/wp-multisite-sso.php
+++ b/wp-multisite-sso.php
@@ -144,7 +144,7 @@ public static function handle_login( $username, $user ) {
 }
 // encrypt the sso object
- $cipher = 'AES-128-ECB';
+ $cipher = 'AES-128-CBC';
 $iv = openssl_random_pseudo_bytes( openssl_cipher_iv_length( $cipher ) );
 $sso_objects = array_map( function( $sso_object ) use ( $iv, $cipher ) {
@@ -191,7 +191,7 @@ private static function authenticate_user_on_blog() {
 $sso = base64_decode( esc_attr( $request_sso ) );
 // Decrypt the SSO object.
- $cipher = 'AES-128-ECB';
+ $cipher = 'AES-128-CBC';
 $ivlen = openssl_cipher_iv_length( $cipher );
 $iv = substr( $sso, 0, $ivlen );
 $sha2len = 32;

From 52c9674789a9b59648d28a67403faf16913bb13d Mon Sep 17 00:00:00 2001
From: Eric Karkovack
Date: Mon, 20 Mar 2023 08:00:11 -0400
Subject: [PATCH 2/3] Update wp-multisite-sso.php

Refactored the encryption method for PHP 8.1 compatibility.
---
 wp-multisite-sso.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/wp-multisite-sso.php b/wp-multisite-sso.php
index b94de43..0db4118 100644
--- a/wp-multisite-sso.php
+++ b/wp-multisite-sso.php
@@ -1,7 +1,7 @@ 0) { + $iv = openssl_random_pseudo_bytes($iv_length); + } else { + // ECB mode or any other mode that does not require an IV + $iv = null; + } $sso_objects = array_map( function( $sso_object ) use ( $iv, $cipher ) { // encode the sso object
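Review bot: In the first hunk of patch 1/3 (`handle_login`), `$iv` is generated once and then captured by the `array_map` closure through `use ( $iv, $cipher )`, so every SSO object in the batch appears to be encrypted under the same IV. The move to CBC makes that matter: if the objects share a key, a repeated IV lets an observer tell when two tokens begin with the same plaintext blocks. The closure body is outside the hunk, so confirm the key handling there, then draw the IV per object inside the closure, e.g. `$iv = random_bytes( openssl_cipher_iv_length( $cipher ) );` with `$iv` dropped from the `use` list. The same capture pattern is still visible at the end of the first hunk of 2/3.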
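Review bot: In the second hunk of patch 1/3 (`authenticate_user_on_blog`), the request value goes through `esc_attr()` and a non-strict `base64_decode()`, and `$iv` is then cut out with `substr( $sso, 0, $ivlen )` without any check that the decoded string is long enough. `esc_attr()` is an HTML output escaper rather than an input validator, and with CBC the IV is 16 bytes, so a short or malformed token now produces a truncated IV and whatever follows it. Suggest `$sso = base64_decode( $request_sso, true );` and, once `$sha2len` is set, a guard such as `if ( false === $sso || strlen( $sso ) <= $ivlen + $sha2len ) { return; }`, using whatever failure path the function already has, since its body continues outside the hunk. `$sha2len = 32` suggests a SHA-256 MAC follows the IV; that comparison is not visible here, but it should use `hash_equals()` and run before decryption. The same lines recur as context in the second hunks of 2/3 and 3/3.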
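Review bot: In the first hunk of patch 2/3, the added `else` branch sets `$iv = null` for "ECB mode or any other mode that does not require an IV", which turns a no-IV cipher into a supported path on the encrypt side right after 1/3 moved away from ECB. ECB maps equal plaintext blocks to equal ciphertext blocks, so it should not be an accepted fallback for login tokens. Because the cipher is a literal chosen in this file, the branch can fail closed instead, e.g. `throw new \RuntimeException( 'SSO cipher must use an IV' );` or the plugin's own error path. The beginning of this hunk is not legible on the page, so the cipher value selected here cannot be confirmed from what is shown.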
@@ -191,7 +203,7 @@ private static function authenticate_user_on_blog() {
 $sso = base64_decode( esc_attr( $request_sso ) );
 // Decrypt the SSO object.
- $cipher = 'AES-128-CBC';
+ $cipher = 'AES-128-ECB';
 $ivlen = openssl_cipher_iv_length( $cipher );
 $iv = substr( $sso, 0, $ivlen );
 $sha2len = 32;

From 3482a9f9edb623e1ad793e5de823e044fe90f0fd Mon Sep 17 00:00:00 2001
From: Eric Karkovack
Date: Mon, 20 Mar 2023 13:47:58 -0400
Subject: [PATCH 3/3] Update wp-multisite-sso.php

Fix: Ensure encryption type matches throughout.
---
 wp-multisite-sso.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/wp-multisite-sso.php b/wp-multisite-sso.php
index 0db4118..5139c03 100644
--- a/wp-multisite-sso.php
+++ b/wp-multisite-sso.php
@@ -144,7 +144,7 @@ public static function handle_login( $username, $user ) {
 }
 // encrypt the sso object
- //$cipher = 'AES-128-ECB';
+ //$cipher = 'AES-128-CBC';
 //$iv = openssl_random_pseudo_bytes( openssl_cipher_iv_length( $cipher ) );
 /* March 2023 Rewrite for PHP 8 Compatibility */
@@ -203,7 +203,7 @@ private static function authenticate_user_on_blog() {
 $sso = base64_decode( esc_attr( $request_sso ) );
 // Decrypt the SSO object.
- $cipher = 'AES-128-ECB';
+ $cipher = 'AES-128-CBC';
 $ivlen = openssl_cipher_iv_length( $cipher );
 $iv = substr( $sso, 0, $ivlen );
 $sha2len = 32;
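Review bot: The second hunk of patch 2/3 puts the decrypt side of `authenticate_user_on_blog` back on `'AES-128-ECB'`, and 3/3 then flips the same line to CBC again, which shows the cipher name is kept as independent string literals in the encrypt and decrypt paths. With ECB, `openssl_cipher_iv_length()` returns 0, so `$iv` becomes an empty string and every offset after it shifts; if the encrypt side was on CBC at that commit, tokens would not decrypt. Declare the cipher once on the class, e.g. `const SSO_CIPHER = 'AES-128-CBC';` (the name is a suggestion), and read `self::SSO_CIPHER` in both `handle_login` and here so the two sides cannot drift. The function body continues outside the hunk.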