diff --git a/.docker/app/Dockerfile b/.docker/app/Dockerfile index acfc1a9e5..7a87f7ea3 100644 --- a/.docker/app/Dockerfile +++ b/.docker/app/Dockerfile @@ -16,7 +16,7 @@ RUN [ ! -z ${ALPINE_MIRROR} ] && \ apk add --no-cache ca-certificates dcron git postgresql-client rsync sudo tzdata \ php${PHP_SUFFIX} \ $(for p in ctype curl dom exif fileinfo fpm gd iconv intl json mbstring opcache \ - openssl pcntl pdo pdo_pgsql pecl-apcu pecl-xdebug phar posix session simplexml sockets tokenizer xml xmlwriter zip; do \ + openssl pcntl pdo pdo_pgsql pecl-apcu pecl-xdebug phar posix session simplexml sockets sodium tokenizer xml xmlwriter zip; do \ php_pkgs="$php_pkgs php${PHP_SUFFIX}-$p"; \ done; \ echo $php_pkgs) && \ diff --git a/classes/Config.php b/classes/Config.php index 92037ff74..5098bfe68 100644 --- a/classes/Config.php +++ b/classes/Config.php @@ -6,7 +6,7 @@ class Config { const T_STRING = 2; const T_INT = 3; - const SCHEMA_VERSION = 147; + const SCHEMA_VERSION = 148; /** override default values, defined below in _DEFAULTS[], prefixing with _ENVVAR_PREFIX: * @@ -192,6 +192,10 @@ class Config { /** disables login form controls except HOOK_LOGINFORM_ADDITIONAL_BUTTONS (for SSO providers), also prevents logging in through auth_internal */ const DISABLE_LOGIN_FORM = "DISABLE_LOGIN_FORM"; + /** optional key to transparently encrypt sensitive data (currently limited to sessions and feed passwords), + * key is a 32 byte hex string which may be generated using `update.php --gen-encryption-key` */ + const ENCRYPTION_KEY = "ENCRYPTION_KEY"; + /** default values for all global configuration options */ private const _DEFAULTS = [ Config::DB_TYPE => [ "pgsql", Config::T_STRING ], @@ -249,7 +253,8 @@ class Config { Config::HTTP_USER_AGENT => [ 'Tiny Tiny RSS/%s (https://tt-rss.org/)', Config::T_STRING ], Config::HTTP_429_THROTTLE_INTERVAL => [ 3600, Config::T_INT ], - Config::DISABLE_LOGIN_FORM => [ "", Config::T_BOOL ] + Config::DISABLE_LOGIN_FORM => [ "", Config::T_BOOL ], + Config::ENCRYPTION_KEY => [ "", Config::T_STRING ] ]; private static ?Config $instance = null; diff --git a/classes/Crypt.php b/classes/Crypt.php new file mode 100644 index 000000000..2b3a7b788 --- /dev/null +++ b/classes/Crypt.php @@ -0,0 +1,62 @@ + self::ENCRYPT_ALGO, + 'nonce' => $nonce, + 'payload' => $payload, + ]; + + return $encrypted_data; + } + + throw new Exception("Crypt::encrypt_string() failed to encrypt ciphertext"); + } + + /** decrypts payload of a valid encrypted object using Config::ENCRYPTION_KEY + * + * @param array{'algo': string, 'nonce': string, 'payload': string} $encrypted_data + * + * @return string decrypted string payload + */ + static function decrypt_string(array $encrypted_data) : string { + $key = Config::get(Config::ENCRYPTION_KEY); + + if (!$key) + throw new Exception("Crypt::decrypt_string() failed to decrypt - key is not available"); + + // only one is supported for the time being + switch ($encrypted_data['algo']) { + case self::ENCRYPT_ALGO: + return sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($encrypted_data['payload'], '', $encrypted_data['nonce'], hex2bin($key)); + } + + throw new Exception('Crypt::decrypt_string() failed to decrypt passed encrypted data object, unsupported algo: ' . $encrypted_data['algo']); + } + +} \ No newline at end of file diff --git a/classes/Feeds.php b/classes/Feeds.php index 7a81ec6c0..7d818598d 100644 --- a/classes/Feeds.php +++ b/classes/Feeds.php @@ -2376,5 +2376,29 @@ class Feeds extends Handler_Protected { return [$query, $skip_first_id]; } + + /** decrypts encrypted feed password if possible (key is available and data is a base64-encoded serialized object) + * + * @param $auth_pass possibly encrypted feed password + * + * @return string plaintext representation of an encrypted feed password if encrypted or plaintext password otherwise + * */ + static function decrypt_feed_pass(string $auth_pass) : string { + $key = Config::get(Config::ENCRYPTION_KEY); + + if ($auth_pass && $key) { + $auth_pass_serialized = @base64_decode($auth_pass); + + if ($auth_pass_serialized) { + $unserialized_data = @unserialize($auth_pass_serialized); + + if ($unserialized_data !== false) + return Crypt::decrypt_string($unserialized_data); + } + } + + return $auth_pass; + } + } diff --git a/classes/Pref_Feeds.php b/classes/Pref_Feeds.php index 537cc3c86..bc059b99f 100644 --- a/classes/Pref_Feeds.php +++ b/classes/Pref_Feeds.php @@ -560,6 +560,7 @@ class Pref_Feeds extends Handler_Protected { ob_end_clean(); $row["icon"] = Feeds::_get_icon($feed_id); + $row["auth_pass"] = Feeds::decrypt_feed_pass($row["auth_pass"]); $local_update_intervals = $update_intervals; $local_update_intervals[0] .= sprintf(" (%s)", $update_intervals[Prefs::get(Prefs::DEFAULT_UPDATE_INTERVAL, $_SESSION['uid'])]); @@ -746,6 +747,11 @@ class Pref_Feeds extends Handler_Protected { $feed_language = clean($_POST["feed_language"] ?? ""); + $key = Config::get(Config::ENCRYPTION_KEY); + + if ($key && $auth_pass) + $auth_pass = base64_encode(serialize(Crypt::encrypt_string($auth_pass))); + if (!$batch) { /* $sth = $this->pdo->prepare("SELECT feed_url FROM ttrss_feeds WHERE id = ?"); diff --git a/classes/RSSUtils.php b/classes/RSSUtils.php index ee58416e3..f6a81d00f 100644 --- a/classes/RSSUtils.php +++ b/classes/RSSUtils.php @@ -331,6 +331,8 @@ class RSSUtils { $pluginhost->load((string)$user_plugins, PluginHost::KIND_USER, $feed->owner_uid); //$pluginhost->load_data(); + $feed_auth_pass_plaintext = Feeds::decrypt_feed_pass($feed->auth_pass); + $basic_info = []; $pluginhost->run_hooks_callback(PluginHost::HOOK_FEED_BASIC_INFO, function ($result) use (&$basic_info) { @@ -338,13 +340,13 @@ class RSSUtils { $basic_info = $result; return true; } - }, $basic_info, $feed->feed_url, $feed->owner_uid, $feed_id, $feed->auth_login, $feed->auth_pass); + }, $basic_info, $feed->feed_url, $feed->owner_uid, $feed_id, $feed->auth_login, $feed_auth_pass_plaintext); if (!$basic_info) { $feed_data = UrlHelper::fetch([ 'url' => $feed->feed_url, 'login' => $feed->auth_login, - 'pass' => $feed->auth_pass, + 'pass' => $feed_auth_pass_plaintext, 'timeout' => Config::get(Config::FEED_FETCH_TIMEOUT), ]); @@ -458,12 +460,26 @@ class RSSUtils { $hff_owner_uid = $feed_obj->owner_uid; $hff_feed_url = $feed_obj->feed_url; + $feed_auth_pass_plaintext = Feeds::decrypt_feed_pass($feed_obj->auth_pass); + + // transparently encrypt plaintext password if possible + if ($feed_obj->auth_pass && $feed_auth_pass_plaintext === $feed_obj->auth_pass) { + $key = Config::get(Config::ENCRYPTION_KEY); + + if ($key) { + Debug::log("encrypting stored plaintext feed password...", Debug::LOG_VERBOSE); + + $feed_obj->auth_pass = base64_encode(serialize(Crypt::encrypt_string($feed_auth_pass_plaintext))); + $feed_obj->save(); + } + } + $pluginhost->chain_hooks_callback(PluginHost::HOOK_FETCH_FEED, function ($result, $plugin) use (&$feed_data, $start_ts) { $feed_data = $result; Debug::log(sprintf("=== %.4f (sec) %s", microtime(true) - $start_ts, get_class($plugin)), Debug::LOG_VERBOSE); }, - $feed_data, $hff_feed_url, $hff_owner_uid, $feed, $last_article_timestamp, $feed_obj->auth_login, $feed_obj->auth_pass); + $feed_data, $hff_feed_url, $hff_owner_uid, $feed, $last_article_timestamp, $feed_obj->auth_login, $feed_auth_pass_plaintext); if ($feed_data) { Debug::log("feed data has been modified by a plugin.", Debug::LOG_VERBOSE); @@ -510,7 +526,7 @@ class RSSUtils { $feed_data = UrlHelper::fetch([ "url" => $feed_obj->feed_url, "login" => $feed_obj->auth_login, - "pass" => $feed_obj->auth_pass, + "pass" => $feed_auth_pass_plaintext, "timeout" => $no_cache ? Config::get(Config::FEED_FETCH_NO_CACHE_TIMEOUT) : Config::get(Config::FEED_FETCH_TIMEOUT), "last_modified" => $force_refetch ? "" : $feed_obj->last_modified ]); diff --git a/classes/Sessions.php b/classes/Sessions.php index 5c586154b..f3c0cea42 100644 --- a/classes/Sessions.php +++ b/classes/Sessions.php @@ -58,7 +58,17 @@ class Sessions implements \SessionHandlerInterface { $sth->execute([$id]); if ($row = $sth->fetch()) { - return base64_decode($row['data']); + $data = base64_decode($row['data']); + + if (Config::get(Config::ENCRYPTION_KEY)) { + $unserialized_data = @unserialize($data); // avoid leaking plaintext session via error message + + if ($unserialized_data !== false) + return Crypt::decrypt_string($unserialized_data); + } + + // if encryption key is missing or session data is not in serialized format, assume plaintext data and return as-is + return $data; } $expire = time() + $this->session_expire; @@ -69,7 +79,12 @@ class Sessions implements \SessionHandlerInterface { } public function write(string $id, string $data): bool { + + if (Config::get(Config::ENCRYPTION_KEY)) + $data = serialize(Crypt::encrypt_string($data)); + $data = base64_encode($data); + $expire = time() + $this->session_expire; $sth = Db::pdo()->prepare('SELECT id FROM ttrss_sessions WHERE id=?'); diff --git a/sql/mysql/migrations/148.sql b/sql/mysql/migrations/148.sql new file mode 100644 index 000000000..b981cadeb --- /dev/null +++ b/sql/mysql/migrations/148.sql @@ -0,0 +1,2 @@ +alter table ttrss_feeds change auth_pass auth_pass text not null; + diff --git a/sql/mysql/schema.sql b/sql/mysql/schema.sql index ffabab669..43be5b479 100644 --- a/sql/mysql/schema.sql +++ b/sql/mysql/schema.sql @@ -121,7 +121,7 @@ create table ttrss_feeds (id integer not null auto_increment primary key, favicon_is_custom boolean default null, site_url varchar(250) not null default '', auth_login varchar(250) not null default '', - auth_pass varchar(250) not null default '', + auth_pass text not null default '', parent_feed integer default null, private bool not null default false, rtl_content bool not null default false, diff --git a/sql/pgsql/migrations/148.sql b/sql/pgsql/migrations/148.sql new file mode 100644 index 000000000..68678e4f5 --- /dev/null +++ b/sql/pgsql/migrations/148.sql @@ -0,0 +1,5 @@ +alter table ttrss_feeds rename column auth_pass to auth_pass_old; +alter table ttrss_feeds add column auth_pass text; +update ttrss_feeds set auth_pass = auth_pass_old; +alter table ttrss_feeds alter column auth_pass set not null; +alter table ttrss_feeds drop column auth_pass_old; diff --git a/sql/pgsql/schema.sql b/sql/pgsql/schema.sql index 938ccc905..acfa619c9 100644 --- a/sql/pgsql/schema.sql +++ b/sql/pgsql/schema.sql @@ -92,7 +92,7 @@ create table ttrss_feeds (id serial not null primary key, auth_login varchar(250) not null default '', parent_feed integer default null references ttrss_feeds(id) on delete set null, private boolean not null default false, - auth_pass varchar(250) not null default '', + auth_pass text not null default '', hidden boolean not null default false, include_in_digest boolean not null default true, rtl_content boolean not null default false, diff --git a/update.php b/update.php index 471e323c8..dfac5ab4c 100755 --- a/update.php +++ b/update.php @@ -84,6 +84,7 @@ "update-schema::" => ["[force-yes]", "update database schema, optionally without prompting"], "force-update" => "mark all feeds as pending update", "gen-search-idx" => "generate basic PostgreSQL fulltext search index", + "gen-encryption-key" => "generate an encryption key (ChaCha20-Poly1305)", "plugins-list" => "list installed plugins", "debug-feed:" => ["N", "update specified feed with debug output enabled"], "force-refetch" => "debug update: force refetch feed data", @@ -323,6 +324,10 @@ } } + if (isset($options["gen-encryption-key"])) { + echo "Generated encryption key: " . bin2hex(Crypt::generate_key()) . "\n"; + } + if (isset($options["plugins-list"])) { $tmppluginhost = new PluginHost(); $tmppluginhost->load_all($tmppluginhost::KIND_ALL);